Feat: Refactor alerts to return complex objects with more data for easier filtering.

Feat: Add Tenant property to all alerts

Author: kris6673

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertAppleTerms.ps1

@@ -4,7 +4,7 @@ function Get-CIPPAlertAppleTerms {
         Entrypoint
     #>
     [CmdletBinding()]
-    Param (
+    param (
         [Parameter(Mandatory = $false)]
         [Alias('input')]
         $InputValue,
@@ -18,13 +18,23 @@ function Get-CIPPAlertAppleTerms {
     # 4 = Warning
 
     try {
-        $appleterms = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings" -tenantid $TenantFilter
+        Write-Host "Checking Apple Terms for $($TenantFilter)"
+        $AppleTerms = New-GraphGetRequest -uri 'https://graph.microsoft.com/beta/deviceManagement/depOnboardingSettings' -tenantid $TenantFilter
     } catch {
         return
     }
 
-    if ($appleterms.lastSyncErrorCode -eq 3) {
-        $AlertData = "New Apple Business Manager terms are ready to accept."
+    if ($AppleTerms.lastSyncErrorCode -eq 3) {
+        $AlertData = [PSCustomObject]@{
+            Message                    = 'New Apple Business Manager terms are ready to accept.'
+            AppleIdentifier            = $AppleTerms.appleIdentifier
+            TokenName                  = $AppleTerms.tokenName
+            TokenExpirationDateTime    = $AppleTerms.tokenExpirationDateTime
+            LastSyncErrorCode          = $AppleTerms.lastSyncErrorCode
+            LastSuccessfulSyncDateTime = $AppleTerms.lastSuccessfulSyncDateTime
+            LastSyncTriggeredDateTime  = $AppleTerms.lastSyncTriggeredDateTime
+            Tenant                     = $TenantFilter
+        }
         Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
     }
 }

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDefenderMalware.ps1

@@ -14,7 +14,18 @@ function Get-CIPPAlertDefenderMalware {
     try {
         $TenantId = (Get-Tenants | Where-Object -Property defaultDomainName -EQ $TenantFilter).customerId
         $AlertData = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/tenantRelationships/managedTenants/windowsDeviceMalwareStates?`$top=999&`$filter=tenantId eq '$($TenantId)'" | Where-Object { $_.malwareThreatState -eq 'Active' } | ForEach-Object {
-            "$($_.managedDeviceName): Malware found and active. Severity: $($_.MalwareSeverity). Malware name: $($_.MalwareDisplayName)"
+            [PSCustomObject]@{
+                DeviceName               = $_.managedDeviceName
+                MalwareName              = $_.malwareDisplayName
+                MalwareSeverity          = $_.malwareSeverity
+                ThreatState              = $_.malwareThreatState
+                AdditionalInformationUrl = $_.additionalInformationUrl
+                InitialDetectionDateTime = $_.initialDetectionDateTime
+                LastStateChangeDateTime  = $_.lastStateChangeDateTime
+                DetectionCount           = $_.detectionCount
+                Tenant                   = $TenantFilter
+                TenantId                 = $_.tenantId
+            }
         }
         Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
 

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertDefenderStatus.ps1

@@ -13,7 +13,18 @@ function Get-CIPPAlertDefenderStatus {
     try {
         $TenantId = (Get-Tenants | Where-Object -Property defaultDomainName -EQ $TenantFilter).customerId
         $AlertData = New-GraphGetRequest -uri "https://graph.microsoft.com/beta/tenantRelationships/managedTenants/windowsProtectionStates?`$top=999&`$filter=tenantId eq '$($TenantId)'" | Where-Object { $_.realTimeProtectionEnabled -eq $false -or $_.MalwareprotectionEnabled -eq $false } | ForEach-Object {
-            "$($_.managedDeviceName) - Real Time Protection: $($_.realTimeProtectionEnabled) & Malware Protection: $($_.MalwareprotectionEnabled)"
+            [PSCustomObject]@{
+                ManagedDeviceName              = $_.managedDeviceName
+                RealTimeProtectionEnabled      = $_.realTimeProtectionEnabled
+                MalwareProtectionEnabled       = $_.malwareProtectionEnabled
+                NetworkInspectionSystemEnabled = $_.networkInspectionSystemEnabled
+                ManagedDeviceHealthState       = $_.managedDeviceHealthState
+                AttentionRequired              = $_.attentionRequired
+                LastSyncDateTime               = $_.lastSyncDateTime
+                OsVersion                      = $_.osVersion
+                Tenant                         = $TenantFilter
+                TenantId                       = $_.tenantId
+            }
         }
         Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
 

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertGlobalAdminNoAltEmail.ps1

@@ -4,7 +4,7 @@ function Get-CIPPAlertGlobalAdminNoAltEmail {
         Entrypoint
     #>
     [CmdletBinding()]
-    Param (
+    param (
         [Parameter(Mandatory = $false)]
         [Alias('input')]
         $InputValue,
@@ -22,7 +22,14 @@ function Get-CIPPAlertGlobalAdminNoAltEmail {
         }
 
         if ($adminsWithoutAltEmail.Count -gt 0) {
-            $AlertData = "The following Global Admin accounts do not have an alternate email address set: $($adminsWithoutAltEmail.userPrincipalName -join ', ')"
+            $AlertData = foreach ($admin in $adminsWithoutAltEmail) {
+                [PSCustomObject]@{
+                    DisplayName       = $admin.displayName
+                    UserPrincipalName = $admin.userPrincipalName
+                    Id                = $admin.id
+                    Tenant            = $TenantFilter
+                }
+            }
             Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
         }
     } catch {

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertHuntressRogueApps.ps1

@@ -10,7 +10,7 @@ function Get-CIPPAlertHuntressRogueApps {
         https://huntresslabs.github.io/rogueapps/
     #>
     [CmdletBinding()]
-    Param (
+    param (
         [Parameter(Mandatory = $false)]
         [Alias('input')]
         $InputValue,

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertInactiveLicensedUsers.ps1

@@ -4,7 +4,7 @@ function Get-CIPPAlertInactiveLicensedUsers {
         Entrypoint
     #>
     [CmdletBinding()]
-    Param (
+    param (
         [Parameter(Mandatory = $false)]
         [Alias('input')]
         $InputValue,
@@ -18,7 +18,7 @@ function Get-CIPPAlertInactiveLicensedUsers {
             $Lookup = (Get-Date).AddDays(-90).ToUniversalTime()
 
             # Build base filter - cannot filter assignedLicenses server-side
-            $BaseFilter = if ($InputValue -eq $true) { "accountEnabled eq true" } else { "" }
+            $BaseFilter = if ($InputValue -eq $true) { 'accountEnabled eq true' } else { '' }
 
             $Uri = if ($BaseFilter) {
                 "https://graph.microsoft.com/beta/users?`$filter=$BaseFilter&`$select=id,UserPrincipalName,signInActivity,mail,userType,accountEnabled,assignedLicenses"
@@ -56,7 +56,13 @@ function Get-CIPPAlertInactiveLicensedUsers {
                         $Message = 'User {0} has been inactive for {1} days but still has a license assigned. Last sign-in: {2}' -f $user.UserPrincipalName, $daysSinceSignIn, $lastSignIn
                     }
 
-                    $user | Select-Object -Property UserPrincipalName, signInActivity, @{Name = 'Message'; Expression = { $Message } }
+                    [PSCustomObject]@{
+                        UserPrincipalName = $user.UserPrincipalName
+                        Id                = $user.id
+                        lastSignIn        = $lastSignIn
+                        Message           = $Message
+                        Tenant            = $TenantFilter
+                    }
                 }
             }
 

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertLicenseAssignmentErrors.ps1

@@ -4,7 +4,7 @@ function Get-CIPPAlertLicenseAssignmentErrors {
         Entrypoint
     #>
     [CmdletBinding()]
-    Param (
+    param (
         [Parameter(Mandatory)]
         $TenantFilter,
         [Alias('input')]
@@ -14,24 +14,24 @@ function Get-CIPPAlertLicenseAssignmentErrors {
     # Define error code translations for human-readable messages
     $ErrorTranslations = @(
         @{
-            ErrorCode = "CountViolation"
-            Description = "Not enough licenses available - the organization has exceeded the number of available licenses for this SKU"
+            ErrorCode   = 'CountViolation'
+            Description = 'Not enough licenses available - the organization has exceeded the number of available licenses for this SKU'
         },
         @{
-            ErrorCode = "MutuallyExclusiveViolation"
-            Description = "Conflicting licenses assigned - this license cannot be assigned alongside another license the user already has"
+            ErrorCode   = 'MutuallyExclusiveViolation'
+            Description = 'Conflicting licenses assigned - this license cannot be assigned alongside another license the user already has'
         },
         @{
-            ErrorCode = "ProhibitedInUsageLocationViolation"
+            ErrorCode   = 'ProhibitedInUsageLocationViolation'
             Description = "License not available in user's location - this license cannot be assigned to users in the user's current usage location"
         },
         @{
-            ErrorCode = "UniquenessViolation"
-            Description = "Duplicate license assignment - this license can only be assigned once per user"
+            ErrorCode   = 'UniquenessViolation'
+            Description = 'Duplicate license assignment - this license can only be assigned once per user'
         },
         @{
-            ErrorCode = "Unknown"
-            Description = "Unknown license assignment error - an unspecified error occurred during license assignment"
+            ErrorCode   = 'Unknown'
+            Description = 'Unknown license assignment error - an unspecified error occurred during license assignment'
         }
     )
 
@@ -44,11 +44,11 @@ function Get-CIPPAlertLicenseAssignmentErrors {
             $_.licenseAssignmentStates -and
             ($_.licenseAssignmentStates | Where-Object {
                 $_.error -and (
-                    $_.error -like "*CountViolation*" -or
-                    $_.error -like "*MutuallyExclusiveViolation*" -or
-                    $_.error -like "*ProhibitedInUsageLocationViolation*" -or
-                    $_.error -like "*UniquenessViolation*" -or
-                    $_.error -like "*Unknown*"
+                    $_.error -like '*CountViolation*' -or
+                    $_.error -like '*MutuallyExclusiveViolation*' -or
+                    $_.error -like '*ProhibitedInUsageLocationViolation*' -or
+                    $_.error -like '*UniquenessViolation*' -or
+                    $_.error -like '*Unknown*'
                 )
             })
         }
@@ -57,11 +57,11 @@ function Get-CIPPAlertLicenseAssignmentErrors {
         $LicenseAssignmentErrors = foreach ($User in $UsersWithViolations) {
             $ViolationErrors = $User.licenseAssignmentStates | Where-Object {
                 $_.error -and (
-                    $_.error -like "*CountViolation*" -or
-                    $_.error -like "*MutuallyExclusiveViolation*" -or
-                    $_.error -like "*ProhibitedInUsageLocationViolation*" -or
-                    $_.error -like "*UniquenessViolation*" -or
-                    $_.error -like "*Unknown*"
+                    $_.error -like '*CountViolation*' -or
+                    $_.error -like '*MutuallyExclusiveViolation*' -or
+                    $_.error -like '*ProhibitedInUsageLocationViolation*' -or
+                    $_.error -like '*UniquenessViolation*' -or
+                    $_.error -like '*Unknown*'
                 )
             }
 
@@ -74,9 +74,19 @@ function Get-CIPPAlertLicenseAssignmentErrors {
                     "Unknown license assignment error: $($Violation.error)"
                 }
 
-                $PrettyName = Convert-SKUname -skuID $Violation.skuId
+                $PrettyName = Convert-SKUname -SkuID $Violation.skuId
 
-                "$($User.userPrincipalName): $HumanReadableError (License: $PrettyName)"
+                $Message = "$($User.userPrincipalName): $HumanReadableError (License: $PrettyName)"
+                [PSCustomObject]@{
+                    Message           = $Message
+                    UserPrincipalName = $User.userPrincipalName
+                    Error             = $HumanReadableError
+                    LicenseName       = $PrettyName
+                    SkuId             = $Violation.skuId
+                    DisplayName       = $User.displayName
+                    Id                = $User.id
+                    Tenant            = $TenantFilter
+                }
             }
         }
 

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertLowDomainScore.ps1

@@ -4,7 +4,7 @@ function Get-CIPPAlertLowDomainScore {
         Entrypoint
     #>
     [CmdletBinding()]
-    Param (
+    param (
         [Parameter(Mandatory)]
         $TenantFilter,
         [Alias('input')]
@@ -13,10 +13,14 @@ function Get-CIPPAlertLowDomainScore {
     )
 
     $DomainData = Get-CIPPDomainAnalyser -TenantFilter $TenantFilter
-    $LowScoreDomains = $DomainData | Where-Object {
-        $_.ScorePercentage -lt $InputValue -and $_.ScorePercentage -ne ''
-    } | ForEach-Object {
-        "$($_.Domain): Domain security score is $($_.ScorePercentage)%, which is below the threshold of $InputValue%. Issues: $($_.ScoreExplanation)"
+    $LowScoreDomains = $DomainData | Where-Object { $_.ScorePercentage -lt $InputValue -and $_.ScorePercentage -ne '' } | ForEach-Object {
+        [PSCustomObject]@{
+            Message          = "$($_.Domain): Domain security score is $($_.ScorePercentage)%, which is below the threshold of $InputValue%. Issues: $($_.ScoreExplanation)"
+            Domain           = $_.Domain
+            ScorePercentage  = $_.ScorePercentage
+            ScoreExplanation = $_.ScoreExplanation
+            Tenant           = $TenantFilter
+        }
     }
 
     if ($LowScoreDomains) {

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertMFAAdmins.ps1

@@ -4,7 +4,7 @@ function Get-CIPPAlertMFAAdmins {
         Entrypoint
     #>
     [CmdletBinding()]
-    Param (
+    param (
         [Parameter(Mandatory = $false)]
         [Alias('input')]
         $InputValue,
@@ -18,9 +18,20 @@ function Get-CIPPAlertMFAAdmins {
             }
         }
         if (!$DuoActive) {
-            $users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true | Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
-            if ($users.UserPrincipalName) {
-                $AlertData = "The following admins do not have MFA registered: $($users.UserPrincipalName -join ', ')"
+            $Users = New-GraphGETRequest -uri "https://graph.microsoft.com/beta/reports/authenticationMethods/userRegistrationDetails?`$top=999&filter=IsAdmin eq true and isMfaRegistered eq false and userType eq 'member'&`$select=id,userDisplayName,userPrincipalName,lastUpdatedDateTime,isMfaRegistered,IsAdmin" -tenantid $($TenantFilter) -AsApp $true |
+                Where-Object { $_.userDisplayName -ne 'On-Premises Directory Synchronization Service Account' }
+            if ($Users.UserPrincipalName) {
+                $AlertData = foreach ($user in $Users) {
+                    [PSCustomObject]@{
+                        Message           = "Admin user $($user.userDisplayName) ($($user.userPrincipalName)) does not have MFA registered."
+                        UserPrincipalName = $user.userPrincipalName
+                        DisplayName       = $user.userDisplayName
+                        Id                = $user.id
+                        LastUpdated       = $user.lastUpdatedDateTime
+                        Tenant            = $TenantFilter
+                    }
+                }
+
                 Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData
 
             }

Modules/CIPPCore/Public/Alerts/Get-CIPPAlertNewRiskyUsers.ps1

@@ -33,35 +33,34 @@ function Get-CIPPAlertNewRiskyUsers {
         Add-CIPPAzDataTableEntity @DeltaTable -Entity $DeltaEntity -Force
 
         if ($RiskyUsersDelta) {
-            $AlertData = $NewDelta | Where-Object {
-                $_.userPrincipalName -notin $RiskyUsersDelta.userPrincipalName
-            } | ForEach-Object {
-                $riskHistory = if ($_.history) {
+            $AlertData = $NewDelta | Where-Object { $_.userPrincipalName -notin $RiskyUsersDelta.userPrincipalName } | ForEach-Object {
+                $RiskHistory = if ($_.history) {
                     $latestHistory = $_.history | Sort-Object -Property riskLastUpdatedDateTime -Descending | Select-Object -First 1
                     "Previous Risk Level: $($latestHistory.riskLevel), Last Updated: $($latestHistory.riskLastUpdatedDateTime)"
                 } else {
                     'No previous risk history'
                 }
 
                 # Map risk level to severity
-                $severity = switch ($_.riskLevel) {
+                $Severity = switch ($_.riskLevel) {
                     'high' { 'Critical' }
                     'medium' { 'Warning' }
                     'low' { 'Info' }
                     default { 'Info' }
                 }
 
-                @{
+                [PSCustomObject]@{
                     Message = "New risky user detected: $($_.userPrincipalName)"
                     Details = @{
                         RiskLevel    = $_.riskLevel
                         RiskState    = $_.riskState
                         RiskDetail   = $_.riskDetail
                         LastUpdated  = $_.riskLastUpdatedDateTime
                         IsProcessing = $_.isProcessing
-                        RiskHistory  = $riskHistory
-                        Severity     = $severity
+                        RiskHistory  = $RiskHistory
+                        Severity     = $Severity
                     }
+                    Tenant  = $TenantFilter
                 }
             }