Modify Get-SimpleUnifiedAuditLog to handle null object error.
jonnybottles committed Dec 8, 2024
1 parent 3eb3bf6 commit 51546a6
Showing 2 changed files with 59 additions and 33 deletions.
2 changes: 1 addition & 1 deletion Hawk/Hawk.psd1
Expand Up @@ -3,7 +3,7 @@
RootModule = 'Hawk.psm1'

# Version number of this module.
ModuleVersion = '3.1.1'
ModuleVersion = '3.1.2'

# ID used to uniquely identify this module
GUID = '1f6b6b91-79c4-4edf-83a1-66d2dc8c3d85'
90 changes: 58 additions & 32 deletions Hawk/internal/functions/Get-SimpleUnifiedAuditLog.ps1
Expand Up @@ -2,53 +2,79 @@
[CmdletBinding()]
Param(
[Parameter(Mandatory = $true, ValueFromPipeline = $true)]
$UALRecord
[PSObject]$UALRecord
)

Begin {
Write-Verbose "Starting Get-SimpleUnifiedAuditLog processing"
$Results = @()
}

Process {
try {
# The AuditData is already JSON in the UALRecord object
$AuditRecord = $UALRecord.AuditData | ConvertFrom-Json
foreach ($record in $UALRecord) {
try {
Write-Verbose "Processing record with ID: $($record.Identity)"

# Check if we got valid data
if ($AuditRecord) {
# Extract the user who ran the command
$User = if ([string]::IsNullOrEmpty($AuditRecord.UserId)) {
"***"
} else {
$AuditRecord.UserId
}
# The AuditData is a JSON string, so convert it
if ($record.AuditData) {
$AuditRecord = $record.AuditData | ConvertFrom-Json

# Create result object
$obj = [PSCustomObject]@{
Caller = $User
Cmdlet = $AuditRecord.Operation
FullCommand = "$($AuditRecord.Operation) $(($AuditRecord.Parameters | ForEach-Object { "-$($_.Name) '$($_.Value)'" }) -join ' ')"
'RunDate(UTC)' = $AuditRecord.CreationTime
ObjectModified = $AuditRecord.ObjectId
}
# Create result object with data from audit record
$obj = [PSCustomObject]@{
Caller = if ($AuditRecord.UserId) { $AuditRecord.UserId } else { "***" }
Cmdlet = $AuditRecord.Operation
FullCommand = $AuditRecord.Operation
'RunDate(UTC)' = $AuditRecord.CreationTime
ObjectModified = $AuditRecord.ObjectId
}

$Results += $obj
# Add parameters to FullCommand if they exist
if ($AuditRecord.Parameters) {
$paramString = foreach ($param in $AuditRecord.Parameters) {
# Handle different parameter value types appropriately
$value = if ($param.Value -match '\s') {
# If value contains spaces, quote it
"'$($param.Value)'"
} elseif ($param.Value -match '^(True|False)$') {
# If boolean, format with $
"`$$($param.Value.ToLower())"
} else {
$param.Value
}
"-$($param.Name) $value"
}
$obj.FullCommand = "$($obj.Cmdlet) $($paramString -join ' ')"
}

$Results += $obj
Write-Verbose "Successfully processed record"
}
else {
Write-Verbose "No AuditData found for record"
$Results += [PSCustomObject]@{
Caller = "***"
Cmdlet = "Unknown"
FullCommand = "No audit data available"
'RunDate(UTC)' = $null
ObjectModified = $null
}
}
}
}
catch {
Write-Verbose "Error processing record: $_"
# Add empty record to maintain count
$Results += [PSCustomObject]@{
Caller = "***"
Cmdlet = $null
FullCommand = $null
'RunDate(UTC)' = $null
ObjectModified = $null
catch {
Write-Verbose "Error processing record: $_"
$Results += [PSCustomObject]@{
Caller = "***"
Cmdlet = "Error"
FullCommand = "Error processing audit record: $_"
'RunDate(UTC)' = $null
ObjectModified = $null
}
}
}
}

End {
$Results
Write-Verbose "Completed processing. Returning $($Results.Count) records"
return $Results
}
}
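Review bot: In the new parameter loop a value is quoted only when it contains whitespace, and embedded single quotes are never escaped, so `FullCommand` can misrepresent what was actually run. Audit parameter values are whatever the actor supplied, and a value containing `;`, `|` or `'` is now rendered bare, which an analyst reading the output can mistake for extra syntax. Quoting every non-boolean value with doubled quotes keeps the reconstruction unambiguous, e.g. `"'" + ([string]$param.Value -replace "'", "''") + "'"` in place of the whitespace-only branch. Separately, `$param.Value.ToLower()` would throw if ConvertFrom-Json ever yields a real Boolean rather than a string (not determinable from this hunk), sending the whole record to the catch block and replacing it with an "Error" row; `([string]$param.Value).ToLower()` avoids that. The function's opening line is outside the hunk.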
