I have a script that grabs records from the Unified Audit log and finds when a file has its AIP Sensitivity Label Downgraded.
The returned object looks like this:
```
RunspaceId   : 1ed71237-60d3-47d9-b7ee-b99bf5c01db2
RecordType   : AipSensitivityLabelAction
CreationDate : 11/04/2022 14:30:39
UserIds      : firstname.surname@keyman .com
Operations   : SensitivityLabelUpdated
AuditData    : {"SensitiveInfoTypeData":[],"ProtectionEventData":{"IsProtected":false,"IsProtectedBefore":false},"Common":{"ApplicationId":"c00e9d32-3c8d-4a7d-832b-029040e7db99","ApplicationName":"Microsoft Azure Information Protection Word Add-In","ProcessName":"WINWORD","Platform":1,"DeviceName":"D99999999.domain.com","Location":"On-premises file shares","ProductVersion":"2.13.49.0"},"DataState":"Use","SensitivityLabelEventData":{"SensitivityLabelId":"9999999-d514-4220-b58f-525b27a4a097","OldSensitivityLabelId":"9999999-0f6f-492f-b899-82535fbd2b4b","LabelEventType":2,"ActionSource":3,"JustificationText":"Previous label was incorrect"},"ObjectId":"C:\Users\userid\folder\Public Word file - Copy.docx","UserId":"firstname.lastname@keyman .com","ClientIP":"999.99.999.99","Id":"99999999-9d93-9d22-9fcd-886ef6f92a6b","RecordType":94,"CreationTime":"2022-04-11T14:30:39","Operation":"SensitivityLabelUpdated","OrganizationId":"99999999-2b82-4a00-bcdb-f1f6782a0f6e","UserType":0,"UserKey":"firstname.lastname@keyman .com","Workload":"Aip","Version":1,"Scope":1}
ResultIndex  : 1
ResultCount  : 23
Identity     : a64b14e5-9d93-9d22-9fcd-886ef6f92a6b
IsValid      : True
ObjectState  : Unchanged
```
I want to report on the audit data. Currently I am reading values by splitting on the comma separator and discarding the braces, like this:
```powershell
# **** initialize and parse the logs ****
# $logs    : the records returned by Search-UnifiedAuditLog (retrieval not shown)
# $details : the AuditData keys to keep; defined earlier in the script, the
#            value below is an assumed example using keys from the record above
$details = @('UserId', 'ObjectId', 'OldSensitivityLabelId', 'SensitivityLabelId', 'JustificationText')
$out = @{}
$ii = 0
foreach ($log in $logs) {
    # split on commas, ignoring any inside double quotes (in case used in justification text)
    $audit = $log.AuditData -split ',(?=(?:[^"]|"[^"]*")*$)'
    #$audit = $audit.replace('"','')
    $audit = $audit.replace('{', '')
    $audit = $audit.replace('}', '')
    $detail = @{}
    foreach ($row in $audit) {
        # split each row on colons outside double quotes (keeps "C:\..." and the timestamp intact)
        $temp = $row -split ':(?=(?:[^"]|"[^"]*")*$)'
        if ($temp.Count -eq 2) {
            # plain "key":value row
            $tempclean = $temp[0].replace('"', '')
            if ($tempclean -in $details) {
                $detail.Add($tempclean, $temp[1])
            }
        } else {
            # brace stripping merged a nested object's first pair into this row,
            # e.g. "SensitivityLabelEventData":"SensitivityLabelId":"..." -> take the inner pair
            $tempclean = $temp[1].replace('"', '')
            if ($tempclean -in $details) {
                $detail.Add($tempclean, $temp[2])
            }
        }
    }
    $ii++
    $out.Add($ii, $detail)
}
```
Whilst it works OK, it feels pretty inefficient and doesn't manage nested braces very well.
Is there any easier way of taking the AuditData object and breaking into key value pairs?
When I pipe `$logs[0].AuditData | Get-Member` it returns `TypeName: System.String`, and `$logs[0].AuditData.GetType()` returns:

```
IsPublic IsSerial Name     BaseType
-------- -------- ----     --------
True     True     String   System.Object
```
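Since AuditData is a plain string containing JSON, the easier way is to hand it to `ConvertFrom-Json` and read the nested objects as properties instead of splitting on commas and braces. The following is an added example, not the asker's script: it assumes `$logs` holds `Search-UnifiedAuditLog` records shaped like the one in the question, embeds one constructed record built from that record's AuditData so it runs offline, and adds a hypothetical helper `ConvertTo-FlatHashtable` for the case where you want every key, nested or not, as a flat key/value list. The backslashes in the embedded ObjectId are written JSON-escaped (`\\`), which is how they appear in the raw AuditData string.

```powershell
# Added example (not the asker's code): parse AuditData with ConvertFrom-Json.
# Assumes $logs holds Search-UnifiedAuditLog records; the record below is a
# constructed stand-in built from the AuditData shown in the question.

$sampleAuditData = @'
{"SensitiveInfoTypeData":[],"ProtectionEventData":{"IsProtected":false,"IsProtectedBefore":false},"Common":{"ApplicationId":"c00e9d32-3c8d-4a7d-832b-029040e7db99","ApplicationName":"Microsoft Azure Information Protection Word Add-In","ProcessName":"WINWORD","Platform":1,"DeviceName":"D99999999.domain.com","Location":"On-premises file shares","ProductVersion":"2.13.49.0"},"DataState":"Use","SensitivityLabelEventData":{"SensitivityLabelId":"9999999-d514-4220-b58f-525b27a4a097","OldSensitivityLabelId":"9999999-0f6f-492f-b899-82535fbd2b4b","LabelEventType":2,"ActionSource":3,"JustificationText":"Previous label was incorrect"},"ObjectId":"C:\\Users\\userid\\folder\\Public Word file - Copy.docx","UserId":"firstname.lastname@keyman .com","ClientIP":"999.99.999.99","Id":"99999999-9d93-9d22-9fcd-886ef6f92a6b","RecordType":94,"CreationTime":"2022-04-11T14:30:39","Operation":"SensitivityLabelUpdated","OrganizationId":"99999999-2b82-4a00-bcdb-f1f6782a0f6e","UserType":0,"UserKey":"firstname.lastname@keyman .com","Workload":"Aip","Version":1,"Scope":1}
'@

# Constructed stand-in for one Search-UnifiedAuditLog result object
$logs = @(
    [pscustomobject]@{
        RecordType   = 'AipSensitivityLabelAction'
        CreationDate = [datetime]'2022-04-11T14:30:39'
        Operations   = 'SensitivityLabelUpdated'
        AuditData    = $sampleAuditData
    }
)

# Hypothetical helper: recursively flatten a parsed JSON object into an
# ordered key/value list, joining nested names with dots (Common.DeviceName, ...).
function ConvertTo-FlatHashtable {
    param(
        [Parameter(Mandatory)] $InputObject,
        [string] $Prefix = ''
    )
    $flat = [ordered]@{}
    foreach ($prop in $InputObject.PSObject.Properties) {
        $name = if ($Prefix) { "$Prefix.$($prop.Name)" } else { $prop.Name }
        if ($prop.Value -is [System.Management.Automation.PSCustomObject]) {
            # nested object such as SensitivityLabelEventData: recurse and merge
            $nested = ConvertTo-FlatHashtable -InputObject $prop.Value -Prefix $name
            foreach ($key in $nested.Keys) { $flat[$key] = $nested[$key] }
        } else {
            $flat[$name] = $prop.Value
        }
    }
    return $flat
}

# Report the fields that matter for reviewing a label change; nested values
# are reached with ordinary property access, no string splitting needed.
$report = foreach ($log in $logs) {
    $data = $log.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        CreationTime  = $data.CreationTime
        User          = $data.UserId
        File          = $data.ObjectId
        Device        = $data.Common.DeviceName
        Application   = $data.Common.ApplicationName
        ClientIP      = $data.ClientIP
        OldLabelId    = $data.SensitivityLabelEventData.OldSensitivityLabelId
        NewLabelId    = $data.SensitivityLabelEventData.SensitivityLabelId
        Justification = $data.SensitivityLabelEventData.JustificationText
    }
}
$report | Format-Table -AutoSize

# Every key/value pair, nested ones included, as one flat table
ConvertTo-FlatHashtable -InputObject ($logs[0].AuditData | ConvertFrom-Json)
```

`ConvertFrom-Json` handles the quoted commas and colons that the regex splits were working around, and nested objects become properties rather than merged rows, so `$data.SensitivityLabelEventData.OldSensitivityLabelId` is all that is needed to compare old and new labels. If a real record fails to parse, the AuditData string is not valid JSON and the error message is more useful than silently dropped fields. The label ids are GUIDs; resolving them to display names is a separate lookup (for example against `Get-Label` output) that the example leaves out.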