From 959ce4128a88944b877db845ede4d97ecf742cc9 Mon Sep 17 00:00:00 2001
From: Jonathan Butler <>
Date: Tue, 10 Dec 2024 13:32:48 -0500
Subject: [PATCH] Revert Get-HawkUserMailBoxAuditing to old / original code.

 .../User/Get-HawkUserMailboxAuditing.ps1      | 190 +++++++++---------
 1 file changed, 90 insertions(+), 100 deletions(-)

diff --git a/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1 b/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1
index dfbd58a..096ad9e 100644
--- a/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1
+++ b/Hawk/functions/User/Get-HawkUserMailboxAuditing.ps1
@@ -1,121 +1,111 @@
 function Get-HawkUserMailboxAuditing {
-    Gathers Mailbox Audit data if enabled for the user.
-    Checks if mailbox auditing is enabled for the user.
-    If it is, pulls the mailbox audit logs from the specified time period.
-    Will pull from the Unified Audit Log (UAL) and the Mailbox Audit Log.
-.PARAMETER UserPrincipalName
-    Single UPN of a user, comma-separated list of UPNs, or array of objects that contain UPNs.
-    File: Exchange_UAL_Audit.csv
-    Path: <User>
-    Description: All Exchange related audit events found in the Unified Audit Log.
-    File: Exchange_Mailbox_Audit.csv
-    Path: <User>
-    Description: All Exchange related audit events found in the Mailbox Audit Log.
-    Get-HawkUserMailboxAuditing -UserPrincipalName
-    Search for all Mailbox Audit logs from
-    Get-HawkUserMailboxAuditing -UserPrincipalName (Get-Mailbox -Filter {Customattribute1 -eq "C-level"})
-    Search for all Mailbox Audit logs for all users who have "C-Level" set in CustomAttribute1.
-    [CmdletBinding()]
-    param
-    (
-        [Parameter(Mandatory = $true)]
-        [array]$UserPrincipalName
-    )
-    Function Get-MailboxAuditLogsFiveDaysAtATime {
-        param(
-            [Parameter(Mandatory = $true)]
-            [datetime]$StartDate,
-            [Parameter(Mandatory = $true)]
-            [datetime]$EndDate,
-            [Parameter(Mandatory = $true)]
-            $User
-        )
+        Gathers Mailbox Audit data if enabled for the user.
+        Check if mailbox auditing is enabled for the user.
+        If it is pulls the mailbox audit logs from the time period specified for the investigation.
-        # Setup the initial start date
-        [datetime]$RangeStart = $StartDate
-        [array]$Results = @()
+        Will pull from the Unified Audit Log and the Mailbox Audit Log
+    .PARAMETER UserPrincipalName
+        Single UPN of a user, commans seperated list of UPNs, or array of objects that contain UPNs.
-        do {
-            # Get the end of the 5-day range
-            [datetime] $RangeEnd = ($RangeStart.AddDays(5))
-            Out-LogFile ("Searching Range " + [string]$RangeStart + " To " + [string]$RangeEnd)
+        File: Exchange_UAL_Audit.csv
+        Path: \<User>
+        Description: All Exchange related audit events found in the Unified Audit Log.
-            [array]$PartialResults = Search-MailboxAuditLog -StartDate $RangeStart -EndDate $RangeEnd -Identity $User -ShowDetails -ResultSize 250000
-            if ($PartialResults) {
-                $Results += $PartialResults
-            }
+        File: Exchange_Mailbox_Audit.csv
+        Path: \<User>
+        Description: All Exchange related audit events found in the Mailbox Audit Log.
+        .EXAMPLE
-            # Advance to the next range
-            $RangeStart = $RangeEnd
-        }
-        while ($RangeStart -le $EndDate)
+        Get-HawkUserMailboxAuditing -UserPrincipalName
-        Return $Results
-    }
+        Search for all Mailbox Audit logs from
+        .EXAMPLE
-    ### MAIN ###
-    Test-EXOConnection
-    Send-AIEvent -Event "CmdRun"
+        Get-HawkUserMailboxAuditing -UserPrincipalName (get-mailbox -Filter {Customattribute1 -eq "C-level"})
-    # Verify our UPN input
-    [array]$UserArray = Test-UserObject -ToTest $UserPrincipalName
+        Search for all Mailbox Audit logs for all users who have "C-Level" set in CustomAttribute1
+    #>
-    foreach ($Object in $UserArray) {
-        [string]$User = $Object.UserPrincipalName
+        param
+        (
+            [Parameter(Mandatory = $true)]
+            [array]$UserPrincipalName
+        )
-        Out-LogFile ("Attempting to Gather Mailbox Audit logs " + $User) -action
+        Function Get-MailboxAuditLogsFiveDaysAtATime {
+            param(
+                [Parameter(Mandatory = $true)]
+                [datetime]$StartDate,
+                [Parameter(Mandatory = $true)]
+                [datetime]$EndDate,
+                [Parameter(Mandatory = $true)]
+                $User
+            )
+            # Setup the initial start date
+            [datetime]$RangeStart = $StartDate
+            do {
+                # Get the end of the Range we are going to gather data for
+                [datetime] $RangeEnd = ($RangeStart.AddDays(5))
+                            # Do the actual search
+                Out-LogFile ("Searching Range " + [string]$RangeStart + " To " + [string]$RangeEnd)
+                [array]$Results += Search-MailboxAuditLog -StartDate $RangeStart -EndDate $RangeEnd -identity $User -ShowDetails -ResultSize 250000
+                # Set the RangeStart = to the RangeEnd so we do the next range
+                $RangeStart = $RangeEnd
+            }
+            # While the start range is less than the end date we need to keep pulling in 5 day increments
+            while ($RangeStart -le $EndDate)
-        # Test if mailbox auditing is enabled
-        $mbx = Get-Mailbox -Identity $User
-        if ($mbx.AuditEnabled -eq $true) {
-            Out-LogFile "Mailbox Auditing is enabled."
-            Out-LogFile "Searching Unified Audit Log for Exchange Related Events"
+            # Return the results object
+            Return $Results
-            # Search unified audit logs for Exchange related events
-            # Using RecordType ExchangeItem or ExchangeMailbox as needed
-            # For now, we'll assume ExchangeItem is appropriate as the old code used ExchangeItem
-            $UnifiedAuditResults = Search-UnifiedAuditLog -UserIds $User -RecordType ExchangeItem -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -Operations "*" -ResultSize 5000
+        }
-            Out-LogFile ("Found " + $UnifiedAuditResults.Count + " Exchange audit records.")
+        ### MAIN ###
+        Test-EXOConnection
+        Send-AIEvent -Event "CmdRun"
-            # Determine the user's output folder
-            $UserFolder = (Get-HawkUserPath -User $User)
+        # Verify our UPN input
+        [array]$UserArray = Test-UserObject -ToTest $UserPrincipalName
-            # Write raw JSON to file
-            $RawJsonPath = Join-Path $UserFolder "Exchange_UAL_Audit_Raw.json"
-            $UnifiedAuditResults | Select-Object -ExpandProperty AuditData | Out-File $RawJsonPath
+        foreach ($Object in $UserArray) {
+            [string]$User = $Object.UserPrincipalName
-            # Parse the results using Get-SimpleUnifiedAuditLog
-            $ParsedUAL = $UnifiedAuditResults | Get-SimpleUnifiedAuditLog
+            Out-LogFile ("Attempting to Gather Mailbox Audit logs " + $User) -action
-            # Output the parsed data
-            $ParsedUAL | Out-MultipleFileType -FilePrefix "Exchange_UAL_Audit" -User $User -csv -json
+            # Test if mailbox auditing is enabled
+            $mbx = Get-Mailbox -identity $User
+            if ($mbx.AuditEnabled -eq $true) {
+                # if enabled pull the mailbox auditing from the unified audit logs
+                Out-LogFile "Mailbox Auditing is enabled."
+                Out-LogFile "Searching Unified Audit Log for Exchange Related Events"
-            # Now search the mailbox audit logs
-            Out-LogFile "Searching Exchange Mailbox Audit Logs (this can take some time)"
-            $MailboxAuditLogs = Get-MailboxAuditLogsFiveDaysAtATime -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -User $User
-            Out-LogFile ("Found " + $MailboxAuditLogs.Count + " Exchange Mailbox audit records.")
+                $UnifiedAuditLogs = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -UserIDs " + $User + " -RecordType ExchangeItem") | select-object -Expandproperty AuditData | convertfrom-json
+                Out-LogFile ("Found " + $UnifiedAuditLogs.Count + " Exchange audit records.")
-            # Output mailbox audit logs as before
-            $MailboxAuditLogs | Out-MultipleFileType -FilePrefix "Exchange_Mailbox_Audit" -User $User -csv -json
-        }
-        else {
-            Out-LogFile ("Auditing not enabled for " + $User)
+                # Output the data we found
+                $UnifiedAuditLogs | Out-MultipleFileType -FilePrefix "Exchange_UAL_Audit" -User $User -csv -json
+                # Search the MailboxAuditLogs as well since they may have different/more information
+                Out-LogFile "Searching Exchange Mailbox Audit Logs (this can take some time)"
+                $MailboxAuditLogs = Get-MailboxAuditLogsFiveDaysAtATime -StartDate $Hawk.StartDate -EndDate $Hawk.EndDate -User $User
+                Out-LogFile ("Found " + $MailboxAuditLogs.Count + " Exchange Mailbox audit records.")
+                # Output the data we found
+                $MailboxAuditLogs | Out-MultipleFileType -FilePrefix "Exchange_Mailbox_Audit" -User $User -csv -json
+            }
+            # If auditing is not enabled log it and move on
+            else {
+                Out-LogFile ("Auditing not enabled for " + $User)
+            }
-    }
+    }
\ No newline at end of file
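Review bot: The restored Unified Audit Log call builds its command by string concatenation, `("Search-UnifiedAuditLog -UserIDs " + $User + " -RecordType ExchangeItem")`, so the UPN is spliced unquoted into text that Get-AllUnifiedAuditLogEntry presumably evaluates later (its body is outside this hunk, so confirm how the string is run). A UPN containing an apostrophe, a space or another PowerShell metacharacter would at best break the search and at worst be parsed as code in the investigator's Exchange Online session; quoting and escaping the value closes that off: `("Search-UnifiedAuditLog -UserIDs '" + $User.Replace("'", "''") + "' -RecordType ExchangeItem")`. Separately, the revert drops the `[array]$Results = @()` initialisation in Get-MailboxAuditLogsFiveDaysAtATime, so `[array]$Results += Search-MailboxAuditLog ...` can start from whatever `$Results` is visible in a parent scope; keeping the initialisation before the `do` loop avoids mixing stale records into the exported audit evidence.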