msgraph-sdk-powershell
Get-MgBetaSecurityAuditLogQueryRecord not working : JSON closing } error
Describe the bug
Hi,
Please note that this is the same issue as https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/2677 (and https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/2689), which was closed as completed due to author inactivity.
The bug arises when using Get-MgBetaSecurityAuditLogQueryRecord on a production tenant: some of the events in the Purview backend were apparently not ingested correctly, resulting in a bug, preventing the use of that cmdlet.
When this bug arises, it crashes the Purview Web console, the Graph API, the PowerShell SDK, etc.
Expected behavior
- The underlying Graph API should be fixed
- The cmdlet should account for the Graph API error in the meantime
- The -Skip parameter, which could help in working around that bug, should be implemented
How to reproduce
- Create a big Purview request on a production tenant
- Try to get the results using Get-MgBetaSecurityAuditLogQueryRecord
SDK Version
2.20.0
Latest version known to work for scenario above?
None
Known Workarounds
None
Debug output
First example :
Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId $auditLogQueryId -Debug -Verbose
DEBUG: [CmdletBeginProcessing]: - Get-MgBetaSecurityAuditLogQueryRecord begin processing with parameterSet 'List'.
DEBUG: [Authentication]: - AuthType: 'AppOnly', TokenCredentialType: 'ClientCertificate', ContextScope: 'Process', AppName: '<REDACTED>'.
DEBUG: [Authentication]: - Scopes: [AuditLogsQuery.Read.All, AuditLog.Read.All].
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://graph.microsoft.com/beta/security/auditLog/queries/<REDACTED>/records
Headers:
FeatureFlag : 00000043
Cache-Control : no-store, no-cache
User-Agent : Mozilla/5.0,(Linux; Ubuntu 22.04.4 LTS; en-US),PowerShell/7.4.2
Accept-Encoding : gzip
SdkVersion : graph-powershell-beta/2.19.0
client-request-id : <REDACTED>
Body:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Cache-Control : no-cache
Vary : Accept-Encoding
Strict-Transport-Security : max-age=31536000
request-id : <REDACTED>
client-request-id : <REDACTED>
x-ms-ags-diagnostic : <REDACTED>
odata-version : 4.0
Date : Mon, 01 Jul 2024 12:18:27 GM
Body:
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#security/auditLog/queries('<REDACTED>')/records",
"@odata.count": 150,
"@odata.nextLink": "https://graph.microsoft.com/beta/security/auditLog/queries/<REDACTED>/records?$skiptoken=<REDACTED>",
"value": [
{<REDACTED>},
{<REDACTED>},
{<REDACTED>},
{<REDACTED>},
{<REDACTED>},
{<REDACTED>},
{<REDACTED>},
{<REDACTED>},
{<REDACTED>},
{<REDACTED>},
{<REDACTED>},
{<REDACTED>},
{
"id": "<REDACTED>",
"createdDateTime": "2024-07-01T11:47:43Z",
"auditLogRecordType": "Yammer",
"operation": "FileVisited",
"organizationId": "<REDACTED>",
"userType": "Regular",
"userId": "<REDACTED>",
"service": "Yammer",
"objectId": "<REDACTED>",
"userPrincipalName": "<REDACTED>",
"clientIp": null,
"administrativeUnits":[""]{"error":{"code":"UnknownError","message":"Unexpected Jsontoken. Check response for property value[12].auditData.FileId","innerError":{"date":"2024-07-01T12:18:28","request-id":"<REDACTED>","client-request-id":"<REDACTED>"}}}
DEBUG: [CmdletException]: Received exception with message 'ParserException - Expected String while reading Expected field name). Was LeftBrace: {. : at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadObject()
at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadArray()
at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonParser.ReadObject()
at Microsoft.Graph.Beta.PowerShell.Runtime.Json.JsonNode.Parse(SourceReader sourceReader)
at Microsoft.Graph.Beta.PowerShell.Security.<>c.<SecurityAuditLogQueryListRecord_Call>b__375_0(Task`1 body)
at System.Threading.Tasks.ContinuationResultTaskFromResultTask`2.InnerInvoke()
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
--- End of stack trace from previous location ---
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.Tasks.Task.ExecuteWithThreadLocal(Task& currentTaskSlot, Thread threadPoolThread)
--- End of stack trace from previous location ---
at Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List.on2Xx(HttpResponseMessage responseMessage, Task`1 response)
at Microsoft.Graph.Beta.PowerShell.Security.SecurityAuditLogQueryListRecord_Call(HttpRequestMessage request, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
at Microsoft.Graph.Beta.PowerShell.Security.SecurityAuditLogQueryListRecord_Call(HttpRequestMessage request, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
at Microsoft.Graph.Beta.PowerShell.Security.SecurityAuditLogQueryListRecord(String auditLogQueryId, Nullable`1 Top, Nullable`1 Skip, String Search, String Filter, Nullable`1 Count, String[] Orderby, String[] Select, String[] Expand, IDictionary headers, Func`3 on2Xx, Func`3 onDefault, IEventListener eventListener, ISendAsync sender)
at Microsoft.Graph.Beta.PowerShell.Cmdlets.GetMgBetaSecurityAuditLogQueryRecord_List.ProcessRecordAsync()'
Get-MgBetaSecurityAuditLogQueryRecord_List: Expected String while reading Expected field name). Was LeftBrace: {.
DEBUG: [CmdletEndProcessing]: - Get-MgBetaSecurityAuditLogQueryRecord end processing.
Second example :
{
"id": "<REDACTED>",
"createdDateTime": "2024-06-24T18:19:56Z",
"auditLogRecordType": "SharePointFileOperation",
"operation": "FileDownloaded",
"organizationId": "<REDACTED>",
"userType": "Regular",
"userId": "<REDACTED>",
"service": "OneDrive",
"objectId": "<REDACTED>",
"userPrincipalName": "<REDACTED>",
"clientIp": null,
"administrativeUnits": [""]{"error":{"code":"UnknownError","message":"Unexpected Jsontoken. Check response for property value[19].auditData.FileSizeBytes","innerError":{"date":"2024-07-04T08:47:09","request-id":"<REDACTED>","client-request-id":"<REDACTED>"}}}
Configuration
No response
Other information
No response
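An added triage sketch (not part of the original report and not SDK code): given a raw response body already captured in the shape shown in the debug output above, it separates the appended error object from the cut-off payload, reads the failing `value[N]` index from the error message, and recovers the records that were complete, so the gap in the audit export can be recorded. The function name `Read-TruncatedAuditBody` and the sample body are hypothetical and constructed for illustration.

```powershell
# Added example; Read-TruncatedAuditBody and $sample are hypothetical names.
function Read-TruncatedAuditBody {
    param([Parameter(Mandatory)][string]$Body)
    # A body that parses cleanly needs no salvage.
    try {
        $ok = $Body | ConvertFrom-Json -ErrorAction Stop
        return [pscustomobject]@{ Truncated = $false; ErrorCode = $null
                                  FailedIndex = $null; Records = @($ok.value) }
    } catch { }
    # Split off the error object the service appended to the cut-off payload.
    $graphError = $null; $failedIndex = $null; $payload = $Body
    $errAt = $Body.LastIndexOf('{"error":')
    if ($errAt -ge 0) {
        $payload = $Body.Substring(0, $errAt)
        $graphError = ($Body.Substring($errAt) | ConvertFrom-Json).error
        if ($graphError.message -match 'value\[(\d+)\]') { $failedIndex = [int]$Matches[1] }
    }
    # Walk the "value" array, keeping only objects whose braces close.
    $records = [System.Collections.Generic.List[object]]::new()
    $m = [regex]::Match($payload, '"value"\s*:\s*\[')
    $depth = 0; $inString = $false; $escaped = $false; $start = -1
    for ($i = $m.Index + $m.Length; $m.Success -and $i -lt $payload.Length; $i++) {
        $c = $payload[$i]
        if ($inString) {
            if ($escaped) { $escaped = $false }
            elseif ($c -eq '\') { $escaped = $true }
            elseif ($c -eq '"') { $inString = $false }
        }
        elseif ($c -eq '"') { $inString = $true }
        elseif ($c -eq '{') { if ($depth -eq 0) { $start = $i }; $depth++ }
        elseif ($c -eq '}') {
            $depth--
            if ($depth -eq 0) {
                $records.Add(($payload.Substring($start, $i - $start + 1) | ConvertFrom-Json))
            }
        }
        elseif ($c -eq ']' -and $depth -eq 0) { break }
    }
    [pscustomobject]@{ Truncated = $true; ErrorCode = $graphError.code
                       FailedIndex = $failedIndex; Records = $records }
}
# Constructed sample shaped like the failing responses in this issue.
$sample = @'
{"@odata.count": 3, "value": [
  {"id": "rec-0", "operation": "FileVisited"},
  {"id": "rec-1", "operation": "FileDownloaded"},
  {"id": "rec-2", "administrativeUnits":[""]{"error":{"code":"UnknownError","message":"Unexpected Jsontoken. Check response for property value[2].auditData.FileId"}}}
'@
Read-TruncatedAuditBody -Body $sample | Format-List Truncated, ErrorCode, FailedIndex, Records
```

Records at and after `FailedIndex` are absent from the result, so an export built this way should log that index alongside the query ID as a known gap.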
Hi, I am having the same issues. I tried using the following two methods, but both result in similar errors:
$apiUrl = "https://graph.microsoft.com/beta/security/auditLog/queries/$scanId/records"
$response = Invoke-MgGraphRequest -Method Get -Uri $apiUrl -ContentType 'application/json'
$response.value | ConvertTo-Json -Depth 100 | Out-File -FilePath $filePath -Append
And using the same method you are using: Get-MgBetaSecurityAuditLogQueryRecord -AuditLogQueryId $auditLogQueryId
Not sure what is going on with the Graph module, but it seems like they removed the Get-MgBetaSecurityAuditLogQuery command as well. The documentation gives a 404 error code:
https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.beta.security/get-mgbetasecurityauditlogquery?view=graph-powershell-beta
When looking at this documentation: https://learn.microsoft.com/en-us/graph/api/security-auditlogquery-get?view=graph-rest-beta&tabs=python
They removed the PowerShell example. When you check the Create AuditLogQuery, it's still there, and I can still start the scan with New-MgBetaSecurityAuditLogQuery. Wondering what is going on around the Graph UAL haha. Still waiting on my support ticket for almost 2 months as well...