Category: Azure Security
-
KQL To List DCRs To Log Analytics Workspace
Resources | where type == “microsoft.insights/datacollectionrules” | join kind=inner ( resourcecontainers | where type == “microsoft.resources/subscriptions” | project subscriptionId, SubscriptionName = name ) on subscriptionId | extend laDestinations = properties.destinations.logAnalytics | mv-expand laDestinations | extend WorkspaceResourceId = tostring(laDestinations.workspaceResourceId) | extend WorkspaceName = split(WorkspaceResourceId, “/”)[-1] | extend TargetResourcesRaw = properties.targetResources | mv-expand TargetResourcesRaw to typeof(string) | extend ConnectedResourceName = split(TargetResourcesRaw, “/”)[-1] | project DCRName = name, SubscriptionName, WorkspaceName, SubscriptionId, ResourceGroup = resourceGroup, Location = location, DataSources = properties.dataSources, ConnectedResourceName
-
Steps To Get Az Activity Across All Subscriptions
# Login to Azure Connect-AzAccount # Define time range $startTime = (Get-Date).AddDays(-10) # Initialize array to collect results $allLogs = @() # Get all subscriptions $subscriptions = Get-AzSubscription foreach ($sub in $subscriptions) { $subscriptionId = $sub.Id $subscriptionName = $sub.Name Select-AzSubscription -SubscriptionId $subscriptionId # Get all role assignments at subscription scope …
onelinecommand 