From 2864416894c5d4c27112519efdec857dd7fc686b Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 8 Dec 2025 06:12:57 +0000 Subject: [PATCH 1/3] Initial plan From cdeefe914b62c2210034654dda91e205ae84dc5a Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 8 Dec 2025 06:16:10 +0000 Subject: [PATCH 2/3] Add Get-CIPPAlertCheckExtensionAlerts function Co-authored-by: Zacgoose <107489668+Zacgoose@users.noreply.github.com> --- .../Get-CIPPAlertCheckExtensionAlerts.ps1 | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 Modules/CIPPCore/Public/Alerts/Get-CIPPAlertCheckExtensionAlerts.ps1 diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertCheckExtensionAlerts.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertCheckExtensionAlerts.ps1 new file mode 100644 index 000000000000..8f4f6ab175d0 --- /dev/null +++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertCheckExtensionAlerts.ps1 @@ -0,0 +1,72 @@ +function Get-CIPPAlertCheckExtensionAlerts { + <# + .FUNCTIONALITY + Entrypoint + #> + [CmdletBinding()] + Param ( + [Parameter(Mandatory = $false)] + [Alias('input')] + $InputValue, + $TenantFilter + ) + + try { + # Default to 24 hours if no input value is provided + if ([int]$InputValue -gt 0) { + $IntervalHours = [int]$InputValue + } else { + $IntervalHours = 24 + } + + # Calculate the timestamp threshold + $ThresholdTime = (Get-Date).AddHours(-$IntervalHours) + + # Get the CheckExtensionAlerts table + $Table = Get-CIPPTable -tablename CheckExtensionAlerts + + # Query alerts for this tenant + $Filter = "PartitionKey eq 'CheckAlert' and tenantFilter eq '$TenantFilter'" + $AllAlerts = Get-CIPPAzDataTableEntity @Table -Filter $Filter + + if (!$AllAlerts) { + return + } + + # Filter alerts by timestamp - only include alerts within the interval + $RecentAlerts = $AllAlerts | Where-Object { + $_.Timestamp -gt $ThresholdTime + } + + if (!$RecentAlerts -or $RecentAlerts.Count -eq 0) { + return + } + + # Combine all recent alerts into a list + $AlertData = [System.Collections.Generic.List[PSCustomObject]]::new() + + foreach ($Alert in $RecentAlerts) { + $AlertDetails = [PSCustomObject]@{ + Message = $Alert.message + Type = $Alert.type + Url = $Alert.url + Reason = $Alert.reason + Score = $Alert.score + Threshold = $Alert.threshold + PotentialUserName = $Alert.potentialUserName + PotentialUserDisplayName = $Alert.potentialUserDisplayName + ReportedByIP = $Alert.reportedByIP + Timestamp = $Alert.Timestamp + Tenant = $TenantFilter + } + $AlertData.Add($AlertDetails) + } + + # Write the combined alert trace + Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData + + } catch { + Write-Host "Error processing check extension alerts for $($TenantFilter): $($_.Exception.Message)" + return + } +} From d7f3272ba6601ddc1aa7296de7b41286d4cda046 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 8 Dec 2025 06:55:47 +0000 Subject: [PATCH 3/3] Replace Write-Host with proper logging and optimize table query with timestamp filter Co-authored-by: Zacgoose <107489668+Zacgoose@users.noreply.github.com> --- .../Get-CIPPAlertCheckExtensionAlerts.ps1 | 20 ++++++------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertCheckExtensionAlerts.ps1 b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertCheckExtensionAlerts.ps1 index 8f4f6ab175d0..fed9781bbde7 100644 --- a/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertCheckExtensionAlerts.ps1 +++ b/Modules/CIPPCore/Public/Alerts/Get-CIPPAlertCheckExtensionAlerts.ps1 @@ -20,23 +20,14 @@ function Get-CIPPAlertCheckExtensionAlerts { } # Calculate the timestamp threshold - $ThresholdTime = (Get-Date).AddHours(-$IntervalHours) + $ThresholdTime = (Get-Date).AddHours(-$IntervalHours).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ') # Get the CheckExtensionAlerts table $Table = Get-CIPPTable -tablename CheckExtensionAlerts - # Query alerts for this tenant - $Filter = "PartitionKey eq 'CheckAlert' and tenantFilter eq '$TenantFilter'" - $AllAlerts = Get-CIPPAzDataTableEntity @Table -Filter $Filter - - if (!$AllAlerts) { - return - } - - # Filter alerts by timestamp - only include alerts within the interval - $RecentAlerts = $AllAlerts | Where-Object { - $_.Timestamp -gt $ThresholdTime - } + # Query alerts for this tenant with timestamp filter for better performance + $Filter = "PartitionKey eq 'CheckAlert' and tenantFilter eq '$TenantFilter' and Timestamp ge datetime'$ThresholdTime'" + $RecentAlerts = Get-CIPPAzDataTableEntity @Table -Filter $Filter if (!$RecentAlerts -or $RecentAlerts.Count -eq 0) { return @@ -66,7 +57,8 @@ function Get-CIPPAlertCheckExtensionAlerts { Write-AlertTrace -cmdletName $MyInvocation.MyCommand -tenantFilter $TenantFilter -data $AlertData } catch { - Write-Host "Error processing check extension alerts for $($TenantFilter): $($_.Exception.Message)" + $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message + Write-LogMessage -message "Failed to process check extension alerts: $ErrorMessage" -API 'Check Extension Alerts' -tenant $TenantFilter -sev Error return } }