<#
Security & Compliance Center audit log helper, often used to analyze cases of user account theft. You can query all operation logs of users in Azure AD, Exchange Online, Teams, OneDrive and SharePoint, based on IP address and account.
Version 1.4
Added function MoreThan5000
Added option 5
Written by v-tolin@microsoft.com
Modified by v-tolin@microsoft.com on 11/4/2019 15:30
#>
# Script-level state. The export functions below take no parameters; they read
# these variables through PowerShell's dynamic scoping, so the names matter.
$CSV = ""          # export folder; when empty, results are written to the console instead
$results = ""      # last page returned by Search-UnifiedAuditLog
$StartDate = ""    # search window start, set by the menu options
$endDate = ""      # search window end, set by the menu options
$ObjectIds = ""    # optional target-object filter
$UserIds = ""      # optional acting-user filter
$recordTypes = @() # record types to search in this run

# Record types printed to the operator as the valid choices.
$showRecordTypes = @(
    "AeD",
    "AzureActiveDirectory",
    "AzureActiveDirectoryAccountLogon",
    "AzureActiveDirectoryStsLogon",
    "ComplianceDLPExchange",
    "ComplianceDLPSharePoint",
    "CRM",
    "DataCenterSecurityCmdlet",
    "Discovery",
    "ExchangeAdmin",
    "ExchangeAggregatedOperation",
    "ExchangeItem",
    "ExchangeItemGroup",
    "MicrosoftTeams",
    "OneDrive",
    "PowerBIAudit",
    "SecurityComplianceAlerts",
    "SecurityComplianceCenterEOPCmdlet",
    "SecurityComplianceInsights",
    "SharePoint",
    "SharePointFileOperation",
    "SharePointListOperation",
    "SharePointSharingOperation",
    "SkypeForBusinessCmdlets",
    "SkypeForBusinessPSTNUsage",
    "SkypeForBusinessUsersBlocked",
    "Sway",
    "ThreatIntelligence",
    "ThreatIntelligenceAtpContent",
    "ThreatIntelligenceUrl",
    "WorkplaceAnalytics",
    "Yammer"
)
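Function MoreThan5000()
{
    <#
    .SYNOPSIS
    Saves one follow-up page of audit results (anything after the first 5000 records).
    .DESCRIPTION
    Reads $results, $CSV, $recordtype and $runDate from the caller's scope.
    With an export folder set, the page is appended to "<recordtype><run stamp>.csv"
    in that folder; otherwise the records are written to the output stream.
    Does nothing when $results is empty.
    #>
    If ($results)
    {
        If (CSVorNot)
        {
            # $runDate is formatted with '/' and ':' (e.g. MM/dd/yyyy-hh:mm). Those are
            # not valid in a Windows file name, so the export would fail and the extra
            # pages would be lost. Replace them before building the path.
            $stamp = "$runDate" -replace '[\\/:*?"<>|]', '-'
            $pagePath = $CSV + "\$recordtype" + $stamp + ".csv"

            # Report the file that is actually written, not "<recordtype>.csv".
            Write-host ("There are more than 5000 records for " + $pagePath) -fore Green
            $results | Export-csv -path $pagePath -NoTypeInformation -append
        }
        else
        {
            Write-host ("There are more than 5000 records for " + $recordtype) -fore Green
            $results
        }
    }
}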
Function CSVorNot()
{
    # Reports whether an export folder was supplied: $true when $CSV (read from the
    # caller's scope) is non-empty, $false otherwise.
    return [bool]$CSV
}
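Function ExportReports()
{
    <#
    .SYNOPSIS
    Searches the unified audit log for every record type in $RecordTypes and exports each page.
    .DESCRIPTION
    Reads $RecordTypes, $ObjectIds, $UserIds, $StartDate, $endDate and $runDate from the
    caller's scope. The first page of each record type goes through ExportToCSV, every
    further page through MoreThan5000, until Search-UnifiedAuditLog returns nothing.
    #>
    Foreach ($RecordType in $RecordTypes)
    {
        # One parameter set, built once, replaces the four copies of the same call.
        $query = @{
            StartDate      = $StartDate
            EndDate        = $endDate
            SessionCommand = 'ReturnLargeSet'
            RecordType     = $RecordType
            ResultSize     = 5000
        }

        # SessionId ties repeated calls of the SAME query together for paging. The
        # original reused $runDate for every record type (and for any second run in the
        # same minute), so separate searches shared one session. Give each search its
        # own id. NOTE(review): confirm the paging behaviour against the tenant.
        $query.SessionId = "$runDate-$RecordType-$([guid]::NewGuid())"

        # Apply only the filters that were supplied. Testing for "any value" also covers
        # $null, which the original '-eq ""' comparison treated as "filter present" and
        # then fell through to an unfiltered search.
        If ($ObjectIds) { $query.ObjectIds = $ObjectIds }
        If ($UserIds) { $query.UserIds = $UserIds }

        $results = search-unifiedauditlog @query
        ExportToCSV

        # Keep pulling pages until the session is drained.
        while ($results)
        {
            $results = search-unifiedauditlog @query
            MoreThan5000
        }
    }
}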
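Function ExportToCSV()
{
    <#
    .SYNOPSIS
    Writes the current page of audit results to "<recordtype>.csv" or to the output stream.
    .DESCRIPTION
    Reads $results, $CSV and $recordtype from the caller's scope. Prints a notice when
    the page is empty. The exported rows are audit data (accounts, IP addresses,
    operations), so the export folder should be readable only by the investigators.
    #>
    If (-not $results)
    {
        Write-host ("The log for " + $recordtype + " is empty") -fore Yellow
        return
    }

    If (CSVorNot)
    {
        $target = $CSV + "\$recordtype.csv"
        try
        {
            # -ErrorAction Stop so a failed write (missing folder, no permission) is
            # caught here. The original printed "File has been created" even when
            # Export-Csv had failed, which hides missing evidence from the operator.
            $results | Export-csv -path $target -NoTypeInformation -append -ErrorAction Stop
            Write-host ("File has been created under " + $target) -fore Green
        }
        catch
        {
            Write-host ("Could not write " + $target + ": " + $_.Exception.Message) -fore Red
        }
    }
    else
    {
        $results
    }
}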
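Function ExportReportsIPs()
{
    <#
    .SYNOPSIS
    Searches the unified audit log by IP address for every record type in $RecordTypes.
    .DESCRIPTION
    Reads $RecordTypes, $IPAddresses, $StartDate and $endDate from the caller's scope and
    hands every non-empty page to ExportToCSV, which appends to "<recordtype>.csv".
    #>
    Foreach ($RecordType in $RecordTypes)
    {
        # The original call set neither -ResultSize nor -SessionId and ran once, so each
        # record type was cut off at the cmdlet's default page size (100 per the cmdlet
        # documentation) with no sign that more records existed. For an account-theft
        # investigation that silently drops evidence, so page through the whole result
        # set the same way ExportReports does.
        $query = @{
            IPAddresses    = $IPAddresses
            StartDate      = $StartDate
            EndDate        = $endDate
            SessionId      = [guid]::NewGuid().ToString()  # one paging session per search
            SessionCommand = 'ReturnLargeSet'
            RecordType     = $RecordType
            ResultSize     = 5000
        }

        $results = search-unifiedauditlog @query
        # ExportToCSV prints the "log is empty" notice itself when nothing came back.
        ExportToCSV

        while ($results)
        {
            $results = search-unifiedauditlog @query
            If ($results)
            {
                ExportToCSV
            }
        }
    }
}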
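# Menu shown to the operator. The entries are numbered so the operator knows what to
# type at the prompt; the numbers follow the order of the switch cases and the
# "Options from 1 to 5" message. NOTE(review): confirm the numbering against the
# upstream script.
# A space is needed before -ForeGround: without it the parameter name is glued to the
# string and printed as text instead of setting the colour.
Write-host "
Unified Audit Logs
---------------------------
1. Connect to EXO PowerShell without MFA enabled
2. Connect to EXO PowerShell with MFA enabled(Please make sure you opened PowerShell ISE)
3. Search & Export Unified Audit Log based on IP ONLY
4. Search & Export Unified Audit Log for specific user
5. Search & Export Unified Audit Log for yesterday only
" -ForeGround "Cyan"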
#----------------
# Script
#----------------
# Spacer line under the menu.
Write-Host " "

# Run stamp. ExportReports passes it to Search-UnifiedAuditLog as the session id and
# MoreThan5000 appends it to a file name. It contains '/' and ':' and uses a 12-hour
# clock (hh) with no AM/PM marker.
$runDate = Get-Date -Format "MM/dd/yyyy-hh:mm"

# Menu choice, read as text.
$number = Read-Host "Choose the task"
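# Dispatch on the menu choice. Options 1-2 open the Exchange Online session, options
# 3-5 collect the search criteria and run the export functions.
# The case labels 1-5 are restored from the menu order and the "Options from 1 to 5"
# message; without them the script blocks do not form valid switch clauses.
switch ($number)
{
    1
    {
        # NOTE(review): this path sends the account password with Basic authentication
        # and only works for accounts that have no MFA. Microsoft has retired Basic
        # authentication for Exchange Online remote PowerShell; prefer a modern-auth
        # connection (Connect-ExchangeOnline from the ExchangeOnlineManagement module)
        # with an MFA-protected admin account. Confirm what the tenant still allows.
        Write-host ("Connecting to EXO powershell, please make sure MFA is not enabled") -fore Green
        $UserCredential = Get-Credential
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
        Import-PSSession $Session -DisableNameChecking
        break
    }
    2
    {
        Write-host ("Please make sure you opened PowerShell ISE") -fore Green
        Connect-EXOPSSession
        Write-host ("If you are facing any issue, please kindly check the below link for reference:
https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps
") -fore Green
        break
    }
    3
    {
        # Stop on an unreadable date instead of calling .tostring() on a value that was
        # never parsed and then searching with a broken time window.
        try
        {
            $StartDate = (Get-Date (Read-Host -Prompt 'Enter the start date, Eg. 08/31/2019') -ErrorAction Stop).tostring("MM/dd/yyyy")
            $endDate = (Get-Date (Read-Host -Prompt 'Enter the end date, Eg. 09/30/2019') -ErrorAction Stop).tostring("MM/dd/yyyy")
        }
        catch
        {
            Write-host ("The date could not be read, please enter it as MM/dd/yyyy") -fore Red
            break
        }
        $IPAddresses = Read-Host "Please enter the IP address you‘d like to search for (E.g 192.168.5.21)"
        Write-host ("Please press ENTER directly if you don‘t want to set up for the below attributes") -fore Yellow
        # The export holds audit data (accounts, IP addresses, operations); pick a folder
        # that only the investigators can read.
        $CSV= Read-Host "Enter the export file location (E.g C:\temp\UnifiedLogs)"
        Write-host ("Valid record types are: ") -fore Yellow
        Write-host ($showRecordTypes) -fore Green
        $recordTypes = Read-Host "ENTER the report type you‘d like to search"
        # No choice means "search every record type"; reuse the list shown above rather
        # than a second hard-coded copy.
        if (-not $recordTypes)
        {
            $recordTypes = $showRecordTypes
        }
        If ($IPAddresses)
        {
            # ExportToCSV reports each file it writes. The extra "File has been created"
            # line that followed this call was removed: $recordtype is not set at this
            # scope, and it was printed even when nothing had been exported.
            ExportReportsIPs
        }
        else
        {
            Write-host ("Please ENTER the IP address you‘d like to search") -fore Yellow
        }
        break
    }
    4
    {
        try
        {
            $StartDate = (Get-Date (Read-Host -Prompt 'Enter the start date, Eg. 08/31/2019') -ErrorAction Stop).tostring("MM/dd/yyyy")
            $endDate = (Get-Date (Read-Host -Prompt 'Enter the end date, Eg. 09/30/2019') -ErrorAction Stop).tostring("MM/dd/yyyy")
        }
        catch
        {
            Write-host ("The date could not be read, please enter it as MM/dd/yyyy") -fore Red
            break
        }
        Write-host ("Please press ENTER directly if you don‘t want to set up for the below attributes") -fore Yellow
        $CSV= Read-Host "Enter the export file location (E.g C:\temp\UnifiedLogs)"
        $ObjectIds = Read-Host "ENTER the target ID for the search"
        $UserIds = Read-Host "ENTER the user whom performed the activity"
        Write-host ("Valid record types are: ") -fore Yellow
        Write-host ($showRecordTypes) -fore Green
        $recordTypes = Read-Host "ENTER the report type you‘d like to search"
        if (-not $recordTypes)
        {
            $recordTypes = $showRecordTypes
        }
        ExportReports
        break
    }
    5
    {
        # Yesterday only: a fixed one-day window, every record type, no user/object filter.
        $runDate = (Get-Date).tostring("MM/dd/yyyy")
        $startDate = (Get-Date).adddays(-1).tostring("MM/dd/yyyy")
        $endDate = (Get-Date).tostring("MM/dd/yyyy")
        $CSV= Read-Host "Enter the export file location (E.g C:\temp\UnifiedLogs)"
        $recordTypes = $showRecordTypes
        ExportReports
        break
    }
    Default {Write-Host "No matches found , Enter Options from 1 to 5" -ForeGround "red"}
}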