
@neil-sabol
Created April 20, 2023 22:11
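function parse-m365-auditlogsearch-results {
    <#
    .SYNOPSIS
    Flattens the JSON held in the AuditData column of a Microsoft Purview
    audit log search export into a plain CSV file.

    .DESCRIPTION
    Reads the exported CSV, parses every non-blank AuditData cell as JSON,
    takes the union of the top-level property names across ALL records as the
    column set (sorted, de-duplicated), and appends a header line plus one
    line per record to the output file. A record that lacks a column gets an
    empty cell.

    .PARAMETER auditlogsearchresultfile
    Path to the CSV exported from the audit log search.

    .PARAMETER outputcsvfilepath
    Path of the CSV to write. Content is appended (Add-Content), so point this
    at a file that does not exist yet; otherwise a second header ends up in
    the middle of the file.

    .NOTES
    The output is unquoted CSV, so cell values are altered to keep one record
    per line: "," becomes "|" and CR/LF become a space. Keep the original
    export if the exact values matter as evidence.

    Cell values are otherwise written as found in the audit records. Audit
    records can carry strings chosen by the users and clients being audited,
    and a spreadsheet may evaluate a cell that starts with =, +, - or @ as a
    formula. Import the result as text, or review it with a tool that does
    not evaluate formulas.

    NOTE(review): nested objects and arrays are reduced with a [string] cast,
    as before; confirm that rendering is sufficient for the fields you need.
    #>
    Param (
        [Parameter(Mandatory=$true)]
        [string] $auditlogsearchresultfile = "",
        [Parameter(Mandatory=$true)]
        [string] $outputcsvfilepath = ""
    )

    # Import the Audit Log Search Result CSV file exported from Microsoft Purview
    $importedCSV = Import-Csv $auditlogsearchresultfile

    # Parse the nested JSON of each row; blank AuditData cells are skipped so
    # they neither raise binding errors nor produce empty records.
    $records = @(
        $importedCSV |
            ForEach-Object { $_.AuditData } |
            Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |
            ConvertFrom-Json
    )

    if ($records.Count -eq 0) {
        Write-Warning "No AuditData records found in '$auditlogsearchresultfile'; nothing written."
        return
    }

    # Collect the property names from every record. Get-Member reports members
    # only once per type name, so piping the whole set through it yields just
    # the first record's properties and silently drops columns that appear
    # only in later records (different workloads log different fields).
    $csvFields = @(
        $records |
            ForEach-Object { $_.PSObject.Properties | ForEach-Object { $_.Name } } |
            Sort-Object -Unique
    )

    # Build all lines in memory and write once, instead of reopening the
    # output file for every record.
    $lines = New-Object 'System.Collections.Generic.List[string]'
    $lines.Add(($csvFields -join ","))

    foreach ($entry in $records) {
        $cells = foreach ($field in $csvFields) {
            # Missing properties cast to an empty string. Commas and line
            # breaks would split the unquoted row, so they are substituted.
            ([string]$entry.$field).Replace(',', '|') -replace '\r\n|\r|\n', ' '
        }
        $lines.Add(($cells -join ","))
    }

    $lines | Add-Content -Path $outputcsvfilepath
}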