Rollback audit logs to 8.7.2

JohnDuprey · JohnDuprey · commit 34e071528006 · 2025-12-17T17:25:45.000-05:00
diff --git a/Modules/CIPPCore/Public/AuditLogs/Get-CippAuditLogSearches.ps1 b/Modules/CIPPCore/Public/AuditLogs/Get-CippAuditLogSearches.ps1
@@ -13,52 +13,30 @@ function Get-CippAuditLogSearches {
         [Parameter()]
         [switch]$ReadyToProcess
     )
-
-    Measure-CippTask -TaskName 'GetAuditLogSearches' -EventName 'CIPP.AuditLogsProfile' -Script {
-        $AuditLogSearchesTable = Get-CippTable -TableName 'AuditLogSearches'
-
-        if ($ReadyToProcess.IsPresent) {
-            Measure-CippTask -TaskName 'QueryReadyToProcess' -EventName 'CIPP.AuditLogsProfile' -Script {
-                $15MinutesAgo = (Get-Date).AddMinutes(-15).ToUniversalTime()
-                $1DayAgo = (Get-Date).AddDays(-1).ToUniversalTime()
-                Get-CIPPAzDataTableEntity @AuditLogSearchesTable -Filter "PartitionKey eq 'Search' and Tenant eq '$TenantFilter'" | Where-Object {
-                    $_.Timestamp -ge $1DayAgo -and (
-                        $_.CippStatus -eq 'Pending' -or
-                        ($_.CippStatus -eq 'Processing' -and $_.Timestamp -le $15MinutesAgo)
-                    )
-                } | Sort-Object Timestamp
-            }
-        } else {
-            Measure-CippTask -TaskName 'QueryAllSearches' -EventName 'CIPP.AuditLogsProfile' -Script {
-                $7DaysAgo = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
-                Get-CIPPAzDataTableEntity @AuditLogSearchesTable -Filter "Tenant eq '$TenantFilter' and Timestamp ge datetime'$7DaysAgo'"
-            }
-        }
+    $AuditLogSearchesTable = Get-CippTable -TableName 'AuditLogSearches'
+    if ($ReadyToProcess.IsPresent) {
+        $15MinutesAgo = (Get-Date).AddMinutes(-15).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
+        $1DayAgo = (Get-Date).AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
+        $PendingQueries = Get-CIPPAzDataTableEntity @AuditLogSearchesTable -Filter "PartitionKey eq 'Search' and Tenant eq '$TenantFilter' and (CippStatus eq 'Pending' or (CippStatus eq 'Processing' and Timestamp le datetime'$15MinutesAgo')) and Timestamp ge datetime'$1DayAgo'" | Sort-Object Timestamp
+    } else {
+        $7DaysAgo = (Get-Date).AddDays(-7).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
+        $PendingQueries = Get-CIPPAzDataTableEntity @AuditLogSearchesTable -Filter "Tenant eq '$TenantFilter' and Timestamp ge datetime'$7DaysAgo'"
     }
 
-    Measure-CippTask -TaskName 'BuildBulkRequests' -EventName 'CIPP.AuditLogsProfile' -Script {
-        $BulkRequests = foreach ($PendingQuery in $PendingQueries) {
-            @{
-                id     = $PendingQuery.RowKey
-                url    = 'security/auditLog/queries/' + $PendingQuery.RowKey
-                method = 'GET'
-            }
+    $BulkRequests = foreach ($PendingQuery in $PendingQueries) {
+        @{
+            id     = $PendingQuery.RowKey
+            url    = 'security/auditLog/queries/' + $PendingQuery.RowKey
+            method = 'GET'
         }
-        $BulkRequests
     }
-
     if ($BulkRequests.Count -eq 0) {
         return @()
     }
-
-    $Queries = Measure-CippTask -TaskName 'ExecuteBulkGraphRequests' -EventName 'CIPP.AuditLogsProfile' -Script {
-        New-GraphBulkRequest -Requests @($BulkRequests) -AsApp $true -TenantId $TenantFilter | Select-Object -ExpandProperty body
-    }
+    $Queries = New-GraphBulkRequest -Requests @($BulkRequests) -AsApp $true -TenantId $TenantFilter | Select-Object -ExpandProperty body
 
     if ($ReadyToProcess.IsPresent) {
-        $Queries = Measure-CippTask -TaskName 'FilterSucceededQueries' -EventName 'CIPP.AuditLogsProfile' -Script {
-            $Queries | Where-Object { $PendingQueries.RowKey -contains $_.id -and $_.status -eq 'succeeded' }
-        }
+        $Queries = $Queries | Where-Object { $PendingQueries.RowKey -contains $_.id -and $_.status -eq 'succeeded' }
     }
 
     return $Queries
diff --git a/Modules/CIPPCore/Public/AuditLogs/New-CIPPAuditLogSearchResultsCache.ps1 b/Modules/CIPPCore/Public/AuditLogs/New-CIPPAuditLogSearchResultsCache.ps1
@@ -13,111 +13,91 @@ function New-CIPPAuditLogSearchResultsCache {
         [string]$TenantFilter,
         [string]$SearchId
     )
+    try {
+        $FailedDownloadsTable = Get-CippTable -TableName 'FailedAuditLogDownloads'
+        $fourHoursAgo = (Get-Date).AddHours(-4).ToUniversalTime()
+        $failedEntity = Get-CIPPAzDataTableEntity @FailedDownloadsTable -Filter "PartitionKey eq '$TenantFilter' and SearchId eq '$SearchId' and Timestamp ge datetime'$($fourHoursAgo.ToString('yyyy-MM-ddTHH:mm:ssZ'))'"
 
-    Measure-CippTask -TaskName 'AuditLogSearchResultsCache' -EventName 'CIPP.AuditLogsProfileRoot' -Script {
-        Measure-CippTask -TaskName 'CheckFailedDownloads' -EventName 'CIPP.AuditLogsProfile' -Script {
-            try {
-                $FailedDownloadsTable = Get-CippTable -TableName 'FailedAuditLogDownloads'
-                $fourHoursAgo = (Get-Date).AddHours(-4).ToUniversalTime()
-                $failedEntity = Get-CIPPAzDataTableEntity @FailedDownloadsTable -Filter "PartitionKey eq '$TenantFilter' and SearchId eq '$SearchId' and Timestamp ge datetime'$($fourHoursAgo.ToString('yyyy-MM-ddTHH:mm:ssZ'))'"
+        if ($failedEntity) {
+            $message = "Skipping search ID: $SearchId for tenant: $TenantFilter - Previous attempt failed within the last 4 hours"
+            Write-LogMessage -API 'AuditLog' -tenant $TenantFilter -message $message -Sev 'Info'
+            Write-Information $message
+            exit 0
+        }
+    } catch {
+        Write-Information "Error checking for failed downloads: $($_.Exception.Message)"
+    }
 
-                if ($failedEntity) {
-                    $message = "Skipping search ID: $SearchId for tenant: $TenantFilter - Previous attempt failed within the last 4 hours"
-                    Write-LogMessage -API 'AuditLog' -tenant $TenantFilter -message $message -Sev 'Info'
-                    Write-Information $message
-                    exit 0
-                }
-            } catch {
-                Write-Information "Error checking for failed downloads: $($_.Exception.Message)"
-            }
+    try {
+        Write-Information "Starting audit log cache process for tenant: $TenantFilter"
+        $CacheWebhooksTable = Get-CippTable -TableName 'CacheWebhooks'
+        $CacheWebhookStatsTable = Get-CippTable -TableName 'CacheWebhookStats'
+        # Check if we haven't already downloaded this search by checking the cache table
+        $searchEntity = Get-CIPPAzDataTableEntity @CacheWebhooksTable -Filter "PartitionKey eq '$TenantFilter' and SearchId eq '$SearchId'"
+        if ($searchEntity) {
+            Write-Information "Search ID: $SearchId already cached for tenant: $TenantFilter"
+            exit 0
         }
 
+        # Record this attempt in the FailedAuditLogDownloads table BEFORE starting the download
+        # This way, if the function is killed before completion, the record will remain
         try {
-            Write-Information "Starting audit log cache process for tenant: $TenantFilter"
-
-            Measure-CippTask -TaskName 'CheckExistingCache' -EventName 'CIPP.AuditLogsProfile' -Script {
-                $CacheWebhooksTable = Get-CippTable -TableName 'CacheWebhooks'
-                $CacheWebhookStatsTable = Get-CippTable -TableName 'CacheWebhookStats'
-                # Check if we haven't already downloaded this search by checking the cache table
-                $searchEntity = Get-CIPPAzDataTableEntity @CacheWebhooksTable -Filter "PartitionKey eq '$TenantFilter' and SearchId eq '$SearchId'"
-                if ($searchEntity) {
-                    Write-Information "Search ID: $SearchId already cached for tenant: $TenantFilter"
-                    exit 0
-                }
-            }
-
-            # Record this attempt in the FailedAuditLogDownloads table BEFORE starting the download
-            # This way, if the function is killed before completion, the record will remain
-            Measure-CippTask -TaskName 'RecordDownloadAttempt' -EventName 'CIPP.AuditLogsProfile' -Script {
-                try {
-                    $FailedDownloadsTable = Get-CippTable -TableName 'FailedAuditLogDownloads'
-                    $attemptId = [guid]::NewGuid().ToString()
-                    $failedEntity = @{
-                        RowKey       = $attemptId
-                        PartitionKey = $TenantFilter
-                        SearchId     = $SearchId
-                        ErrorMessage = 'Download attempt in progress'
-                    }
-                    Add-CIPPAzDataTableEntity @FailedDownloadsTable -Entity $failedEntity -Force
-                    Write-Information "Recorded download attempt for search ID: $SearchId, tenant: $TenantFilter"
-                } catch {
-                    Write-Information "Failed to record download attempt: $($_.Exception.Message)"
-                }
+            $FailedDownloadsTable = Get-CippTable -TableName 'FailedAuditLogDownloads'
+            $attemptId = [guid]::NewGuid().ToString()
+            $failedEntity = @{
+                RowKey       = $attemptId
+                PartitionKey = $TenantFilter
+                SearchId     = $SearchId
+                ErrorMessage = 'Download attempt in progress'
             }
+            Add-CIPPAzDataTableEntity @FailedDownloadsTable -Entity $failedEntity -Force
+            Write-Information "Recorded download attempt for search ID: $SearchId, tenant: $TenantFilter"
+        } catch {
+            Write-Information "Failed to record download attempt: $($_.Exception.Message)"
+        }
 
-            $downloadStartTime = Get-Date
-            Measure-CippTask -TaskName 'DownloadAndCacheResults' -EventName 'CIPP.AuditLogsProfile' -Script {
-                try {
-                    Write-Information "Processing search ID: $($SearchId) for tenant: $TenantFilter"
-                    $searchResults = Get-CippAuditLogSearchResults -TenantFilter $TenantFilter -QueryId $SearchId
-                    foreach ($searchResult in $searchResults) {
-                        $cacheEntity = @{
-                            RowKey       = $searchResult.id
-                            PartitionKey = $TenantFilter
-                            SearchId     = $SearchId
-                            JSON         = [string]($searchResult | ConvertTo-Json -Depth 10)
-                        }
-                        Add-CIPPAzDataTableEntity @CacheWebhooksTable -Entity $cacheEntity -Force
-                    }
-                    Write-Information "Successfully cached search ID: $($SearchId) for tenant: $TenantFilter"
-
-                    Measure-CippTask -TaskName 'RemoveFailedRecord' -EventName 'CIPP.AuditLogsProfile' -Script {
-                        try {
-                            $FailedDownloadsTable = Get-CippTable -TableName 'FailedAuditLogDownloads'
-                            $failedEntities = Get-CIPPAzDataTableEntity @FailedDownloadsTable -Filter "PartitionKey eq '$TenantFilter' and SearchId eq '$SearchId'"
-                            if ($failedEntities) {
-                                Remove-AzDataTableEntity @FailedDownloadsTable -Entity $failedEntities -Force
-                                Write-Information "Removed failed download records for search ID: $SearchId, tenant: $TenantFilter"
-                            }
-                        } catch {
-                            Write-Information "Failed to remove download attempt record: $($_.Exception.Message)"
-                        }
-                    }
-
-                    $searchResults
-                } catch {
-                    throw $_
+        $downloadStartTime = Get-Date
+        try {
+            Write-Information "Processing search ID: $($SearchId) for tenant: $TenantFilter"
+            $searchResults = Get-CippAuditLogSearchResults -TenantFilter $TenantFilter -QueryId $SearchId
+            foreach ($searchResult in $searchResults) {
+                $cacheEntity = @{
+                    RowKey       = $searchResult.id
+                    PartitionKey = $TenantFilter
+                    SearchId     = $SearchId
+                    JSON         = [string]($searchResult | ConvertTo-Json -Depth 10)
                 }
+                Add-CIPPAzDataTableEntity @CacheWebhooksTable -Entity $cacheEntity -Force
             }
-
-            $downloadEndTime = Get-Date
-            $downloadSeconds = ($downloadEndTime - $downloadStartTime).TotalSeconds
-
-            Measure-CippTask -TaskName 'RecordStats' -EventName 'CIPP.AuditLogsProfile' -Script {
-                $statsEntity = @{
-                    RowKey       = $TenantFilter
-                    PartitionKey = 'Stats'
-                    DownloadSecs = [string]$downloadSeconds
-                    SearchCount  = [string]($searchResults ? $searchResults.Count : 0)
+            Write-Information "Successfully cached search ID: $($SearchId) for tenant: $TenantFilter"
+            try {
+                $FailedDownloadsTable = Get-CippTable -TableName 'FailedAuditLogDownloads'
+                $failedEntities = Get-CIPPAzDataTableEntity @FailedDownloadsTable -Filter "PartitionKey eq '$TenantFilter' and SearchId eq '$SearchId'"
+                if ($failedEntities) {
+                    Remove-AzDataTableEntity @FailedDownloadsTable -Entity $failedEntities -Force
+                    Write-Information "Removed failed download records for search ID: $SearchId, tenant: $TenantFilter"
                 }
-                Add-CIPPAzDataTableEntity @CacheWebhookStatsTable -Entity $statsEntity -Force
-                Write-Information "Completed audit log cache process for tenant: $TenantFilter. Download time: $downloadSeconds seconds"
+            } catch {
+                Write-Information "Failed to remove download attempt record: $($_.Exception.Message)"
             }
-
-            return ($searchResults ? $searchResults.Count : 0)
         } catch {
-            Write-Information "Error in New-CIPPAuditLogSearchResultsCache for tenant: $TenantFilter. Error: $($_.Exception.Message)"
             throw $_
         }
+
+        $downloadEndTime = Get-Date
+        $downloadSeconds = ($downloadEndTime - $downloadStartTime).TotalSeconds
+
+        $statsEntity = @{
+            RowKey       = $TenantFilter
+            PartitionKey = 'Stats'
+            DownloadSecs = [string]$downloadSeconds
+            SearchCount  = [string]($searchResults ? $searchResults.Count : 0)
+        }
+        Add-CIPPAzDataTableEntity @CacheWebhookStatsTable -Entity $statsEntity -Force
+        Write-Information "Completed audit log cache process for tenant: $TenantFilter. Download time: $downloadSeconds seconds"
+        return ($searchResults ? $searchResults.Count : 0)
+    } catch {
+        Write-Information "Error in New-CIPPAuditLogSearchResultsCache for tenant: $TenantFilter. Error: $($_.Exception.Message)"
+        throw $_
     }
 }
diff --git a/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogTenantDownload.ps1 b/Modules/CIPPCore/Public/Entrypoints/Activity Triggers/Webhooks/Push-AuditLogTenantDownload.ps1
@@ -43,15 +43,15 @@ function Push-AuditLogTenantDownload {
             Write-Information ('Audit Logs: Found {0} searches, begin downloading' -f $LogSearches.Count)
             foreach ($Search in $LogSearches) {
                 $SearchEntity = Get-CIPPAzDataTableEntity @LogSearchesTable -Filter "Tenant eq '$($TenantFilter)' and RowKey eq '$($Search.id)'"
-                $SearchEntity | Add-Member -NotePropertyName CippStatus -NotePropertyValue 'Processing' -Force
+                $SearchEntity.CippStatus = 'Processing'
                 Add-CIPPAzDataTableEntity @LogSearchesTable -Entity $SearchEntity -Force
                 try {
                     Write-Information "Audit Log search: Processing search ID: $($Search.id) for tenant: $TenantFilter"
                     $Downloads = New-CIPPAuditLogSearchResultsCache -TenantFilter $TenantFilter -searchId $Search.id
-                    $SearchEntity | Add-Member -NotePropertyName CippStatus -NotePropertyValue 'Downloaded' -Force
+                    $SearchEntity.CippStatus = 'Downloaded'
                 } catch {
                     if ($_.Exception.Message -match 'Request rate is large. More Request Units may be needed, so no changes were made. Please retry this request later.') {
-                        $SearchEntity | Add-Member -NotePropertyName CippStatus -NotePropertyValue 'Pending' -Force
+                        $SearchEntity.CippStatus = 'Pending'
                         Write-Information "Audit Log search: Rate limit hit for $($SearchEntity.RowKey)."
                         if ($SearchEntity.PSObject.Properties.Name -contains 'RetryCount') {
                             $SearchEntity.RetryCount++
@@ -60,8 +60,8 @@ function Push-AuditLogTenantDownload {
                         }
                     } else {
                         $Exception = [string](ConvertTo-Json -Compress -InputObject (Get-CippException -Exception $_))
-                        $SearchEntity | Add-Member -MemberType NoteProperty -Name Error -Value $Exception -Force
-                        $SearchEntity | Add-Member -NotePropertyName CippStatus -NotePropertyValue 'Failed' -Force
+                        $SearchEntity | Add-Member -MemberType NoteProperty -Name Error -Value $Exception
+                        $SearchEntity.CippStatus = 'Failed'
                         Write-Information "Error processing audit log rules: $($_.Exception.Message)"
                     }
 
