From b121e2bd4da66718c2d702f157e63b7ee5dd64f1 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Wed, 2 Oct 2024 19:38:26 -0400 Subject: [PATCH 1/7] Update Start-AuditLogOrchestrator.ps1 --- .../Start-AuditLogOrchestrator.ps1 | 24 +++++++++++++++---- 1 file changed, 19 insertions(+), 5 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-AuditLogOrchestrator.ps1 b/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-AuditLogOrchestrator.ps1 index 4790f78afc9c..2dc14a0aa36f 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-AuditLogOrchestrator.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-AuditLogOrchestrator.ps1 @@ -8,6 +8,9 @@ function Start-AuditLogOrchestrator { try { $AuditLogSearchesTable = Get-CIPPTable -TableName 'AuditLogSearches' $AuditLogSearches = Get-CIPPAzDataTableEntity @AuditLogSearchesTable -Filter "CippStatus eq 'Pending'" + + $ConfigTable = Get-CippTable -TableName 'WebhookRules' + $ConfigEntries = Get-CIPPAzDataTableEntity @ConfigTable $TenantList = Get-Tenants -IncludeErrors # Round time down to nearest minute $Now = Get-Date 
@@ -32,11 +35,22 @@ function Start-AuditLogOrchestrator { Write-Information 'Audit Logs: Creating new searches' foreach ($Tenant in $TenantList) { - try { - $NewSearch = New-CippAuditLogSearch -TenantFilter $Tenant.defaultDomainName -StartTime $StartTime -EndTime $EndTime -ProcessLogs - Write-Information "Created audit log search $($Tenant.defaultDomainName) - $($NewSearch.displayName)" - } catch { - Write-Information "Error creating audit log search $($Tenant.defaultDomainName) - $($_.Exception.Message)" + $Configuration = $ConfigEntries | Where-Object { ($_.Tenants -match $TenantFilter -or $_.Tenants -match 'AllTenants') } + if ($Configuration) { + $ServiceFilters = $Configuration | Select-Object -Property type | Sort-Object -Property type -Unique | ForEach-Object { $_.type.split('.')[1] } + try { + $LogSearch = @{ + StartTime = $StartTime + EndTime = $EndTime + ServiceFilters = $ServiceFilters + TenantFilter = $Tenant.defaultDomainName + ProcessLogs = $true + } + $NewSearch = New-CippAuditLogSearch @LogSearch + Write-Information "Created audit log search $($Tenant.defaultDomainName) - $($NewSearch.displayName)" + } catch { + Write-Information "Error creating audit log search $($Tenant.defaultDomainName) - $($_.Exception.Message)" + } } } } catch { From e254c8b1e67966a154925b8cb85579d79fdccf8c Mon Sep 17 00:00:00 2001 From: John Duprey Date: Wed, 2 Oct 2024 19:56:15 -0400 Subject: [PATCH 2/7] Audit log cleanup --- .../Push-Schedulerwebhookcreation.ps1 | 4 +- .../Start-AuditLogOrchestrator.ps1 | 1 + Modules/CIPPCore/Public/Send-CIPPAlert.ps1 | 5 +- .../Webhooks/Invoke-CIPPWebhookProcessing.ps1 | 9 +++ .../Webhooks/New-CIPPGraphSubscription.ps1 | 67 +------------------ 5 files changed, 17 insertions(+), 69 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-Schedulerwebhookcreation.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-Schedulerwebhookcreation.ps1 index bba8630e91c5..62da83dff4cd 100644 
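Review bot: `$TenantFilter` in the new `Where-Object` filter is not assigned anywhere in the visible lines of Start-AuditLogOrchestrator; the loop variable is `$Tenant`. If it is unset, `-match` against an empty pattern is true for every rule, so each tenant would be searched with the service filters of all rules rather than its own. Even with the right variable, `-match` is a regex substring test, so `contoso.com` would also match a rule scoped to `mycontoso.com`; consider `$_.Tenants -match [regex]::Escape($Tenant.defaultDomainName)`, or an exact comparison against the parsed tenant list if `Tenants` is a serialized list. Tenants with no matching rule are now skipped silently, so a `Write-Information` line in an `else` branch would make a gap in audit coverage visible. The function body starts and ends outside the hunk.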
--- a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-Schedulerwebhookcreation.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-Schedulerwebhookcreation.ps1 @@ -6,7 +6,7 @@ function Push-Schedulerwebhookcreation { param ( $item ) - $Table = Get-CIPPTable -TableName 'SchedulerConfig' + <#$Table = Get-CIPPTable -TableName 'SchedulerConfig' $WebhookTable = Get-CIPPTable -TableName 'webhookTable' $Tenant = $Item.Tenant $Row = Get-CIPPAzDataTableEntity @Table -Filter "RowKey eq '$($item.SchedulerRow)'" @@ -42,6 +42,6 @@ function Push-Schedulerwebhookcreation { Write-Information "Failed to create webhook for $Tenant - $($Row.webhookType): $($_.Exception.Message)" } } - } + }#> } diff --git a/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-AuditLogOrchestrator.ps1 b/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-AuditLogOrchestrator.ps1 index 2dc14a0aa36f..3af3c2e869ac 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-AuditLogOrchestrator.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-AuditLogOrchestrator.ps1 @@ -11,6 +11,7 @@ function Start-AuditLogOrchestrator { $ConfigTable = Get-CippTable -TableName 'WebhookRules' $ConfigEntries = Get-CIPPAzDataTableEntity @ConfigTable + $TenantList = Get-Tenants -IncludeErrors # Round time down to nearest minute $Now = Get-Date diff --git a/Modules/CIPPCore/Public/Send-CIPPAlert.ps1 b/Modules/CIPPCore/Public/Send-CIPPAlert.ps1 index 54e0def2bb98..f5610cd84e63 100644 --- a/Modules/CIPPCore/Public/Send-CIPPAlert.ps1 +++ b/Modules/CIPPCore/Public/Send-CIPPAlert.ps1 @@ -9,7 +9,8 @@ function Send-CIPPAlert { $TenantFilter, $APIName = 'Send Alert', $ExecutingUser, - $TableName + $TableName, + $RowKey = [string][guid]::NewGuid() ) Write-Information 'Shipping Alert' $Table = Get-CIPPTable -TableName SchedulerConfig 
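Review bot: Wrapping the body of Push-Schedulerwebhookcreation in `<# … #>` (this hunk and the closing `}#>` at `@@ -42,6 +42,6 @@`) leaves an activity function that accepts `$item` and does nothing, with no log line to show it was invoked. Either delete the dead body and rely on version control, or keep a one-line stub such as `Write-Information 'Push-Schedulerwebhookcreation is disabled'` so a queued item remains traceable. The same applies to the early `return # Disabled for now, as it's not used` added to Push-AuditLogBundleProcessing in patch 4, which leaves its whole `try` block unreachable.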
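Review bot: The `$RowKey = [string][guid]::NewGuid()` default applies only when the parameter is omitted; a caller that passes `$null` or an empty string, as `RowKey = $Data.Id` in Invoke-CippWebhookProcessing would for a record without an Id, overrides it, and the value is written unchanged at `@@ -52,7 +53,7 @@`. Consider falling back inside the body with `if ([string]::IsNullOrWhiteSpace($RowKey)) { $RowKey = [string][guid]::NewGuid() }`, and rejecting values containing `/`, `\`, `#` or `?`, which Azure Table Storage does not accept in keys. A short comment on the parameter, saying that a caller-supplied key is intended to give one row per source record, would also help. The param block and function body continue outside the hunk.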
@@ -52,7 +53,7 @@ function Send-CIPPAlert { $Table = Get-CIPPTable -TableName $TableName $Alert = @{ PartitionKey = $TenantFilter ?? 'Alert' - RowKey = [string][guid]::NewGuid() + RowKey = $RowKey Title = $Title Data = [string]$JSONContent Tenant = $TenantFilter diff --git a/Modules/CIPPCore/Public/Webhooks/Invoke-CIPPWebhookProcessing.ps1 b/Modules/CIPPCore/Public/Webhooks/Invoke-CIPPWebhookProcessing.ps1 index 454b5f7cc95b..7f23dc87483e 100644 --- a/Modules/CIPPCore/Public/Webhooks/Invoke-CIPPWebhookProcessing.ps1 +++ b/Modules/CIPPCore/Public/Webhooks/Invoke-CIPPWebhookProcessing.ps1 @@ -10,6 +10,14 @@ function Invoke-CippWebhookProcessing { $ExecutingUser ) + $AuditLogTable = Get-CIPPTable -TableName 'AuditLogs' + $AuditLog = Get-CIPPAzDataTableEntity @AuditLogTable -Filter "PartitionKey eq '$TenantFilter' and RowKey eq '$($Data.Id)'" + + if ($AuditLog) { + Write-Host "Audit Log already exists for $($Data.Id). Skipping processing." + return + } + $Tenant = Get-Tenants -IncludeErrors | Where-Object { $_.defaultDomainName -eq $TenantFilter } Write-Host "Received data. Our Action List is $($data.CIPPAction)" @@ -71,6 +79,7 @@ function Invoke-CippWebhookProcessing { JSONContent = $JsonContent TenantFilter = $TenantFilter TableName = 'AuditLogs' + RowKey = $Data.Id } $LogId = Send-CIPPAlert @CIPPAlert diff --git a/Modules/CIPPCore/Public/Webhooks/New-CIPPGraphSubscription.ps1 b/Modules/CIPPCore/Public/Webhooks/New-CIPPGraphSubscription.ps1 index 83747a8592f9..a6212c26f322 100644 --- a/Modules/CIPPCore/Public/Webhooks/New-CIPPGraphSubscription.ps1 +++ b/Modules/CIPPCore/Public/Webhooks/New-CIPPGraphSubscription.ps1 @@ -2,7 +2,6 @@ function New-CIPPGraphSubscription { [CmdletBinding()] param ( $TenantFilter, - [bool]$auditLogAPI = $false, $TypeofSubscription, $AllowedLocations, $BaseURL, 
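Review bot: The duplicate check in Invoke-CippWebhookProcessing builds its OData filter by interpolating `$TenantFilter` and `$Data.Id` straight into the string, and it runs even when `$Data.Id` is empty. An empty Id yields `RowKey eq ''`, which finds nothing, so the record is processed and then handed to Send-CIPPAlert with an empty `RowKey` (the `@@ -71,6 +79,7 @@` hunk). Skip the lookup when the Id is empty and leave `RowKey` out of the splat so the GUID default applies, and double any single quote in interpolated values, for example `$($Data.Id -replace "'", "''")`, so a malformed Id cannot change the filter. The lookup and the later write are also not atomic, so two workers handling the same record could both pass the check; whether that matters depends on how Add-CIPPAzDataTableEntity treats an existing key, which is not visible here.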
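Review bot: Removing `[bool]$auditLogAPI` from a `[CmdletBinding()]` function means any remaining caller that still passes `-auditLogAPI` will fail parameter binding rather than being ignored. No callers are visible in this series, so it is worth searching the repository for `-auditLogAPI` before merging. The following hunk (`@@ -17,69 +16,7 @@`) also drops the branch that wrote `Version eq '3'` rows to `webhookTable`; if such rows exist in deployed tables, a cleanup step or a note would avoid stale `Enabled` entries that may no longer correspond to anything this code manages.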
@@ -17,69 +16,7 @@ function New-CIPPGraphSubscription { $WebhookTable = Get-CIPPTable -TableName 'webhookTable' try { - if ($auditLogAPI) { - $CIPPID = (New-Guid).GUID - $Resource = $EventType - $WebhookFilter = "PartitionKey eq '$($TenantFilter)' and Resource eq '$Resource' and Version eq '3'" - $ExistingWebhooks = Get-CIPPAzDataTableEntity @WebhookTable -Filter $WebhookFilter - $MatchedWebhook = $ExistingWebhooks - try { - if (!$MatchedWebhook -or ($Recreate.IsPresent)) { - if (!$MatchedWebhook) { - $WebhookRow = [PSCustomObject]@{ - PartitionKey = [string]$TenantFilter - RowKey = [string]$CIPPID - Status = 'Enabled' - Error = '' - Resource = [string]$Resource - Expiration = [string]'Does Not Expire' - Version = [string]'3' - } - Add-CIPPAzDataTableEntity @WebhookTable -Entity $WebhookRow - } else { - Write-Host 'Setting webhook back to enabled' - Write-Host ($MatchedWebhook | ConvertTo-Json) - $MatchedWebhook | Add-Member -MemberType NoteProperty -Name Status -Value 'Enabled' -Force - $MatchedWebhook | Add-Member -MemberType NoteProperty -Name Error -Value '' -Force - - $null = Add-CIPPAzDataTableEntity @WebhookTable -Entity $MatchedWebhook -Force - $WebhookRow = $MatchedWebhook - } - Write-Host "Creating webhook subscription for $EventType" - - $AuditLog = New-GraphPOSTRequest -type POST -uri "https://manage.office.com/api/v1.0/$($TenantFilter)/activity/feed/subscriptions/start?contentType=$EventType&PublisherIdentifier=$($env:TenantID)" -tenantid $TenantFilter -scope 'https://manage.office.com/.default' -body '{}' -verbose - Write-LogMessage -user $ExecutingUser -API $APIName -message "Created Webhook subscription for $($TenantFilter) for the log $($EventType)" -Sev 'Info' -tenant $TenantFilter - return @{ Success = $true; message = "Created Webhook subscription for $($TenantFilter) for the log $($EventType)" } - } else { - if ($MatchedWebhook.Status -eq 'Disabled') { - return @{ success = $false; message = "Webhook subscription for $($TenantFilter) is 
disabled due to an error"; WebhookID = $MatchedWebhook.RowKey } - } else { - return @{ success = $true; message = "Webhook exists for $($TenantFilter) for the log $($EventType)"; WebhookID = $MatchedWebhook.RowKey } - } - } - } catch { - if ($_.Exception.Message -eq 'The subscription is already enabled. No property change.' -or $_.Exception.Message -like '*already exists*') { - Write-LogMessage -user $ExecutingUser -API $APIName -message "Webhook subscription for $($TenantFilter) already exists" -Sev 'Info' -tenant $TenantFilter - return @{ success = $true; message = "Webhook exists for $($TenantFilter) for the log $($EventType)" } - } elseif ($_.Exception.Message -match "The service principal for resource 'https://manage.office.com' is disabled") { - Write-LogMessage -user $ExecutingUser -API $APIName -message "Failed to create Webhook Subscription for $($TenantFilter): This tenant may not have an Exchange Online license. Audit Log subscription disabled." -Sev 'Error' -tenant $TenantFilter -LogData (Get-CippException -Exception $_) - $WebhookRow.Status = 'Disabled' - $WebhookRow.Error = $_.Exception.Message - $null = Add-CIPPAzDataTableEntity @WebhookTable -Entity $WebhookRow -Force - return @{ success = $false; message = "Failed to create Webhook Subscription for $($TenantFilter): $($_.Exception.Message)" } - } elseif ($_.Exception.Message -match 'Retry the request.') { - Remove-AzDataTableEntity @WebhookTable -Entity @{ PartitionKey = $TenantFilter; RowKey = [string]$CIPPID } | Out-Null - Write-LogMessage -user $ExecutingUser -API $APIName -message "Failed to create Webhook Subscription for $($TenantFilter): $($_.Exception.Message)" -Sev 'Error' -tenant $TenantFilter -LogData (Get-CippException -Exception $_) - return @{ success = $false; message = "Failed to create Webhook Subscription for $($TenantFilter): A temporary error occurred, we will try to subscribe again later" } - } else { - $WebhookRow.Status = 'Disabled' - $WebhookRow.Error = $_.Exception.Message 
- $null = Add-CIPPAzDataTableEntity @WebhookTable -Entity $WebhookRow -Force - Write-LogMessage -user $ExecutingUser -API $APIName -message "Failed to create Webhook Subscription for $($TenantFilter): $($_.Exception.Message)" -Sev 'Error' -tenant $TenantFilter -LogData (Get-CippException -Exception $_) - return @{ success = $false; message = "Failed to create Webhook Subscription for $($TenantFilter): $($_.Exception.Message). Audit log subscription disabled." } - } - } - } elseif ($PartnerCenter.IsPresent) { + if ($PartnerCenter.IsPresent) { $WebhookFilter = "PartitionKey eq '$($env:TenantID)'" $ExistingWebhooks = Get-CIPPAzDataTableEntity @WebhookTable -Filter $WebhookFilter $CIPPID = $env:TenantID @@ -143,7 +80,7 @@ function New-CIPPGraphSubscription { } } else { - # First check if there is an exsiting Webhook in place + # First check if there is an existing Webhook in place $WebhookFilter = "PartitionKey eq '$($TenantFilter)'" $ExistingWebhooks = Get-CIPPAzDataTableEntity @WebhookTable -Filter $WebhookFilter $MatchedWebhook = $ExistingWebhooks | Where-Object { $_.Resource -eq $Resource } From 297028dd4f086b81766f9fb92a29f8236f38b969 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Wed, 2 Oct 2024 20:46:14 -0400 Subject: [PATCH 3/7] Audit log tweaks --- .../Activity Triggers/Webhooks/Push-AuditLogTenant.ps1 | 6 +++--- Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogTenant.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogTenant.ps1 index a2a36fd518a9..bfd2aacc155e 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogTenant.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogTenant.ps1 
@@ -29,9 +29,9 @@ function Push-AuditLogTenant { $SearchEntity.CippStatus = 'Completed' $MatchedRules = [string](ConvertTo-Json -Compress -InputObject $AuditLogTest.MatchedRules) - $SearchEntity | Add-Member -MemberType NoteProperty -Name MatchedRules -Value $MatchedRules - $SearchEntity | Add-Member -MemberType NoteProperty -Name MatchedLogs -Value $AuditLogTest.MatchedLogs - $SearchEntity | Add-Member -MemberType NoteProperty -Name TotalLogs -Value $AuditLogTest.TotalLogs + $SearchEntity | Add-Member -MemberType NoteProperty -Name MatchedRules -Value $MatchedRules -Force + $SearchEntity | Add-Member -MemberType NoteProperty -Name MatchedLogs -Value $AuditLogTest.MatchedLogs -Force + $SearchEntity | Add-Member -MemberType NoteProperty -Name TotalLogs -Value $AuditLogTest.TotalLogs -Force } catch { $SearchEntity.CippStatus = 'Failed' Write-Information "Error processing audit log rules: $($_.Exception.Message)" diff --git a/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 b/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 index fea710132087..041f0f79629f 100644 --- a/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 +++ b/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 @@ -185,7 +185,7 @@ function Test-CIPPAuditLogRules { } $ReturnedData } - $Results.MatchedRules = $MatchedRules | Select-Object -Unique + $Results.MatchedRules = @($MatchedRules | Select-Object -Unique) $Results.MatchedLogs = ($DataToProcess | Measure-Object).Count $Results.DataToProcess = $DataToProcess } From 7380958df9a9f97280df8fb46abdb0687fc447e3 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Wed, 2 Oct 2024 21:25:25 -0400 Subject: [PATCH 4/7] Update Push-AuditLogBundleProcessing.ps1 --- .../Webhooks/Push-AuditLogBundleProcessing.ps1 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogBundleProcessing.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogBundleProcessing.ps1 index 13f2315e94a8..757180f3a0bd 100644 --- a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogBundleProcessing.ps1 +++ b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogBundleProcessing.ps1 @@ -1,6 +1,8 @@ function Push-AuditLogBundleProcessing { Param($Item) + return # Disabled for now, as it's not used + try { $AuditBundleTable = Get-CippTable -tablename 'AuditLogBundles' $AuditLogBundle = Get-CIPPAzDataTableEntity @AuditBundleTable -Filter "PartitionKey eq '$($Item.TenantFilter)' and RowKey eq '$($Item.ContentId)'" @@ -37,4 +39,4 @@ function Push-AuditLogBundleProcessing { } catch { Write-Host ( 'Audit log error {0} line {1} - {2}' -f $_.InvocationInfo.ScriptName, $_.InvocationInfo.ScriptLineNumber, $_.Exception.Message) } -} \ No newline at end of file +} From b7bc28ae4ece99328ebb380ca34fa47a6dcfbd4b Mon Sep 17 00:00:00 2001 From: John Duprey Date: Wed, 2 Oct 2024 21:44:36 -0400 Subject: [PATCH 5/7] Add audit record --- .../Webhooks/Invoke-CIPPWebhookProcessing.ps1 | 2 ++ .../Public/Webhooks/Test-CIPPAuditLogRules.ps1 | 14 +++++--------- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/Modules/CIPPCore/Public/Webhooks/Invoke-CIPPWebhookProcessing.ps1 b/Modules/CIPPCore/Public/Webhooks/Invoke-CIPPWebhookProcessing.ps1 index 7f23dc87483e..bdaa8e328ce1 100644 --- a/Modules/CIPPCore/Public/Webhooks/Invoke-CIPPWebhookProcessing.ps1 +++ b/Modules/CIPPCore/Public/Webhooks/Invoke-CIPPWebhookProcessing.ps1 
@@ -62,6 +62,7 @@ function Invoke-CippWebhookProcessing { # Save audit log entry to table $LocationInfo = $Data.CIPPLocationInfo | ConvertFrom-Json -ErrorAction SilentlyContinue + $AuditRecord = $Data.AuditRecord | ConvertFrom-Json -ErrorAction SilentlyContinue $GenerateJSON = New-CIPPAlertTemplate -format 'json' -data $Data -ActionResults $ActionResults -CIPPURL $CIPPURL $JsonContent = @{ Title = $GenerateJSON.Title @@ -71,6 +72,7 @@ function Invoke-CippWebhookProcessing { IP = $data.ClientIP PotentialLocationInfo = $LocationInfo ActionsTaken = $ActionResults + AuditRecord = $AuditRecord } | ConvertTo-Json -Depth 15 -Compress $CIPPAlert = @{ diff --git a/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 b/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 index 041f0f79629f..db024dcbee24 100644 --- a/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 +++ b/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 
@@ -34,21 +34,16 @@ function Test-CIPPAuditLogRules { LogType = $_.Type } } - #$AuditLogQuery = @{ - # TenantFilter = $TenantFilter - # ContentUri = $ContentUri - #} - #Write-Information 'Getting data from Office 365 Management Activity API' - #$Data = Get-CIPPAuditLogContent @AuditLogQuery Write-Information 'Getting audit records from Graph API' - $Data = Get-CippAuditLogSearchResults -TenantFilter $TenantFilter -QueryId $SearchId + $SearchResults = Get-CippAuditLogSearchResults -TenantFilter $TenantFilter -QueryId $SearchId $LogCount = ($Data | Measure-Object).Count Write-Information "Logs to process: $LogCount" $Results.TotalLogs = $LogCount if ($LogCount -gt 0) { - $PreProcessedData = $Data.auditData | Select-Object *, CIPPAction, CIPPClause, CIPPGeoLocation, CIPPBadRepIP, CIPPHostedIP, CIPPIPDetected, CIPPLocationInfo, CIPPExtendedProperties, CIPPDeviceProperties, CIPPParameters, CIPPModifiedProperties -ErrorAction SilentlyContinue $LocationTable = Get-CIPPTable -TableName 'knownlocationdb' - $ProcessedData = foreach ($Data in $PreProcessedData) { + $ProcessedData = foreach ($AuditRecord in $SearchResults) { + $RootProperties = $AuditRecord | Select-Object * -ExcludeProperty auditData + $Data = $AuditRecord.auditData | Select-Object *, CIPPAction, CIPPClause, CIPPGeoLocation, CIPPBadRepIP, CIPPHostedIP, CIPPIPDetected, CIPPLocationInfo, CIPPExtendedProperties, CIPPDeviceProperties, CIPPParameters, CIPPModifiedProperties, AuditRecord -ErrorAction SilentlyContinue try { if ($Data.ExtendedProperties) { $Data.CIPPExtendedProperties = ($Data.ExtendedProperties | ConvertTo-Json) @@ -134,6 +129,7 @@ function Test-CIPPAuditLogRules { $Data.CIPPHostedIP = $hosting $Data.CIPPIPDetected = $IP $Data.CIPPLocationInfo = ($Location | ConvertTo-Json) + $Data.AuditRecord = ($AuditRecord | ConvertTo-Json) } $Data | Select-Object * -ExcludeProperty ExtendedProperties, DeviceProperties, parameters } catch { From 5c47a0fa9e161dcb756a4562acf40ae54c03bd76 Mon Sep 17 00:00:00 2001 
From: John Duprey Date: Wed, 2 Oct 2024 21:50:20 -0400 Subject: [PATCH 6/7] Update Get-CIPPTimerFunctions.ps1 --- Modules/CIPPCore/Public/Get-CIPPTimerFunctions.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Modules/CIPPCore/Public/Get-CIPPTimerFunctions.ps1 b/Modules/CIPPCore/Public/Get-CIPPTimerFunctions.ps1 index 8454a21e7b48..99bea5b3cd84 100644 --- a/Modules/CIPPCore/Public/Get-CIPPTimerFunctions.ps1 +++ b/Modules/CIPPCore/Public/Get-CIPPTimerFunctions.ps1 @@ -96,7 +96,7 @@ function Get-CIPPTimerFunctions { } Add-CIPPAzDataTableEntity @Table -Entity $Status } else { - if ($Orchestrator.IsSystem -or $ResetToDefault.IsPresent) { + if ($Orchestrator.IsSystem -eq $true -or $ResetToDefault.IsPresent) { $Status.Cron = $CronString } $Status.NextOccurrence = $NextOccurrence.ToUniversalTime() From 8d27543c7c656160a664da8f4ce45bc4201b28f1 Mon Sep 17 00:00:00 2001 From: John Duprey Date: Wed, 2 Oct 2024 23:25:19 -0400 Subject: [PATCH 7/7] Update Test-CIPPAuditLogRules.ps1 --- Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 b/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 index db024dcbee24..0e300cbac49d 100644 --- a/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 +++ b/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 @@ -36,7 +36,7 @@ function Test-CIPPAuditLogRules { } Write-Information 'Getting audit records from Graph API' $SearchResults = Get-CippAuditLogSearchResults -TenantFilter $TenantFilter -QueryId $SearchId - $LogCount = ($Data | Measure-Object).Count + $LogCount = ($SearchResults | Measure-Object).Count Write-Information "Logs to process: $LogCount" $Results.TotalLogs = $LogCount if ($LogCount -gt 0) { 
@@ -129,7 +129,7 @@ function Test-CIPPAuditLogRules { $Data.CIPPHostedIP = $hosting $Data.CIPPIPDetected = $IP $Data.CIPPLocationInfo = ($Location | ConvertTo-Json) - $Data.AuditRecord = ($AuditRecord | ConvertTo-Json) + $Data.AuditRecord = ($RootProperties | ConvertTo-Json) } $Data | Select-Object * -ExcludeProperty ExtendedProperties, DeviceProperties, parameters } catch {
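Review bot: `ConvertTo-Json` is called without `-Depth` on the changed line, so the serialized record is cut at the default depth of 2 and anything nested deeper is flattened to a string. `$RootProperties` excludes `auditData`, so the object is probably shallow today, but Invoke-CippWebhookProcessing parses this string back with `ConvertFrom-Json` and stores it with the alert, so a silent truncation would be hard to notice later. Suggest `$Data.AuditRecord = ($RootProperties | ConvertTo-Json -Depth 10 -Compress)`. The enclosing `foreach` and `try` start and end outside the hunk.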