Functions/Public/Get-AMAuditEvent.ps1

function Get-AMAuditEvent {
    <#
        .SYNOPSIS
            Gets AutoMate Enterprise audit events.
 
        .DESCRIPTION
            Get-AMAuditEvent gets audit events for AutoMate Enterprise objects.
 
        .PARAMETER InputObject
            The object(s) to retrieve audit events for.
 
        .PARAMETER StartDate
            The first date of events to retrieve (Default: 1 day ago).
 
        .PARAMETER EndDate
            The last date of events to retrieve (Default: now).
 
        .PARAMETER EventType
            The type of event(s) to be retrieved. Use auto-complete or see types.ps1 for a full list.
 
        .PARAMETER FilterSet
            The parameters to filter the search on. Supply hashtable(s) with the following properties: Property, Operator, Value.
            Valid values for the Operator are: =, !=, <, >, contains (default - no need to supply Operator when using 'contains')
 
        .PARAMETER FilterSetMode
            If multiple filter sets are provided, FilterSetMode determines if the filter sets should be evaluated with an AND or an OR
 
        .PARAMETER SortProperty
            The object property to sort results on. Do not use ConnectionAlias, since it is a custom property added by this module, and not exposed in the API.
 
        .PARAMETER SortDescending
            If specified, this will sort the output on the specified SortProperty in descending order. Otherwise, ascending order is assumed.
 
        .PARAMETER AuditUserActivity
            If this switch is supplied, then this function returns any audited events that were performed by the piped in user. Otherwise,
                audit events related to the user object are returned.
 
        .PARAMETER Connection
            The AutoMate Enterprise management server.
 
        .INPUTS
            Audit events for the following objects can be retrieved by this function:
            Workflow
            Task
            Condition
            Process
            TaskAgent
            ProcessAgent
            AgentGroup
            User
            UserGroup
            Folder
 
        .OUTPUTS
            AuditEvent
 
        .EXAMPLE
            # Get events for workflow "My Workflow"
            Get-AMWorkflow "My Workflow" | Get-AMAuditEvent
 
        .EXAMPLE
            # Get audit events using filter sets
            Get-AMAuditEvent -FilterSet @{Property = 'EventText'; Operator = 'contains'; Value = 'connection from IP 10.1.1.10'}
 
        .LINK
            https://github.com/AutomatePS/AutomatePS
    #>

    [CmdletBinding(DefaultParameterSetName="All")]
    [OutputType([System.Object[]])]
    param (
        [Parameter(Position = 0, ParameterSetName = "ByPipeline", ValueFromPipeline = $true)]
        [ValidateNotNullOrEmpty()]
        $InputObject,

        [ValidateNotNullOrEmpty()]
        [DateTime]$StartDate = (Get-Date).AddDays(-1),

        [ValidateNotNullOrEmpty()]
        [DateTime]$EndDate = (Get-Date),

        [ValidateNotNullOrEmpty()]
        [AMAuditEventType]$EventType = [AMAuditEventType]::All,

        [ValidateNotNull()]
        [Hashtable[]]$FilterSet = @(),

        [ValidateSet("And","Or")]
        [string]$FilterSetMode = "And",

        [ValidateNotNullOrEmpty()]
        [string[]]$SortProperty = "EventDateTime",

        [ValidateNotNullOrEmpty()]
        [switch]$SortDescending = $false,

        [Parameter(ParameterSetName = "ByPipeline")]
        [ValidateNotNullOrEmpty()]
        [switch]$AuditUserActivity = $false,

        [ValidateNotNullOrEmpty()]
        $Connection
    )

    BEGIN {
        if ($StartDate -gt $EndDate) {
            throw "StartDate must be before EndDate!"
        }
        $splat = @{
            RestMethod = "Get"
        }
        if ($PSBoundParameters.ContainsKey("Connection")) {
            $Connection = Get-AMConnection -Connection $Connection
            $splat.Add("Connection",$Connection)
        }
        $result = @()
        if ($EventType -ne [AMAuditEventType]::All) {
            $FilterSet += @{Property = "EventType"; Operator = "="; Value = $EventType.value__}
        }
    }

    PROCESS {
        switch($PSCmdlet.ParameterSetName) {
            "All" {
                $splat += @{ Resource = Format-AMUri -Path "audit_events/get" -RangeStart $StartDate -RangeEnd $EndDate -FilterSet $FilterSet -FilterSetMode $FilterSetMode -SortProperty $SortProperty -SortDescending:$SortDescending.ToBool() }
                $result = Invoke-AMRestMethod @splat
            }
            "ByPipeline" {
                foreach ($obj in $InputObject) {
                    $tempSplat = $splat
                    if (-not $tempSplat.ContainsKey("Connection")) {
                        $tempSplat += @{ Connection = $obj.ConnectionAlias }
                    } else {
                        $tempSplat["Connection"] = $obj.ConnectionAlias
                    }
                    Write-Verbose "Processing $($obj.Type) '$($obj.Name)'"
                    switch ($obj.Type) {
                        {($_ -in @("Workflow","Task","Process","Condition","Folder","Agent","AgentGroup","User","UserGroup"))} {
                            if ($obj.Type -eq "User" -and $AuditUserActivity) {
                                $tempFilterSet = $FilterSet + @{Property = "UserID"; Operator = "="; Value = $obj.ID}
                            } else {
                                $tempFilterSet = $FilterSet + @{Property = "PrimaryConstructID"; Operator = "="; Value = $obj.ID}
                                if ($AuditUserActivity) {
                                    Write-Warning "The -AuditUserActivity switch is only used when a user is piped in."
                                }
                            }
                            $tempSplat += @{ Resource = Format-AMUri -Path "audit_events/get" -RangeStart $StartDate -RangeEnd $EndDate -FilterSet $tempFilterSet -FilterSetMode $FilterSetMode -SortProperty $SortProperty -SortDescending:$SortDescending.ToBool() }
                            $result += Invoke-AMRestMethod @tempSplat
                        }
                        default {
                            $unsupportedType = $obj.GetType().FullName
                            if ($_) {
                                $unsupportedType = $_
                            } elseif (-not [string]::IsNullOrEmpty($obj.Type)) {
                                $unsupportedType = $obj.Type
                            }
                            Write-Error -Message "Unsupported input type '$unsupportedType' encountered!" -TargetObject $obj
                        }
                    }
                }
            }
        }
    }

    END {
        $SortProperty += "ConnectionAlias", "ID"
        return $result | Sort-Object $SortProperty -Unique -Descending:$SortDescending.ToBool()
    }
}