Feat: add MDO/Email & collaboration alerts API

kris6673 · kris6673 · commit 53248f3709eb · 2025-08-30T20:16:50.000+02:00
simpler

Refactor API request in Invoke-ExecOffice365AlertsList to simplify URI construction

Add Invoke-ExecSetOffice365Alert function

add AllTenants support

rename to MDO
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecMdoAlertsListAllTenants.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Push-ExecMdoAlertsListAllTenants.ps1
@@ -0,0 +1,48 @@
+function Push-ExecMdoAlertsListAllTenants {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    #>
+    param($Item)
+
+    $Tenant = Get-Tenants -TenantFilter $Item.customerId
+    $domainName = $Tenant.defaultDomainName
+    $Table = Get-CIPPTable -TableName 'cachealertsandincidents'
+
+    try {
+        # Get MDO alerts using the specific endpoint and filter
+        $Alerts = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/security/alerts_v2?`$filter=serviceSource eq 'microsoftDefenderForOffice365'" -tenantid $domainName
+
+        foreach ($Alert in $Alerts) {
+            $GUID = (New-Guid).Guid
+            $GraphRequest = @{
+                MdoAlert     = [string]($Alert | ConvertTo-Json -Depth 10)
+                RowKey       = [string]$GUID
+                PartitionKey = 'MdoAlert'
+                Tenant       = [string]$domainName
+            }
+            Add-CIPPAzDataTableEntity @Table -Entity $GraphRequest -Force | Out-Null
+        }
+
+    } catch {
+        $GUID = (New-Guid).Guid
+        $AlertText = ConvertTo-Json -InputObject @{
+            Tenant          = $domainName
+            displayName     = "Could not connect to Tenant: $($_.Exception.Message)"
+            id              = ''
+            severity        = 'CIPP'
+            status          = 'Failed'
+            createdDateTime = (Get-Date).ToString('s')
+            category        = 'Unknown'
+            description     = 'Could not connect'
+            serviceSource   = 'microsoftDefenderForOffice365'
+        }
+        $GraphRequest = @{
+            MdoAlert     = [string]$AlertText
+            RowKey       = [string]$GUID
+            PartitionKey = 'MdoAlert'
+            Tenant       = [string]$domainName
+        }
+        Add-CIPPAzDataTableEntity @Table -Entity $GraphRequest -Force | Out-Null
+    }
+}
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Security/Invoke-ExecMdoAlertsList.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Security/Invoke-ExecMdoAlertsList.ps1
@@ -0,0 +1,84 @@
+using namespace System.Net
+
+function Invoke-ExecMDOAlertsList {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Security.Alert.Read
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $Request.Params.CIPPEndpoint
+    $Headers = $Request.Headers
+    Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
+
+    # Interact with query parameters or the body of the request.
+    $TenantFilter = $Request.Query.tenantFilter
+
+    try {
+        $GraphRequest = if ($TenantFilter -ne 'AllTenants') {
+            # Single tenant functionality
+            New-GraphGetRequest -uri "https://graph.microsoft.com/beta/security/alerts_v2?`$filter=serviceSource eq 'microsoftDefenderForOffice365'" -tenantid $TenantFilter
+        } else {
+            # AllTenants functionality
+            $Table = Get-CIPPTable -TableName cachealertsandincidents
+            $PartitionKey = 'MdoAlert'
+            $Filter = "PartitionKey eq '$PartitionKey'"
+            $Rows = Get-CIPPAzDataTableEntity @Table -filter $Filter | Where-Object -Property Timestamp -GT (Get-Date).AddMinutes(-30)
+            $QueueReference = '{0}-{1}' -f $TenantFilter, $PartitionKey
+            $RunningQueue = Invoke-ListCippQueue -Reference $QueueReference | Where-Object { $_.Status -notmatch 'Completed' -and $_.Status -notmatch 'Failed' }
+            # If a queue is running, we will not start a new one
+            if ($RunningQueue) {
+                $Metadata = [PSCustomObject]@{
+                    QueueMessage = 'Still loading data for all tenants. Please check back in a few more minutes'
+                    QueueId      = $RunningQueue.RowKey
+                }
+            } elseif (!$Rows -and !$RunningQueue) {
+                # If no rows are found and no queue is running, we will start a new one
+                $TenantList = Get-Tenants -IncludeErrors
+                $Queue = New-CippQueueEntry -Name 'MDO Alerts - All Tenants' -Link '/security/reports/mdo-alerts?customerId=AllTenants' -Reference $QueueReference -TotalTasks ($TenantList | Measure-Object).Count
+                $Metadata = [PSCustomObject]@{
+                    QueueMessage = 'Loading data for all tenants. Please check back in a few minutes'
+                    QueueId      = $Queue.RowKey
+                }
+                $InputObject = [PSCustomObject]@{
+                    OrchestratorName = 'MdoAlertsOrchestrator'
+                    QueueFunction    = @{
+                        FunctionName = 'GetTenants'
+                        QueueId      = $Queue.RowKey
+                        TenantParams = @{
+                            IncludeErrors = $true
+                        }
+                        DurableName  = 'ExecMdoAlertsListAllTenants'
+                    }
+                    SkipLog          = $true
+                }
+                Start-NewOrchestration -FunctionName 'CIPPOrchestrator' -InputObject ($InputObject | ConvertTo-Json -Depth 5 -Compress) | Out-Null
+            } else {
+                $Metadata = [PSCustomObject]@{
+                    QueueId = $RunningQueue.RowKey ?? $null
+                }
+                $Alerts = $Rows
+                foreach ($alert in $Alerts) {
+                    ConvertFrom-Json -InputObject $alert.MdoAlert -Depth 10
+                }
+            }
+        }
+    } catch {
+        $Body = Get-NormalizedError -Message $_.Exception.Message
+        $StatusCode = [HttpStatusCode]::Forbidden
+    }
+    if (!$Body) {
+        $StatusCode = [HttpStatusCode]::OK
+        $Body = [PSCustomObject]@{
+            Results  = @($GraphRequest)
+            Metadata = $Metadata
+        }
+    }
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = $StatusCode
+            Body       = $Body
+        })
+}
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Security/Invoke-ExecSetMdoAlert.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Security/Invoke-ExecSetMdoAlert.ps1
@@ -0,0 +1,74 @@
+using namespace System.Net
+
+function Invoke-ExecSetMdoAlert {
+    <#
+    .FUNCTIONALITY
+        Entrypoint
+    .ROLE
+        Security.Incident.ReadWrite
+    #>
+    [CmdletBinding()]
+    param($Request, $TriggerMetadata)
+
+    $APIName = $Request.Params.CIPPEndpoint
+    $Headers = $Request.Headers
+    Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
+
+    # Interact with query parameters or the body of the request.
+    $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter
+    $AlertId = $Request.Query.GUID ?? $Request.Body.GUID
+    $Status = $Request.Query.Status ?? $Request.Body.Status
+    $Assigned = $Request.Query.Assigned ?? $Request.Body.Assigned ?? ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Headers.'x-ms-client-principal')) | ConvertFrom-Json).userDetails
+    $Classification = $Request.Query.Classification ?? $Request.Body.Classification
+    $Determination = $Request.Query.Determination ?? $Request.Body.Determination
+    $Result = ''
+    $AssignBody = @{}
+
+    try {
+        # Set received status
+        if ($null -ne $Status) {
+            $AssignBody.status = $Status
+            $Result += 'Set status for incident ' + $AlertId + ' to ' + $Status
+        }
+
+        # Set received classification and determination
+        if ($null -ne $Classification) {
+            if ($null -eq $Determination) {
+                # Maybe some poindexter tries to send a classification without a determination
+                throw
+            }
+
+            $AssignBody.classification = $Classification
+            $AssignBody.determination = $Determination
+            $Result += 'Set classification & determination for incident ' + $AlertId + ' to ' + $Classification + ' ' + $Determination
+        }
+
+        # Set received assignee
+        if ($null -ne $Assigned) {
+            $AssignBody.assignedTo = $Assigned
+            if ($null -eq $Status) {
+                $Result += 'Set assigned for incident ' + $AlertId + ' to ' + $Assigned
+            }
+        }
+
+        # Convert hashtable to JSON
+        $AssignBodyJson = $AssignBody | ConvertTo-Json -Compress
+
+        $null = New-GraphPOSTRequest -uri "https://graph.microsoft.com/beta/security/alerts_v2/$AlertId" -type PATCH -tenantid $TenantFilter -body $AssignBodyJson -asApp $true
+        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Result -Sev 'Info'
+
+        $StatusCode = [HttpStatusCode]::OK
+    } catch {
+        $ErrorMessage = Get-CippException -Exception $_
+        $Result = "Failed to update incident $AlertId : $($ErrorMessage.NormalizedError)"
+        Write-LogMessage -headers $Headers -API $APIName -tenant $TenantFilter -message $Result -Sev 'Error' -LogData $ErrorMessage
+        $StatusCode = [HttpStatusCode]::InternalServerError
+    }
+
+    # Associate values to output bindings by calling 'Push-OutputBinding'.
+    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+            StatusCode = $StatusCode
+            Body       = @{'Results' = $Result }
+        })
+
+}
