Ajouter Azure/KQL/Query.ps1

2025-06-23 16:45:33 +02:00
parent 4b402d19b0
commit 1d3c9f300e
1 changed files with 34 additions and 0 deletions
--- a/Azure/KQL/Query.ps1
+++ b/Azure/KQL/Query.ps1
@ -0,0 +1,34 @@
+$TenantId = 'zz0z00z0-00zz-0z0z-z000-zz000z000000'
+$loggingClientID = '000zzzzz-zz0z-0000-0z00-zzz00z00z000'
+$loggingSecret = 'z000Z~0ZZ-0zzZZzzzZzz0zzzzzzzZzz00ZZZzZZ'
+$logAnalyticsWorkspace = '00z0zz00-0000-0z00-z000-000000zz0000'
+$customLogName = "ELEMENT"
+
+$lastEntry = $null
+
+# Get Access Token for Log Analytics to allow KQL Queries to get last ingested events in Custom Logs
+$loginURL            = "https://login.microsoftonline.com/$TenantId/oauth2/token"
+$resource            = "https://api.loganalytics.io"
+$authbody            = @{grant_type = "client_credentials"; resource = $resource; client_id = $loggingClientID; client_secret = $loggingSecret }
+$oauth               = Invoke-RestMethod -Method Post -Uri $loginURL -Body $authbody
+$headerParams        = @{'Authorization' = "$($oauth.token_type) $($oauth.access_token)" }
+$logAnalyticsBaseURI = "https://api.loganalytics.io/v1/workspaces"
+
+# Get last 2 records from  Log Analytics Data ourAppCustomLogs
+$result = invoke-RestMethod -method Get -uri "$($logAnalyticsBaseURI)/$($logAnalyticsWorkspace)/query?query=$($customLogName) | take 10&timespan=PT12H" -Headers $headerParams
+
+# Format Result to PSObject
+$headerRow    = $null
+$headerRow    = $result.tables.columns | Select-Object name
+$columnsCount = $headerRow.Count
+$logData      = @()
+
+Foreach ($row in $result.tables.rows) {
+     $data = new-object PSObject
+     For ($i = 0; $i -lt $columnsCount; $i++) {
+         $data | add-member -membertype NoteProperty -name $headerRow[$i].name -value $row[$i]
+     }
+     $logData += $data
+     $data = $null
+}
+[string]$lastEntry = $logData[0]