# 安全與合規中心審核日誌，常用於分析使用者帳號遭盜用的情況。可依據 IP 位址、帳號查詢使用者在 Azure AD、Exchange Online、Teams、OneDrive、SharePoint 的所有操作日誌
# Security and Compliance Center audit log helper, commonly used when investigating a compromised user account. It can query all operation logs for a user across Azure AD, Exchange Online, Teams, OneDrive and SharePoint, filtered by IP address and/or account.
# Version 1.4
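<#
.SYNOPSIS
    Interactive helper for searching and exporting the Microsoft 365 Unified Audit Log.

.DESCRIPTION
    History:
      Added function MoreThan5000, added option 5.
      Written by v-tolin@microsoft.com
      Modified by v-tolin@microsoft.com on 11/4/2019 15:30

    Menu options:
      1  Connect to Exchange Online PowerShell without MFA (legacy Basic authentication)
      2  Connect to Exchange Online PowerShell with MFA (Connect-EXOPSSession)
      3  Search & export by IP address only
      4  Search & export for a specific user and/or object
      5  Search & export yesterday's log for all record types

    Every search is paged with -SessionCommand ReturnLargeSet in pages of $pageSize rows
    until the service returns nothing, so large result sets are not truncated to the
    first page. Each record type gets its own SessionId for the run.

    When an export folder is given, every page of a record type is appended to
    <folder>\<RecordType>-<yyyyMMdd-HHmmss>.csv for the current run, so repeated runs
    never mix into one file and the pages of one search stay together. When no folder
    is given, the rows are written to the pipeline instead.
#>

# Search parameters filled in by the menu; kept at script scope so the helpers can read them.
$CSV = ""
$StartDate = ""
$endDate = ""
$ObjectIds = ""
$UserIds = ""
$recordTypes = @()

# Record types accepted by Search-UnifiedAuditLog -RecordType that this script offers.
$showRecordTypes = @("AeD","AzureActiveDirectory","AzureActiveDirectoryAccountLogon","AzureActiveDirectoryStsLogon","ComplianceDLPExchange","ComplianceDLPSharePoint","CRM","DataCenterSecurityCmdlet","Discovery","ExchangeAdmin","ExchangeAggregatedOperation","ExchangeItem","ExchangeItemGroup","MicrosoftTeams","OneDrive","PowerBIAudit","SecurityComplianceAlerts","SecurityComplianceCenterEOPCmdlet","SecurityComplianceInsights","SharePoint","SharePointFileOperation","SharePointListOperation","SharePointSharingOperation","SkypeForBusinessCmdlets","SkypeForBusinessPSTNUsage","SkypeForBusinessUsersBlocked","Sway","ThreatIntelligence","ThreatIntelligenceAtpContent","ThreatIntelligenceUrl","WorkplaceAnalytics","Yammer")

# Rows requested per page; the cmdlet's maximum for -ResultSize.
$pageSize = 5000

# One timestamp per run. It is filesystem-safe (no '/' or ':', unlike "MM/dd/yyyy-hh:mm"),
# so it can be used both as a file-name suffix and as the base of the SessionId.
$runStamp = (Get-Date).ToString("yyyyMMdd-HHmmss")

#######################################
# Best-effort check that the audit-log cmdlet is in scope.
# Returns: $true when Search-UnifiedAuditLog resolves, otherwise prints a hint and returns $false.
# Note: a locally installed Exchange module may make the command resolve before a connection
# exists; in that case the cmdlet's own error surfaces at search time.
#######################################
Function Test-AuditCmdletAvailable() {
    if (Get-Command -Name Search-UnifiedAuditLog -ErrorAction SilentlyContinue) {
        return $true
    }
    Write-Host "Search-UnifiedAuditLog is not available. Connect first (option 1 or 2)." -ForegroundColor Red
    return $false
}

#######################################
# Prompts until the operator enters a parseable date.
# Arguments: $Prompt - text shown by Read-Host
# Returns:   the date formatted as MM/dd/yyyy, the form passed to Search-UnifiedAuditLog
#######################################
Function Read-DateInput([string]$Prompt) {
    while ($true) {
        $text = Read-Host -Prompt $Prompt
        $parsed = [datetime]::MinValue
        if ([datetime]::TryParse($text, [ref]$parsed)) {
            return $parsed.ToString("MM/dd/yyyy")
        }
        Write-Host ("'" + $text + "' is not a valid date, please try again") -ForegroundColor Yellow
    }
}

#######################################
# Prompts for the record types to search.
# Globals:  $showRecordTypes (read)
# Returns:  the entered types (comma or whitespace separated); all known types when input is empty
#######################################
Function Read-RecordTypes() {
    Write-Host "Valid record types are: " -ForegroundColor Yellow
    Write-Host ($showRecordTypes) -ForegroundColor Green
    $entered = Read-Host "ENTER the report type you'd like to search"
    $chosen = @($entered -split '[,\s]+' | Where-Object { $_ })
    if ($chosen.Count -eq 0) {
        return $showRecordTypes
    }
    foreach ($t in $chosen) {
        # Unknown names are still attempted; the cmdlet rejects them with its own error.
        if ($showRecordTypes -notcontains $t) {
            Write-Host ("'" + $t + "' is not in the list of known record types; the search will still be attempted") -ForegroundColor Yellow
        }
    }
    return $chosen
}

#######################################
# Writes one page of results.
# Globals:   $CSV (read), $runStamp (read)
# Arguments: $Rows - the page returned by Search-UnifiedAuditLog
#            $RecordType - record type the page belongs to
# Outputs:   appends to <CSV>\<RecordType>-<runStamp>.csv when $CSV is set,
#            otherwise emits the rows to the pipeline
#######################################
Function Export-AuditPage([object[]]$Rows, [string]$RecordType) {
    if (-not $Rows) {
        return
    }
    if ($CSV) {
        if (-not (Test-Path -LiteralPath $CSV)) {
            New-Item -ItemType Directory -Path $CSV -Force | Out-Null
        }
        $file = Join-Path -Path $CSV -ChildPath ($RecordType + "-" + $runStamp + ".csv")
        $Rows | Export-Csv -Path $file -NoTypeInformation -Append
        Write-Host ("File has been created under " + $file + " (" + $Rows.Count + " record(s) appended)") -ForegroundColor Green
    } else {
        $Rows
    }
}

#######################################
# Runs one fully paged search per record type and exports every page.
# Globals:   $pageSize (read), $runStamp (read)
# Arguments: $Filter - hashtable of cmdlet parameters shared by the run
#                      (StartDate, EndDate and any of UserIds / ObjectIds / IPAddresses)
#            $RecordTypes - record types to search, one session each
#######################################
Function Search-AuditLog([hashtable]$Filter, [string[]]$RecordTypes) {
    if (-not (Test-AuditCmdletAvailable)) {
        return
    }
    foreach ($recordType in $RecordTypes) {
        $params = $Filter.Clone()
        $params['RecordType'] = $recordType
        $params['ResultSize'] = $pageSize
        $params['SessionCommand'] = 'ReturnLargeSet'
        # A distinct SessionId per record type so the pages of one search are never mixed with another.
        $params['SessionId'] = $runStamp + "-" + $recordType
        # Stop on a cmdlet error instead of reporting an empty (and therefore misleading) log.
        $params['ErrorAction'] = 'Stop'

        $total = 0
        $page = @(Search-UnifiedAuditLog @params)
        if ($page.Count -eq 0) {
            Write-Host ("The log for " + $recordType + " is empty") -ForegroundColor Yellow
            continue
        }
        while ($page.Count -gt 0) {
            $total += $page.Count
            Export-AuditPage -Rows $page -RecordType $recordType
            # Same SessionId: the service hands back the next page, then nothing once exhausted.
            $page = @(Search-UnifiedAuditLog @params)
        }
        if ($total -gt $pageSize) {
            Write-Host ("There are more than " + $pageSize + " records for " + $recordType + " (" + $total + " exported)") -ForegroundColor Green
        }
    }
}

Write-Host @"
 Unified Audit Logs
 ---------------------------
 1. Connect to EXO PowerShell without MFA enabled
 2. Connect to EXO PowerShell with MFA enabled (Please make sure you opened PowerShell ISE)
 3. Search & Export Unified Audit Log based on IP ONLY
 4. Search & Export Unified Audit Log for specific user
 5. Search & Export Unified Audit Log for yesterday only
"@ -ForegroundColor Cyan

# ---------------- Script ----------------
Write-Host " "
$number = (Read-Host "Choose the task").Trim()

switch ($number) {
    '1' {
        Write-Host "Connecting to EXO powershell, please make sure MFA is not enabled" -ForegroundColor Green
        # Basic authentication against the remote-PowerShell endpoint is the legacy path and
        # cannot be used once the tenant requires modern authentication; prefer option 2.
        $UserCredential = Get-Credential
        $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
        # The imported cmdlets stay in this PowerShell session so options 3-5 can be run afterwards.
        Import-PSSession $Session -DisableNameChecking
        break
    }
    '2' {
        Write-Host "Please make sure you opened PowerShell ISE" -ForegroundColor Green
        Connect-EXOPSSession
        Write-Host ("If you are facing any issue, please kindly check the below link for reference: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps ") -ForegroundColor Green
        break
    }
    '3' {
        $StartDate = Read-DateInput -Prompt 'Enter the start date, Eg. 08/31/2019'
        $endDate = Read-DateInput -Prompt 'Enter the end date, Eg. 09/30/2019'
        $IPAddresses = (Read-Host "Please enter the IP address you'd like to search for (E.g 192.168.5.21)").Trim()
        Write-Host "Please press ENTER directly if you don't want to set up for the below attributes" -ForegroundColor Yellow
        $CSV = Read-Host "Enter the export file location (E.g C:\temp\UnifiedLogs)"
        $recordTypes = Read-RecordTypes
        if ($IPAddresses) {
            $filter = @{
                StartDate   = $StartDate
                EndDate     = $endDate
                # -IPAddresses takes a list; accept several addresses separated by commas or spaces.
                IPAddresses = @($IPAddresses -split '[,\s]+' | Where-Object { $_ })
            }
            Search-AuditLog -Filter $filter -RecordTypes $recordTypes
        } else {
            Write-Host "Please ENTER the IP address you'd like to search" -ForegroundColor Yellow
        }
        break
    }
    '4' {
        $StartDate = Read-DateInput -Prompt 'Enter the start date, Eg. 08/31/2019'
        $endDate = Read-DateInput -Prompt 'Enter the end date, Eg. 09/30/2019'
        Write-Host "Please press ENTER directly if you don't want to set up for the below attributes" -ForegroundColor Yellow
        $CSV = Read-Host "Enter the export file location (E.g C:\temp\UnifiedLogs)"
        $ObjectIds = (Read-Host "ENTER the target ID for the search").Trim()
        $UserIds = (Read-Host "ENTER the user whom performed the activity").Trim()
        $recordTypes = Read-RecordTypes
        $filter = @{ StartDate = $StartDate; EndDate = $endDate }
        # Either, both or neither filter may be given; with neither, the whole tenant log is searched.
        if ($ObjectIds) {
            $filter['ObjectIds'] = $ObjectIds
        }
        if ($UserIds) {
            $filter['UserIds'] = $UserIds
        }
        Search-AuditLog -Filter $filter -RecordTypes $recordTypes
        break
    }
    '5' {
        $StartDate = (Get-Date).AddDays(-1).ToString("MM/dd/yyyy")
        $endDate = (Get-Date).ToString("MM/dd/yyyy")
        $CSV = Read-Host "Enter the export file location (E.g C:\temp\UnifiedLogs)"
        Search-AuditLog -Filter @{ StartDate = $StartDate; EndDate = $endDate } -RecordTypes $showRecordTypes
        break
    }
    Default {
        Write-Host "No matches found , Enter Options from 1 to 5" -ForegroundColor Red
    }
}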