microsoftgraph / msgraph-sdk-powershell

Powershell SDK for Microsoft Graph
https://www.powershellgallery.com/packages/Microsoft.Graph

Get-MgBetaSecurityAuditLogQueryRecord not working : JSON closing } error #2855

Open EmilienCourt opened 1 month ago

EmilienCourt commented 1 month ago

Describe the bug

Hi,

Please note that this is the same issue as https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/2677 (and https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/2689), which was closed as completed due to author inactivity.

The bug arises when using Get-MgBetaSecurityAuditLogQueryRecord on a production tenant: some of the events in the Purview backend were apparently not ingested correctly, resulting in a bug, preventing the use of that cmdlet.

When this bug arises, it crashes the Purview Web console, the Graph API, the PowerShell SDK, etc.

Expected behavior

How to reproduce

SDK Version

2.20.0

Latest version known to work for scenario above?

None

Known Workarounds

None

Debug output

First example:

Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId $auditLogQueryId -Debug -Verbose
DEBUG: [CmdletBeginProcessing]: - Get-MgBetaSecurityAuditLogQueryRecord begin processing with parameterSet 'List'.
DEBUG: [Authentication]: - AuthType: 'AppOnly', TokenCredentialType: 'ClientCertificate', ContextScope: 'Process', AppName: '<REDACTED>'.
DEBUG: [Authentication]: - Scopes: [AuditLogsQuery.Read.All, AuditLog.Read.All].
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://graph.microsoft.com/beta/security/auditLog/queries/<REDACTED>/records

Headers:
FeatureFlag                   : 00000043
Cache-Control                 : no-store, no-cache
User-Agent                    : Mozilla/5.0,(Linux; Ubuntu 22.04.4 LTS; en-US),PowerShell/7.4.2
Accept-Encoding               : gzip
SdkVersion                    : graph-powershell-beta/2.19.0
client-request-id             : <REDACTED>

Body:

DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Vary                          : Accept-Encoding
Strict-Transport-Security     : max-age=31536000
request-id                    : <REDACTED>
client-request-id             : <REDACTED>
x-ms-ags-diagnostic           : <REDACTED>
odata-version                 : 4.0
Date                          : Mon, 01 Jul 2024 12:18:27 GM

Body:
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#security/auditLog/queries('<REDACTED>')/records",
  "@odata.count": 150,
  "@odata.nextLink": "https://graph.microsoft.com/beta/security/auditLog/queries/<REDACTED>/records?$skiptoken=<REDACTED>",
  "value": [
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {<REDACTED>},
    {
      "id": "<REDACTED>",
      "createdDateTime": "2024-07-01T11:47:43Z",
      "auditLogRecordType": "Yammer",
      "operation": "FileVisited",
      "organizationId": "<REDACTED>",
      "userType": "Regular",
      "userId": "<REDACTED>",
      "service": "Yammer",
      "objectId": "<REDACTED>",
      "userPrincipalName": "<REDACTED>",
      "clientIp": null,
      "administrativeUnits":[""]{"error":{"code":"UnknownError","message":"Unexpected Jsontoken. Check response for property value[12].auditData.FileId","innerError":{"date":"2024-07-01T12:18:28","request-id":"<REDACTED>","client-request-id":"<REDACTED>"}}}

DEBUG: [CmdletException]: Received exception with message 'ParserException - Expected String while reading Expected field name). Was LeftBrace: {. :    at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadObject()
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadArray()
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadObject()
   at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonNode.Parse(SourceReader sourceReader)
   at Microsoft.Graph.Beta.PowerShell.Security.<>c.<SecurityAuditLogQueryListRecord_Call>b__375_0(Task`1 body)
   at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
   at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
   at Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List.on2Xx(HttpResponseMessage responseMessage, Task`1 response)
   at Microsoft.Graph.Beta.PowerShell.Security.SecurityAuditLogQueryListRecord_Call(HttpRequestMessage request, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Graph.Beta.PowerShell.Security.SecurityAuditLogQueryListRecord_Call(HttpRequestMessage request, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Graph.Beta.PowerShell.Security.SecurityAuditLogQueryListRecord(String auditLogQueryId, Nullable`1 Top, Nullable`1 Skip, String Search, String Filter, Nullable`1 Count, String[] Orderby, String[] Select, String[] Expand, IDictionary headers, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
   at Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List.ProcessRecordAsync()'
Get-MgBetaSecurityAuditLogQueryRecord_List: Expected String while reading Expected field name). Was LeftBrace: {.
DEBUG: [CmdletEndProcessing]: - Get-MgBetaSecurityAuditLogQueryRecord end processing.

Second example:

{
  "id": "<REDACTED>",
  "createdDateTime": "2024-06-24T18:19:56Z",
  "auditLogRecordType": "SharePointFileOperation",
  "operation": "FileDownloaded",
  "organizationId": "<REDACTED>",
  "userType": "Regular",
  "userId": "<REDACTED>",
  "service": "OneDrive",
  "objectId": "<REDACTED>",
  "userPrincipalName": "<REDACTED>",
  "clientIp": null,
  "administrativeUnits": [""]{"error":{"code":"UnknownError","message":"Unexpected Jsontoken. Check response for property value[19].auditData.FileSizeBytes","innerError":{"date":"2024-07-04T08:47:09","request-id":"<REDACTED>","client-request-id":"<REDACTED>"}}}

Configuration

No response

Other information

No response
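
Both response bodies above have the same shape: a 200 OK whose `value` array stops partway through a record, with an `{"error": ...}` object written where the record should continue. As an added example (not part of the original issue or of the SDK), this Python function salvages the complete records that precede the break and extracts the embedded error; it assumes the raw body has already been captured as text, and `salvage_records` and `SAMPLE_BODY` are hypothetical names with constructed data.

```python
import json
import re

_DECODER = json.JSONDecoder()
_FAILED_AT = re.compile(r"value\[(\d+)\]\.([\w.]+)")

# Constructed sample (not real tenant data), shaped like the bodies in the issue.
SAMPLE_BODY = """{
  "@odata.count": 150,
  "value": [
    {"id": "rec-0", "operation": "FileVisited", "clientIp": null},
    {"id": "rec-1", "operation": "FileDownloaded", "clientIp": null},
    {
      "id": "rec-2",
      "operation": "FileVisited",
      "administrativeUnits":[""]{"error":{"code":"UnknownError","message":"Unexpected Jsontoken. Check response for property value[2].auditData.FileId","innerError":{"date":"2024-07-01T12:18:28"}}}"""


def salvage_records(body: str) -> dict:
    """Return the complete records plus the error embedded in a raw body."""
    start = re.search(r'"value"\s*:\s*\[', body)
    if start is None:
        raise ValueError('no "value" array in body')
    pos, records, complete = start.end(), [], False
    while True:
        # raw_decode() does not skip whitespace or commas, so step over them.
        while pos < len(body) and body[pos] in " \t\r\n,":
            pos += 1
        if pos < len(body) and body[pos] == "]":
            complete = True  # array closed normally: nothing to salvage
            break
        try:
            record, pos = _DECODER.raw_decode(body, pos)
        except json.JSONDecodeError:
            break  # the record the service could not serialize starts here
        records.append(record)
    error = index = prop = None
    marker = -1 if complete else body.find('{"error"', pos)
    if marker != -1:
        try:
            error = _DECODER.raw_decode(body, marker)[0].get("error")
        except json.JSONDecodeError:
            pass
    if isinstance(error, dict):
        hit = _FAILED_AT.search(str(error.get("message", "")))
        if hit:
            index, prop = int(hit.group(1)), hit.group(2)
    return {"records": records, "complete": complete, "error": error,
            "failed_index": index, "failed_property": prop}
```

On the first body in the issue, `failed_index` would be 12, which matches the twelve complete records that precede the broken one, so comparing it with `len(records)` is a quick check that nothing was lost before the break.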

JoeyInvictus commented 1 month ago

Hi, I am having the same issues. I tried using the following two methods, but both result in similar errors:

$apiUrl = "https://graph.microsoft.com/beta/security/auditLog/queries/$scanId/records"
$response = Invoke-MgGraphRequest -Method Get -Uri $apiUrl -ContentType 'application/json'
$response.value | ConvertTo-Json -Depth 100 | Out-File -FilePath $filePath -Append

And using the same method you are using: Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId $auditLogQueryId