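function Invoke-SharePointFileAudit
{
    <#
    .SYNOPSIS
        Retrieves SharePoint Online / OneDrive file events of one category from the
        Microsoft 365 unified audit log and returns them as flat objects or a CSV file.

    .DESCRIPTION
        Makes sure the ExchangeOnlineManagement module is available and an Exchange Online
        session exists, runs Search-UnifiedAuditLog for the operations that correspond to
        -Type, pages through the complete result set using a session id that is unique to
        this call, flattens the AuditData JSON of each record into an ordered object,
        optionally narrows the rows to the SharePoint or OneDrive workload and either
        emits the rows to the pipeline or exports them with Export-Csv.

    .PARAMETER Type
        Event category to retrieve. Each value maps to one or more unified-audit-log
        operation names (see $auditTypes in the Begin block).

    .PARAMETER KeepAlive
        Leave the Exchange Online session open when the function finishes. Without it
        the session is disconnected in the end block.

    .PARAMETER SharePointOnline
        Return only rows whose Workload is "SharePoint". Given together with -OneDrive
        (or with neither switch) no workload filter is applied.

    .PARAMETER OneDrive
        Return only rows whose Workload is "OneDrive". Given together with -SharePointOnline
        (or with neither switch) no workload filter is applied.

    .PARAMETER StartDate
        Start of the search window. Defaults to 89 days before today. Reset to that default,
        with a warning, when it lies after -EndDate.

    .PARAMETER EndDate
        End of the search window. Defaults to today and is clamped to today.

    .PARAMETER Outfile
        File name or path to export to. ".CSV" is appended unless the name already carries a
        .csv extension. When omitted the rows are written to the pipeline instead.

    .PARAMETER ResultSize
        Page size for each Search-UnifiedAuditLog call, clamped to 1..5000. Every page is
        retrieved, so this only affects the number of round trips.

    .OUTPUTS
        PSCustomObject per audit record (TimeStamp, UserName, ClientIP, Source, Workload,
        Operation, SiteURL, path/file columns named per -Type, ObjectID), or nothing when
        -Outfile is used.
    #>
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateSet("Deleted", "Modified", "Moved", "Renamed", "Downloaded", "Uploaded", "Synced",
                     "Accessed", "MalwareDetected", "Restored", "Locked", "unLocked")]
        [string]
        $Type,

        [Parameter(Mandatory = $false)]
        [switch]
        $KeepAlive,

        [switch]
        $SharePointOnline,

        [switch]
        $OneDrive,

        [Nullable[DateTime]]
        $StartDate,

        [Nullable[DateTime]]
        $EndDate,

        [string]
        $Outfile,

        [int]
        $ResultSize = 5000
    )

    Begin
    {
        # NOTE: this installs from PSGallery with -Force/-AllowClobber, which suppresses the
        # untrusted-repository prompt. In a managed environment pre-install or pin the module
        # version rather than letting an audit script pull code at run time.
        if (-not (Get-Module -Name ExchangeOnlineManagement -ListAvailable)) {
            Install-Module -Name ExchangeOnlineManagement -Repository PSGallery -AllowClobber -Force
        }

        # Detect an existing session. Module v3+ uses REST connections that do not appear in
        # Get-PSSession, so prefer Get-ConnectionInformation when it exists and fall back to
        # the remoting session name used by older module versions.
        $isConnected = $false
        if (Get-Command -Name Get-ConnectionInformation -ErrorAction SilentlyContinue) {
            $isConnected = [bool](Get-ConnectionInformation | Where-Object { $_.State -eq 'Connected' })
        }
        else {
            $isConnected = [bool](Get-PSSession | Where-Object {
                $_.State -eq 'Opened' -and $_.Name -like 'ExchangeOnlineInternalSession*'
            })
        }

        if (-not $isConnected) {
            try {
                Connect-ExchangeOnline -ErrorAction Stop
            }
            catch {
                # A failed connection must stop the function; the search below cannot succeed
                # without it (the original fell through after Write-Error).
                throw "Exchange Online Failed. Ending. $($_.Exception.Message)"
            }
        }

        # Normalise the date window: clamp the end to today first so that a future EndDate
        # cannot leave the window inverted after clamping.
        $today = (Get-Date).Date
        if ($null -eq $StartDate) { $StartDate = $today.AddDays(-89) }
        if ($null -eq $EndDate)   { $EndDate = $today }
        if ($EndDate -gt $today)  { $EndDate = $today }
        if ($EndDate -lt $StartDate) {
            Write-Warning "EndDate ($EndDate) precedes StartDate ($StartDate); resetting StartDate to $($today.AddDays(-89))."
            $StartDate = $today.AddDays(-89)
        }

        # Search-UnifiedAuditLog accepts at most 5000 records per page; the original ignored
        # -ResultSize and hard-coded 5000 in every search.
        $pageSize = [Math]::Min([Math]::Max([int]$ResultSize, 1), 5000)

        # Per-type operations and output column names. The path/file column names differ
        # between types (RelativeURL vs. SourceRelativeURL, FileName vs. SourceFileName)
        # because the original emitted them that way and CSV consumers may depend on it.
        $auditTypes = @{
            Deleted         = @{ Operations = @('FileDeleted', 'FileDeletedFirstStageRecycleBin', 'FileDeletedSecondStageRecycleBin', 'FileVersionsAllDeleted', 'FileRecycled'); PathColumn = 'RelativeURL'; FileColumn = 'FileName' }
            Modified        = @{ Operations = @('FileModified', 'FileModifiedExtended'); PathColumn = 'RelativeURL'; FileColumn = 'FileName' }
            Moved           = @{ Operations = @('FileMoved'); PathColumn = 'SourceRelativeURL'; DestinationPathColumn = 'DestinationRelativeURL'; FileColumn = 'FileName' }
            Renamed         = @{ Operations = @('FileRenamed'); PathColumn = 'SourceRelativeURL'; FileColumn = 'SourceFileName'; DestinationFileColumn = 'DestinationFileName' }
            Downloaded      = @{ Operations = @('FileDownloaded'); PathColumn = 'SourceRelativeURL'; FileColumn = 'SourceFileName' }
            Uploaded        = @{ Operations = @('FileUploaded'); PathColumn = 'SourceRelativeURL'; FileColumn = 'SourceFileName' }
            Synced          = @{ Operations = @('FileSyncDownloadedFull', 'FileSyncUploadedFull'); PathColumn = 'SourceRelativeURL'; FileColumn = 'SourceFileName' }
            Accessed        = @{ Operations = @('FileAccessed', 'FileAccessedExtended'); PathColumn = 'SourceRelativeURL'; FileColumn = 'SourceFileName' }
            MalwareDetected = @{ Operations = @('FileMalwareDetected'); PathColumn = 'RelativeURL'; FileColumn = 'FileName' }
            Restored        = @{ Operations = @('FileRestored'); PathColumn = 'RelativeURL'; FileColumn = 'FileName' }
            Locked          = @{ Operations = @('LockRecord'); PathColumn = 'RelativeURL'; FileColumn = 'FileName' }
            unLocked        = @{ Operations = @('UnlockRecord'); PathColumn = 'RelativeURL'; FileColumn = 'FileName' }
        }
    }

    Process
    {
        $spec = $auditTypes[$Type]

        # Search-UnifiedAuditLog pages by SessionId. A fixed id (the original's 'deleted',
        # 'Moved', ...) makes a second run in the same PowerShell session resume after the
        # page the first run stopped at and return nothing, so mint one per call.
        $sessionId = "Invoke-SharePointFileAudit-$Type-$([guid]::NewGuid().ToString('N'))"

        # Keep calling with the same session until an empty page comes back; the original
        # fetched a single page only. A ReturnLargeSet session is capped by the service
        # (50,000 records), so narrow the date window if the total looks truncated.
        $rawRecords = [System.Collections.Generic.List[object]]::new()
        do {
            $page = @(Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
                        -Operations $spec.Operations -SessionId $sessionId `
                        -SessionCommand ReturnLargeSet -ResultSize $pageSize)
            $rawRecords.AddRange($page)
            Write-Verbose "Retrieved $($page.Count) records (total $($rawRecords.Count))."
        } while ($page.Count -gt 0)

        $Return = foreach ($record in $rawRecords) {
            $auditData = $record.AuditData | ConvertFrom-Json

            # CreationTime in AuditData is UTC. ConvertFrom-Json yields a DateTime or a
            # string depending on PowerShell version, so cast before converting to local time.
            # The first column is "TimeStamp" for every type (the Deleted branch originally
            # misspelled it "TimeStampe").
            $row = [ordered]@{
                TimeStamp = ([datetime]$auditData.CreationTime).ToLocalTime()
                UserName  = $record.UserIds
                ClientIP  = $auditData.ClientIP
                Source    = $auditData.EventSource
                Workload  = $auditData.Workload
                Operation = $auditData.Operation
                SiteURL   = $auditData.SiteUrl
            }
            # Column order matches the original per type: path, [destination path], file,
            # [destination file], ObjectID.
            $row[$spec.PathColumn] = $auditData.SourceRelativeUrl
            if ($spec.DestinationPathColumn) { $row[$spec.DestinationPathColumn] = $auditData.DestinationRelativeUrl }
            $row[$spec.FileColumn] = $auditData.SourceFileName
            if ($spec.DestinationFileColumn) { $row[$spec.DestinationFileColumn] = $auditData.DestinationFileName }
            $row['ObjectID'] = $auditData.ObjectId

            [pscustomobject]$row
        }
    }

    end
    {
        # Exactly one workload switch narrows the rows; none or both means "everything".
        # The original condition was always true, so its workload filters never ran.
        $rows = if ($SharePointOnline -xor $OneDrive) {
            $wanted = if ($SharePointOnline) { 'SharePoint' } else { 'OneDrive' }
            $Return | Where-Object { $_.Workload -eq $wanted }
        }
        else {
            $Return
        }

        if (-not [string]::IsNullOrWhiteSpace($Outfile)) {
            # Append .CSV as the original did, but not when the caller already supplied a
            # .csv name; a relative path resolves against the current PowerShell location.
            $path = if ([System.IO.Path]::GetExtension($Outfile) -ieq '.csv') { $Outfile } else { "$Outfile.CSV" }
            $rows | Export-Csv -Path $path -NoTypeInformation
        }
        else {
            $rows
        }

        if (-not $KeepAlive) {
            Disconnect-ExchangeOnline -Confirm:$false -InformationAction Ignore -ErrorAction SilentlyContinue
        }
    }
}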