# Bitpusher
# \`._,'/
# (_- -_)
# \o/
# The Digital
# Fox
# https://theTechRelay.com
# https://github.com/bitpusher2k
#
# Search-UALActivityByUser.ps1 - By Bitpusher/The Digital Fox
# v2.8 last updated 2024-05-03
# Script to export data from the Unified Audit Log for specified users.
#
# Usage:
# powershell -executionpolicy bypass -f .\Search-UALActivityByUser.ps1 -OutputPath "Default" -UserIds "compromisedaccount@contoso.com" -DaysAgo "10"
#
# Run with already existing connection to M365 tenant through
# PowerShell modules.
#
# Uses ExchangePowerShell commands.
#
#comp #m365 #security #bec #script #irscript #powershell #unified #audit #log #search #user
#Requires -Version 5.1
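param(
    [string]$OutputPath,
    [string]$UserIds,
    [int]$DaysAgo,
    [datetime]$StartDate,
    [datetime]$EndDate,
    [string]$Encoding = "utf8bom" # "ascii","ansi","bigendianunicode","unicode","utf8","utf8","utf8NoBOM","utf32"
)

# Windows PowerShell 5.1 Export-Csv does not accept the utf8bom/utf8nobom names; fall back to plain utf8.
if ($PSVersionTable.PSVersion.Major -eq 5 -and ($Encoding -eq "utf8bom" -or $Encoding -eq "utf8nobom")) { $Encoding = "utf8" }

$date = Get-Date -Format "yyyyMMddHHmmss"

# Warn (but continue) when UAL ingestion is disabled - the search below will most likely return nothing.
$CheckLog = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
if (!$CheckLog) {
    Write-Output "The Unified Audit Log does not appear to be enabled on this tenant. Export of UAL activities may fail. Try running 'Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true' if export fails."
}

$DefaultOutputPath = "$($env:userprofile)\Desktop\Investigation"

## If OutputPath variable is not defined, prompt for it
if (!$OutputPath) {
    Write-Output ""
    $OutputPath = Read-Host "Enter the output base path, e.g. $DefaultOutputPath (default)"
    if ($OutputPath -eq '') { $OutputPath = $DefaultOutputPath }
    Write-Output "Output base path will be in $OutputPath"
} elseif ($OutputPath -eq 'Default') {
    Write-Output ""
    $OutputPath = $DefaultOutputPath
    Write-Output "Output base path will be in $OutputPath"
}

# If OutputPath does not exist, create it
if (!(Test-Path -Path $OutputPath -PathType Container)) {
    Write-Output "`nOutput path does not exist. Directory will be created."
    New-Item -ItemType Directory -Path $OutputPath | Out-Null
}

# Get Primary Domain Name for output subfolder
$PrimaryDomain = Get-AcceptedDomain | Where-Object Default -EQ $true
$DomainName = $PrimaryDomain.DomainName
if (!$DomainName) {
    # Without a domain name the output would land directly in the base path; this usually means no EXO session.
    Write-Output "`nCould not determine the tenant's default accepted domain. Typically not connected to Exchange Online. Please connect and re-run script`n"
    exit 1
}
$OutputDir = Join-Path -Path $OutputPath -ChildPath $DomainName
if (!(Test-Path -Path $OutputDir -PathType Container)) {
    Write-Output "`nDomain sub-directory does not exist. Sub-directory will be created."
    New-Item -ItemType Directory -Path $OutputDir | Out-Null
}

## If UserIds variable is not defined, prompt for it
if (!$UserIds) {
    Write-Output ""
    $UserIds = Read-Host "Enter the user's primary email address (UPN). Comma-separated to search for entries from multiple users"
}
# -UserIds on Search-UnifiedAuditLog is a String[]; split the comma-separated input into one element per UPN
# and drop blanks so "a@contoso.com, b@contoso.com" is handled the same as "a@contoso.com,b@contoso.com".
$UserIdList = @($UserIds -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

## Determine the search window. An explicit -StartDate/-EndDate pair takes precedence;
## otherwise the window is derived from DaysAgo (prompted for when not supplied).
$haveStart = $PSBoundParameters.ContainsKey('StartDate')
$haveEnd = $PSBoundParameters.ContainsKey('EndDate')
if ($haveStart -xor $haveEnd) {
    Write-Output "`nOnly one of -StartDate/-EndDate was given; both are required to use an explicit window. Falling back to DaysAgo."
}
if ($haveStart -and $haveEnd) {
    if ($EndDate -le $StartDate) {
        Write-Output "`nEndDate must be later than StartDate.`n"
        exit 1
    }
    # In this mode DaysAgo is only used to label the output file.
    $DaysAgo = [int][math]::Ceiling(($EndDate - $StartDate).TotalDays)
    Write-Output "`nWill search UAL from $StartDate to $EndDate for relevant events."
} else {
    ## If DaysAgo variable is not defined, prompt for it
    if (!$DaysAgo) {
        Write-Output ""
        $daysInput = Read-Host 'Enter how many days back to retrieve ALL available UAL entries associated with these user(s) (default: 10, maximum: 90)'
        $parsedDays = 0
        if ([string]::IsNullOrWhiteSpace($daysInput)) {
            $DaysAgo = 10
        } elseif ([int]::TryParse($daysInput, [ref]$parsedDays)) {
            $DaysAgo = $parsedDays
        } else {
            # Non-numeric input would otherwise throw on assignment to the [int]-typed variable.
            Write-Output "'$daysInput' is not a whole number. Using the default of 10 days."
            $DaysAgo = 10
        }
    }
    # Clamp to a usable range: at least one day back, at most the 90-day UAL retention window.
    if ($DaysAgo -lt 1) { $DaysAgo = 1 }
    if ($DaysAgo -gt 90) { $DaysAgo = 90 }
    Write-Output "`nWill search UAL $DaysAgo days back from today for relevant events."
    $StartDate = (Get-Date).AddDays(-$DaysAgo)
    $EndDate = (Get-Date).AddDays(1)
}

$resultSize = 5000 #Maximum number of records that can be retrieved per query

# UserIds is user-supplied and becomes part of the file name; replace characters that are invalid in Windows
# file names so an odd entry cannot break the path. Normal UPNs and comma lists are left unchanged.
$safeUserIds = $UserIds -replace '[\\/:*?"<>|]', '_'
$OutputCSV = Join-Path -Path $OutputDir -ChildPath "UnifiedAuditLogEntries_$($safeUserIds)_going_back_$($DaysAgo)_days_from_$($date).csv"

$sesid = Get-Random # Each ReturnLargeSet search needs its own SessionId; reusing one continues the old session's paging
Write-Output "Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -UserIds $UserIds -SessionId $sesid -SessionCommand ReturnLargeSet -ResultSize $resultSize"

# Collect pages into a List rather than growing an array with += (quadratic for large result sets).
$AuditOutput = New-Object System.Collections.Generic.List[object]
$count = 1
do {
    Write-Output "Getting unified audit logs page $count - Please wait"
    try {
        # -ErrorAction Stop turns non-terminating cmdlet errors into exceptions so they reach the catch
        # instead of silently yielding an empty page that would end the loop early.
        $currentOutput = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -UserIds $UserIdList -SessionId $sesid -SessionCommand ReturnLargeSet -ResultSize $resultSize -ErrorAction Stop
    } catch {
        Write-Output "`n[002] - Search Unified Log error. Typically not connected to Exchange Online. Please connect and re-run script`n"
        Write-Output "Exception message:", $_.Exception.Message, "`n"
        exit 2 # Terminate script
    }
    # Normalise the page to an array so a single record and $null are both handled correctly
    # (@($null).Count is 1, so nulls are filtered out explicitly).
    $page = @($currentOutput | Where-Object { $null -ne $_ })
    if ($page.Count -gt 0) { $AuditOutput.AddRange([object[]]$page) }
    ++$count # Increment page count
} until ($page.Count -eq 0) # Until there are no more logs in range to get

if ($AuditOutput.Count -eq 0) {
    Write-Output "`nThere are no activities in the audit log for the time period specified`n"
} else {
    $AuditOutput | Export-Csv -Path $OutputCSV -NoTypeInformation -Encoding $Encoding
    Write-Output "`nSee user activities report in the output path.`n"
}

if (Test-Path -Path $OutputCSV) {
    Write-Output "`nThe Output file is available at:"
    Write-Output $OutputCSV
}

Write-Output "`nDone! Check output path for results."
Invoke-Item $OutputDir
exit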