Osprey

1.0.3

functions/Tenant/Get-OspreyTenantEDiscoveryDetails.ps1

                                <#

.DESCRIPTION

    Searches for all roles that have e-discovery cmdlets.

    Searches for all users / groups that have access to those roles.

    Searches the UAL for eDiscovery events

.OUTPUTS

    eDiscoveryRoles.csv / eDiscoveryRoles.xml / eDiscoveryRoles.json

    eDiscoveryRoleAssignments.csv / eDiscoveryRoleAssignments.xml / eDiscoveryRoleAssignments.json

    eDiscoveryLogs.csv

#>

Function Get-OspreyTenantEDiscoveryDetails {

    Test-EXOConnection

    $InformationPreference = "Continue"

    Out-LogFile "Gathering Tenant information about eDiscovery Configuration" -action

    # Nulling our our role arrays

    [array]$Roles = $null

    [array]$RoleAssignments = $null

    # Look for E-Discovery Roles and who they might be assigned to

    $EDiscoveryCmdlets = "New-MailboxSearch", "Search-Mailbox"

    # Find any roles that have these critical ediscovery cmdlets in them

    # Bad actors with sufficient rights could have created new roles so we search for them

    Foreach ($cmdlet in $EDiscoveryCmdlets) {

        [array]$Roles = $Roles + (Get-ManagementRoleEntry ("*\" + $cmdlet))

    }

    # Select just the unique entries based on role name

    $UniqueRoles = Select-UniqueObject -ObjectArray $Roles -Property Role

    Out-LogFile ("Found " + $UniqueRoles.count + " Roles with eDiscovery Rights")

    $UniqueRoles | Out-MultipleFileType -FilePrefix "eDiscoveryRoles" -csv -xml -json

    # Get everyone who is assigned one of these roles

    Foreach ($Role in $UniqueRoles) {

        [array]$RoleAssignments = $RoleAssignments + (Get-ManagementRoleAssignment -Role $Role.role -Delegating $false)

    }

    Out-LogFile ("Found " + $RoleAssignments.count + " Role Assignments for these Roles")

    $RoleAssignments | Out-MultipleFileType -FilePreFix "eDiscoveryRoleAssignments" -csv -xml -json

    Out-LogFile "Gathering any eDiscovery logs" -action

    # Search UAL audit logs for any eDiscovery activity

    $eDiscoveryLogs = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -RecordType 'Discovery'")

    # If null we found no changes to nothing to do here

    if ($null -eq $eDiscoveryLogs) {

        Out-LogFile "No eDiscovery Logs found"

    }

    # If not null then we must have found some events so flag them

    else {

        Out-LogFile "eDiscovery Activity has been found! Please review eDiscoveryLogs.csv to validate if the activity is legitimate." -Notice

        # Go thru each even and prepare it to output to CSV

        $eDiscoveryOutput = Foreach ($log in $eDiscoveryLogs) {

            $log1 = $log.auditdata | ConvertFrom-Json

            [PSCustomObject]@{

                CreationTime = $log1.CreationTime

                Id           = $log1.Id

                Name         = $log1.ObjectId

                Operation    = $log1.Operation

                UserID       = $log1.UserID

            }

        }

        $eDiscoveryOutput | Out-MultipleFileType -fileprefix "eDiscoveryLogs" -csv

    }

}