Revert Get-HawkUserMailBoxAuditing to old / original code.
1 parent
9eac914
commit 959ce41
Showing
1 changed file
with
90 additions
and
100 deletions.
@@ -1,121 +1,111 @@ | ||
function Get-HawkUserMailboxAuditing { | ||
<# | ||
.SYNOPSIS | ||
Gathers Mailbox Audit data if enabled for the user. | ||
.DESCRIPTION | ||
Checks if mailbox auditing is enabled for the user. | ||
If it is, pulls the mailbox audit logs from the specified time period. | ||
Will pull from the Unified Audit Log (UAL) and the Mailbox Audit Log. | ||
.PARAMETER UserPrincipalName | ||
Single UPN of a user, comma-separated list of UPNs, or array of objects that contain UPNs. | ||
.OUTPUTS | ||
File: Exchange_UAL_Audit.csv | ||
Path: <User> | ||
Description: All Exchange related audit events found in the Unified Audit Log. | ||
File: Exchange_Mailbox_Audit.csv | ||
Path: <User> | ||
Description: All Exchange related audit events found in the Mailbox Audit Log. | ||
.EXAMPLE | ||
Get-HawkUserMailboxAuditing -UserPrincipalName [email protected] | ||
Search for all Mailbox Audit logs from [email protected]. | ||
.EXAMPLE | ||
Get-HawkUserMailboxAuditing -UserPrincipalName (Get-Mailbox -Filter {Customattribute1 -eq "C-level"}) | ||
Search for all Mailbox Audit logs for all users who have "C-Level" set in CustomAttribute1. | ||
#> | ||
|
||
[CmdletBinding()] | ||
param | ||
( | ||
[Parameter(Mandatory = $true)] | ||
[array]$UserPrincipalName | ||
) | ||
|
||
Function Get-MailboxAuditLogsFiveDaysAtATime { | ||
param( | ||
[Parameter(Mandatory = $true)] | ||
[datetime]$StartDate, | ||
[Parameter(Mandatory = $true)] | ||
[datetime]$EndDate, | ||
[Parameter(Mandatory = $true)] | ||
$User | ||
) | ||
.SYNOPSIS | ||
Gathers Mailbox Audit data if enabled for the user. | ||
.DESCRIPTION | ||
Check if mailbox auditing is enabled for the user. | ||
If it is pulls the mailbox audit logs from the time period specified for the investigation. | ||
# Setup the initial start date | ||
[datetime]$RangeStart = $StartDate | ||
[array]$Results = @() | ||
Will pull from the Unified Audit Log and the Mailbox Audit Log | ||
.PARAMETER UserPrincipalName | ||
Single UPN of a user, commans seperated list of UPNs, or array of objects that contain UPNs. | ||
.OUTPUTS | ||
do { | ||
# Get the end of the 5-day range | ||
[datetime] $RangeEnd = ($RangeStart.AddDays(5)) | ||
Out-LogFile ("Searching Range " + [string]$RangeStart + " To " + [string]$RangeEnd) | ||
File: Exchange_UAL_Audit.csv | ||
Path: \<User> | ||
Description: All Exchange related audit events found in the Unified Audit Log. | ||
[array]$PartialResults = Search-MailboxAuditLog -StartDate $RangeStart -EndDate $RangeEnd -Identity $User -ShowDetails -ResultSize 250000 | ||
if ($PartialResults) { | ||
$Results += $PartialResults | ||
} | ||
File: Exchange_Mailbox_Audit.csv | ||
Path: \<User> | ||
Description: All Exchange related audit events found in the Mailbox Audit Log. | ||
.EXAMPLE | ||
# Advance to the next range | ||
$RangeStart = $RangeEnd | ||
} | ||
while ($RangeStart -le $EndDate) | ||
Get-HawkUserMailboxAuditing -UserPrincipalName [email protected] | ||
Return $Results | ||
} | ||
Search for all Mailbox Audit logs from [email protected] | ||
.EXAMPLE | ||
### MAIN ### | ||
Test-EXOConnection | ||
Send-AIEvent -Event "CmdRun" | ||
Get-HawkUserMailboxAuditing -UserPrincipalName (get-mailbox -Filter {Customattribute1 -eq "C-level"}) | ||
# Verify our UPN input | ||
[array]$UserArray = Test-UserObject -ToTest $UserPrincipalName | ||
Search for all Mailbox Audit logs for all users who have "C-Level" set in CustomAttribute1 | ||
#> | ||
|
||
foreach ($Object in $UserArray) { | ||
[string]$User = $Object.UserPrincipalName | ||
param | ||
( | ||
[Parameter(Mandatory = $true)] | ||
[array]$UserPrincipalName | ||
) | ||
|
||
Out-LogFile ("Attempting to Gather Mailbox Audit logs " + $User) -action | ||
Function Get-MailboxAuditLogsFiveDaysAtATime { | ||
param( | ||
[Parameter(Mandatory = $true)] | ||
[datetime]$StartDate, | ||
[Parameter(Mandatory = $true)] | ||
[datetime]$EndDate, | ||
[Parameter(Mandatory = $true)] | ||
$User | ||
) | ||
|
||
|
||
# Setup the initial start date | ||
[datetime]$RangeStart = $StartDate | ||
|
||
do { | ||
# Get the end of the Range we are going to gather data for | ||
[datetime] $RangeEnd = ($RangeStart.AddDays(5)) | ||
# Do the actual search | ||
Out-LogFile ("Searching Range " + [string]$RangeStart + " To " + [string]$RangeEnd) | ||
[array]$Results += Search-MailboxAuditLog -StartDate $RangeStart -EndDate $RangeEnd -identity $User -ShowDetails -ResultSize 250000 | ||
|
||
# Set the RangeStart = to the RangeEnd so we do the next range | ||
$RangeStart = $RangeEnd | ||
} | ||
# While the start range is less than the end date we need to keep pulling in 5 day increments | ||
while ($RangeStart -le $EndDate) | ||
|
||
# Test if mailbox auditing is enabled | ||
$mbx = Get-Mailbox -Identity $User | ||
if ($mbx.AuditEnabled -eq $true) { | ||
Out-LogFile "Mailbox Auditing is enabled." | ||
Out-LogFile "Searching Unified Audit Log for Exchange Related Events" | ||
# Return the results object | ||
Return $Results | ||
|
||
# Search unified audit logs for Exchange related events | ||
# Using RecordType ExchangeItem or ExchangeMailbox as needed | ||
# For now, we'll assume ExchangeItem is appropriate as the old code used ExchangeItem | ||
$UnifiedAuditResults = Search-UnifiedAuditLog -UserIds $User -RecordType ExchangeItem -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -Operations "*" -ResultSize 5000 | ||
} | ||
|
||
Out-LogFile ("Found " + $UnifiedAuditResults.Count + " Exchange audit records.") | ||
### MAIN ### | ||
Test-EXOConnection | ||
Send-AIEvent -Event "CmdRun" | ||
|
||
# Determine the user's output folder | ||
$UserFolder = (Get-HawkUserPath -User $User) | ||
# Verify our UPN input | ||
[array]$UserArray = Test-UserObject -ToTest $UserPrincipalName | ||
|
||
# Write raw JSON to file | ||
$RawJsonPath = Join-Path $UserFolder "Exchange_UAL_Audit_Raw.json" | ||
$UnifiedAuditResults | Select-Object -ExpandProperty AuditData | Out-File $RawJsonPath | ||
foreach ($Object in $UserArray) { | ||
[string]$User = $Object.UserPrincipalName | ||
|
||
# Parse the results using Get-SimpleUnifiedAuditLog | ||
$ParsedUAL = $UnifiedAuditResults | Get-SimpleUnifiedAuditLog | ||
Out-LogFile ("Attempting to Gather Mailbox Audit logs " + $User) -action | ||
|
||
# Output the parsed data | ||
$ParsedUAL | Out-MultipleFileType -FilePrefix "Exchange_UAL_Audit" -User $User -csv -json | ||
# Test if mailbox auditing is enabled | ||
$mbx = Get-Mailbox -identity $User | ||
if ($mbx.AuditEnabled -eq $true) { | ||
# if enabled pull the mailbox auditing from the unified audit logs | ||
Out-LogFile "Mailbox Auditing is enabled." | ||
Out-LogFile "Searching Unified Audit Log for Exchange Related Events" | ||
|
||
# Now search the mailbox audit logs | ||
Out-LogFile "Searching Exchange Mailbox Audit Logs (this can take some time)" | ||
$MailboxAuditLogs = Get-MailboxAuditLogsFiveDaysAtATime -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -User $User | ||
Out-LogFile ("Found " + $MailboxAuditLogs.Count + " Exchange Mailbox audit records.") | ||
$UnifiedAuditLogs = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -UserIDs " + $User + " -RecordType ExchangeItem") | select-object -Expandproperty AuditData | convertfrom-json | ||
Out-LogFile ("Found " + $UnifiedAuditLogs.Count + " Exchange audit records.") | ||
|
||
# Output mailbox audit logs as before | ||
$MailboxAuditLogs | Out-MultipleFileType -FilePrefix "Exchange_Mailbox_Audit" -User $User -csv -json | ||
} | ||
else { | ||
Out-LogFile ("Auditing not enabled for " + $User) | ||
# Output the data we found | ||
$UnifiedAuditLogs | Out-MultipleFileType -FilePrefix "Exchange_UAL_Audit" -User $User -csv -json | ||
|
||
# Search the MailboxAuditLogs as well since they may have different/more information | ||
Out-LogFile "Searching Exchange Mailbox Audit Logs (this can take some time)" | ||
|
||
$MailboxAuditLogs = Get-MailboxAuditLogsFiveDaysAtATime -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -User $User | ||
Out-LogFile ("Found " + $MailboxAuditLogs.Count + " Exchange Mailbox audit records.") | ||
|
||
# Output the data we found | ||
$MailboxAuditLogs | Out-MultipleFileType -FilePrefix "Exchange_Mailbox_Audit" -User $User -csv -json | ||
|
||
} | ||
# If auditing is not enabled log it and move on | ||
else { | ||
Out-LogFile ("Auditing not enabled for " + $User) | ||
} | ||
} | ||
} | ||
} | ||
} |
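Review bot: The restored Unified Audit Log call, `$UnifiedAuditLogs = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -UserIDs " + $User + " -RecordType ExchangeItem")`, builds the cmdlet invocation as a string with the UPN concatenated in unquoted; `Get-AllUnifiedAuditLogEntry` is defined outside this file, but if it evaluates that string a UPN containing a space, quote or `;` would at best break the search and at worst execute as additional PowerShell, and the string also carries no `-StartDate`/`-EndDate`, so the investigation window is presumably applied by the helper rather than visible here. At minimum quote the value, `("Search-UnifiedAuditLog -UserIDs '" + $User + "' -RecordType ExchangeItem")`, and add a comment such as `# Date bounds come from $Hawk.StartDate/EndDate inside Get-AllUnifiedAuditLogEntry -- verify` so the next reader does not assume the search is unbounded. Separately, the restored `Get-MailboxAuditLogsFiveDaysAtATime` appears to accumulate with `[array]$Results += Search-MailboxAuditLog ...` without ever initialising `$Results`, which relies on `$null + array` semantics on the first pass and fails under `Set-StrictMode`; add `[array]$Results = @()` next to the `$RangeStart` setup. The loop's last window is also `$RangeStart.AddDays(5)` even when that passes `$EndDate`, so up to five days of events beyond the investigation end can land in `Exchange_Mailbox_Audit.csv`; clamping with `[datetime]$RangeEnd = if ($RangeStart.AddDays(5) -gt $EndDate) { $EndDate } else { $RangeStart.AddDays(5) }` keeps the export to the requested period.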