functions/Tenant/Get-HawkTenantMailItemsAccessed.ps1

Function Get-HawkTenantMailItemsAccessed {
<#
.SYNOPSIS
    This will export MailboxItemsAccessed operations from the Unified Audit Log (UAL). Must be connected to Exchange Online
    using the Connect-EXO or Connect-ExchangeOnline module. M365 E5 or G5 license is required for this function to work.
    This telemetry will ONLY be availabe if Advanced Auditing is enabled for the M365 tenant.
.DESCRIPTION
    Recent attacker activities have illuminated the use of the Graph API to read user mailbox contents. This will export
    logs that will be present if the attacker is using the Graph API for such actions. Note: NOT all graph API actions against
    a mailbox are malicious. Review the results of this function and look for Application IDs that are associated with a
    suspicious application ID.
.PARAMETER ApplicationID
    Malicious Application ID that you're investigating
.EXAMPLE
    Get-HawkTenantMailItemsAccessed
    Gets MailItemsAccess from Unified Audit Log (UAL) that corresponds to the App ID that is provided
.OUTPUTS
    MailItemsAccessed.csv
 
.LINK
    https://www.microsoft.com/security/blog/2020/12/21/advice-for-incident-responders-on-recovery-from-systemic-identity-compromises/
 
.NOTES
    "OperationnProperties" and "Folders" will return "System.Object" as they are nested JSON within the AuditData field.
    You will need to conduct individual log pull and review via PowerShell or other SIEM to determine values
    for those fields.
 
#>

    [cmdletbinding()]
    param(
        [parameter(Mandatory)]
        [string]$ApplicationID

    )
BEGIN {
    Out-LogFile "Starting Unified Audit Log (UAL) search for 'MailItemsAccessed'"

}#End Begin

PROCESS{
    $MailboxItemsAccessed = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -Operations 'MailItemsAccessed' -FreeText $ApplicationID ")

    $MailboxItemsAccessed | Select-Object -ExpandProperty AuditData | Convertfrom-Json | Out-MultipleFileType -FilePrefix "MailItemsAccessed" -csv -json
}#End Process

END{

    Out-Logfile "Completed exporting MailItemsAccessed logs"
}#End End


}#End Function