scripts/Search-IdentityNowAuditEvents.ps1

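function Search-IdentityNowAuditEvents {
    <#
.SYNOPSIS
    Search IdentityNow Audit Event(s) using the v2 API.
 
.DESCRIPTION
    Search IdentityNow Audit Event(s) using the v2 API.

    Every supplied filter (-action, -type, -user, -application, -days, -since) is
    URL-encoded and combined into a single query string, so any combination of
    filters can be used together. Results are retrieved in pages of at most 2500
    events (the per-request ceiling used by this module) until -searchLimit events
    have been collected or the API returns a short/empty page.

    Authentication uses the v2 Basic credentials held in
    $IdentityNowConfiguration.v2 (UserName plus a SecureString Password).
    The password is decrypted only while the Authorization header is built and
    the unmanaged copy is zeroed immediately afterwards.
 
.PARAMETER action
    (optional) Audit Action Event. Must be one of the values in this parameter's
    ValidateSet (tab-completion lists them), for example AUTHENTICATION-103,
    USER_STEP_UP_AUTH, SOURCE_ACCOUNT_AGGREGATION, CreateAccount, SAML2-36.
 
.PARAMETER type
    (optional) type (the audit category. Valid values are "AUTH", "SSO", "PROVISIONING", "PASSWORD_CHANGE" or "SOURCE" Ex: type=AUTH)
 
.PARAMETER user
    (optional) Case insensitive exact match of the UID of an identity contained in either "source" or "target" properties in the logs where source indicates the person who took the action and target indicates the person who was affected by the action. Ex: user=guybrush.threepwood
 
.PARAMETER application
    (optional) Case insensitive name of the source you're querying for
 
.PARAMETER days
    (optional) days (Only return results whose timestamp is within this previous number of days; the API defaults to 7 when neither -days nor -since is given.)
    Ignored (with a warning) when -since is also supplied.
 
.PARAMETER since
    (optional) since (Returns only results from days since the entered date, or date and time combination, in ISO-8601 format.)
    e.g yyyy-mm-ddThh:mm:ss or yyyy-mm-ddThh:mm:ss.fffZ. Timezone offsets such as +10:00 are safe; the value is URL-encoded.
 
.PARAMETER searchLimit
    (optional - default 2500) Max results to return. Values above 2500 are fetched in pages of 2500.
 
.EXAMPLE
    Search-IdentityNowAuditEvents
 
.EXAMPLE
    Search-IdentityNowAuditEvents -action USER_STEP_UP_AUTH
 
.EXAMPLE
    Search-IdentityNowAuditEvents -since '2019-09-30T12:30:50.450Z'
    Search-IdentityNowAuditEvents -since '2019-09-30T12:30:50.450Z' -searchLimit 10
    Search-IdentityNowAuditEvents -since '2019-09-30T12:30:50.450Z' -searchLimit 2501
 
.EXAMPLE
    Search-IdentityNowAuditEvents -days 1
    Search-IdentityNowAuditEvents -days 1 -searchLimit 5000
    Search-IdentityNowAuditEvents -days 1 -action 'AUTHENTICATION-103'
 
.EXAMPLE
    Search-IdentityNowAuditEvents -type AUTH
    Search-IdentityNowAuditEvents -type AUTH -days 1
    Search-IdentityNowAuditEvents -type AUTH -days 1 -searchLimit 5000
    Search-IdentityNowAuditEvents -type AUTH -days 1 -action 'AUTHENTICATION-103'
 
.EXAMPLE
    Search-IdentityNowAuditEvents -user 'customer_admin'
    Search-IdentityNowAuditEvents -user 'customer_admin' -searchLimit 10
    Search-IdentityNowAuditEvents -user 'customer_admin' -since '2019-10-30T12:30:50.450Z'
    Search-IdentityNowAuditEvents -user 'customer_admin' -days 1
    Search-IdentityNowAuditEvents -user 'customer_admin' -days 1 -searchLimit 2510
    Search-IdentityNowAuditEvents -user 'customer_admin' -action 'AUTHENTICATION-103'
    Search-IdentityNowAuditEvents -user 'customer_admin' -type 'AUTH'
    Search-IdentityNowAuditEvents -user 'customer_admin' -days 1 -type 'AUTH' -action 'AUTHENTICATION-103' -searchLimit 50
    Search-IdentityNowAuditEvents -user 'customer_admin' -since '2019-10-30T12:30:50.450Z' -type 'AUTH' -action 'AUTHENTICATION-103'
 
.EXAMPLE
    Search-IdentityNowAuditEvents -application 'Workday (Dev)'
    Search-IdentityNowAuditEvents -application 'Workday (Dev)' -days 2
    Search-IdentityNowAuditEvents -application 'Workday (Dev)' -action 'SOURCE_ACCOUNT_AGGREGATION'
    Search-IdentityNowAuditEvents -application 'Workday (Dev)' -action 'SOURCE_ACCOUNT_AGGREGATION' -days 2
    Search-IdentityNowAuditEvents -application 'Workday (Dev)' -type 'PROVISIONING'
 
.EXAMPLE
    Search-IdentityNowAuditEvents -application 'Workday (Dev)' -since '2019-10-30T12:30:50.450Z'
    Search-IdentityNowAuditEvents -application 'Workday (Dev)' -since '2019-10-30T12:30:50.450Z' -action 'SOURCE_ACCOUNT_AGGREGATION'
    Search-IdentityNowAuditEvents -application 'Workday (Dev)' -since '2019-10-30T12:30:50.450Z' -action 'SOURCE_ACCOUNT_AGGREGATION' -type 'PROVISIONING'
 
.LINK
    http://darrenjrobinson.com/sailpoint-identitynow
 
#>


    [cmdletbinding()]
    param(
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        # NOTE: the previous list had two entries accidentally fused with a comma
        # ("APP_DELETE,APP_EXPORT" and "SOURCE_ACCOUNTS_EXPORT,SOURCE_ACTIVITY_EXPORT"),
        # which made APP_DELETE, APP_EXPORT and SOURCE_ACTIVITY_EXPORT unselectable.
        [ValidateSet("AddEntitlement", "AddEntitlementFailure", "APP_LAUNCH_SAML", "APP_ADD", "APP_CREATE", "APP_DELETE", "APP_EXPORT", "APP_IMPORT", "APP_PURGED", "APP_REMOVE", "APP_UPDATE", "AUTHENTICATION-103", "AUTHENTICATION-201", "AUTHENTICATION-240", "AUTHENTICATION-241", "AUTHENTICATION-243", "AUTHENTICATION-245", "AUTHENTICATION-247", "AUTHENTICATION-303", "CampaignFilterCreate", "certificationsPhased", "CLIENT_MANUAL_VA_JOB", "CLIENT_REQUEST_CREDENTIALS", "CLIENT_TOKEN_ISSUE", "CREATE_ACCESS_PROFILE", "create", "CreateAccount", "CreateAccountFailure", "delete", "DELETE_ACCESS_PROFILE", "DisableAccount", "DisableAccountFailure", "emailSent", "EnableAccount", "EnableAccountFailure", "IDENTITY_PROFILE_CREATE", "IDENTITY_PROFILE_DELETE", "IDENTITY_PROFILE_REFRESH", "IDENTITY_PROFILE_UPDATE", "IdentityStateChange", "ModifyAccount", "ModifyAccountFailure", "PasswordChange", "PasswordChangeSuccess", "reassign", "remediate", "RemoveEntitlement", "RequestApp", "RequestAppFailure", "SAML_FORCE_AUTHN", "SAML2-36", "SAML2-37", "SAML2-149", "SAML2-156", "SESSION-1", "SESSION-2", "SESSION-3", "SESSION-4", "SESSION-6", "SetEntitlement", "signoff", "SOURCE_ACCOUNT_AGGREGATION", "SOURCE_ACCOUNTS_EXPORT", "SOURCE_ENTITLEMENT_AGGREGATION", "SOURCE_ACTIVITY_EXPORT", "SOURCE_EXTERNAL_PASSWORD_CHANGE", "SOURCE_EXTERNAL_PASSWORD_CHANGE_ACTIVITY_EXPORT", "SOURCE_RESET", "SOURCE_UPDATE", "taskResultsPruned", "update", "USER_ACTIVATE", "USER_ACTIVITY_EXPORT", "USER_CERT_ADMIN_GRANT", "USER_DELETE", "USER_HELPDESK_GRANT", "USER_INVITE", "USER_KBA_ANSWERS", "USER_KBA_ANSWER_UPDATE", "USER_PASSWORD_UPDATE", "USER_PASSWORD_UPDATE_PASSED", "USER_REGISTRATION", "USER_REGISTRATION_LINK", "USER_STEP_UP_AUTH", "USER_STEP_UP_AUTH_FAILURE")]
        [string]$action,
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [ValidateSet("AUTH", "SSO", "PROVISIONING", "PASSWORD_CHANGE", "SOURCE")]
        [string]$type,
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [string]$user,
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [string]$application,
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [ValidateRange(1, 365)]
        [int]$days,
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        [string]$since,
        [Parameter(Mandatory = $false, ValueFromPipeline = $true)]
        # A limit of 0 or less would previously be sent to the API as "limit=0".
        [ValidateRange(1, [int]::MaxValue)]
        [int]$searchLimit = 2500
    )

    # v2 Auth (HTTP Basic). The SecureString is decrypted into an unmanaged BSTR
    # only for as long as it takes to build the header; the BSTR is zeroed and
    # freed in the finally block (the previous version never released it).
    $bstr = [IntPtr]::Zero
    try {
        $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($IdentityNowConfiguration.v2.Password)
        $clientSecretv2 = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
        $authBytes = [System.Text.Encoding]::UTF8.GetBytes("$($IdentityNowConfiguration.v2.UserName):$($clientSecretv2)")
        $encodedAuth = [Convert]::ToBase64String($authBytes)
    }
    finally {
        if ($bstr -ne [IntPtr]::Zero) {
            [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
    }
    $Headersv2 = @{ Authorization = "Basic $($encodedAuth)"; "Content-Type" = "application/json" }

    # Build the filter part of the query string once. Every caller-supplied value
    # is percent-encoded so that characters such as '&', '+' or ' ' in a user name,
    # application name or ISO-8601 offset cannot alter or inject query parameters.
    # (Previously only -application was encoded, and one code path even sent it raw.)
    $baseUrl = "https://$($IdentityNowConfiguration.orgName).api.identitynow.com/v2/audit/auditEvents"
    $filters = @()
    if ($type) {
        $filters += "type=$([System.Uri]::EscapeDataString($type))"
    }
    if ($action) {
        $filters += "actn=$([System.Uri]::EscapeDataString($action))"
    }
    if ($user) {
        $filters += "user=$([System.Uri]::EscapeDataString($user))"
    }
    if ($application) {
        $filters += "application=$([System.Uri]::EscapeDataString($application))"
    }
    if ($since) {
        # The previous implementation never sent both; keep -since as the more
        # specific window and tell the caller that -days is being dropped.
        if ($days) {
            Write-Warning "Both -since and -days were supplied; -since takes precedence and -days is ignored."
        }
        $filters += "since=$([System.Uri]::EscapeDataString($since))"
    }
    elseif ($days) {
        $filters += "days=$($days)"
    }

    # Page through results. $pageSize is the largest 'limit' this module requests
    # per call; the loop stops when searchLimit is reached, the API returns no
    # items, or it returns fewer items than asked for (end of the result set).
    $pageSize = 2500
    $collected = @()
    $offset = 0
    try {
        while ($collected.Count -lt $searchLimit) {
            $limit = [Math]::Min($pageSize, $searchLimit - $collected.Count)
            $queryParts = @("limit=$($limit)") + $filters
            if ($offset -gt 0) {
                # First page is requested without 'start', matching the previous behaviour.
                $queryParts += "start=$($offset)"
            }
            $uri = "$($baseUrl)?$($queryParts -join '&')"
            Write-Verbose "GET $uri"

            $results = Invoke-RestMethod -Method Get -Uri $uri -Headers $Headersv2
            if ($null -eq $results -or $null -eq $results.items) {
                break
            }
            $page = @($results.items)
            if ($page.Count -eq 0) {
                break
            }

            $collected += $page
            $offset += $page.Count
            if ($page.Count -lt $limit) {
                break
            }
        }
        return $collected
    }
    catch {
        Write-Error "Audit Event(s) not found? Check search criteria. $($_)"
    }
}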