@jpda
Last active June 21, 2019 20:09
Don't ever actually do this. ROPC for enabling security graph to a SIEM programmatically
# change me
$AppId = "" # client id, with user_impersonation rights on azure svc management
$secret = "" # app secret
$Resource = "https://management.core.windows.net/"
$TenantId = "" # tenant guid
$user = "" # some global admin account, without any extra goop - e.g., no MFA, no conditional access, etc, or you'll have to use app passwords or something similar
# or, if you use a federated account, you can use the active endpoint on your STS to authenticate, which you then use to authenticate to AAD, which you can then use for oauth
$password = "lol no" # as icky as this is, at least make this SecureString
$tokenUrl = "https://login.microsoftonline.com/$TenantId/oauth2/token"
# pass the form fields as a hashtable so Invoke-RestMethod url-encodes each value;
# a hand-built string breaks when the password or secret contains &, + or =
$postData = @{
    resource      = $Resource
    client_id     = $AppId
    grant_type    = "password"
    username      = $user
    password      = $password
    scope         = "openid"
    client_secret = $secret
}
$token = Invoke-RestMethod -Uri $tokenUrl -Body $postData -Method Post -Verbose -ContentType "application/x-www-form-urlencoded"
$Headers = @{Authorization = "Bearer $($token.access_token)"}
# current Security Graph diagnostic settings for securityApiAlerts
$GetUrl="https://management.azure.com/providers/Microsoft.SecurityGraph/diagnosticSettings/securityApiAlerts?api-version=2017-04-01-preview"
$Res1 = Invoke-RestMethod -Uri $GetUrl -Method Get -Headers $Headers
# first 10 management events with eventTimestamp inside the given window
$url="https://management.azure.com/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&`$top=10&`$filter=eventTimestamp ge '2019-04-20T00:00:00Z' and eventTimestamp le '2019-07-21T15:00:00Z'"
$Res2 = Invoke-RestMethod -Uri $url -Method Get -Headers $Headers
$Res1.properties | ConvertTo-Json -Depth 2
$Res2 | ConvertTo-Json -Depth 2