Public/Auditlog/Get-ABRAuditlog.ps1
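<#
.SYNOPSIS
    Retrieve a list of auditlogs

.DESCRIPTION
    Retrieve a list of all auditlogs with information like installs, uninstalls, elevated application, computer, ...

    The function only builds the request: it selects the endpoint from the parameter set, collects the
    bound filters into a header table and hands both to Invoke-ABRRequest.

.PARAMETER Id
    Returns one auditlog entry

.PARAMETER ComputerName
    Returns an array of auditlog entries for a certain computer

.PARAMETER UserName
    Returns an array of auditlog entries for a certain user (user account or full name)

.PARAMETER Delta
    Returns an array of changed auditlog entries since last call

.PARAMETER StartId
    The starting ID you wish to receive. Can be used for incremental offload of data to your own system

.PARAMETER Take
    Maximum number of resources to return. Default is 50 to preserve bandwidth, maximum is 10000.
    For queries with more than 10000 records, pagination is mandatory

.PARAMETER Last
    Entries are retrieved in ascending order by default. Last returns the latest X number of entries
    in descending order. Maximum is 10000

.PARAMETER WantScanDetails
    Use this filter, if you wish to receive detailed lists of scan results. The default is to give you
    the overall result only

.PARAMETER Type
    Only return either 'Run As Admin' (-Type App) or 'Admin Sessions' (-Type Session) entries

.PARAMETER Status
    Only return entries from Requests (possible values: Pending, Denied, Approved, Quarantined)

.PARAMETER Days
    By default, entries up to 30 days are returned, unless specified otherwise. If startdate is
    specified, days is not used

.PARAMETER StartDate
    Only return entries after the specified start date

.PARAMETER EndDate
    Only return entries before and including the specified end date

.PARAMETER DeltaTime
    Use -Delta without parameters one time to get an initial 'timeNow'.
    Use this time to get delta data since last call

.EXAMPLE
    PS C:\> Get-ABRAuditlog

    Get all auditlogs (either from the last 30 days or 50 results)

.EXAMPLE
    PS C:\> Get-ABRAuditlog -Id 1234567

    Get the auditlog with the Id 1234567

.EXAMPLE
    PS C:\> Get-ABRAuditlog -ComputerName 'Computer1' -Last 10

    Get the last 10 auditlogs from Computer1

.EXAMPLE
    PS C:\> Get-ABRAuditlog -UserName 'Doe John' -StartDate '2023-01-01'

    Get all the auditlogs for user 'Doe John' starting from 2023-01-01

.EXAMPLE
    PS C:\> Get-ABRAuditlog -Delta -DeltaTime '637795099840708375'

    Get all the auditlogs since the latest change (DeltaTime)

.NOTES
    ComputerName and UserName are percent-encoded as a single URL path segment, so reserved
    characters in a name ('/', '?', '#', '&', ...) cannot change which endpoint is requested.
    Dates and enum-like values are formatted culture-independently so the same call yields the
    same request on every host locale.
#>
Function Get-ABRAuditlog {
    [CmdletBinding(DefaultParameterSetName = 'All')]
    Param (
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Id', Position = 0)]
        [ValidateNotNullOrEmpty()]
        [int]
        $Id,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Computer', Position = 0)]
        [ValidateNotNullOrEmpty()]
        [string]
        $ComputerName,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'User', Position = 0)]
        [ValidateNotNullOrEmpty()]
        [string]
        $UserName,

        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Delta', Position = 0)]
        [switch]
        $Delta,

        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'All')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Computer')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'User')]
        [ValidateNotNullOrEmpty()]
        [int]
        $StartId,

        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'All')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Computer')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'User')]
        [Alias('Limit')]
        [ValidateRange(1, 10000)]
        [int]
        $Take,

        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'All')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Computer')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'User')]
        [ValidateRange(1, 10000)]
        [int]
        $Last,

        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'All')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Id')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Computer')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'User')]
        [switch]
        $WantScanDetails,

        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'All')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Computer')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'User')]
        [ValidateSet('App', 'Session')]
        [string]
        $Type,

        [Parameter(ValueFromPipelineByPropertyName = $True, ParameterSetName = 'All')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Computer')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'User')]
        [ValidateSet('Approved', 'Denied', 'Pending', 'Quarantined')]
        [string]
        $Status,

        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'All')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Computer')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'User')]
        [ValidateRange(1, 10000)]
        [int]
        $Days,

        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'All')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Computer')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'User')]
        [ValidateNotNullOrEmpty()]
        [datetime]
        $StartDate,

        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'All')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Computer')]
        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'User')]
        [ValidateNotNullOrEmpty()]
        [datetime]
        $EndDate,

        [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'Delta')]
        [ValidateNotNullOrEmpty()]
        [string]
        $DeltaTime
    )

    Process {
        $URL = '/auditlog'
        $Headers = @{}
        $Invariant = [System.Globalization.CultureInfo]::InvariantCulture

        # Pick the endpoint from the parameter set that was resolved for this call.
        Switch ($PSCmdlet.ParameterSetName) {
            'Id' {
                # A non-positive Id leaves the URL at '/auditlog', i.e. the unfiltered list.
                If ($Id -gt 0) {
                    $URL += '/{0}' -f $Id
                }
                Break
            }
            'Computer' {
                # EscapeDataString, not EscapeUriString: the name is ONE path segment, so reserved
                # characters such as '/', '?' and '#' must be encoded. EscapeUriString leaves them
                # intact, which lets a name arriving from the pipeline rewrite the request path.
                $URL = '/computers/{0}/auditlog' -f ([System.Uri]::EscapeDataString($ComputerName))
                Break
            }
            'User' {
                # Same single-segment encoding as for ComputerName.
                $URL = '/users/{0}/auditlog' -f ([System.Uri]::EscapeDataString($UserName))
                Break
            }
            'Delta' {
                $URL += '/delta'
                Break
            }
        }

        # Only explicitly bound parameters become filters; unbound ones are left out entirely.
        If ($PSBoundParameters.ContainsKey('StartId')) {
            $Headers.Add('startid', $StartId)
        }
        If ($PSBoundParameters.ContainsKey('Take')) {
            $Headers.Add('take', $Take)
        }
        If ($PSBoundParameters.ContainsKey('Last')) {
            $Headers.Add('last', $Last)
        }
        If ($WantScanDetails.IsPresent) {
            $Headers.Add('wantscandetails', 1)
        }
        If ($PSBoundParameters.ContainsKey('Type')) {
            # ValidateSet matches case-insensitively, so normalise here. ToLowerInvariant avoids
            # culture-specific casing (e.g. the Turkish dotless i) changing the value sent.
            $Headers.Add('type', $Type.ToLowerInvariant())
        }
        If ($PSBoundParameters.ContainsKey('Status')) {
            $Headers.Add('status', $Status.ToLowerInvariant())
        }
        If ($PSBoundParameters.ContainsKey('Days')) {
            $Headers.Add('days', $Days)
        }
        If ($PSBoundParameters.ContainsKey('StartDate')) {
            # Format with the invariant culture so a host using a non-Gregorian calendar still
            # sends the intended yyyy-MM-dd date and the audit window is not silently shifted.
            $Headers.Add('startdate', $StartDate.ToString('yyyy-MM-dd', $Invariant))
        }
        If ($PSBoundParameters.ContainsKey('EndDate')) {
            $Headers.Add('enddate', $EndDate.ToString('yyyy-MM-dd', $Invariant))
        }
        If ($PSBoundParameters.ContainsKey('DeltaTime')) {
            $Headers.Add('deltaTime', $DeltaTime)
        }

        $InvokeABRRequest_Splat = @{
            URI = $URL
        }
        # Pass the header table only when at least one filter was set.
        If ($Headers.Count -gt 0) {
            $InvokeABRRequest_Splat.Add('Headers', $Headers)
        }

        Invoke-ABRRequest @InvokeABRRequest_Splat
    }
}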