Merge pull request #382 from KelvinTegelaar/dev

pull[bot] · web-flow · commit 9113bf17952d · 2025-07-26T00:41:07.000Z
[pull] dev from KelvinTegelaar:dev
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogTenantDownload.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogTenantDownload.ps1
@@ -1,6 +1,5 @@
 function Push-AuditLogTenantDownload {
-    Param($Item)
-    $ConfigTable = Get-CippTable -TableName 'WebhookRules'
+    param($Item)
     $TenantFilter = $Item.TenantFilter
 
     try {
@@ -37,47 +36,43 @@ function Push-AuditLogTenantDownload {
             } else { $CIPPURL = 'https://{0}' -f $CippConfig.Value }
         }
 
-        # Get webhook rules
-        $ConfigEntries = Get-CIPPAzDataTableEntity @ConfigTable
         $LogSearchesTable = Get-CippTable -TableName 'AuditLogSearches'
 
-        $Configuration = $ConfigEntries | Where-Object { ($_.Tenants -match $TenantFilter -or $_.Tenants -match 'AllTenants') }
-        if ($Configuration) {
-            try {
-                $LogSearches = Get-CippAuditLogSearches -TenantFilter $TenantFilter -ReadyToProcess | Select-Object -First 10
-                Write-Information ('Audit Logs: Found {0} searches, begin downloading' -f $LogSearches.Count)
-                foreach ($Search in $LogSearches) {
-                    $SearchEntity = Get-CIPPAzDataTableEntity @LogSearchesTable -Filter "Tenant eq '$($TenantFilter)' and RowKey eq '$($Search.id)'"
-                    $SearchEntity.CippStatus = 'Processing'
-                    Add-CIPPAzDataTableEntity @LogSearchesTable -Entity $SearchEntity -Force
-                    try {
-                        Write-Information "Audit Log search: Processing search ID: $($Search.id) for tenant: $TenantFilter"
-                        $Downloads = New-CIPPAuditLogSearchResultsCache -TenantFilter $TenantFilter -searchId $Search.id
-                        $SearchEntity.CippStatus = 'Downloaded'
-                    } catch {
-                        if ($_.Exception.Message -match 'Request rate is large. More Request Units may be needed, so no changes were made. Please retry this request later.') {
-                            $SearchEntity.CippStatus = 'Pending'
-                            Write-Information "Audit Log search: Rate limit hit for $($SearchEntity.RowKey)."
-                            if ($SearchEntity.PSObject.Properties.Name -contains 'RetryCount') {
-                                $SearchEntity.RetryCount++
-                            } else {
-                                $SearchEntity | Add-Member -MemberType NoteProperty -Name RetryCount -Value 1
-                            }
+        try {
+            $LogSearches = Get-CippAuditLogSearches -TenantFilter $TenantFilter -ReadyToProcess | Select-Object -First 10
+            Write-Information ('Audit Logs: Found {0} searches, begin downloading' -f $LogSearches.Count)
+            foreach ($Search in $LogSearches) {
+                $SearchEntity = Get-CIPPAzDataTableEntity @LogSearchesTable -Filter "Tenant eq '$($TenantFilter)' and RowKey eq '$($Search.id)'"
+                $SearchEntity.CippStatus = 'Processing'
+                Add-CIPPAzDataTableEntity @LogSearchesTable -Entity $SearchEntity -Force
+                try {
+                    Write-Information "Audit Log search: Processing search ID: $($Search.id) for tenant: $TenantFilter"
+                    $Downloads = New-CIPPAuditLogSearchResultsCache -TenantFilter $TenantFilter -searchId $Search.id
+                    $SearchEntity.CippStatus = 'Downloaded'
+                } catch {
+                    if ($_.Exception.Message -match 'Request rate is large. More Request Units may be needed, so no changes were made. Please retry this request later.') {
+                        $SearchEntity.CippStatus = 'Pending'
+                        Write-Information "Audit Log search: Rate limit hit for $($SearchEntity.RowKey)."
+                        if ($SearchEntity.PSObject.Properties.Name -contains 'RetryCount') {
+                            $SearchEntity.RetryCount++
                         } else {
-                            $Exception = [string](ConvertTo-Json -Compress -InputObject (Get-CippException -Exception $_))
-                            $SearchEntity | Add-Member -MemberType NoteProperty -Name Error -Value $Exception
-                            $SearchEntity.CippStatus = 'Failed'
-                            Write-Information "Error processing audit log rules: $($_.Exception.Message)"
+                            $SearchEntity | Add-Member -MemberType NoteProperty -Name RetryCount -Value 1
                         }
-
+                    } else {
+                        $Exception = [string](ConvertTo-Json -Compress -InputObject (Get-CippException -Exception $_))
+                        $SearchEntity | Add-Member -MemberType NoteProperty -Name Error -Value $Exception
+                        $SearchEntity.CippStatus = 'Failed'
+                        Write-Information "Error processing audit log rules: $($_.Exception.Message)"
                     }
-                    Add-CIPPAzDataTableEntity @LogSearchesTable -Entity $SearchEntity -Force
+
                 }
-            } catch {
-                Write-Information ('Audit Log search: Error {0} line {1} - {2}' -f $_.InvocationInfo.ScriptName, $_.InvocationInfo.ScriptLineNumber, $_.Exception.Message)
-                exit 0
+                Add-CIPPAzDataTableEntity @LogSearchesTable -Entity $SearchEntity -Force
             }
+        } catch {
+            Write-Information ('Audit Log search: Error {0} line {1} - {2}' -f $_.InvocationInfo.ScriptName, $_.InvocationInfo.ScriptLineNumber, $_.Exception.Message)
+            exit 0
         }
+
     } catch {
         Write-Information ('Push-AuditLogTenant: Error {0} line {1} - {2}' -f $_.InvocationInfo.ScriptName, $_.InvocationInfo.ScriptLineNumber, $_.Exception.Message)
         exit 0
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogTenantProcess.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogTenantProcess.ps1
@@ -1,5 +1,5 @@
 function Push-AuditLogTenantProcess {
-    Param($Item)
+    param($Item)
     $TenantFilter = $Item.TenantFilter
     $RowIds = $Item.RowIds
 
@@ -20,12 +20,13 @@ function Push-AuditLogTenantProcess {
         if ($Rows.Count -gt 0) {
             Write-Information "Retrieved $($Rows.Count) rows from cache for processing"
             Test-CIPPAuditLogRules -TenantFilter $TenantFilter -Rows $Rows
-            exit 0
+            return $true
         } else {
             Write-Information 'No rows found in cache for the provided row IDs'
-            exit 0
+            return $false
         }
     } catch {
         Write-Information ('Push-AuditLogTenant: Error {0} line {1} - {2}' -f $_.InvocationInfo.ScriptName, $_.InvocationInfo.ScriptLineNumber, $_.Exception.Message)
+        return $false
     }
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Alerts/Invoke-ExecAuditLogSearch.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Alerts/Invoke-ExecAuditLogSearch.ps1
@@ -10,78 +10,123 @@ function Invoke-ExecAuditLogSearch {
 
     $APIName = $Request.Params.CIPPEndpoint
     $Headers = $Request.Headers
+    $Action = $Request.Query.Action ?? $Request.Body.Action
+
     Write-LogMessage -headers $Headers -API $APIName -message 'Accessed this API' -Sev 'Debug'
 
-    $Query = $Request.Body
-    if (!$Query.TenantFilter) {
-        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-                StatusCode = [HttpStatusCode]::BadRequest
-                Body       = 'TenantFilter is required'
-            })
-        return
-    }
-    if (!$Query.StartTime -or !$Query.EndTime) {
-        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-                StatusCode = [HttpStatusCode]::BadRequest
-                Body       = 'StartTime and EndTime are required'
-            })
-        return
-    }
+    switch ($Action) {
+        'ProcessLogs' {
+            $SearchId = $Request.Query.SearchId ?? $Request.Body.SearchId
+            $TenantFilter = $Request.Query.tenantFilter ?? $Request.Body.tenantFilter
+            if (!$SearchId) {
+                Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                        StatusCode = [HttpStatusCode]::BadRequest
+                        Body       = 'SearchId is required'
+                    })
+                return
+            }
 
-    # Convert StartTime and EndTime to DateTime from unixtime
-    if ($Query.StartTime -match '^\d+$') {
-        $Query.StartTime = [DateTime]::UnixEpoch.AddSeconds([long]$Query.StartTime)
-    } else {
-        $Query.StartTime = [DateTime]$Query.StartTime
-    }
+            $Search = New-GraphGetRequest -Uri "https://graph.microsoft.com/beta/security/auditLog/queries/$SearchId" -AsApp $true -TenantId $TenantFilter
+            Write-Information ($Search | ConvertTo-Json -Depth 10)
 
-    if ($Query.EndTime -match '^\d+$') {
-        $Query.EndTime = [DateTime]::UnixEpoch.AddSeconds([long]$Query.EndTime)
-    } else {
-        $Query.EndTime = [DateTime]$Query.EndTime
-    }
+            $Entity = [PSCustomObject]@{
+                PartitionKey = [string]'Search'
+                RowKey       = [string]$SearchId
+                Tenant       = [string]$TenantFilter
+                DisplayName  = [string]$Search.displayName
+                StartTime    = [datetime]$Search.filterStartDateTime
+                EndTime      = [datetime]$Search.filterEndDateTime
+                Query        = [string]($Search | ConvertTo-Json -Compress)
+                CippStatus   = [string]'Pending'
+            }
+            $Table = Get-CIPPTable -TableName 'AuditLogSearches'
+            Add-CIPPAzDataTableEntity @Table -Entity $Entity -Force | Out-Null
 
-    $Command = Get-Command New-CippAuditLogSearch
-    $AvailableParameters = $Command.Parameters.Keys
-    $BadProps = foreach ($Prop in $Query.PSObject.Properties.Name) {
-        if ($AvailableParameters -notcontains $Prop) {
-            $Prop
+            Write-LogMessage -headers $Headers -API $APIName -message "Queued search for processing: $($Search.displayName)" -Sev 'Info' -tenant $TenantFilter
+
+            Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                    StatusCode = [HttpStatusCode]::OK
+                    Body       = @{
+                        resultText = "Search '$($Search.displayName)' queued for processing."
+                        state      = 'success'
+                    } | ConvertTo-Json -Depth 10 -Compress
+                })
         }
-    }
-    if ($BadProps) {
-        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-                StatusCode = [HttpStatusCode]::BadRequest
-                Body       = "Invalid parameters: $($BadProps -join ', ')"
-            })
-        return
-    }
+        default {
+            $Query = $Request.Body
+            if (!$Query.TenantFilter) {
+                Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                        StatusCode = [HttpStatusCode]::BadRequest
+                        Body       = 'TenantFilter is required'
+                    })
+                return
+            }
+            if (!$Query.StartTime -or !$Query.EndTime) {
+                Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                        StatusCode = [HttpStatusCode]::BadRequest
+                        Body       = 'StartTime and EndTime are required'
+                    })
+                return
+            }
 
-    try {
-        Write-Information "Executing audit log search with parameters: $($Query | ConvertTo-Json -Depth 10)"
+            # Convert StartTime and EndTime to DateTime from unixtime
+            if ($Query.StartTime -match '^\d+$') {
+                $Query.StartTime = [DateTime]::UnixEpoch.AddSeconds([long]$Query.StartTime)
+            } else {
+                $Query.StartTime = [DateTime]$Query.StartTime
+            }
 
-        $Query = $Query | ConvertTo-Json -Depth 10 | ConvertFrom-Json -AsHashtable
-        $NewSearch = New-CippAuditLogSearch @Query
+            if ($Query.EndTime -match '^\d+$') {
+                $Query.EndTime = [DateTime]::UnixEpoch.AddSeconds([long]$Query.EndTime)
+            } else {
+                $Query.EndTime = [DateTime]$Query.EndTime
+            }
 
-        if ($NewSearch) {
-            $Results = @{
-                resultText = "Created audit log search: $($NewSearch.displayName)"
-                state      = 'success'
-                details    = $NewSearch
+            $Command = Get-Command New-CippAuditLogSearch
+            $AvailableParameters = $Command.Parameters.Keys
+            $BadProps = foreach ($Prop in $Query.PSObject.Properties.Name) {
+                if ($AvailableParameters -notcontains $Prop) {
+                    $Prop
+                }
             }
-        } else {
-            $Results = @{
-                resultText = 'Failed to initiate search'
-                state      = 'error'
+            if ($BadProps) {
+                Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                        StatusCode = [HttpStatusCode]::BadRequest
+                        Body       = "Invalid parameters: $($BadProps -join ', ')"
+                    })
+                return
+            }
+
+            try {
+                Write-Information "Executing audit log search with parameters: $($Query | ConvertTo-Json -Depth 10)"
+
+                $Query = $Query | ConvertTo-Json -Depth 10 | ConvertFrom-Json -AsHashtable
+                $NewSearch = New-CippAuditLogSearch @Query
+
+                if ($NewSearch) {
+                    Write-LogMessage -headers $Headers -API $APIName -message "Created audit log search: $($NewSearch.displayName)" -Sev 'Info' -tenant $TenantFilter
+                    $Results = @{
+                        resultText = "Created audit log search: $($NewSearch.displayName)"
+                        state      = 'success'
+                        details    = $NewSearch
+                    }
+                } else {
+                    Write-LogMessage -headers $Headers -API $APIName -message 'Failed to create audit log search' -Sev 'Error' -tenant $TenantFilter
+                    $Results = @{
+                        resultText = 'Failed to initiate search'
+                        state      = 'error'
+                    }
+                }
+                Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                        StatusCode = [HttpStatusCode]::OK
+                        Body       = $Results
+                    })
+            } catch {
+                Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
+                        StatusCode = [HttpStatusCode]::BadRequest
+                        Body       = $_.Exception.Message
+                    })
             }
         }
-        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-                StatusCode = [HttpStatusCode]::OK
-                Body       = $Results
-            })
-    } catch {
-        Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
-                StatusCode = [HttpStatusCode]::BadRequest
-                Body       = $_.Exception.Message
-            })
     }
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Alerts/Invoke-ListAuditLogSearches.ps1 b/Modules/CIPPCore/Public/Entrypoints/HTTP Functions/Tenant/Administration/Alerts/Invoke-ListAuditLogSearches.ps1
@@ -18,7 +18,6 @@ function Invoke-ListAuditLogSearches {
     $Days = $Request.Query.Days
     $Type = $Request.Query.Type
 
-
     if ($TenantFilter) {
         switch ($Type) {
             'Searches' {
diff --git a/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-AuditLogOrchestrator.ps1 b/Modules/CIPPCore/Public/Entrypoints/Orchestrator Functions/Start-AuditLogOrchestrator.ps1
@@ -16,7 +16,7 @@ function Start-AuditLogOrchestrator {
 
         if (($AuditLogSearches | Measure-Object).Count -eq 0) {
             Write-Information 'No audit log searches available'
-        } elseif (($WebhookRules | Measure-Object).Count -eq 0) {
+        } elseif (($AuditLogSearches | Measure-Object).Count -eq 0 -and ($WebhookRules | Measure-Object).Count -eq 0) {
             Write-Information 'No webhook rules defined'
         } else {
             Write-Information "Audit Logs: Downloading $($AuditLogSearches.Count) searches"
diff --git a/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1 b/Modules/CIPPCore/Public/Webhooks/Test-CIPPAuditLogRules.ps1
