
Add initial parsing with Get-HawkUserMailBoxAuditing
jonnybottles committed Dec 8, 2024
1 parent 7a5dd2f commit 3ec4712
Showing 1 changed file with 42 additions and 32 deletions.
74 changes: 42 additions & 32 deletions Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1
@@ -1,35 +1,35 @@
function Get-HawkUserMailboxAuditing {
<#
<#
.SYNOPSIS
Gathers Mailbox Audit data if enabled for the user.
.DESCRIPTION
Check if mailbox auditing is enabled for the user.
If it is pulls the mailbox audit logs from the time period specified for the investigation.
Will pull from the Unified Audit Log and the Mailbox Audit Log
Checks if mailbox auditing is enabled for the user.
If it is, pulls the mailbox audit logs from the specified time period.
Will pull from the Unified Audit Log (UAL) and the Mailbox Audit Log.
.PARAMETER UserPrincipalName
Single UPN of a user, commans seperated list of UPNs, or array of objects that contain UPNs.
Single UPN of a user, comma-separated list of UPNs, or array of objects that contain UPNs.
.OUTPUTS
File: Exchange_UAL_Audit.csv
Path: \<User>
Path: <User>
Description: All Exchange related audit events found in the Unified Audit Log.
File: Exchange_Mailbox_Audit.csv
Path: \<User>
Path: <User>
Description: All Exchange related audit events found in the Mailbox Audit Log.
.EXAMPLE
.EXAMPLE
Get-HawkUserMailboxAuditing -UserPrincipalName [email protected]
Search for all Mailbox Audit logs from [email protected]
.EXAMPLE
Search for all Mailbox Audit logs from [email protected].
Get-HawkUserMailboxAuditing -UserPrincipalName (get-mailbox -Filter {Customattribute1 -eq "C-level"})
.EXAMPLE
Get-HawkUserMailboxAuditing -UserPrincipalName (Get-Mailbox -Filter {Customattribute1 -eq "C-level"})
Search for all Mailbox Audit logs for all users who have "C-Level" set in CustomAttribute1
Search for all Mailbox Audit logs for all users who have "C-Level" set in CustomAttribute1.
#>

[CmdletBinding()]
param
(
[Parameter(Mandatory = $true)]
Expand All @@ -46,26 +46,26 @@
$User
)


# Setup the initial start date
[datetime]$RangeStart = $StartDate
[array]$Results = @()

do {
# Get the end of the Range we are going to gather data for
# Get the end of the 5-day range
[datetime] $RangeEnd = ($RangeStart.AddDays(5))
# Do the actual search
Out-LogFile ("Searching Range " + [string]$RangeStart + " To " + [string]$RangeEnd)
[array]$Results += Search-MailboxAuditLog -StartDate $RangeStart -EndDate $RangeEnd -identity $User -ShowDetails -ResultSize 250000

# Set the RangeStart = to the RangeEnd so we do the next range
[array]$PartialResults = Search-MailboxAuditLog -StartDate $RangeStart -EndDate $RangeEnd -Identity $User -ShowDetails -ResultSize 250000
if ($PartialResults) {
$Results += $PartialResults
}

# Advance to the next range
$RangeStart = $RangeEnd
}
# While the start range is less than the end date we need to keep pulling in 5 day increments
while ($RangeStart -le $EndDate)

# Return the results object
Return $Results

}

### MAIN ###
Expand All @@ -81,29 +81,39 @@
Out-LogFile ("Attempting to Gather Mailbox Audit logs " + $User) -action

# Test if mailbox auditing is enabled
$mbx = Get-Mailbox -identity $User
$mbx = Get-Mailbox -Identity $User
if ($mbx.AuditEnabled -eq $true) {
# if enabled pull the mailbox auditing from the unified audit logs
Out-LogFile "Mailbox Auditing is enabled."
Out-LogFile "Searching Unified Audit Log for Exchange Related Events"

$UnifiedAuditLogs = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -UserIDs " + $User + " -RecordType ExchangeItem") | select-object -Expandproperty AuditData | convertfrom-json
Out-LogFile ("Found " + $UnifiedAuditLogs.Count + " Exchange audit records.")
# Search unified audit logs for Exchange related events
# Using RecordType ExchangeItem or ExchangeMailbox as needed
# For now, we'll assume ExchangeItem is appropriate as the old code used ExchangeItem
$UnifiedAuditResults = Search-UnifiedAuditLog -UserIds $User -RecordType ExchangeItem -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -Operations "*" -ResultSize 5000

# Output the data we found
$UnifiedAuditLogs | Out-MultipleFileType -FilePrefix "Exchange_UAL_Audit" -User $User -csv -json
Out-LogFile ("Found " + $UnifiedAuditResults.Count + " Exchange audit records.")

# Search the MailboxAuditLogs as well since they may have different/more information
Out-LogFile "Searching Exchange Mailbox Audit Logs (this can take some time)"
# Determine the user's output folder
$UserFolder = (Get-HawkUserPath -User $User)

# Write raw JSON to file
$RawJsonPath = Join-Path $UserFolder "Exchange_UAL_Audit_Raw.json"
$UnifiedAuditResults | Select-Object -ExpandProperty AuditData | Out-File $RawJsonPath

# Parse the results using Get-SimpleUnifiedAuditLog
$ParsedUAL = $UnifiedAuditResults | Get-SimpleUnifiedAuditLog

# Output the parsed data
$ParsedUAL | Out-MultipleFileType -FilePrefix "Exchange_UAL_Audit" -User $User -csv -json

# Now search the mailbox audit logs
Out-LogFile "Searching Exchange Mailbox Audit Logs (this can take some time)"
$MailboxAuditLogs = Get-MailboxAuditLogsFiveDaysAtATime -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -User $User
Out-LogFile ("Found " + $MailboxAuditLogs.Count + " Exchange Mailbox audit records.")

# Output the data we found
# Output mailbox audit logs as before
$MailboxAuditLogs | Out-MultipleFileType -FilePrefix "Exchange_Mailbox_Audit" -User $User -csv -json

}
# If auditing is not enabled log it and move on
else {
Out-LogFile ("Auditing not enabled for " + $User)
}
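Review bot: The new `Search-UnifiedAuditLog ... -ResultSize 5000` call returns a single page, so a mailbox with more than 5000 Exchange events in the investigation window will have its raw JSON, the parsed `Exchange_UAL_Audit` output and the "Found N Exchange audit records" log line silently truncated, which matters for a collection tool whose outputs are treated as complete; the replaced `Get-AllUnifiedAuditLogEntry` helper appears, from its name, to have paged through the full set. Either keep routing the query through that helper or page explicitly with `-SessionId`/`-SessionCommand ReturnLargeSet` until an empty page returns, and at minimum warn when the cap is hit, e.g. `if ($UnifiedAuditResults.Count -ge 5000) { Out-LogFile "Warning: Unified Audit Log results capped at 5000; data may be incomplete" }`. The comment "For now, we'll assume ExchangeItem is appropriate" reads as an unresolved decision left in production code and should become a `# TODO:` or be settled; `ExchangeAdmin` records in particular would be excluded by this RecordType filter. `Out-File $RawJsonPath` with no `-Encoding` writes UTF-16 on Windows PowerShell and UTF-8 on PowerShell 7, so the raw JSON evidence file differs by host unless `-Encoding utf8` is given. The enclosing function continues past the end of this hunk.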
