diff --git a/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1 b/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1
index dfbd58a..096ad9e 100644
--- a/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1
+++ b/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1
@@ -1,121 +1,111 @@ function Get-HawkUserMailboxAuditing { <# -.SYNOPSIS - Gathers Mailbox Audit data if enabled for the user. -.DESCRIPTION - Checks if mailbox auditing is enabled for the user. - If it is, pulls the mailbox audit logs from the specified time period. - Will pull from the Unified Audit Log (UAL) and the Mailbox Audit Log. -.PARAMETER UserPrincipalName - Single UPN of a user, comma-separated list of UPNs, or array of objects that contain UPNs. -.OUTPUTS - - File: Exchange_UAL_Audit.csv - Path: - Description: All Exchange related audit events found in the Unified Audit Log. - - File: Exchange_Mailbox_Audit.csv - Path: - Description: All Exchange related audit events found in the Mailbox Audit Log. - -.EXAMPLE - Get-HawkUserMailboxAuditing -UserPrincipalName user@contoso.com - - Search for all Mailbox Audit logs from user@contoso.com. - -.EXAMPLE - Get-HawkUserMailboxAuditing -UserPrincipalName (Get-Mailbox -Filter {Customattribute1 -eq "C-level"}) - - Search for all Mailbox Audit logs for all users who have "C-Level" set in CustomAttribute1. -#> - - [CmdletBinding()] - param - ( - [Parameter(Mandatory = $true)] - [array]$UserPrincipalName - ) - - Function Get-MailboxAuditLogsFiveDaysAtATime { - param( - [Parameter(Mandatory = $true)] - [datetime]$StartDate, - [Parameter(Mandatory = $true)] - [datetime]$EndDate, - [Parameter(Mandatory = $true)] - $User - ) + .SYNOPSIS + Gathers Mailbox Audit data if enabled for the user. + .DESCRIPTION + Check if mailbox auditing is enabled for the user. + If it is pulls the mailbox audit logs from the time period specified for the investigation. - # Setup the initial start date - [datetime]$RangeStart = $StartDate - [array]$Results = @() + Will pull from the Unified Audit Log and the Mailbox Audit Log + .PARAMETER UserPrincipalName + Single UPN of a user, commans seperated list of UPNs, or array of objects that contain UPNs. 
+ .OUTPUTS - do { - # Get the end of the 5-day range - [datetime] $RangeEnd = ($RangeStart.AddDays(5)) - Out-LogFile ("Searching Range " + [string]$RangeStart + " To " + [string]$RangeEnd) + File: Exchange_UAL_Audit.csv + Path: \ + Description: All Exchange related audit events found in the Unified Audit Log. - [array]$PartialResults = Search-MailboxAuditLog -StartDate $RangeStart -EndDate $RangeEnd -Identity $User -ShowDetails -ResultSize 250000 - if ($PartialResults) { - $Results += $PartialResults - } + File: Exchange_Mailbox_Audit.csv + Path: \ + Description: All Exchange related audit events found in the Mailbox Audit Log. + .EXAMPLE - # Advance to the next range - $RangeStart = $RangeEnd - } - while ($RangeStart -le $EndDate) + Get-HawkUserMailboxAuditing -UserPrincipalName user@contoso.com - Return $Results - } + Search for all Mailbox Audit logs from user@contoso.com + .EXAMPLE - ### MAIN ### - Test-EXOConnection - Send-AIEvent -Event "CmdRun" + Get-HawkUserMailboxAuditing -UserPrincipalName (get-mailbox -Filter {Customattribute1 -eq "C-level"}) - # Verify our UPN input - [array]$UserArray = Test-UserObject -ToTest $UserPrincipalName + Search for all Mailbox Audit logs for all users who have "C-Level" set in CustomAttribute1 + #> - foreach ($Object in $UserArray) { - [string]$User = $Object.UserPrincipalName + param + ( + [Parameter(Mandatory = $true)] + [array]$UserPrincipalName + ) - Out-LogFile ("Attempting to Gather Mailbox Audit logs " + $User) -action + Function Get-MailboxAuditLogsFiveDaysAtATime { + param( + [Parameter(Mandatory = $true)] + [datetime]$StartDate, + [Parameter(Mandatory = $true)] + [datetime]$EndDate, + [Parameter(Mandatory = $true)] + $User + ) + + + # Setup the initial start date + [datetime]$RangeStart = $StartDate + + do { + # Get the end of the Range we are going to gather data for + [datetime] $RangeEnd = ($RangeStart.AddDays(5)) + # Do the actual search + Out-LogFile ("Searching Range " + [string]$RangeStart + " To " + 
[string]$RangeEnd) + [array]$Results += Search-MailboxAuditLog -StartDate $RangeStart -EndDate $RangeEnd -identity $User -ShowDetails -ResultSize 250000 + + # Set the RangeStart = to the RangeEnd so we do the next range + $RangeStart = $RangeEnd + } + # While the start range is less than the end date we need to keep pulling in 5 day increments + while ($RangeStart -le $EndDate) - # Test if mailbox auditing is enabled - $mbx = Get-Mailbox -Identity $User - if ($mbx.AuditEnabled -eq $true) { - Out-LogFile "Mailbox Auditing is enabled." - Out-LogFile "Searching Unified Audit Log for Exchange Related Events" + # Return the results object + Return $Results - # Search unified audit logs for Exchange related events - # Using RecordType ExchangeItem or ExchangeMailbox as needed - # For now, we'll assume ExchangeItem is appropriate as the old code used ExchangeItem - $UnifiedAuditResults = Search-UnifiedAuditLog -UserIds $User -RecordType ExchangeItem -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -Operations "*" -ResultSize 5000 + } - Out-LogFile ("Found " + $UnifiedAuditResults.Count + " Exchange audit records.") + ### MAIN ### + Test-EXOConnection + Send-AIEvent -Event "CmdRun" - # Determine the user's output folder - $UserFolder = (Get-HawkUserPath -User $User) + # Verify our UPN input + [array]$UserArray = Test-UserObject -ToTest $UserPrincipalName - # Write raw JSON to file - $RawJsonPath = Join-Path $UserFolder "Exchange_UAL_Audit_Raw.json" - $UnifiedAuditResults | Select-Object -ExpandProperty AuditData | Out-File $RawJsonPath + foreach ($Object in $UserArray) { + [string]$User = $Object.UserPrincipalName - # Parse the results using Get-SimpleUnifiedAuditLog - $ParsedUAL = $UnifiedAuditResults | Get-SimpleUnifiedAuditLog + Out-LogFile ("Attempting to Gather Mailbox Audit logs " + $User) -action - # Output the parsed data - $ParsedUAL | Out-MultipleFileType -FilePrefix "Exchange_UAL_Audit" -User $User -csv -json + # Test if mailbox auditing is enabled + $mbx = 
Get-Mailbox -identity $User + if ($mbx.AuditEnabled -eq $true) { + # if enabled pull the mailbox auditing from the unified audit logs + Out-LogFile "Mailbox Auditing is enabled." + Out-LogFile "Searching Unified Audit Log for Exchange Related Events" - # Now search the mailbox audit logs - Out-LogFile "Searching Exchange Mailbox Audit Logs (this can take some time)" - $MailboxAuditLogs = Get-MailboxAuditLogsFiveDaysAtATime -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -User $User - Out-LogFile ("Found " + $MailboxAuditLogs.Count + " Exchange Mailbox audit records.") + $UnifiedAuditLogs = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -UserIDs " + $User + " -RecordType ExchangeItem") | select-object -Expandproperty AuditData | convertfrom-json + Out-LogFile ("Found " + $UnifiedAuditLogs.Count + " Exchange audit records.") - # Output mailbox audit logs as before - $MailboxAuditLogs | Out-MultipleFileType -FilePrefix "Exchange_Mailbox_Audit" -User $User -csv -json - } - else { - Out-LogFile ("Auditing not enabled for " + $User) + # Output the data we found + $UnifiedAuditLogs | Out-MultipleFileType -FilePrefix "Exchange_UAL_Audit" -User $User -csv -json + + # Search the MailboxAuditLogs as well since they may have different/more information + Out-LogFile "Searching Exchange Mailbox Audit Logs (this can take some time)" + + $MailboxAuditLogs = Get-MailboxAuditLogsFiveDaysAtATime -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -User $User + Out-LogFile ("Found " + $MailboxAuditLogs.Count + " Exchange Mailbox audit records.") + + # Output the data we found + $MailboxAuditLogs | Out-MultipleFileType -FilePrefix "Exchange_Mailbox_Audit" -User $User -csv -json + + } + # If auditing is not enabled log it and move on + else { + Out-LogFile ("Auditing not enabled for " + $User) + } } - } -} + } \ No newline at end of file
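Review bot: The unified-audit search in the new foreach body is built as a command string, `"Search-UnifiedAuditLog -UserIDs " + $User + " -RecordType ExchangeItem"`, and handed to Get-AllUnifiedAuditLogEntry, so a UserPrincipalName value containing spaces, quotes or other metacharacters alters the command rather than the search argument; Get-AllUnifiedAuditLogEntry is not on this page, so whether it evaluates or merely parses that string is an assumption, but the removed side avoided the question by calling `Search-UnifiedAuditLog -UserIds $User` with the value as a parameter. At minimum the UPN should be embedded single-quoted with embedded quotes doubled, `"Search-UnifiedAuditLog -UserIDs '" + ($User -replace "'", "''") + "' -RecordType ExchangeItem"`, and checked against the expected UPN shape before it reaches the string. Separately, `[array]$Results += Search-MailboxAuditLog ...` in Get-MailboxAuditLogsFiveDaysAtATime now runs with `$Results` never initialised, which errors under Set-StrictMode and otherwise relies on `$null +` array semantics; `[array]$Results = @()` before the do loop makes the starting value explicit. The new side also drops `[CmdletBinding()]`, so the function loses common-parameter handling such as -Verbose and -ErrorAction that other callers in the module may rely on.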