O365 PowerShell Script安全与合规中心审核日志




#安全与合规中心审核日志,常用于分析用户账号被盗用的情况。可以根据IP地址,账号查询用户Azure AD,Exchange Online, Teams, OneDrive,Sharepoint的所有操作日志

#Security and Compliance Center audit log, often used to investigate suspected account compromise. You can query all operation logs of a user across Azure AD, Exchange Online, Teams, OneDrive and SharePoint by IP address or by account

Version 1.4


Added function morethan5000
Added option 5
Written by v-tolin@microsoft.com
Modified by v-tolin@microsoft.com on 11/4/2019 15:30 

# Script-scope state shared with the functions below through PowerShell's dynamic
# scoping: the helpers read these names from their caller instead of taking
# parameters. Every search filter starts out as '' (meaning "filter not set").
$CSV         = ''    # export folder typed by the operator; '' = emit objects to the pipeline instead
$results     = ''    # current page of Search-UnifiedAuditLog output
$StartDate   = ''    # search window, held as MM/dd/yyyy strings once set
$endDate     = ''
$ObjectIds   = ''    # target-object filter for the user/object search
$UserIds     = ''    # acting-user filter for the user/object search
$recordTypes = @()   # record types that will actually be searched

# Record types shown to the operator; the same list is used as the default set
# when no record type is entered.
$showRecordTypes = @(
    'AeD',
    'AzureActiveDirectory',
    'AzureActiveDirectoryAccountLogon',
    'AzureActiveDirectoryStsLogon',
    'ComplianceDLPExchange',
    'ComplianceDLPSharePoint',
    'CRM',
    'DataCenterSecurityCmdlet',
    'Discovery',
    'ExchangeAdmin',
    'ExchangeAggregatedOperation',
    'ExchangeItem',
    'ExchangeItemGroup',
    'MicrosoftTeams',
    'OneDrive',
    'PowerBIAudit',
    'SecurityComplianceAlerts',
    'SecurityComplianceCenterEOPCmdlet',
    'SecurityComplianceInsights',
    'SharePoint',
    'SharePointFileOperation',
    'SharePointListOperation',
    'SharePointSharingOperation',
    'SkypeForBusinessCmdlets',
    'SkypeForBusinessPSTNUsage',
    'SkypeForBusinessUsersBlocked',
    'Sway',
    'ThreatIntelligence',
    'ThreatIntelligenceAtpContent',
    'ThreatIntelligenceUrl',
    'WorkplaceAnalytics',
    'Yammer'
)

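Function MoreThan5000()
{
    # Exports a follow-up page (rows after the first 5000) of the current record type.
    # Reads from the caller's scope: $results (the page), $CSV (export folder or ''),
    # $recordtype (loop variable of ExportReports) and $runDate.
    # With no export folder the page is written to the pipeline instead of a file.
    If(-not $results) { return }

    # $runDate is formatted "MM/dd/yyyy-hh:mm" because it doubles as the search
    # session id; '/' and ':' are not valid in a Windows file name, so the original
    # path ($CSV + $recordtype + $runDate + ".csv") could not be created. Only the
    # file-name component is sanitised here - the session id itself is untouched.
    $safeRunDate = $runDate -replace '[\\/:*?"<>|]', '-'
    $target = $CSV + "$recordtype" + $safeRunDate + ".csv"

    Write-host ("There are more than 5000 records for " + ($CSV+"$recordtype.csv") + ", continuing in " + $target) -fore Green
    If(CSVorNot)
    {
        # -append: several follow-up pages of the same run land in the same file.
        $results | Export-csv -path $target -NoTypeInformation -append
    }else{
        $results
    }
}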
Function CSVorNot()
{
    # $true when an export folder ($CSV, read from the caller's scope) was entered,
    # i.e. results go to CSV files rather than to the pipeline; $false otherwise.
    # [bool] applies the same truthiness rule as if($CSV).
    return [bool]$CSV
}
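Function ExportReports()
{
    # Pages through Search-UnifiedAuditLog for every record type in $recordTypes and
    # hands each page to ExportToCSV (first page, which also reports an empty result)
    # or MoreThan5000 (every following page).
    #
    # Reads from the caller's scope: $recordTypes, $StartDate, $endDate, $runDate
    # (used as the paging session id) and the optional filters $ObjectIds / $UserIds
    # ('' = filter not set). $results is assigned in this function's scope so that the
    # two export helpers see it through PowerShell's dynamic scoping.
    # Output: CSV files or objects on the pipeline, produced by the helpers.

    # Parameters shared by every call. The optional filters are added only when set,
    # which replaces the four near-identical branches of the original; the behaviour
    # for the '' / value combinations the script produces is unchanged.
    $common = @{
        StartDate      = $StartDate
        EndDate        = $endDate
        SessionId      = $runDate
        SessionCommand = 'ReturnLargeSet'
        ResultSize     = 5000
    }
    If($ObjectIds) { $common.ObjectIds = $ObjectIds }
    If($UserIds)   { $common.UserIds   = $UserIds }

    Foreach($RecordType in $RecordTypes)
    {
        # First page (up to 5000 rows).
        $results = search-unifiedauditlog @common -recordtype $RecordType
        ExportToCSV
        # Repeating the call with the same -SessionId returns the next page until the
        # result set is exhausted (an empty page ends the loop).
        while ($results) {
            $results = search-unifiedauditlog @common -recordtype $RecordType
            MoreThan5000
        }
    }
}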

Function ExportToCSV()
{
    # Writes the current $results page either to "<$CSV><record type>.csv" (appending)
    # or, when no export folder was entered, straight to the pipeline. An empty page is
    # reported on the console instead.
    # Reads from the caller's scope: $results, $CSV and $recordtype (the loop variable
    # of ExportReports / ExportReportsIPs). $CSV is concatenated as-is, so it has to end
    # with a path separator for the file to land inside the folder.
    If(-not $results)
    {
        Write-host ("The log for " + $recordtype + " is empty") -fore Yellow
        return
    }
    If(-not (CSVorNot))
    {
        $results
        return
    }
    $target = $CSV+"$recordtype.csv"
    $results | Export-csv -path $target -NoTypeInformation -append
    Write-host ("File has been created under " + $target) -fore Green
}
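Function ExportReportsIPs()
{
    # IP-only search: one Search-UnifiedAuditLog call per record type, exported by
    # ExportToCSV. ExportToCSV already prints the "log ... is empty" notice, so the
    # explicit empty check of the original was a duplicate and is dropped.
    # Reads from the caller's scope: $recordTypes, $IPAddresses, $StartDate, $endDate.
    #
    # NOTE(review): unlike ExportReports this search is not paged (no -SessionId loop),
    # so at most -ResultSize rows per record type are returned. The original relied on
    # the cmdlet's documented default of 100 rows; it is raised to the 5000 maximum
    # here to match ExportReports, but larger result sets are still truncated.
    Foreach($RecordType in $RecordTypes)
    {
        $results = search-unifiedauditlog -IPAddresses $IPAddresses -startdate $StartDate -enddate $endDate -sessioncommand ReturnLargeSet -recordtype $RecordType -resultsize 5000
        ExportToCSV
    }
}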

# Interactive menu shown before the task prompt. The option numbers that the switch's
# Default branch refers to ("Enter Options from 1 to 5") do not appear in this copy of
# the menu text.
# NOTE(review): they were probably lost when the script was transcribed - confirm
# against the original. -ForeGround is a prefix abbreviation of -ForegroundColor.
Write-host " 

Unified Audit Logs
--------------------------- 
Connect to EXO PowerShell without MFA enabled
Connect to EXO PowerShell with MFA enabled(Please make sure you opened PowerShell ISE)
Search & Export Unified Audit Log based on IP ONLY
Search & Export Unified Audit Log for specific user
Search & Export Unified Audit Log for yesterday only
"-ForeGround "Cyan" 

---------------- 
Script 
---------------- 

# ---------------------------------------------------------------------------
# Interactive driver. Each brace block inside the switch is one menu option, in the
# same order as the menu printed above.
# NOTE(review): the case labels (1..5 according to the Default message) are missing
# from every block in this copy, and the last block has no opening brace; they were
# most likely lost in transcription - restore them from the original before running.
# ---------------------------------------------------------------------------
Write-Host "               " 
# Used by ExportReports as the Search-UnifiedAuditLog -SessionId (paging key) and by
# MoreThan5000 as part of an output file name, where '/' and ':' are not valid.
$runDate = (Get-Date).tostring("MM/dd/yyyy-hh:mm")

$number = Read-Host "Choose the task" 

switch ($number)  
{ 
# Option: connect to Exchange Online PowerShell without MFA.
# This is Basic authentication against the legacy remote PowerShell endpoint, which
# Microsoft has retired for Exchange Online; the supported replacement is
# Connect-ExchangeOnline (ExchangeOnlineManagement module), which also covers MFA.
# Nothing in this script calls Remove-PSSession, so the remote session stays open
# until it times out.
{

Write-host ("Connecting to EXO powershell, please make sure MFA is not enabled") -fore Green

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session -DisableNameChecking

;Break
}

# Option: connect with MFA through the older EXO remote PowerShell module
# (Connect-EXOPSSession, which required the ISE); superseded by Connect-ExchangeOnline.
{
Write-host ("Please make sure you opened PowerShell ISE") -fore Green
Connect-EXOPSSession

Write-host ("If you are facing any issue, please kindly check the below link for reference:
https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps
") -fore Green

;Break
}

# Option: search by source IP address only.
# -ErrorAction SilentlyContinue only hides the Get-Date parse error: on unparseable
# input $StartDate / $endDate are $null and the .tostring() calls two lines further
# down throw ("You cannot call a method on a null-valued expression") instead of
# re-prompting.
# NOTE(review): the curly quotes (‘...‘) look like a transcription artifact for plain
# single quotes; PowerShell tokenizes them as quotes, but normalize them to ' anyway.
{
$StartDate = Get-Date (Read-Host -Prompt ‘Enter the start date, Eg.  08/31/2019‘) -ErrorAction ‘SilentlyContinue‘
$endDate =  Get-Date (Read-Host -Prompt ‘Enter the end date, Eg.  09/30/2019‘) -ErrorAction ‘SilentlyContinue‘

$StartDate = $StartDate.tostring("MM/dd/yyyy") 
$endDate = $endDate.tostring("MM/dd/yyyy") 

# The value is handed to the cmdlet as its -IPAddresses argument (not interpolated
# into a command string), so no extra quoting is needed.
$IPAddresses = Read-Host "Please enter the IP address you‘d like to search for (E.g 192.168.5.21)"
Write-host ("Please press ENTER directly if you don‘t want to set up for the below attributes") -fore Yellow
# NOTE(review): "C:<TAB>empUnifiedLogs" in the prompt is almost certainly
# "C:\temp\UnifiedLogs" with the backslashes mangled in transcription. The export
# helpers concatenate $CSV and "<record type>.csv" directly, so the folder entered
# here must end with a backslash (or the helpers should use Join-Path).
$CSV= Read-Host "Enter the export file location (E.g C:	empUnifiedLogs)" 
Write-host ("Valid record types are: ") -fore Yellow
Write-host ($showRecordTypes) -fore Green
# += turns the answer into a one-element array; PowerShell evaluates a one-element
# array's truth by its element, so pressing ENTER still selects the full default set.
$recordTypes += Read-Host "ENTER the report type you‘d like to search"
if($recordTypes){
If($IPAddresses)
{
ExportReportsIPs;
# $recordtype is the loop variable inside ExportReportsIPs and is not set in this
# scope, so this line probably prints "<folder>.csv"; ExportToCSV already reports
# each file it writes.
Write-host ("File has been created under " + ($CSV+"$recordtype.csv") ) -fore Green

}else{

Write-host ("Please ENTER the IP address you‘d like to search") -fore Yellow

}            
}else{
# No record type entered: search every known record type.
$recordTypes = @("AeD","AzureActiveDirectory","AzureActiveDirectoryAccountLogon","AzureActiveDirectoryStsLogon","ComplianceDLPExchange","ComplianceDLPSharePoint","CRM","DataCenterSecurityCmdlet","Discovery","ExchangeAdmin","ExchangeAggregatedOperation","ExchangeItem","ExchangeItemGroup","MicrosoftTeams","OneDrive","PowerBIAudit","SecurityComplianceAlerts","SecurityComplianceCenterEOPCmdlet","SecurityComplianceInsights","SharePoint","SharePointFileOperation","SharePointListOperation","SharePointSharingOperation","SkypeForBusinessCmdlets","SkypeForBusinessPSTNUsage","SkypeForBusinessUsersBlocked","Sway","ThreatIntelligence","ThreatIntelligenceAtpContent","ThreatIntelligenceUrl","WorkplaceAnalytics","Yammer")
If($IPAddresses)
{
ExportReportsIPs;    
}else{

Write-host ("Please ENTER the IP address you‘d like to search") -fore Yellow

}            
}

;Break
} 

# Option: search by target object and/or acting user.
# Same date-parsing caveat as the IP option above. Both filters are "" when ENTER is
# pressed; ExportReports treats "" as "filter not set".
{
$StartDate = Get-Date (Read-Host -Prompt ‘Enter the start date, Eg.  08/31/2019‘) -ErrorAction ‘SilentlyContinue‘
$endDate =  Get-Date (Read-Host -Prompt ‘Enter the end date, Eg.  09/30/2019‘) -ErrorAction ‘SilentlyContinue‘

$StartDate = $StartDate.tostring("MM/dd/yyyy") 
$endDate = $endDate.tostring("MM/dd/yyyy") 

Write-host ("Please press ENTER directly if you don‘t want to set up for the below attributes") -fore Yellow

# Same folder-path caveat as above: the value is concatenated, not joined.
$CSV= Read-Host "Enter the export file location (E.g C:	empUnifiedLogs)" 
$ObjectIds = Read-Host "ENTER the target ID for the search"
$UserIds = Read-Host "ENTER the user whom performed the activity"

Write-host ("Valid record types are: ") -fore Yellow
Write-host ($showRecordTypes) -fore Green

# Read-Host returns a string here (no +=), so $recordTypes is either the one record
# type entered or the full default set assigned in the else branch.
$recordTypes = Read-Host "ENTER the report type you‘d like to search"
if($recordTypes){
ExportReports;
}else{
$recordTypes = @("AeD","AzureActiveDirectory","AzureActiveDirectoryAccountLogon","AzureActiveDirectoryStsLogon","ComplianceDLPExchange","ComplianceDLPSharePoint","CRM","DataCenterSecurityCmdlet","Discovery","ExchangeAdmin","ExchangeAggregatedOperation","ExchangeItem","ExchangeItemGroup","MicrosoftTeams","OneDrive","PowerBIAudit","SecurityComplianceAlerts","SecurityComplianceCenterEOPCmdlet","SecurityComplianceInsights","SharePoint","SharePointFileOperation","SharePointListOperation","SharePointSharingOperation","SkypeForBusinessCmdlets","SkypeForBusinessPSTNUsage","SkypeForBusinessUsersBlocked","Sway","ThreatIntelligence","ThreatIntelligenceAtpContent","ThreatIntelligenceUrl","WorkplaceAnalytics","Yammer")
ExportReports;
}

;Break
}

# Option: yesterday's logs for every record type.
# NOTE(review): this block has no opening brace in this copy (see the note at the
# top of the switch). $runDate is re-formatted without the time and reused as the
# paging session id; $startDate is the same variable as $StartDate (PowerShell
# variable names are case-insensitive).
$runDate = (Get-Date).tostring("MM/dd/yyyy")

$startDate = (Get-Date).adddays(-1).tostring("MM/dd/yyyy")

$endDate = (Get-Date).tostring("MM/dd/yyyy")

# Same folder-path caveat as above: the value is concatenated, not joined.
$CSV= Read-Host "Enter the export file location (E.g C:	empUnifiedLogs)" 

$recordTypes = @("AeD","AzureActiveDirectory","AzureActiveDirectoryAccountLogon","AzureActiveDirectoryStsLogon","ComplianceDLPExchange","ComplianceDLPSharePoint","CRM","DataCenterSecurityCmdlet","Discovery","ExchangeAdmin","ExchangeAggregatedOperation","ExchangeItem","ExchangeItemGroup","MicrosoftTeams","OneDrive","PowerBIAudit","SecurityComplianceAlerts","SecurityComplianceCenterEOPCmdlet","SecurityComplianceInsights","SharePoint","SharePointFileOperation","SharePointListOperation","SharePointSharingOperation","SkypeForBusinessCmdlets","SkypeForBusinessPSTNUsage","SkypeForBusinessUsersBlocked","Sway","ThreatIntelligence","ThreatIntelligenceAtpContent","ThreatIntelligenceUrl","WorkplaceAnalytics","Yammer")

ExportReports;

;Break

}
Default {Write-Host "No matches found , Enter Options from 1 to 5" -ForeGround "red"} 
}
