Saturday, July 2, 2022

365-Extractor-Suite – A Set Of PowerShell Scripts That Allow For Complete And Reliable Acquisition Of The Microsoft 365 Unified Audit Log

This suite contains two different scripts that can be used to acquire the Microsoft 365 Unified Audit Log.
Read the accompanying blog post at https://invictus-ir.medium.com/introduction-of-the-microsoft-365-extractor-suite-b85e148d4bfe

  1. Microsoft365_Extractor, the original script. It stems from the Office 365 Extractor and offers all features and full customization. Choose this if you are unsure what to use.
  2. Microsoft365_Extractor_light, a lightweight version of the Microsoft365_Extractor that requires minimal configuration and grabs all available logging for the whole period.

Microsoft 365 Extractor

This script makes it possible to extract log data out of a Microsoft 365 environment. The script has four options, which allow the investigator to easily extract logging out of a Microsoft 365 environment.

  1. Show available log sources and amount of logging
  2. Extract all audit logging
  3. Extract group audit logging
  4. Extract specific audit logging (advanced mode)

Show available log sources and amount of logging

Pretty straightforward: a search is executed and the total number of logs within the set timeframe will be displayed and written to a CSV file called “Amount_Of_Audit_Logs.csv”. The file name is prefixed with a random number to prevent duplicates.

Extract all audit logs

This option will get all available audit logs within the set timeframe and write them out to a file called AuditRecords.CSV.

Extract group logging

Extract a group of logs. You can, for example, extract all Exchange or Azure logging in one go.

Extract specific audit logs

Use this option if you want to extract a subset of the audit logs. To configure which logs will be extracted, the tool needs to
be configured with the required Record Types. A full list of record types can be found at the bottom of this page.
The output files will be written to a directory called ‘Log_Directory’ and will be given the name of their record type, e.g. ExchangeItem_AuditRecords.csv.
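As an added example (not one of the suite's own scripts), the PowerShell fragment below shows the acquisition pattern the options above rely on: Search-UnifiedAuditLog from the ExchangeOnlineManagement module, paged with ReturnLargeSet for one RecordType and written to Log_Directory as RecordType_AuditRecords.csv. The 24-hour window size, the parameter defaults and the module name are my assumptions, not the project's configuration.

```powershell
# Added example, not code from the Extractor Suite. Assumes the ExchangeOnlineManagement
# module is installed and the account holds the View-Only Audit Logs or Audit Logs role.
# Dates use the yyyy-MM-dd format the scripts ask for; Search-UnifiedAuditLog treats them as UTC.
param(
    [string]$StartDate  = (Get-Date).AddDays(-90).ToString('yyyy-MM-dd'),  # 90-day default retention
    [string]$EndDate    = (Get-Date).ToString('yyyy-MM-dd'),
    [string]$RecordType = 'ExchangeItem',
    [string]$OutputDir  = (Join-Path (Get-Location) 'Log_Directory')
)

$culture = [cultureinfo]::InvariantCulture
$start   = [datetime]::ParseExact($StartDate, 'yyyy-MM-dd', $culture)
$end     = [datetime]::ParseExact($EndDate,   'yyyy-MM-dd', $culture)
# Catch the "StartDate is later than EndDate" error before any session is opened.
if ($start -ge $end) { throw "StartDate ($StartDate) must be earlier than EndDate ($EndDate)" }

Connect-ExchangeOnline -ShowBanner:$false
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
$outFile = Join-Path $OutputDir "${RecordType}_AuditRecords.csv"

# A single call returns at most 5000 records and a paging session at most 50000, so the
# range is walked in 24-hour windows (an assumed size) and each window is paged with
# ReturnLargeSet until the session is exhausted and returns an empty page.
$total = 0
for ($day = $start; $day -lt $end; $day = $day.AddDays(1)) {
    $windowEnd = if ($day.AddDays(1) -lt $end) { $day.AddDays(1) } else { $end }
    $sessionId = "$RecordType-$($day.ToString('yyyyMMdd'))-$([guid]::NewGuid())"
    do {
        $page = @(Search-UnifiedAuditLog -StartDate $day -EndDate $windowEnd -RecordType $RecordType `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
        if ($page.Count -gt 0) {
            # Keep the raw AuditData JSON; CreationDate is already UTC, as the FAQ notes.
            $page | Select-Object CreationDate, RecordType, Operations, UserIds, AuditData |
                Export-Csv -Path $outFile -NoTypeInformation -Append -Encoding UTF8
            $total += $page.Count
            if ($page[0].ResultCount -gt 50000) {
                Write-Warning "Window starting $day holds $($page[0].ResultCount) records; use a smaller window."
            }
        }
    } while ($page.Count -gt 0)
}

# Close the session explicitly so a later run does not hit the Import-PSSession proxy error.
Disconnect-ExchangeOnline -Confirm:$false
Write-Host "Wrote $total $RecordType records to $outFile"
```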

Prerequisites

– PowerShell
– Microsoft 365 account with privileges to access/extract audit logging
– An OS that supports PowerShell; with that you should be good. There are some issues with
PowerShell on macOS/Linux related to WinRM, so the best option is to use Windows.

Permissions

You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the Microsoft 365 audit log. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. To give a user the ability to search the Office 365 audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only Audit Logs or Audit Logs role, and then add the user as a member of the new role group. For more information, see Manage role groups in Exchange Online.
(https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance)

How to use Microsoft365_extractor

1. Download Microsoft365_Extractor.ps1
2. Open PowerShell, navigate to the script and run it, or right click on the script and press “Run with PowerShell”.
3. Select your preferred option.
4. The logs will be written to ‘Log_Directory’ in the folder where the script is located.

See example video:

How to use Microsoft365_extractor_light

1. Download Microsoft365_Extractor.ps1
2. Open PowerShell, navigate to the script and run it, or right click on the script and press “Run with PowerShell”.
3. Select StartDate, EndDate and Interval, or use the defaults, and the script will acquire all logs for the defined period.
4. The logs will be written to ‘Log_Directory’ in the folder where the script is located.

See example video:

Output

Amount_Of_Audit_Logs.csv:
Shows which logs are available and how many there are for each RecordType.
AuditLog.txt:
The AuditLog stores useful information for debugging.
AuditRecords.csv:
When all logs are extracted they will be written to this file.
[RecordType]__AuditRecords:
When extracting specific RecordTypes, logs are sorted by RecordType and written to a CSV file.
The name of this file is the RecordType + _AuditRecords.

Available RecordTypes

ExchangeAdmin
ExchangeItem
ExchangeItemGroup
SharePoint
SyntheticProbe
SharePointFileOperation
OneDrive
AzureActiveDirectory
AzureActiveDirectoryAccountLogon
DataCenterSecurityCmdlet
ComplianceDLPSharePoint
Sway
ComplianceDLPExchange
SharePointSharingOperation
AzureActiveDirectoryStsLogon
SkypeForBusinessPSTNUsage
SkypeForBusinessUsersBlocked
SecurityComplianceCenterEOPCmdlet
ExchangeAggregatedOperation
PowerBIAudit
CRM
Yammer
SkypeForBusinessCmdlets
Discovery
MicrosoftTeams
ThreatIntelligence
MailSubmission
MicrosoftFlow
AeD
MicrosoftStream
ComplianceDLPSharePointClassification
ThreatFinder
Project
SharePointListOperation
SharePointCommentOperation
DataGovernance
Kaizala
SecurityComplianceAlerts
ThreatIntelligenceUrl
SecurityComplianceInsights
MIPLabel
WorkplaceAnalytics
PowerAppsApp
PowerAppsPlan
ThreatIntelligenceAtpContent
TeamsHealthcare
ExchangeItemAggregated
HygieneEvent
DataInsightsRestApiAudit
InformationBarrierPolicyApplication
SharePointListItemOperation
SharePointContentTypeOperation
SharePointFieldOperation
MicrosoftTeamsAdmin
HRSignal
MicrosoftTeamsDevice
MicrosoftTeamsAnalytics
InformationWorkerProtection
Campaign
DLPEndpoint
AirInvestigation
Quarantine
MicrosoftForms
LabelContentExplorer
ApplicationAudit
ComplianceSupervisionExchange
CustomerKeyServiceEncryption
OfficeNative
MipAutoLabelSharePointItem
MipAutoLabelSharePointPolicyLocation
MicrosoftTeamsShifts
MipAutoLabelExchangeItem
CortanaBriefing
Search
WDATPAlerts
MDATPAudit
SensitivityLabelPolicyMatch
SensitivityLabelAction
SensitivityLabeledFileAction
AttackSim
AirManualInvestigation
SecurityComplianceRBAC
UserTraining
AirAdminActionInvestigation
MSTIC
PhysicalBadgingSignal
AipDiscover
AipSensitivityLabelAction
AipProtectionAction
AipFileDeleted
AipHeartBeat
MCASAlerts
OnPremisesFileShareScannerDlp
OnPremisesSharePointScannerDlp
ExchangeSearch
SharePointSearch
PrivacyInsights
MyAnalyticsSettings
SecurityComplianceUserChange
ComplianceDLPExchangeClassification
MipExactDataMatch
MS365DCustomDetection
CoreReportingSettings
ComplianceConnector
Source: https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype

Frequently Asked Questions

If I enable mailbox auditing now, can I see historical records?
No. Additionally, if you enable auditing now it can take up to 24 hours before events will be logged.

I logged into a mailbox with auditing turned on but I do not see my events?
It can take up to 24 hours before an event is stored in the UAL.

Which date format does the script accept as input?
The script will tell you what the correct date format is. For the Start and End date variables it will show between brackets what the format is (yyyy-MM-dd).

Do I need to configure the time period?
No. If you do not specify a time period the script will use the default. If you do not include a timestamp in the value for the StartDate or EndDate parameters, the default timestamp 12:00 AM (midnight) is used.

What about timestamps?
The audit logs are in UTC, and they will be exported as such.

What is the retention period?
Office 365 E3 – Audit records are retained for 90 days. This means you can search the audit log for activities that were performed within the last 90 days.

Office 365 E5 – Audit records are retained for 365 days (one year). This means you can search the audit log for activities that were performed within the last year. Retaining audit records for one year is also available for users that are assigned an E3/Exchange Online Plan 1 license and have an Office 365 Advanced Compliance add-on license.

What if I have E5 or another license that retains more than 90 days?
Just define a manual startdate instead of the ‘maximum’, because the variable maximum is set to 90 days, which is the default for almost everyone.

Can this script also acquire Message Trace Logs?
At the moment it cannot, but there are several open-source scripts available that can help you get the MTL. One example can be found here: https://gallery.technet.microsoft.com/scriptcenter/Export-Mail-logs-to-CSV-d5b6c2d6

Known errors

StartDate is later than EndDate
This error sometimes occurs on the final step of the script if you have not defined an endDate. Double-check that you have all the logs using Option 1. Alternative: define an endDate.

Import-PSSession : No command proxies have been created, because all of the requested remote….
This error is triggered when the script did not close correctly and an active session is still running in the background. The script tries to import/load all modules again, but this is not necessary since they are already loaded. This error message has no impact on the script and will be gone when the open session gets closed. This can be achieved by restarting the PowerShell window or entering the following command: Get-PSSession | Remove-PSSession

Audit logging is enabled in the Office 365 environment but no logs are being displayed?
The user must be assigned an Office 365 E5 license. Alternatively, users with an Office 365 E1 or E3 license can be assigned an Advanced eDiscovery standalone license. Administrators and compliance officers who are assigned to cases and use Advanced eDiscovery to analyze data do not need an E5 license.

Audit log search argument start date should be after
The start date should be earlier than the end date.

New-PSSession: [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message: Access is denied.
The username/password combination is incorrect or the user does not have sufficient privileges to extract the audit logging.

Invalid Argument “Cannot convert value” to type “System.Int32”
Safe to ignore; only observed with PowerShell on macOS. The script will work fine and continue.
