Search code examples
powershellloggingoffice365audit

PowerShell: ConvertFrom-Json to export multiple objects to csv

As you probably understand from the title, I'm new to PowerShell, having a hard time even trying to describe my question. So please forgive my terminology.

Scenario

I am using PowerShell to query the audit log of Office 365. The cmdlet Search-UnifiedAuditLog returns "multiple sets of objects"(?), one of which has an array of other objects(?). The output is JSON if I got this right.

Here is an example of what is returned (I will call it one "Set of Objects"):

RunspaceId   : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
RecordType   : AzureActiveDirectoryStsLogon
CreationDate : 21/02/2017 12:05:23
UserIds      : xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Operations   : UserLoggedIn
AuditData    : {"CreationTime":"2017-02-21T12:05:23","Id":"{"ID":"00000000000000000","Type":3}],"ActorContextId":"xxxxxxxxxxxxxxxxxxxxxxxxx","ActorIpAddress":"xxxxxxxxxxxxx","InterSystemsId":"xxxxxxxxxxxxxxxxx","IntraSystemId":"000000000000-000000-000","Target":[{"ID":"00-0000-0000-c000-000000000000","Type":0}],"TargetContextId":"xxxxxxxxxxxxxxxxxx","ApplicationId":"xxxxxxxxxxxxxxxxxxxxxxxxxx"}
ResultIndex  : 1
ResultCount  : 16
Identity     : xxxxxxxxxxxxxxxxxxxxxxxxxxx
IsValid      : True
ObjectState  : Unchanged

Now, I want some of the content of the AuditData line exported to a csv (normally containing much more data than copied here). This works fine for one "set of objects" (like the one above). To do this I use:

$LogOutput = Search-UnifiedAuditLog -StartDate 2/20/2017 -EndDate 2/23/2017 -ResultSize 1
$ConvertedOutput = ConvertFrom-Json -InputObject $LogOutput.AuditData
$ConvertedOutput | Select-Object CreationTime,UserId,ClientIP | Export-Csv -Path "C:\users\some.user\desktop\users.csv

ResultSize returns 1 instead of multiple "sets of objects". The ConvertFrom-Json does not work if I remove ResultSize.

So the question is:

Can I loop through all the "set of objects" and convert from json and have this exported line-by-line on a csv? Resulting in something like this:

UserId,Activity,UserIP
[email protected], loggedIn, 10.10.10.10
[email protected], accessedFile, 11.11.11.11

A pedagogic answer would be very, very much appreciated. Many thanks!

Solution

  • Instead of -ResultSize, try using Search-UnifiedAuditLog <args> | Select-Object -ExpandProperty AuditData | ConvertFrom-Json

    This will make only the AuditData property get forwarded into ConvertFrom-Json and ignore the rest of the object from Search-UnifiedAuditLog