Last active
February 26, 2022 09:06
-
-
Save alexmags/92009e7de6c4ac34446133a1249b49e3 to your computer and use it in GitHub Desktop.
PowerShell to export mailbox audit logs using search-mailboxAuditLog. https://blog.alexmags.com/posts/exchange-online-email-investigation/
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $StartDate='02/22/2022' | |
| $EndDate='02/24/2022' #start of day | |
| $MailboxOwner=someone@Companyname.com' | |
| $mailboxAuditlogs=search-mailboxAuditLog $ MailboxOwner -StartDate $StartDate -EndDate $EndDate -LogonTypes Owner, Admin, Delegate -ShowDetails -resultsize 50000 | |
| if ($mailboxAuditlogs.count -eq 50000) {write-warning 'Results limited to 50000'} | |
| # backtick used to split this over multiple lines. Pulling InternetMessageIds out of AggregatedRecordFoldersData JSON object | |
| $resultTable=$mailboxAuditlogs | select MailboxOwnerUPN,LogonType,LogonUserDisplayName,Operation,ItemSubject,` | |
| @{label='InternetMessageIds'; expression={($_.AggregatedRecordFoldersData | ConvertFrom-Json).folderitems.InternetMessageId -join ' '}},` | |
| AggregatedRecordFoldersData,AppId,AuditOperationsCountInAggregatedRecord,ClientAppId,ClientInfoString,ClientIP,ClientIPAddress,ClientMachineName,` | |
| ClientProcessName,ClientVersion,CrossMailboxOperation,DestFolderId,DestFolderPathName,DestMailboxGuid,DestMailboxOwnerSid,DestMailboxOwnerUPN,` | |
| DirtyProperties,ExternalAccess,FolderId,FolderName,FolderPathName,Identity,InternalLogonType,IsValid,ItemAttachments,ItemComplianceLabel,ItemId,ItemInternetMessageId,` | |
| ItemIsRecord,LastAccessed,LogonUserSid,MailboxGuid,MailboxOwnerSid,MailboxResolvedOwnerName,` | |
| MemberRights,MemberSid,MemberUpn,ObjectState,OperationProperties,OperationResult,OriginatingServer,SessionId,SourceFolderPathNamesList,` | |
| SourceFolders,SourceItemAttachmentsList,SourceItemFolderPathNamesList,SourceItemIdsList,SourceItemInternetMessageIdsList,SourceItems,SourceItemSubjectsList | |
| # Export the results to CSV. Make random file name, export to csv, open it. | |
| $csvpath="$([System.IO.Path]::GetTempFileName()).csv" # Make a random temp filename | |
| $resultTable |Export-Csv -Encoding UTF8 -NoTypeInformation -force -path $csvpath # export to CSV | |
| invoke-item $csvpath # launch the CSV file (opens with Excel) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment