Public/Compliance/Search-AuditLog.ps1
|
function Search-AuditLog { <# .SYNOPSIS Search the unified admin audit log .DESCRIPTION Search the unified admin audit log .PARAMETER StartSearchHoursAgo Type the number of hours in the past to "Start" your search Using .01 is even acceptable .PARAMETER EndSearchHoursAgo Type the number of hours in the past to "End" your search Default is 0 - which is the present (now) .PARAMETER RecordType The RecordType parameter filters the log entries by record type. Valid values are: AeD AirInvestigation ApplicationAudit AzureActiveDirectory AzureActiveDirectoryAccountLogon AzureActiveDirectoryStsLogon Campaign ComplianceDLPExchange ComplianceDLPSharePoint ComplianceDLPSharePointClassification ComplianceSupervisionExchange CRM CustomerKeyServiceEncryption DataCenterSecurityCmdlet DataGovernance DataInsightsRestApiAudit Discovery DLPEndpoint ExchangeAdmin ExchangeAggregatedOperation ExchangeItem ExchangeItemAggregated ExchangeItemGroup HRSignal HygieneEvent InformationBarrierPolicyApplication InformationWorkerProtection Kaizala LabelExplorer MailSubmission MicrosoftFlow MicrosoftForms MicrosoftStream MicrosoftTeams MicrosoftTeamsAddOns MicrosoftTeamsAdmin MicrosoftTeamsAnalytics MicrosoftTeamsDevice MicrosoftTeamsSettingsOperation MipAutoLabelSharePointItem MipAutoLabelSharePointPolicyLocation MIPLabel OfficeNative OneDrive PowerAppsApp PowerAppsPlan PowerBIAudit Project Quarantine SecurityComplianceAlerts SecurityComplianceCenterEOPCmdlet SecurityComplianceInsights SharePoint SharePointCommentOperation SharePointContentTypeOperation SharePointFieldOperation SharePointFileOperation SharePointListItemOperation SharePointListOperation SharePointSharingOperation SkypeForBusinessCmdlets SkypeForBusinessPSTNUsage SkypeForBusinessUsersBlocked Sway SyntheticProbe TeamsHealthcare ThreatFinder ThreatIntelligence ThreatIntelligenceAtpContent ThreatIntelligenceUrl WorkplaceAnalytics Yammer .PARAMETER Operations The Operations parameter filters the log entries by operation. There are others that can be found here: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#audited-activities Let me know if you would like any others added besides this list Add user AddFolderPermissions AddMailboxPermissions ApplyRecordLabel Change user license Change user password ClientViewSignaled ComplianceRecordDelete ComplianceSettingChanged Copy Create Delete user DocumentSensitivityMismatchDetected FileAccessed FileAccessedExtended FileCheckedIn FileCheckedOut FileCheckOutDiscarded FileCopied FileDeleted FileDeletedFirstStageRecycleBin FileDeletedSecondStageRecycleBin FileDownloaded FileMalwareDetected FileModified FileModifiedExtended FileMoved FilePreviewed FileRenamed FileRestored FileUploaded FileVersionRecycled FileVersionsAllMinorsRecycled FileVersionsAllRecycled HardDelete LockRecord MailboxLogin MailItemsAccessed Move MoveToDeletedItems New-InboxRule PagePrefetched PageViewed PageViewedExtended RemoveFolderPermissions Remove-MailboxPermission Reset user password SearchQueryPerformed SendAs SendOnBehalf Set force change user password Set license properties Set-InboxRule SoftDelete UnlockRecord Update Update user UpdateCalendarDelegation UpdateFolderPermissions UpdateInboxRules .PARAMETER ResultSize Default is 5000 with built in paging. .EXAMPLE Search-AuditLog -StartSearchHoursAgo 24 -Operations AddFolderPermissions .NOTES General notes #> [CmdletBinding()] param ( [Parameter()] [Double] $StartSearchHoursAgo = ".25", [Parameter()] [Double] $EndSearchHoursAgo = "0", [Parameter()] [ValidateSet( 'AeD', 'AirInvestigation', 'ApplicationAudit', 'AzureActiveDirectory', 'AzureActiveDirectoryAccountLogon', 'AzureActiveDirectoryStsLogon', 'Campaign', 'ComplianceDLPExchange', 'ComplianceDLPSharePoint', 'ComplianceDLPSharePointClassification', 'ComplianceSupervisionExchange', 'CRM', 'CustomerKeyServiceEncryption', 'DataCenterSecurityCmdlet', 'DataGovernance', 'DataInsightsRestApiAudit', 'Discovery', 'DLPEndpoint', 'ExchangeAdmin', 'ExchangeAggregatedOperation', 'ExchangeItem', 'ExchangeItemAggregated', 'ExchangeItemGroup', 'HRSignal', 'HygieneEvent', 'InformationBarrierPolicyApplication', 'InformationWorkerProtection', 'Kaizala', 'LabelExplorer', 'MailSubmission', 'MicrosoftFlow', 'MicrosoftForms', 'MicrosoftStream', 'MicrosoftTeams', 'MicrosoftTeamsAddOns', 'MicrosoftTeamsAdmin', 'MicrosoftTeamsAnalytics', 'MicrosoftTeamsDevice', 'MicrosoftTeamsSettingsOperation', 'MipAutoLabelSharePointItem', 'MipAutoLabelSharePointPolicyLocation', 'MIPLabel', 'OfficeNative', 'OneDrive', 'PowerAppsApp', 'PowerAppsPlan', 'PowerBIAudit', 'Project', 'Quarantine', 'SecurityComplianceAlerts', 'SecurityComplianceCenterEOPCmdlet', 'SecurityComplianceInsights', 'SharePoint', 'SharePointCommentOperation', 'SharePointContentTypeOperation', 'SharePointFieldOperation', 'SharePointFileOperation', 'SharePointListItemOperation', 'SharePointListOperation', 'SharePointSharingOperation', 'SkypeForBusinessCmdlets', 'SkypeForBusinessPSTNUsage', 'SkypeForBusinessUsersBlocked', 'Sway', 'SyntheticProbe', 'TeamsHealthcare', 'ThreatFinder', 'ThreatIntelligence', 'ThreatIntelligenceAtpContent', 'ThreatIntelligenceUrl', 'WorkplaceAnalytics', 'Yammer' )] [string[]] $RecordType, [Parameter()] [ValidateSet( 'ClientViewSignaled', 'ComplianceRecordDelete', 'ComplianceSettingChanged', 'DocumentSensitivityMismatchDetected', 'FileAccessed', 'FileAccessedExtended', 'FileCheckedIn', 'FileCheckedOut', 'FileCheckOutDiscarded', 'FileCopied', 'FileDeleted', 'FileDeletedFirstStageRecycleBin', 'FileDeletedSecondStageRecycleBin', 'FileDownloaded', 'FileMalwareDetected', 'FileModified', 'FileModifiedExtended', 'FileMoved', 'FilePreviewed', 'FileRenamed', 'FileRestored', 'FileUploaded', 'FileVersionRecycled', 'FileVersionsAllMinorsRecycled', 'FileVersionsAllRecycled', 'LockRecord', 'PagePrefetched', 'PageViewed', 'PageViewedExtended', 'SearchQueryPerformed', 'UnlockRecord', 'AddFolderPermissions', 'AddMailboxPermissions', 'ApplyRecordLabel', 'Copy', 'Create', 'HardDelete', 'MailboxLogin', 'MailItemsAccessed', 'Move', 'MoveToDeletedItems', 'New-InboxRule', 'RemoveFolderPermissions', 'Remove-MailboxPermission', 'SendAs', 'SendOnBehalf', 'Set-InboxRule', 'SoftDelete', 'Update', 'UpdateCalendarDelegation', 'UpdateFolderPermissions', 'UpdateInboxRules', 'Add user', 'Change user license', 'Change user password', 'Delete user', 'Reset user password', 'Set force change user password', 'Set license properties', 'Update user' )] [string[]] $Operations, [Parameter()] [int] $ResultSize = 5000 ) $SessionId = [DateTime]::Now.ToLocalTime() if ($StartSearchHoursAgo) { [DateTime]$StartSearchHoursAgo = ((Get-Date).AddHours( - $StartSearchHoursAgo)) $StartSearchHoursAgo = $StartSearchHoursAgo.ToUniversalTime() } if ($StartSearchHoursAgo) { [DateTime]$EndSearchHoursAgo = ((Get-Date).AddHours( - $EndSearchHoursAgo)) $EndSearchHoursAgo = $EndSearchHoursAgo.ToUniversalTime() } $params = @{ 'StartDate' = $StartSearchHoursAgo 'EndDate' = $EndSearchHoursAgo 'SessionCommand' = 'returnlargeset' 'SessionId' = $SessionId 'ResultSize' = $ResultSize } if ($RecordType) { $params.Add('RecordType', $RecordType) } if ($Operations) { $params.Add('Operations', $Operations) } try { Invoke-SearchAuditLog @params | Out-GridView } catch { if ($_.Exception.Message -match 'Cannot index into a null array') { Write-Warning "No data found" } else { Write-Warning $_.Exception.Message } } } |