-
Notifications
You must be signed in to change notification settings - Fork 120
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feature/233: Added User-specific audit for mailitems accessed
- Loading branch information
1 parent
470acce
commit c7b0886
Showing
2 changed files
with
67 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,62 @@ | ||
| Function Get-HawkMailItemsAccessed { | ||
| <# | ||
| .SYNOPSIS | ||
| This will export MailboxItemsAccessed operations from the Unified Audit Log (UAL). Must be connected to Exchange Online | ||
| using the Connect-EXO or Connect-ExchangeOnline module. M365 E5 or G5 license is required for this function to work. | ||
| This telemetry will ONLY be availabe if Advanced Auditing is enabled for the M365 user. | ||
| .DESCRIPTION | ||
| Recent attacker activities have illuminated the use of the Graph API to read user mailbox contents. This will export | ||
| logs that will be present if the attacker is using the Graph API for such actions. Note: NOT all graph API actions against | ||
| a mailbox are malicious. Review the results of this function and look for suspicious access of mailbox items associated | ||
| with a specific user. | ||
| .PARAMETER UserIDs | ||
| Specific user(s) to be investigated | ||
| .EXAMPLE | ||
| Get-HawkMailItemsAccessed -UserIDs [email protected] | ||
| Gets MailItemsAccess from Unified Audit Log (UAL) that corresponds to the User ID that is provided | ||
| .OUTPUTS | ||
| MailItemsAccessed.csv | ||
| .LINK | ||
| https://www.microsoft.com/security/blog/2020/12/21/advice-for-incident-responders-on-recovery-from-systemic-identity-compromises/ | ||
| .NOTES | ||
| "Operation Properties" and "Folders" will return "System.Object" as they are nested JSON within the AuditData field. | ||
| You will need to conduct individual log pull and review via PowerShell or other SIEM to determine values | ||
| for those fields. | ||
| #> | ||
| [CmdletBinding()] | ||
| param( | ||
| [Parameter(Mandatory=$true)] | ||
| [string[]]$UserIDs | ||
| ) | ||
|
|
||
| BEGIN { | ||
| # Check if Hawk object exists and is fully initialized | ||
| if (Test-HawkGlobalObject) { | ||
| Initialize-HawkGlobalObject | ||
| } | ||
| Out-LogFile "Starting Unified Audit Log (UAL) search for 'MailItemsAccessed'" -Action | ||
| }#End Begin | ||
|
|
||
| PROCESS { | ||
| $curr_idx = 0 | ||
| foreach($user in $UserIDs) { | ||
| if($curr_idx -eq 0) { | ||
| $UserList = $user | ||
| }else { | ||
| $UserList = "$UserList, $user" | ||
| } | ||
| $curr_idx += 1 | ||
| } | ||
| $MailboxItemsAccessed = Get-AllUnifiedAuditLogEntry -UnifiedSearch ("Search-UnifiedAuditLog -Operations 'MailItemsAccessed' -UserIds $UserList") | ||
|
|
||
| $MailboxItemsAccessed | Select-Object -ExpandProperty AuditData | Convertfrom-Json | Out-MultipleFileType -FilePrefix "MailItemsAccessed" -csv -json | ||
|
|
||
| }#End Process | ||
|
|
||
| END{ | ||
| Out-Logfile "Completed exporting MailItemsAccessed logs" -Information | ||
| }#End End | ||
|
|
||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters