├── .gitignore ├── CreateLogExportProfile.ps1 ├── Images └── SplunkDataInput2.png ├── LICENSE ├── README.md ├── SECURITY.md ├── SetupDefaultEventHub.ps1 ├── activity-log-export-automation.pssproj └── activity-log-export-automation.sln /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | ## 4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore 5 | 6 | # User-specific files 7 | *.suo 8 | *.user 9 | *.userosscache 10 | *.sln.docstates 11 | 12 | # User-specific files (MonoDevelop/Xamarin Studio) 13 | *.userprefs 14 | 15 | # Build results 16 | [Dd]ebug/ 17 | [Dd]ebugPublic/ 18 | [Rr]elease/ 19 | [Rr]eleases/ 20 | x64/ 21 | x86/ 22 | bld/ 23 | [Bb]in/ 24 | [Oo]bj/ 25 | [Ll]og/ 26 | 27 | # Visual Studio 2015 cache/options directory 28 | .vs/ 29 | # Uncomment if you have tasks that create the project's static files in wwwroot 30 | #wwwroot/ 31 | 32 | # MSTest test Results 33 | [Tt]est[Rr]esult*/ 34 | [Bb]uild[Ll]og.* 35 | 36 | # NUNIT 37 | *.VisualState.xml 38 | TestResult.xml 39 | 40 | # Build Results of an ATL Project 41 | [Dd]ebugPS/ 42 | [Rr]eleasePS/ 43 | dlldata.c 44 | 45 | # .NET Core 46 | project.lock.json 47 | project.fragment.lock.json 48 | artifacts/ 49 | **/Properties/launchSettings.json 50 | 51 | *_i.c 52 | *_p.c 53 | *_i.h 54 | *.ilk 55 | *.meta 56 | *.obj 57 | *.pch 58 | *.pdb 59 | *.pgc 60 | *.pgd 61 | *.rsp 62 | *.sbr 63 | *.tlb 64 | *.tli 65 | *.tlh 66 | *.tmp 67 | *.tmp_proj 68 | *.log 69 | *.vspscc 70 | *.vssscc 71 | .builds 72 | *.pidb 73 | *.svclog 74 | *.scc 75 | 76 | # Chutzpah Test files 77 | _Chutzpah* 78 | 79 | # Visual C++ cache files 80 | ipch/ 81 | *.aps 82 | *.ncb 83 | *.opendb 84 | *.opensdf 85 | *.sdf 86 | *.cachefile 87 | *.VC.db 88 | *.VC.VC.opendb 89 | 90 | # Visual Studio profiler 91 | *.psess 92 | *.vsp 93 | *.vspx 94 | *.sap 95 | 96 | # TFS 2012 Local Workspace 97 | $tf/ 98 | 99 | # Guidance Automation Toolkit 100 | *.gpState 101 | 102 | # ReSharper is a .NET coding add-in 103 | _ReSharper*/ 104 | *.[Rr]e[Ss]harper 105 | *.DotSettings.user 106 | 107 | # JustCode is a .NET coding add-in 108 | .JustCode 109 | 110 | # TeamCity is a build add-in 111 | _TeamCity* 112 | 113 | # DotCover is a Code Coverage Tool 114 | *.dotCover 115 | 116 | # Visual Studio code coverage results 117 | *.coverage 118 | *.coveragexml 119 | 120 | # NCrunch 121 | _NCrunch_* 122 | .*crunch*.local.xml 123 | nCrunchTemp_* 124 | 125 | # MightyMoose 126 | *.mm.* 127 | AutoTest.Net/ 128 | 129 | # Web workbench (sass) 130 | .sass-cache/ 131 | 132 | # Installshield output folder 133 | [Ee]xpress/ 134 | 135 | # DocProject is a documentation generator add-in 136 | DocProject/buildhelp/ 137 | DocProject/Help/*.HxT 138 | DocProject/Help/*.HxC 139 | DocProject/Help/*.hhc 140 | DocProject/Help/*.hhk 141 | DocProject/Help/*.hhp 142 | DocProject/Help/Html2 143 | DocProject/Help/html 144 | 145 | # Click-Once directory 146 | publish/ 147 | 148 | # Publish Web Output 149 | *.[Pp]ublish.xml 150 | *.azurePubxml 151 | # TODO: Comment the next line if you want to checkin your web deploy settings 152 | # but database connection strings (with potential passwords) will be unencrypted 153 | *.pubxml 154 | *.publishproj 155 | 156 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 157 | # checkin your Azure Web App publish settings, but sensitive information contained 158 | # in these scripts will be unencrypted 159 | PublishScripts/ 160 | 161 | # NuGet Packages 162 | *.nupkg 163 | # The packages folder can be ignored because of Package Restore 164 | **/packages/* 165 | # except build/, which is used as an MSBuild target. 166 | !**/packages/build/ 167 | # Uncomment if necessary however generally it will be regenerated when needed 168 | #!**/packages/repositories.config 169 | # NuGet v3's project.json files produces more ignorable files 170 | *.nuget.props 171 | *.nuget.targets 172 | 173 | # Microsoft Azure Build Output 174 | csx/ 175 | *.build.csdef 176 | 177 | # Microsoft Azure Emulator 178 | ecf/ 179 | rcf/ 180 | 181 | # Windows Store app package directories and files 182 | AppPackages/ 183 | BundleArtifacts/ 184 | Package.StoreAssociation.xml 185 | _pkginfo.txt 186 | 187 | # Visual Studio cache files 188 | # files ending in .cache can be ignored 189 | *.[Cc]ache 190 | # but keep track of directories ending in .cache 191 | !*.[Cc]ache/ 192 | 193 | # Others 194 | ClientBin/ 195 | ~$* 196 | *~ 197 | *.dbmdl 198 | *.dbproj.schemaview 199 | *.jfm 200 | *.pfx 201 | *.publishsettings 202 | orleans.codegen.cs 203 | 204 | # Since there are multiple workflows, uncomment next line to ignore bower_components 205 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 206 | #bower_components/ 207 | 208 | # RIA/Silverlight projects 209 | Generated_Code/ 210 | 211 | # Backup & report files from converting an old project file 212 | # to a newer Visual Studio version. Backup files are not needed, 213 | # because we have git ;-) 214 | _UpgradeReport_Files/ 215 | Backup*/ 216 | UpgradeLog*.XML 217 | UpgradeLog*.htm 218 | 219 | # SQL Server files 220 | *.mdf 221 | *.ldf 222 | *.ndf 223 | 224 | # Business Intelligence projects 225 | *.rdl.data 226 | *.bim.layout 227 | *.bim_*.settings 228 | 229 | # Microsoft Fakes 230 | FakesAssemblies/ 231 | 232 | # GhostDoc plugin setting file 233 | *.GhostDoc.xml 234 | 235 | # Node.js Tools for Visual Studio 236 | .ntvs_analysis.dat 237 | node_modules/ 238 | 239 | # Typescript v1 declaration files 240 | typings/ 241 | 242 | # Visual Studio 6 build log 243 | *.plg 244 | 245 | # Visual Studio 6 workspace options file 246 | *.opt 247 | 248 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.) 249 | *.vbw 250 | 251 | # Visual Studio LightSwitch build output 252 | **/*.HTMLClient/GeneratedArtifacts 253 | **/*.DesktopClient/GeneratedArtifacts 254 | **/*.DesktopClient/ModelManifest.xml 255 | **/*.Server/GeneratedArtifacts 256 | **/*.Server/ModelManifest.xml 257 | _Pvt_Extensions 258 | 259 | # Paket dependency manager 260 | .paket/paket.exe 261 | paket-files/ 262 | 263 | # FAKE - F# Make 264 | .fake/ 265 | 266 | # JetBrains Rider 267 | .idea/ 268 | *.sln.iml 269 | 270 | # CodeRush 271 | .cr/ 272 | 273 | # Python Tools for Visual Studio (PTVS) 274 | __pycache__/ 275 | *.pyc 276 | 277 | # Cake - Uncomment if you are using it 278 | # tools/** 279 | # !tools/packages.config 280 | 281 | # Telerik's JustMock configuration file 282 | *.jmconfig 283 | 284 | # BizTalk build output 285 | *.btp.cs 286 | *.btm.cs 287 | *.odx.cs 288 | *.xsd.cs 289 | -------------------------------------------------------------------------------- /CreateLogExportProfile.ps1: -------------------------------------------------------------------------------- 1 | #settings 2 | $AzureSubscriptionName="MSInternal" 3 | $LogRetentionDays = 3 4 | $ServiceBusRuleId = "/subscriptions/aed7eb10-0c55-4e2f-9789-56a40fe42f16/resourceGroups/CorpLogging/providers/Microsoft.EventHub/namespaces/CorpLoggingHub/AuthorizationRules/RootManageSharedAccessKey" 5 | 6 | Write-Host "Authenticating..." 7 | $ctx=Get-AzureRmContext 8 | if ($ctx.Account -eq $null) { 9 | Login-AzureRmAccount 10 | } 11 | if ($ctx.SubscriptionName -ne $AzureSubscriptionName) { 12 | Set-AzureRmContext -SubscriptionName $AzureSubscriptionName 13 | } 14 | 15 | #get list of locations available to this subscription 16 | $locations = (Get-AzureRMLocation).DisplayName 17 | $locations = $locations += "Global" 18 | 19 | $profile = Get-AzureRmLogProfile -Name default -ErrorAction SilentlyContinue 20 | if ($profile -ne $null) { 21 | Write-Host "Clearing previous profile..." 22 | #clear any previous profile entry 23 | Remove-AzureRmLogProfile -Name default 24 | } 25 | 26 | Write-Host "Configuring profile..." 27 | $profile = Add-AzureRmLogProfile ` 28 | -Location $locations ` 29 | -Name default ` 30 | -ServiceBusRuleId $ServiceBusRuleId ` 31 | -RetentionInDays $LogRetentionDays ` 32 | -Category "Write","Delete","Action" 33 | Write-Host "Profile configured." 34 | $profile 35 | -------------------------------------------------------------------------------- /Images/SplunkDataInput2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/activity-log-export-automation/5f91a95a773441f8ea1ff9b2d480cf3091ca7791/Images/SplunkDataInput2.png -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) Microsoft Corporation. All rights reserved. 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Activity Log Export to Splunk - Automation 2 | ## Connect Splunk to Azure Activity Log automatically 3 | 4 | ### Details 5 | These two scripts are designed to automate the deployment of Azure components for configuration of Splunk logging from the Azure Activity Log. It uses the "Azure Monitor Add-on for Splunk": 6 | 7 | https://splunkbase.splunk.com/app/3534/ 8 | 9 | The wiki for that add-on describes the steps necessary to configure Splunk Logging from Azure: 10 | 11 | https://github.com/Microsoft/AzureMonitorAddonForSplunk/wiki 12 | 13 | There are 2 main scripts in the repo: 14 | * SetupDefaultEventHub.ps1 15 | * Deploys the following infrastructure: 16 | * Azure Event Hub 17 | * Azure Key Vault 18 | * Azure AD Application/Service Principal 19 | * Grants Sign-in and Read directory role 20 | * Grants RBAC "Reader" to the subscription 21 | * Grants permission to get secrets from Key Vault 22 | * Stores Event Hub Primary Key in Key Vault 23 | * Returns the following output: 24 | ```powershell 25 | $output = @{ 26 | "Name" = "AzureActivityLogs"; 27 | "SPNTenantID" = $tenantid; 28 | "SPNApplicationID" = $Security.ServicePrincipal.AppId; 29 | "SPNApplicationKey" = $Security.SPSecret; 30 | "eventHubNamespace" = $EventHub.Name; 31 | "vaultName" = $vault.KeyVault.VaultName; 32 | "secretName" = "EHLoggingCredentials"; 33 | "secretVersion" = $vault.EHSecretVersion; 34 | "ruleid" = $eventHub.id; 35 | } 36 | ``` 37 | * All of the above (except "ruleid") is used to connect Splunk to the connector: 38 | ![alt text][App1] 39 | 40 | * CreateLogExportProfile.ps1 41 | * Configures the Activity Log to export activity to Event Hub 42 | * Uses the "ruleid" value exported from the first script 43 | * Can be run on multiple subscriptions, as long as all subscriptions are in the same tenant 44 | * For each iteration, the following settings are required: 45 | ```powershell 46 | #settings 47 | $AzureSub="[Subscription name being connected to Splunk]" 48 | $LogRetentionDays = [int, days to retain data in Event Hub] 49 | $ServiceBusRuleId = "[ruleid string from SetupDefaultEventHub output]" 50 | ``` 51 | * (LogRetentionDays gives you a "backup" in case your Splunk instance goes offline for a period of time) 52 | 53 | ## Notes 54 | The Monitor Add-on provides the capability for Splunk to capture Metrics, Diagnostic Logs and the Activity Log. The approach outlined here is primarily designed for capturing Activity Log data from multiple subscriptions into one Splunk instance, using a single Event Hub. Per the add-on documentation, capturing Metrics and/or Diagnostic Logs requires additional consideration regarding the number of Event Hubs to use, and where they are deployed. 55 | 56 | [App1]: ./Images/SplunkDataInput2.png "Splunk Configuration" 57 | 58 | # Contributing 59 | 60 | This project welcomes contributions and suggestions. Most contributions require you to agree to a 61 | Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us 62 | the rights to use your contribution. For details, visit https://cla.microsoft.com. 63 | 64 | When you submit a pull request, a CLA-bot will automatically determine whether you need to provide 65 | a CLA and decorate the PR appropriately (e.g., label, comment). Simply follow the instructions 66 | provided by the bot. You will only need to do this once across all repos using our CLA. 67 | 68 | This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). 69 | For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or 70 | contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments. 71 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Security 4 | 5 | Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). 6 | 7 | If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below. 8 | 9 | ## Reporting Security Issues 10 | 11 | **Please do not report security vulnerabilities through public GitHub issues.** 12 | 13 | Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report). 14 | 15 | If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey). 16 | 17 | You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 18 | 19 | Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: 20 | 21 | * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) 22 | * Full paths of source file(s) related to the manifestation of the issue 23 | * The location of the affected source code (tag/branch/commit or direct URL) 24 | * Any special configuration required to reproduce the issue 25 | * Step-by-step instructions to reproduce the issue 26 | * Proof-of-concept or exploit code (if possible) 27 | * Impact of the issue, including how an attacker might exploit the issue 28 | 29 | This information will help us triage your report more quickly. 30 | 31 | If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs. 32 | 33 | ## Preferred Languages 34 | 35 | We prefer all communications to be in English. 36 | 37 | ## Policy 38 | 39 | Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd). 40 | 41 | 42 | -------------------------------------------------------------------------------- /SetupDefaultEventHub.ps1: -------------------------------------------------------------------------------- 1 | #settings 2 | $AzureSub="MyAzureSub" 3 | $RGName = "MyLoggingRG" 4 | $Location = "South Central US" 5 | $ResourceTags = @{"Owner" = "Corp"} 6 | $splunkConnectorName = "AzureActivityLogs" 7 | 8 | #Update the following two variables to use an existing Key Vault, must be in same region and subscription. 9 | #Leave set to $null to create a new Key Vault 10 | $KVRGName = $null 11 | $KVName = $null 12 | 13 | ################################################################# 14 | # Don't modify anything below unless you know what you're doing. 15 | ################################################################# 16 | 17 | #variables 18 | $namespace = "$($RGName)Hub" 19 | $AppDisplayName = "$($RGName)App" 20 | $secretName = "EHLoggingCredentials" 21 | 22 | if((!$KVRGName) -and (!$KVName)){ 23 | $vaultName = "$($RGName)Vault" 24 | $KVRGName = $RGName 25 | }elseif(($KVRGName -and ($KVName))) { 26 | $vaultName = $KVName 27 | }else{ 28 | Write-Host -ForegroundColor Red "Please check the values for KVRGName and KVName, must be both populated or left empty" 29 | return 30 | } 31 | 32 | Write-Host "Authenticating..." 33 | $ctx=Get-AzureRmContext 34 | if ($ctx.Account -eq $null) { 35 | Login-AzureRmAccount 36 | } 37 | if ($ctx.SubscriptionName -ne $AzureSub) { 38 | Set-AzureRmContext -SubscriptionName $AzureSub 39 | } 40 | $ctx=Get-AzureRmContext -ErrorAction Stop 41 | 42 | #force context to grab a token for graph 43 | Get-AzureRmADUser -UserPrincipalName $ctx.Account.Id -ErrorAction Stop 44 | 45 | $cache = $ctx.TokenCache 46 | $cacheItems = $cache.ReadItems() 47 | $token = ($cacheItems | where { $_.Resource -eq "https://graph.windows.net/" }) 48 | if ($token.ExpiresOn -le [System.DateTime]::UtcNow) { 49 | $ac = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext]::new("$($ctx.Environment.ActiveDirectoryAuthority)$($ctx.Tenant.Id)",$token) 50 | #appId is well-known id of Powershell; reusing token cache from AzureRM login 51 | $token = $ac.AcquireTokenByRefreshToken($token.RefreshToken, "1950a258-227b-4e31-a9cf-717495945fc2", "https://graph.windows.net") 52 | } 53 | $aad = Connect-AzureAD -AadAccessToken $token.AccessToken -AccountId $ctx.Account.Id -TenantId $ctx.Tenant.Id -ErrorAction Stop 54 | $SubscriptionId = $ctx.Subscription.Id 55 | $tenantid = $ctx.Tenant.Id 56 | 57 | Write-Host "Setting up Resource Group..." 58 | #create Resource Group for Event Hub 59 | $rg = Get-AzureRmResourceGroup -Name $RGName -ErrorAction SilentlyContinue 60 | 61 | if ($rg -eq $null) { 62 | $rg = New-AzureRmResourceGroup ` 63 | -Name $RGName ` 64 | -Location $Location ` 65 | -Tag $ResourceTags ` 66 | -ErrorAction Stop 67 | } 68 | 69 | Write-Host "Setting up Event Hub..." 70 | $ehn = Get-AzureRmEventHubNamespace -ResourceGroupName $RGName -Name $Namespace -ErrorAction SilentlyContinue 71 | 72 | if ($ehn -eq $null) { 73 | #test if event hub namespace exists 74 | $ehntest = Test-AzureRmEventHubName -Namespace $namespace 75 | if ($ehntest.NameAvailable -eq $true) { 76 | #create event hub namespace 77 | $ehn = New-AzureRmEventHubNamespace ` 78 | -ResourceGroupName $RGName ` 79 | -Name $Namespace ` 80 | -Location $Location ` 81 | -SkuName Standard ` 82 | -SkuCapacity 1 ` 83 | -EnableAutoInflate $true ` 84 | -Tag $ResourceTags ` 85 | -ErrorVariable NSError 86 | } elseif ($ehntest.NameAvailable -eq $false) { 87 | Write-Host -F Red $ehntest.Message 88 | Return 89 | } 90 | } 91 | 92 | $ehkey = Get-AzureRmEventHubKey ` 93 | -ResourceGroupName $RGName ` 94 | -Namespace $Namespace ` 95 | -Name "RootManageSharedAccessKey" ` 96 | -ErrorAction Stop 97 | 98 | #get new namespace authorization rule 99 | $rule = Get-AzureRmEventHubAuthorizationRule -ResourceGroupName $RGName -Namespace $Namespace -ErrorAction Stop 100 | 101 | Write-Host "Setting up Key vault..." 102 | $kv = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $KVRGName 103 | if ($kv) { 104 | #Check location 105 | if ($kv.Location -eq $Location) { 106 | Write-Host ("Using Existing Key Vault {0}" -f $kv.VaultName) 107 | }elseif($kv.Location -ne $Location){ 108 | Write-host -F Red ("Unable to use existing Key Vault {0},must be located in {1} region" -f $kv.VaultName, $Location) 109 | Return 110 | } 111 | } 112 | elseif (!$kv) { 113 | #Create Azure Key vault 114 | $kv = New-AzureRmKeyVault ` 115 | -VaultName $vaultName ` 116 | -ResourceGroupName $KVRGName ` 117 | -Location $Location ` 118 | -ErrorAction Stop 119 | } 120 | 121 | Write-Host "Setting up Service Principal..." 122 | $uri = "http://$($AppDisplayName).$((Get-AzureRmSubscription -SubscriptionName $AzureSub).TenantId)" 123 | 124 | #setup access rules for new app 125 | $appResources = [System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]]::New() 126 | 127 | # get AAD SPN/perms 128 | $aadapp = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Windows Azure Active Directory'" -ErrorAction Stop 129 | if ($aadapp -eq $null) { 130 | throw [System.Exception] "Azure AD Service Principal not found, please check the name" 131 | exit 1 132 | } 133 | $aadSignInPerm = $aadapp | select -expand Oauth2Permissions | ? {$_.value -eq "User.Read"} 134 | 135 | try { 136 | # create perm object 137 | $readAndSignInPerm = [Microsoft.Open.AzureAD.Model.ResourceAccess]::New() 138 | $readAndSignInPerm.Id = $aadSignInPerm.Id 139 | $readAndSignInPerm.Type = "Scope" 140 | 141 | # Read/Sign-In Perms to AAD 142 | $appAccess = [Microsoft.Open.AzureAD.Model.RequiredResourceAccess]::New() 143 | $appAccess.ResourceAppId = $aadapp.AppId 144 | $appAccess.ResourceAccess = $readAndSignInPerm 145 | 146 | $appResources.Add($appAccess) 147 | } 148 | catch { 149 | throw [System.Exception] "Error creating permissions objects. Please ensure you have installed the Microsoft ADAL library from NuGet or https://github.com/AzureAD/microsoft-authentication-library-for-dotnet" 150 | exit 1 151 | } 152 | 153 | #hack to work around odata filter using variable 154 | $execstr = "AzureAD\Get-AzureADApplication -Filter `"identifierUris/any(uri:uri eq '$uri')`"" 155 | $app = Invoke-Expression $execstr 156 | 157 | if ($app -ne $null) { 158 | #start over 159 | AzureAD\Remove-AzureADApplication -ObjectId $app.ObjectId -ErrorAction Stop 160 | Start-Sleep 3 161 | } 162 | 163 | #Create AzureAD Application 164 | $app = AzureAD\New-AzureADApplication ` 165 | -DisplayName $AppDisplayName ` 166 | -IdentifierUris $uri ` 167 | -RequiredResourceAccess $appResources ` 168 | -ErrorAction Stop 169 | 170 | #create Service Principal 171 | $sp = AzureAD\New-AzureADServicePrincipal ` 172 | -AppId $app.AppId ` 173 | -DisplayName $AppDisplayName ` 174 | -Tags {WindowsAzureActiveDirectoryIntegratedApp} ` 175 | -ErrorAction Stop 176 | 177 | # Generate a client secret 178 | $now = Get-Date 179 | $addYear = $now.AddYears(1) 180 | $cred = New-AzureADApplicationPasswordCredential -ObjectId $app.ObjectId -StartDate $now -EndDate $addYear -CustomKeyIdentifier "Key1" 181 | 182 | Write-Host "Pausing 60 seconds to let our new service principal propagate..." 183 | #give AAD 60 seconds to propagate the new SP over to the directory for RBAC assignment 184 | Start-Sleep 60 185 | 186 | Write-Host "Adding RBAC role assignment..." 187 | #assign role 188 | New-AzureRmRoleAssignment ` 189 | -ObjectId $sp.ObjectId ` 190 | -RoleDefinitionName "Reader" ` 191 | -Scope "/subscriptions/$($SubscriptionId)" ` 192 | -ErrorAction Stop 193 | 194 | Write-Host "Adding access to key vault..." 195 | #grant "Get Secrets" access to Key Vault 196 | Set-AzureRmKeyVaultAccessPolicy ` 197 | -VaultName $vaultName ` 198 | -ObjectId $sp.ObjectId ` 199 | -PermissionsToSecrets get ` 200 | -ResourceGroupName $KVRGName ` 201 | -ErrorAction Stop 202 | 203 | Write-Host "Adding secrets to Key vault..." 204 | #get and store key 205 | $ss = ConvertTo-SecureString -String $ehkey.PrimaryKey -AsPlainText -Force 206 | 207 | $secret = Set-AzureKeyVaultSecret ` 208 | -VaultName $kv.VaultName ` 209 | -Name $secretName ` 210 | -SecretValue $ss ` 211 | -ContentType "RootManageSharedAccessKey" ` 212 | -ErrorAction Stop 213 | 214 | $output = @{ 215 | "Name" = $splunkConnectorName; 216 | "SPNTenantID" = $ctx.Tenant.Id; 217 | "SPNApplicationID" = $sp.AppId; 218 | "SPNApplicationKey" = $cred.Value; 219 | "eventHubNamespace" = $ehn.Name; 220 | "vaultName" = $kv.VaultName; 221 | "secretName" = $secret.Name; 222 | "secretVersion" = $secret.Version; 223 | "ruleid" = $rule.id; 224 | } 225 | 226 | Write-Host "" 227 | Write-Host "---" 228 | Write-Host "Configuration complete" 229 | Write-Host "" 230 | 231 | Write-Host "" 232 | Write-Host "****************************" 233 | Write-Host "*** RuleID for Profiles ***" 234 | Write-Host "****************************" 235 | Write-Host "" 236 | Write-Host $output.ruleid 237 | 238 | Write-Host "" 239 | Write-Host "****************************" 240 | Write-Host "*** SPLUNK CONFIGURATION ***" 241 | Write-Host "****************************" 242 | Write-Host "" 243 | Write-Host "Data Input Settings for configuration as explained at https://github.com/Microsoft/AzureMonitorAddonForSplunk/wiki/Configuration-of-Splunk" 244 | Write-Host "" 245 | Write-Host " AZURE MONITOR ACTIVITY LOG" 246 | Write-Host " ----------------------------" 247 | Write-Host " Name: " $output.Name 248 | Write-Host " SPNTenantID: " $output.SPNTenantID 249 | Write-Host " SPNApplicationId: " $output.SPNApplicationID 250 | Write-Host " SPNApplicationKey: " $output.SPNApplicationKey 251 | Write-Host " eventHubNamespace: " $output.eventHubNamespace 252 | Write-Host " vaultName: " $output.vaultName 253 | Write-Host " secretName: " $output.secretName 254 | Write-Host " secretVersion: " $output.secretVersion 255 | 256 | -------------------------------------------------------------------------------- /activity-log-export-automation.pssproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | Debug 4 | 2.0 5 | 6CAFC0C6-A428-4d30-A9F9-700E829FEA51 6 | Exe 7 | MyApplication 8 | MyApplication 9 | activity-log-export-automation 10 | 11 | 12 | true 13 | full 14 | false 15 | bin\Debug\ 16 | DEBUG;TRACE 17 | prompt 18 | 4 19 | 20 | 21 | pdbonly 22 | true 23 | bin\Release\ 24 | TRACE 25 | prompt 26 | 4 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | -------------------------------------------------------------------------------- /activity-log-export-automation.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.27130.2036 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{F5034706-568F-408A-B7B3-4D38C6DB8A32}") = "activity-log-export-automation", "activity-log-export-automation.pssproj", "{6CAFC0C6-A428-4D30-A9F9-700E829FEA51}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 15 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Debug|Any CPU.Build.0 = Debug|Any CPU 16 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | GlobalSection(ExtensibilityGlobals) = postSolution 23 | SolutionGuid = {C3391EA4-6F5E-400B-913F-1F91F0D33FAA} 24 | EndGlobalSection 25 | EndGlobal 26 | --------------------------------------------------------------------------------