Merge pull request #462 from KelvinTegelaar/dev

pull[bot] · web-flow · commit 35f2e10129d7 · 2025-09-22T18:41:23.000Z
[pull] dev from KelvinTegelaar:dev
diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewRiskyUsers.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewRiskyUsers.ps1
@@ -4,7 +4,7 @@ function Get-CIPPAlertNewRiskyUsers {
         Entrypoint
     #>
     [CmdletBinding()]
-    Param (
+    param (
         [Parameter(Mandatory = $false)]
         [Alias('input')]
         $TenantFilter
@@ -13,17 +13,17 @@ function Get-CIPPAlertNewRiskyUsers {
     try {
         # Check if tenant has P2 capabilities
         $Capabilities = Get-CIPPTenantCapabilities -TenantFilter $TenantFilter
-        if (-not $Capabilities.AADPremiumService) {
+        if (-not ($Capabilities.AAD_PREMIUM_P2 -eq $true)) {
             Write-AlertMessage -tenant $($TenantFilter) -message 'Tenant does not have Azure AD Premium P2 licensing required for risky users detection'
             return
         }
 
         $Filter = "PartitionKey eq 'RiskyUsersDelta' and RowKey eq '{0}'" -f $TenantFilter
         $RiskyUsersDelta = (Get-CIPPAzDataTableEntity @Deltatable -Filter $Filter).delta | ConvertFrom-Json -ErrorAction SilentlyContinue
-        
+
         # Get current risky users with more detailed information
         $NewDelta = (New-GraphGetRequest -uri 'https://graph.microsoft.com/v1.0/identityProtection/riskyUsers' -tenantid $TenantFilter) | Select-Object userPrincipalName, riskLevel, riskState, riskDetail, riskLastUpdatedDateTime, isProcessing, history
-        
+
         $NewDeltatoSave = $NewDelta | ConvertTo-Json -Depth 10 -Compress -ErrorAction SilentlyContinue | Out-String
         $DeltaEntity = @{
             PartitionKey = 'RiskyUsersDelta'
@@ -33,25 +33,24 @@ function Get-CIPPAlertNewRiskyUsers {
         Add-CIPPAzDataTableEntity @DeltaTable -Entity $DeltaEntity -Force
 
         if ($RiskyUsersDelta) {
-            $AlertData = $NewDelta | Where-Object { 
-                $_.userPrincipalName -notin $RiskyUsersDelta.userPrincipalName 
+            $AlertData = $NewDelta | Where-Object {
+                $_.userPrincipalName -notin $RiskyUsersDelta.userPrincipalName
             } | ForEach-Object {
                 $riskHistory = if ($_.history) {
                     $latestHistory = $_.history | Sort-Object -Property riskLastUpdatedDateTime -Descending | Select-Object -First 1
                     "Previous Risk Level: $($latestHistory.riskLevel), Last Updated: $($latestHistory.riskLastUpdatedDateTime)"
-                }
-                else {
+                } else {
                     'No previous risk history'
                 }
-                
+
                 # Map risk level to severity
                 $severity = switch ($_.riskLevel) {
                     'high' { 'Critical' }
                     'medium' { 'Warning' }
                     'low' { 'Info' }
                     default { 'Info' }
                 }
-                
+
                 @{
                     Message = "New risky user detected: $($_.userPrincipalName)"
                     Details = @{
@@ -65,13 +64,12 @@ function Get-CIPPAlertNewRiskyUsers {
                     }
                 }
             }
-            
+
             if ($AlertData) {
                 Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
             }
         }
-    }
-    catch {
+    } catch {
         Write-AlertMessage -tenant $($TenantFilter) -message "Could not get risky users for $($TenantFilter): $(Get-NormalizedError -message $_.Exception.message)"
     }
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-ListCheckExtAlerts.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-ListCheckExtAlerts.ps1
@@ -0,0 +1,37 @@
+using namespace System.Net
+
+function Invoke-ListCheckExtAlerts {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        CIPP.Core.Read
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $Request.Params.CIPPEndpoint
+    $Headers = $Request.Headers
+
+    $TenantFilter = $Request.Query.tenantFilter
+    $Table = Get-CIPPTable -tablename CheckExtensionAlerts
+
+    if ($TenantFilter -and $TenantFilter -ne 'AllTenants') {
+        $Filter = "PartitionKey eq '$TenantFilter'"
+    } else {
+        $Filter = $null
+    }
+
+    try {
+        $Alerts = Get-CIPPAzDataTableEntity @Table -Filter $Filter
+    } catch {
+        Write-LogMessage -headers $Headers -API $APIName -message "Failed to retrieve check extension alerts: $($_.Exception.Message)" -Sev 'Error'
+        $Alerts = @()
+    }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = [HttpStatusCode]::OK
+            Body       = @($Alerts | Sort-Object -Property Timestamp -Descending)
+        })
+}
diff --git a/Modules/CIPPCore/Public/Entrypoints/Invoke-PublicPhishingCheck.ps1 b/Modules/CIPPCore/Public/Entrypoints/Invoke-PublicPhishingCheck.ps1
@@ -17,10 +17,27 @@ function Invoke-PublicPhishingCheck {
     if ($Request.body.Cloned -and $Tenant.customerId -eq $Request.body.TenantId) {
         Write-AlertMessage -message $Request.body.AlertMessage -sev 'Alert' -tenant $Request.body.TenantId
     } elseif ($Request.Body.source -and $Tenant) {
+        $table = Get-CIPPTable -tablename CheckExtensionAlerts
         $Message = "Alert received from $($Request.Body.source) for $($Request.body.TenantId)"
-        Write-Information ($Request.Body | ConvertTo-Json)
-        Write-AlertTrace -cmdletName 'CheckExtentionAlert' -tenantFilter $Tenant -data $Request.body
-        Write-AlertMessage -message $Message -sev 'Alert' -tenant $Tenant.customerId -LogData $Request.body
+        $ID = (New-Guid).GUID
+        $TableBody = @{
+            RowKey                   = "$ID"
+            PartitionKey             = [string]$Tenant.defaultDomainName
+            tenantFilter             = [string]$Tenant.defaultDomainName
+            message                  = [string]$Message
+            type                     = [string]$request.body.type
+            url                      = [string]$request.body.url
+            reason                   = [string]$request.body.reason
+            score                    = [string]$request.body.score
+            threshold                = [string]$request.body.threshold
+            potentialUserName        = [string]$request.body.userEmail
+            potentialUserDisplayName = [string]$request.body.userDisplayName
+            reportedByIP             = [string]$Request.headers.'x-forwarded-for'
+            rawBody                  = "$($Request.body | ConvertTo-Json)"
+        }
+        $null = Add-CIPPAzDataTableEntity @table -Entity $TableBody -Force
+        Write-AlertTrace -cmdletName 'CheckExtentionAlert' -tenantFilter $Tenant.defaultDomainName -data $TableBody
+        #Write-AlertMessage -message $Message -sev 'Alert' -tenant $Tenant.customerId -LogData $Request.body
     }
 
     # Associate values to output bindings by calling 'Push-OutputBinding'.
