From 1d3c9f300e6e9c75b332b3c423f201edb1a240b6 Mon Sep 17 00:00:00 2001
From: Hubert Cornet
Date: Mon, 23 Jun 2025 16:45:33 +0200
Subject: [PATCH] Ajouter Azure/KQL/Query.ps1
---
Azure/KQL/Query.ps1 | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 Azure/KQL/Query.ps1
diff --git a/Azure/KQL/Query.ps1 b/Azure/KQL/Query.ps1
new file mode 100644
index 0000000..3d1b940
--- /dev/null
+++ b/Azure/KQL/Query.ps1
@@ -0,0 +1,34 @@
+$TenantId = 'zz0z00z0-00zz-0z0z-z000-zz000z000000'
+$loggingClientID = '000zzzzz-zz0z-0000-0z00-zzz00z00z000'
+$loggingSecret = 'z000Z~0ZZ-0zzZZzzzZzz0zzzzzzzZzz00ZZZzZZ'
+$logAnalyticsWorkspace = '00z0zz00-0000-0z00-z000-000000zz0000'
+$customLogName = "ELEMENT"
+
+$lastEntry = $null
+
+# Get Access Token for Log Analytics to allow KQL Queries to get last ingested events in Custom Logs
+$loginURL = "https://login.microsoftonline.com/$TenantId/oauth2/token"
+$resource = "https://api.loganalytics.io"
+$authbody = @{grant_type = "client_credentials"; resource = $resource; client_id = $loggingClientID; client_secret = $loggingSecret }
+$oauth = Invoke-RestMethod -Method Post -Uri $loginURL -Body $authbody
+$headerParams = @{'Authorization' = "$($oauth.token_type) $($oauth.access_token)" }
+$logAnalyticsBaseURI = "https://api.loganalytics.io/v1/workspaces"
+
+# Get last 2 records from Log Analytics Data ourAppCustomLogs
+$result = invoke-RestMethod -method Get -uri "$($logAnalyticsBaseURI)/$($logAnalyticsWorkspace)/query?query=$($customLogName) | take 10×pan=PT12H" -Headers $headerParams
+
+# Format Result to PSObject
+$headerRow = $null
+$headerRow = $result.tables.columns | Select-Object name
+$columnsCount = $headerRow.Count
+$logData = @()
+
+Foreach ($row in $result.tables.rows) {
+ $data = new-object PSObject
+ For ($i = 0; $i -lt $columnsCount; $i++) {
+ $data | add-member -membertype NoteProperty -name $headerRow[$i].name -value $row[$i]
+ }
+ $logData += $data
+ $data = $null
+}
+[string]$lastEntry = $logData[0]
\ No newline at end of file
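Review bot: `$loggingSecret` is assigned a client-secret literal on the third added line, so the credential is stored in the repository history next to the tenant and client IDs; even if the value shown is a masked placeholder, the script's shape invites pasting the real one in the same spot. Read it at run time instead, for example `$loggingSecret = $env:LOG_ANALYTICS_CLIENT_SECRET` (variable name constructed for illustration) or from a secret store, and rotate any real secret that was ever committed in this form. Separately, the KQL text is placed in the URL unencoded and `take` returns an arbitrary sample rather than the newest rows, so `$logData[0]` is not guaranteed to be the last ingested record; building the parameter as `[uri]::EscapeDataString("$customLogName | top 1 by TimeGenerated desc")` would address both. The comment `# Get last 2 records` also disagrees with the `take 10` in the request and should be brought in line with whatever the query ends up returning.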