Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

improve performance of Defender query to count users without advanced auditing #1406

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

improve performance of Defender query to count users without advanced auditing #1406

wants to merge 1 commit into from

Conversation

tkol2022
Copy link
Collaborator

@tkol2022 tkol2022 commented Nov 6, 2024

🗣 Description

This PR fixes a bug in Defender that is observed in larger tenants. Defender runs a query via Get-MgBetaUser to get a count of users that do not have the advanced auditing feature assigned to them. Instead of just retrieving the count from the REST API, the current query downloads all the users that match the filter. If a tenant has thousands of users without advanced audit this can result in significant slowness. I added the Top = 1 parameter so that only a single record is returned and verified that the count still works. See the linked issue below for full details and screenshots.

Closes #1404

🧪 Testing

See the screenshots in the linked issue above for details on the before and after testing that I performed with the fix against a tenant with over 2,000 users.

✅ Pre-approval checklist

  • This PR has an informative and human-readable title.
  • PR targets the correct parent branch (e.g., main or release-name) for merge.
  • Changes are limited to a single goal - eschew scope creep!
  • Changes are sized such that they do not touch excessive number of files.
  • All future TODOs are captured in issues, which are referenced in code comments.
  • These code changes follow the ScubaGear content style guide.
  • Related issues these changes resolve are linked preferably via closing keywords.
  • All relevant type-of-change labels added.
  • All relevant project fields are set.
  • All relevant repo and/or project documentation updated to reflect these changes.
  • Unit tests added/updated to cover PowerShell and Rego changes.
  • Functional tests added/updated to cover PowerShell and Rego changes.
  • All relevant functional tests passed.
  • All automated checks (e.g., linting, static analysis, unit/smoke tests) passed.

✅ Pre-merge checklist

  • PR passed smoke test check.

  • Feature branch has been rebased against changes from parent branch, as needed

    Use Rebase branch button below or use this reference to rebase from the command line.

  • Resolved all merge conflicts on branch

  • Notified merge coordinator that PR is ready for merge via comment mention

✅ Post-merge checklist

  • Feature branch deleted after merge to clean up repository.
  • Verified that all checks pass on parent branch (e.g., main or release-name) after merge.

@tkol2022 tkol2022 linked an issue Nov 6, 2024 that may be closed by this pull request
Defender export provider inadvertently downloads user data when retrieving a count of users without advanced auditing #1404
Open
@tkol2022
Copy link
Collaborator Author

tkol2022 commented Nov 6, 2024

Testing Instructions for Reviewers

The goals of testing this PR are to ensure:

  • The new code produces an accurate count of users without advanced audit assigned.

  • The new code runs faster than the old code.

  • Test tenant 3 has been prepared with over 2,000 users to help create a "larger" tenant scenario and you should definitely test against it, but it would be good to test the code against some of the other tenants as well to ensure the count gets calculated as expected and tease out any nuances that would only be seen in other tenant types.

Install dependencies

Install the Powershell profiler module.
Install-Module Profiler

Take measurements using the main branch (status quo)

  1. Download the main branch
  2. Run the profiler against the main branch when running Defender
Import-Module -Name .\PowerShell\ScubaGear

$trace = trace-script -scriptblock { Invoke-SCuBA -ProductNames defender -CertificateThumbPrint "55fd41a761f434f12ee8ac3ff771347597435641" -AppID "ab791fde-1ff0-493f-be3d-03d9ba6cb091" -Organization "contoso.onmicrosoft.com" }

$trace.top50duration | fl | Out-File -FilePath .\MainBranchPerformance.txt
  1. Open the file MainBranchPerformance.txt and search for the profiler data for the Get-MgBetaUser cmdlet and jot down the value from the Duration field:

image

  1. Open the output file ScubaResults.json and search for the field total_users_without_advanced_audit. Jot down the value of the field.

image

Take measurements using the fix branch (associated with this PR)

  1. Download the fix branch
  2. Repeat the same steps that you performed against the main branch and take measurements using the fix branch code.

Validate that the fix works as expected

  1. Compare the execution times of the Get-MgBetaUser cmdlet between the main branch versus the fix branch. Ensure that the fix branch is faster. Note: a more pronounced difference in execution time will be observed when the tenant is larger.
  2. Compare the counts of the total_users_without_advanced_audit field in ScubaResults.json between the main branch versus the fix branch. They should be identical.

@tkol2022 tkol2022 self-assigned this Nov 6, 2024
@tkol2022 tkol2022 added the enhancement This issue or pull request will add new or improve existing functionality label Nov 6, 2024
@tkol2022 tkol2022 added this to the Kraken milestone Nov 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@schrolla schrolla Awaiting requested review from schrolla

@james-garriss james-garriss Awaiting requested review from james-garriss

At least 2 approving reviews are required to merge this pull request.

Assignees

@tkol2022 tkol2022

Labels
enhancement This issue or pull request will add new or improve existing functionality
Projects
None yet
Milestone
Kraken
1 participant
@tkol2022