Merge pull request #1128 from JohnDuprey/dev
Bugfixes & new audit log search function
Showing
11 changed files
with
830 additions
and
212 deletions.
@@ -1,13 +1,24 @@ | ||
[ | ||
{ | ||
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000", | ||
"resourceAccess": [{ "id": "AllProfiles.Manage", "type": "Scope" }] | ||
"resourceAppId": "00000006-0000-0ff1-ce00-000000000000", | ||
"resourceAccess": [ | ||
{ | ||
"id": "M365AdminPortal.IntegratedApps.ReadWrite", | ||
"type": "Scope" | ||
}, | ||
{ | ||
"id": "user_impersonation", | ||
"type": "Scope" | ||
} | ||
] | ||
}, | ||
{ | ||
"resourceAppId": "00000006-0000-0ff1-ce00-000000000000", | ||
"resourceAppId": "00000003-0000-0ff1-ce00-000000000000", | ||
"resourceAccess": [ | ||
{ "id": "M365AdminPortal.IntegratedApps.ReadWrite", "type": "Scope" }, | ||
{ "id": "user_impersonation", "type": "Scope" } | ||
{ | ||
"id": "AllProfiles.Manage", | ||
"type": "Scope" | ||
} | ||
] | ||
} | ||
] | ||
] |
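--- /dev/null
+++ b/Modules/CIPPCore/Public/AuditLogs/New-CippAuditLogSearch.ps1
@@ -0,0 +1,156 @@
+function New-CippAuditLogSearch {
+<#
+.SYNOPSIS
+Create a new audit log search
+.DESCRIPTION
+Create a new audit log search in Microsoft Graph Security API
+.PARAMETER DisplayName
+The display name of the audit log search. Default is 'CIPP Audit Search - ' + current date and time.
+.PARAMETER TenantFilter
+The tenant to filter on.
+.PARAMETER StartTime
+The start time to filter on.
+.PARAMETER EndTime
+The end time to filter on.
+.PARAMETER RecordTypeFilters
+The record types to filter on.
+.PARAMETER KeywordFilter
+The keyword to filter on.
+.PARAMETER ServiceFilter
+The service to filter on.
+.PARAMETER OperationsFilters
+The operations to filter on.
+.PARAMETER UserPrincipalNameFilters
+The user principal names to filter on.
+.PARAMETER IPAddressFilter
+The IP addresses to filter on.
+.PARAMETER ObjectIdFilters
+The object IDs to filter on.
+.PARAMETER AdministrativeUnitFilters
+The administrative units to filter on.
+#>
+[CmdletBinding(SupportsShouldProcess = $true)]
+param(
+[Parameter()]
+[string]$DisplayName = 'CIPP Audit Search - ' + (Get-Date).ToString('yyyy-MM-dd HH:mm:ss'),
+[Parameter(Mandatory = $true)]
+[string]$TenantFilter,
+[Parameter(Mandatory = $true)]
+[datetime]$StartTime,
+[Parameter(Mandatory = $true)]
+[datetime]$EndTime,
+[Parameter()]
+[ValidateSet(
+'exchangeAdmin', 'exchangeItem', 'exchangeItemGroup', 'sharePoint', 'syntheticProbe', 'sharePointFileOperation',
+'oneDrive', 'azureActiveDirectory', 'azureActiveDirectoryAccountLogon', 'dataCenterSecurityCmdlet',
+'complianceDLPSharePoint', 'sway', 'complianceDLPExchange', 'sharePointSharingOperation',
+'azureActiveDirectoryStsLogon', 'skypeForBusinessPSTNUsage', 'skypeForBusinessUsersBlocked',
+'securityComplianceCenterEOPCmdlet', 'exchangeAggregatedOperation', 'powerBIAudit', 'crm', 'yammer',
+'skypeForBusinessCmdlets', 'discovery', 'microsoftTeams', 'threatIntelligence', 'mailSubmission',
+'microsoftFlow', 'aeD', 'microsoftStream', 'complianceDLPSharePointClassification', 'threatFinder',
+'project', 'sharePointListOperation', 'sharePointCommentOperation', 'dataGovernance', 'kaizala',
+'securityComplianceAlerts', 'threatIntelligenceUrl', 'securityComplianceInsights', 'mipLabel',
+'workplaceAnalytics', 'powerAppsApp', 'powerAppsPlan', 'threatIntelligenceAtpContent', 'labelContentExplorer',
+'teamsHealthcare', 'exchangeItemAggregated', 'hygieneEvent', 'dataInsightsRestApiAudit',
+'informationBarrierPolicyApplication', 'sharePointListItemOperation', 'sharePointContentTypeOperation',
+'sharePointFieldOperation', 'microsoftTeamsAdmin', 'hrSignal', 'microsoftTeamsDevice', 'microsoftTeamsAnalytics',
+'informationWorkerProtection', 'campaign', 'dlpEndpoint', 'airInvestigation', 'quarantine', 'microsoftForms',
+'applicationAudit', 'complianceSupervisionExchange', 'customerKeyServiceEncryption', 'officeNative',
+'mipAutoLabelSharePointItem', 'mipAutoLabelSharePointPolicyLocation', 'microsoftTeamsShifts', 'secureScore',
+'mipAutoLabelExchangeItem', 'cortanaBriefing', 'search', 'wdatpAlerts', 'powerPlatformAdminDlp',
+'powerPlatformAdminEnvironment', 'mdatpAudit', 'sensitivityLabelPolicyMatch', 'sensitivityLabelAction',
+'sensitivityLabeledFileAction', 'attackSim', 'airManualInvestigation', 'securityComplianceRBAC',
+'userTraining', 'airAdminActionInvestigation', 'mstic', 'physicalBadgingSignal', 'teamsEasyApprovals',
+'aipDiscover', 'aipSensitivityLabelAction', 'aipProtectionAction', 'aipFileDeleted', 'aipHeartBeat',
+'mcasAlerts', 'onPremisesFileShareScannerDlp', 'onPremisesSharePointScannerDlp', 'exchangeSearch',
+'sharePointSearch', 'privacyDataMinimization', 'labelAnalyticsAggregate', 'myAnalyticsSettings',
+'securityComplianceUserChange', 'complianceDLPExchangeClassification', 'complianceDLPEndpoint',
+'mipExactDataMatch', 'msdeResponseActions', 'msdeGeneralSettings', 'msdeIndicatorsSettings',
+'ms365DCustomDetection', 'msdeRolesSettings', 'mapgAlerts', 'mapgPolicy', 'mapgRemediation',
+'privacyRemediationAction', 'privacyDigestEmail', 'mipAutoLabelSimulationProgress',
+'mipAutoLabelSimulationCompletion', 'mipAutoLabelProgressFeedback', 'dlpSensitiveInformationType',
+'mipAutoLabelSimulationStatistics', 'largeContentMetadata', 'microsoft365Group', 'cdpMlInferencingResult',
+'filteringMailMetadata', 'cdpClassificationMailItem', 'cdpClassificationDocument', 'officeScriptsRunAction',
+'filteringPostMailDeliveryAction', 'cdpUnifiedFeedback', 'tenantAllowBlockList', 'consumptionResource',
+'healthcareSignal', 'dlpImportResult', 'cdpCompliancePolicyExecution', 'multiStageDisposition',
+'privacyDataMatch', 'filteringDocMetadata', 'filteringEmailFeatures', 'powerBIDlp', 'filteringUrlInfo',
+'filteringAttachmentInfo', 'coreReportingSettings', 'complianceConnector',
+'powerPlatformLockboxResourceAccessRequest', 'powerPlatformLockboxResourceCommand',
+'cdpPredictiveCodingLabel', 'cdpCompliancePolicyUserFeedback', 'webpageActivityEndpoint', 'omePortal',
+'cmImprovementActionChange', 'filteringUrlClick', 'mipLabelAnalyticsAuditRecord', 'filteringEntityEvent',
+'filteringRuleHits', 'filteringMailSubmission', 'labelExplorer', 'microsoftManagedServicePlatform',
+'powerPlatformServiceActivity', 'scorePlatformGenericAuditRecord', 'filteringTimeTravelDocMetadata', 'alert',
+'alertStatus', 'alertIncident', 'incidentStatus', 'case', 'caseInvestigation', 'recordsManagement',
+'privacyRemediation', 'dataShareOperation', 'cdpDlpSensitive', 'ehrConnector', 'filteringMailGradingResult',
+'publicFolder', 'privacyTenantAuditHistoryRecord', 'aipScannerDiscoverEvent', 'eduDataLakeDownloadOperation',
+'m365ComplianceConnector', 'microsoftGraphDataConnectOperation', 'microsoftPurview',
+'filteringEmailContentFeatures', 'powerPagesSite', 'powerAppsResource', 'plannerPlan', 'plannerCopyPlan',
+'plannerTask', 'plannerRoster', 'plannerPlanList', 'plannerTaskList', 'plannerTenantSettings',
+'projectForTheWebProject', 'projectForTheWebTask', 'projectForTheWebRoadmap', 'projectForTheWebRoadmapItem',
+'projectForTheWebProjectSettings', 'projectForTheWebRoadmapSettings', 'quarantineMetadata',
+'microsoftTodoAudit', 'timeTravelFilteringDocMetadata', 'teamsQuarantineMetadata',
+'sharePointAppPermissionOperation', 'microsoftTeamsSensitivityLabelAction', 'filteringTeamsMetadata',
+'filteringTeamsUrlInfo', 'filteringTeamsPostDeliveryAction', 'mdcAssessments',
+'mdcRegulatoryComplianceStandards', 'mdcRegulatoryComplianceControls', 'mdcRegulatoryComplianceAssessments',
+'mdcSecurityConnectors', 'mdaDataSecuritySignal', 'vivaGoals', 'filteringRuntimeInfo', 'attackSimAdmin',
+'microsoftGraphDataConnectConsent', 'filteringAtpDetonationInfo', 'privacyPortal', 'managedTenants',
+'unifiedSimulationMatchedItem', 'unifiedSimulationSummary', 'updateQuarantineMetadata', 'ms365DSuppressionRule',
+'purviewDataMapOperation', 'filteringUrlPostClickAction', 'irmUserDefinedDetectionSignal', 'teamsUpdates',
+'plannerRosterSensitivityLabel', 'ms365DIncident', 'filteringDelistingMetadata',
+'complianceDLPSharePointClassificationExtended', 'microsoftDefenderForIdentityAudit',
+'supervisoryReviewDayXInsight', 'defenderExpertsforXDRAdmin', 'cdpEdgeBlockedMessage', 'hostedRpa',
+'cdpContentExplorerAggregateRecord', 'cdpHygieneAttachmentInfo', 'cdpHygieneSummary',
+'cdpPostMailDeliveryAction', 'cdpEmailFeatures', 'cdpHygieneUrlInfo', 'cdpUrlClick',
+'cdpPackageManagerHygieneEvent', 'filteringDocScan', 'timeTravelFilteringDocScan', 'mapgOnboard'
+)]
+[string[]]$RecordTypeFilters,
+[Parameter()]
+[string]$KeywordFilter,
+[Parameter()]
+[string]$ServiceFilter,
+[Parameter()]
+[string[]]$OperationsFilters,
+[Parameter()]
+[string[]]$UserPrincipalNameFilters,
+[Parameter()]
+[string[]]$IPAddressFilter,
+[Parameter()]
+[string[]]$ObjectIdFilters,
+[Parameter()]
+[string[]]$AdministrativeUnitFilters
+)
+
+$SearchParams = @{
+displayName = 'CIPP Audit Search - ' + (Get-Date).ToString('yyyy-MM-dd HH:mm:ss')
+filterStartDateTime = $StartTime.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss')
+filterEndDateTime = $EndTime.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss')
+}
+if ($OperationsFilters) {
+$SearchParams.operationsFilters = $OperationsFilters
+}
+if ($RecordTypeFilters) {
+$SearchParams.recordTypeFilters = @($RecordTypeFilters)
+}
+if ($KeywordFilter) {
+$SearchParams.keywordFilter = $KeywordFilter
+}
+if ($ServiceFilter) {
+$SearchParams.serviceFilter = $ServiceFilter
+}
+if ($UserPrincipalNameFilters) {
+$SearchParams.userPrincipalNameFilters = @($UserPrincipalNameFilters)
+}
+if ($IPAddressFilter) {
+$SearchParams.ipAddressFilter = @($IPAddressFilter)
+}
+if ($ObjectIdFilters) {
+$SearchParams.objectIdFilters = @($ObjectIdFilters)
+}
+if ($AdministrativeUnitFilters) {
+$SearchParams.administrativeUnitFilters = @($AdministrativeUnitFilters)
+}
+
+if ($PSCmdlet.ShouldProcess('Create a new audit log search for tenant ' + $TenantFilter)) {
+New-GraphPOSTRequest -uri 'https://graph.microsoft.com/beta/security/auditLog/queries' -body ($SearchParams | ConvertTo-Json -Compress) -tenantid $TenantFilter -AsApp $true
+}
+}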
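Review bot: The `displayName` entry of `$SearchParams` is rebuilt from `Get-Date` instead of using the `$DisplayName` parameter declared and documented at the top of the function, so a caller-supplied name is silently ignored; change it to `displayName = $DisplayName`. The `filterStartDateTime` and `filterEndDateTime` values are converted to UTC but formatted with `'yyyy-MM-ddTHH:mm:ss'`, which drops the `Z` designator, so the service may treat them as unspecified or local time and shift the search window; `ToString('o')` (or appending `Z`) keeps the UTC intent unambiguous for the same `ToUniversalTime()` value. Nothing checks that `$StartTime` precedes `$EndTime`; a guard such as `if ($StartTime -ge $EndTime) { throw 'StartTime must be earlier than EndTime' }` before `$SearchParams` is built would fail fast on an inverted window instead of sending an empty or rejected query, and it is cheap to add since both parameters are mandatory `[datetime]`s.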