
Office 365 Extractor

This script makes it possible to extract log data out of an Office 365 environment. It offers four main options that let an investigator extract logging from an Office 365 environment with little effort:
  1. Show available log sources and amount of logging
  2. Extract all audit logging
  3. Extract group audit logging
  4. Extract Specific audit logging (advanced mode)

Show available log sources and amount of logging

Pretty straightforward: a search is executed and the total number of logs within the set timeframe is displayed and written to a CSV file called "Amount_Of_Audit_Logs.csv". The file name is prefixed with a random number to prevent duplicates.

Extract all audit logs

This option retrieves all available audit logs within the set timeframe and writes them to a file called AuditRecords.csv.

Extract group logging

Extract a group of logs; for example, all Exchange or Azure logging in one go.

Extract specific audit logs

Use this option if you want to extract a subset of the audit logs. To configure which logs will be extracted, the tool needs to be configured with the required RecordTypes. A full list of RecordTypes can be found at the bottom of this page.
The output files will be written to a directory called "Log_Directory" and will be given the name of their RecordType, e.g. ExchangeItem_AuditRecords.csv.
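The per-RecordType extraction described above, as an added example that is not the Office365_Extractor.ps1 script itself. It pages through Search-UnifiedAuditLog with a SessionId per RecordType and writes each RecordType to Log_Directory\<RecordType>_AuditRecords.csv. It assumes an Exchange Online session is already established (so that Search-UnifiedAuditLog is available) and that the account holds the View-Only Audit Logs or Audit Logs role; the default dates and RecordTypes are placeholders.

```powershell
# Added example, not the project's own code. Assumes Search-UnifiedAuditLog is
# available in the current session (an Exchange Online connection exists).
param(
    [datetime]$StartDate   = (Get-Date).AddDays(-7),   # assumed default window
    [datetime]$EndDate     = (Get-Date),
    [string[]]$RecordTypes = @('ExchangeAdmin', 'ExchangeItem', 'AzureActiveDirectoryStsLogon')
)

# Log_Directory next to the script, or in the current folder when run interactively
$base   = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
$logDir = Join-Path $base 'Log_Directory'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null

foreach ($recordType in $RecordTypes) {
    # A fresh SessionId per RecordType. ReturnLargeSet returns unsorted data in
    # pages of up to 5000 records and caps one session at 50,000 results, so
    # narrow the time window if a RecordType reports more than that.
    $sessionId = [guid]::NewGuid().ToString()
    $outFile   = Join-Path $logDir ("{0}_AuditRecords.csv" -f $recordType)
    $written   = 0
    $expected  = 0

    do {
        $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                    -RecordType $recordType -ResultSize 5000 `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet
        if (-not $page) { break }

        # Keep the raw record columns (AuditData stays a JSON string) so every
        # row has the same schema and Export-Csv -Append never hits a mismatch.
        $page |
            Select-Object CreationDate, RecordType, Operations, UserIds, AuditData |
            Export-Csv -Path $outFile -NoTypeInformation -Append

        $written += @($page).Count
        $expected = @($page)[0].ResultCount   # total hits the service reports
    } while ($written -lt $expected)

    Write-Host ("{0}: {1} of {2} records written to {3}" -f $recordType, $written, $expected, $outFile)
}
```

Timestamps in CreationDate are UTC, as the FAQ below notes, so keep that in mind when building a timeline from the CSV files.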

Prerequisites

- PowerShell
- Office 365 account with privileges to access/extract audit logging
- One of the following Windows versions:
  Windows 10, Windows 8.1, Windows 8, or Windows 7 Service Pack 1 (SP1)
  Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 SP1

You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the Office 365 audit log. By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center. To give a user the ability to search the Office 365 audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only Audit Logs or Audit Logs role, and then add the user as a member of the new role group. For more information, see Manage role groups in Exchange Online (https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance).

How to use the script

1. Download Office365_Extractor.ps1.
2. Right-click the script and choose "Run with PowerShell".
3. Pick any of the options in the menu.
4. The logs will be written to the log directory in the folder where the script is located.

Output

Amount_Of_Audit_Logs.csv:
Shows which logs are available and how many there are for each RecordType.
AuditLog.txt:
The AuditLog stores valuable information for debugging.
AuditRecords.csv:
When all logs are extracted they are written to this file.
[RecordType]_AuditRecords.csv:
When extracting specific RecordTypes, logs are sorted by RecordType and written to a CSV file.
The name of this file is the RecordType + _AuditRecords.

Available RecordTypes

SyntheticProbe
AzureActiveDirectory
AzureActiveDirectoryAccountLogon
AzureActiveDirectoryStsLogon
ComplianceDLPExchange
ComplianceDLPSharePoint
CRM
DataCenterSecurityCmdlet
Discovery
ExchangeAdmin
ExchangeAggregatedOperation
ExchangeItem
ExchangeItemGroup
MicrosoftTeamsAddOns
MicrosoftTeams
MicrosoftTeamsSettingsOperation
OneDrive
PowerBIAudit
SecurityComplianceCenterEOPCmdlet
SharePoint
SharePointFileOperation
SharePointSharingOperation
SkypeForBusinessCmdlets
SkypeForBusinessPSTNUsage
SkypeForBusinessUsersBlocked
Sway
ThreatIntelligence
Yammer
MicrosoftStream
Project
SharepointListOperation
SecurityComplianceAlerts
ThreatIntelligenceUrl
ThreatIntelligenceAtpContent
AeD
ThreatFinder
DataGovernance
WorkplaceAnalytics
SecurityComplianceInsights
ExchangeItemAggregated
PowerAppsApp
HygieneEvent
PowerAppsPlan
LabelExplorer
TeamsHealthcare
SharePointFieldOperation

Frequently Asked Questions

If I enable mailbox auditing now, can I see historical records?
No. Additionally, if you enable auditing now it will take up to 24 hours before events are logged.

I logged into a mailbox with auditing turned on, but I don't see my events?
It can take up to 24 hours before an event is stored in the UAL (Unified Audit Log).


Which date format does the script accept as input?
The script will tell you the correct format based on your regional computer settings. For the Start and End date variables it shows the expected format between brackets. For example, if the computer is configured to use the short date format mm/dd/yyyy, enter 09/01/2018 00:00 to specify September 1, 2018. You can enter the date only, or the date and time of day.

Do I need to configure the time period?
No. If you don't specify a time period the script uses the default. If you don't include a timestamp in the value for the StartDate or EndDate parameters, the default timestamp 12:00 AM (midnight) is used.

What about timestamps?
The audit logs are in UTC, and they are exported as such.

What is the retention period?
Office 365 E3 - Audit records are retained for 90 days. That means you can search the audit log for activities that were performed within the last 90 days.

Office 365 E5 - Audit records are retained for 365 days (one year). That means you can search the audit log for activities that were performed within the last year. Retaining audit records for one year is also available for users that are assigned an E3/Exchange Online Plan 1 license and have an Office 365 Advanced Compliance add-on license.

Can this script also acquire Message Trace Logs?
At the moment it cannot, but several open-source scripts are available that can help you obtain the MTL. One example can be found here: https://gallery.technet.microsoft.com/scriptcenter/Export-Mail-logs-to-CSV-d5b6c2d6

Known errors

Import-PSSession : No command proxies have been created, because all of the requested remote....
This error occurs when the script did not close correctly and an active session is still running in the background. The script tries to import/load all modules again, which is not necessary since they are already loaded. The error message has no impact on the script and goes away once the open session is closed. This can be done by restarting the PowerShell window or by entering the following command: Get-PSSession | Remove-PSSession

Audit logging is enabled in the Office 365 environment but no logs are getting displayed?
The user must be assigned an Office 365 E5 license. Alternatively, users with an Office 365 E1 or E3 license can be assigned an Advanced eDiscovery standalone license. Administrators and compliance officers who are assigned to cases and use Advanced eDiscovery to analyze data don't need an E5 license.

Audit log search argument start date should be after...
The start date should be earlier than the end date.

New-PSSession: [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message: Access is denied.
The username/password combination is incorrect, or the user does not have enough privileges to extract the audit logging.


This script was developed by Joey Rentenaar and Korstiaan Stam from the PwC Netherlands Incident Response team.
The idea is based on a script developed by Tehnoon Raza from Microsoft:
https://blogs.msdn.microsoft.com/tehnoonr/2018/01/26/retrieving-office-365-audit-data-using-powershell/
