Unified Audit Log
The UAL is a critical piece of evidence in a Business Email Compromise (BEC) investigation because it is the centralized source for all Office 365 events. It contains at least 236 categories of data, including events from Azure, Exchange, SharePoint, OneDrive, and Skype.
Note
Audit (Standard) - Audit records are retained for 180 days.
Audit (Premium) - Audit records are retained for 365 days.
Show available log sources and amount of logging
A search is executed and the total number of log entries within the set timeframe is displayed and written to a CSV file called “Amount_Of_Audit_Logs.csv”; the file name is prefixed with a random number to prevent duplicates.
Usage
Displays the total number of logs within the unified audit log:
Get-UALStatistics
Displays the total number of logs within the unified audit log between 1/4/2023 and 5/4/2023 for the user test[@]invictus-ir.com:
Get-UALStatistics -UserIds test[@]invictus-ir.com -StartDate 1/4/2023 -EndDate 5/4/2023
Parameters
- -UserIds (optional)
Filters the log entries by the account of the user who performed the actions.
- -StartDate (optional)
Start of the date range.
Default: Today minus 90 days
- -EndDate (optional)
End of the date range.
Default: Now
- -OutputDir (optional)
Directory the output is written to.
Default: UnifiedAuditLog
Note
Important note regarding the StartDate and EndDate variables.
When you do not specify a timestamp, the script will automatically default to midnight (00:00) of that day.
If you provide a timestamp, it will be converted to the corresponding UTC time. For example, if your local timezone is UTC+2, a timestamp like 2023-01-01 08:15:00 will be converted to 2023-01-01 06:15:00 in UTC.
To specify a date and time without conversion, please use the ISO 8601 format with UTC time (e.g., 2023-01-01T08:15:00Z). This format will retrieve data from January 1st, 2023, starting from a quarter past 8 in the morning until the specified end date.
Output
The output will be saved to the file ‘Amount_Of_Audit_Logs.csv’ within the ‘Output’ directory.
Extract all audit logs
Extract All Audit Logs will retrieve all available audit logs within the specified timeframe and export them.
Usage
Running the script without any parameters will gather the Unified Audit log for the last 90 days for all users:
Get-UALAll
Get all the unified audit log entries for the user test[@]invictus-ir.com:
Get-UALAll -UserIds test[@]invictus-ir.com
Get all the unified audit log entries for the users test[@]invictus-ir.com and HR[@]invictus-ir.com:
Get-UALAll -UserIds "test@invictus-ir.com,HR@invictus-ir.com"
Get all the unified audit log entries between 1/4/2023 and 5/4/2023 for the user test[@]invictus-ir.com:
Get-UALAll -UserIds test[@]invictus-ir.com -StartDate 1/4/2023 -EndDate 5/4/2023
Get all the unified audit log entries using a time interval of 720 minutes:
Get-UALAll -Interval 720
Get all the unified audit log entries for the user test[@]invictus-ir.com in JSON format:
Get-UALAll -UserIds test[@]invictus-ir.com -Output JSON
Parameters
- -UserIds (optional)
Filters the log entries by the account of the user who performed the actions.
- -StartDate (optional)
Start of the date range.
Default: Today minus 90 days
- -EndDate (optional)
End of the date range.
Default: Now
- -Interval (optional)
Length, in minutes, of each time window the date range is split into; each window is queried and exported separately.
Default: 60 minutes
- -Output (optional)
Output format, CSV or JSON.
Default: CSV
- -MergeOutput (optional)
Merge the per-interval CSV files into a single file.
- -OutputDir (optional)
Directory the output is written to.
Default: UnifiedAuditLog
- -Encoding (optional)
Encoding of the CSV/JSON output file.
Default: UTF8
Note
Important note regarding the StartDate and EndDate variables.
When you do not specify a timestamp, the script will automatically default to midnight (00:00) of that day.
If you provide a timestamp, it will be converted to the corresponding UTC time. For example, if your local timezone is UTC+2, a timestamp like 2023-01-01 08:15:00 will be converted to 2023-01-01 06:15:00 in UTC.
To specify a date and time without conversion, please use the ISO 8601 format with UTC time (e.g., 2023-01-01T08:15:00Z). This format will retrieve data from January 1st, 2023, starting from a quarter past 8 in the morning until the specified end date.
Output
The output will be saved to the ‘UnifiedAuditLog’ directory within the ‘Output’ directory, with the file name ‘UAL-[$CurrentStart].[csv/json]’.
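As an added example that is not code from the tool documented here, the following PowerShell reimplements the interval-chunked retrieval and the UTC date handling described by the Interval parameter and the note above, writing one UAL-[start].csv per window. It assumes an existing Exchange Online session so that Search-UnifiedAuditLog is available; ConvertTo-UalUtc and Export-UalWindowed are names chosen for this example.

```powershell
# Added example (not the tool's own code). Requires Connect-ExchangeOnline
# to have been run so that Search-UnifiedAuditLog is available.

function ConvertTo-UalUtc {
    param([Parameter(Mandatory)][string]$Value)
    $styles = [System.Globalization.DateTimeStyles]
    if ($Value -match 'Z$') {
        # Trailing Z: already UTC, keep the wall-clock value unchanged.
        return [DateTime]::Parse($Value, $null, $styles::AdjustToUniversal)
    }
    # Anything else is local time, parsed with the current culture (so 1/4/2023
    # is 1 April on a European system); a date without a time part becomes 00:00.
    return ([DateTime]::Parse($Value)).ToUniversalTime()
}

function Export-UalWindowed {
    param(
        [Parameter(Mandatory)][string]$StartDate,
        [Parameter(Mandatory)][string]$EndDate,
        [int]$Interval = 60,                      # minutes per query window
        [string[]]$UserIds,
        [string]$OutputDir = 'Output\UnifiedAuditLog'
    )
    $start = ConvertTo-UalUtc $StartDate
    $end   = ConvertTo-UalUtc $EndDate
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

    $currentStart = $start
    while ($currentStart -lt $end) {
        $currentEnd = $currentStart.AddMinutes($Interval)
        if ($currentEnd -gt $end) { $currentEnd = $end }
        # One search session per window; ReturnLargeSet pages through
        # up to 50,000 records, 5,000 per call.
        $query = @{
            StartDate      = $currentStart
            EndDate        = $currentEnd
            ResultSize     = 5000
            SessionId      = 'ual-' + $currentStart.ToString('yyyyMMddHHmm')
            SessionCommand = 'ReturnLargeSet'
        }
        if ($UserIds) { $query.UserIds = $UserIds }
        $records = @()
        do {
            $page = @(Search-UnifiedAuditLog @query)
            $records += $page
        } while ($page.Count -gt 0)
        if ($records.Count -ge 50000) {
            Write-Warning "Window starting $currentStart hit the 50,000 record ceiling; lower -Interval."
        }
        if ($records.Count -gt 0) {
            $file = Join-Path $OutputDir ('UAL-' + $currentStart.ToString('yyyyMMdd-HHmmss') + 'Z.csv')
            $records | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
        }
        $currentStart = $currentEnd
    }
}

# Example call: Export-UalWindowed -StartDate '2023-04-01T00:00:00Z' -EndDate '2023-04-05T00:00:00Z' -Interval 720
```

A window that hits the 50,000 ceiling is the one case where records are silently lost, which is why the warning is there and why a smaller -Interval is the fix.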
Extract group logging
You can extract a specific group of logs, such as all Exchange or Azure logs, in a single operation. The following groups are supported:
Group | Record Type
---|---
Azure | AzureActiveDirectory
Azure | AzureActiveDirectoryAccountLogon
Azure | AzureActiveDirectoryStsLogon
SharePoint | ComplianceDLPSharePoint
SharePoint | SharePoint
SharePoint | SharePointFileOperation
SharePoint | SharePointSharingOperation
SharePoint | SharepointListOperation
SharePoint | ComplianceDLPSharePointClassification
SharePoint | SharePointCommentOperation
SharePoint | SharePointListItemOperation
SharePoint | SharePointContentTypeOperation
SharePoint | SharePointFieldOperation
SharePoint | MipAutoLabelSharePointItem
SharePoint | MipAutoLabelSharePointPolicyLocation
Skype | SkypeForBusinessCmdlets
Skype | SkypeForBusinessPSTNUsage
Skype | SkypeForBusinessUsersBlocked
Defender | ThreatIntelligence
Defender | ThreatFinder
Defender | ThreatIntelligenceUrl
Defender | ThreatIntelligenceAtpContent
Defender | Campaign
Defender | AirInvestigation
Defender | WDATPAlerts
Defender | AirManualInvestigation
Defender | AirAdminActionInvestigation
Defender | MSTIC
Defender | MCASAlerts
Exchange | ExchangeAdmin
Exchange | ExchangeAggregatedOperation
Exchange | ExchangeItem
Exchange | ExchangeItemGroup
Exchange | ExchangeItemAggregated
Exchange | ComplianceDLPExchange
Exchange | ComplianceSupervisionExchange
Usage
Running the script with only the group parameter will gather the Unified Audit log for the last 90 days for all users and the specified Azure group:
Get-UALGroup -Group Azure
Get all Exchange related unified audit log entries for the user test[@]invictus-ir.com:
Get-UALGroup -Group Exchange -UserIds test[@]invictus-ir.com
Get all Exchange related unified audit log entries for the users test[@]invictus-ir.com and HR[@]invictus-ir.com:
Get-UALGroup -Group Exchange -UserIds "test@invictus-ir.com,HR@invictus-ir.com"
Get all the Azure related unified audit log entries between 1/4/2023 and 5/4/2023:
Get-UALGroup -Group Azure -StartDate 1/4/2023 -EndDate 5/4/2023
Get all the Defender related unified audit log entries for the user test[@]invictus-ir.com in JSON format with a time interval of 720 minutes:
Get-UALGroup -Group Defender -UserIds test[@]invictus-ir.com -Interval 720 -Output JSON
Parameters
- -Group (required)
The group of logs to extract.
Options are: Exchange, Azure, Sharepoint, Skype and Defender
- -UserIds (optional)
Filters the log entries by the account of the user who performed the actions.
- -StartDate (optional)
Start of the date range.
Default: Today minus 90 days
- -EndDate (optional)
End of the date range.
Default: Now
- -Interval (optional)
Length, in minutes, of each time window the date range is split into; each window is queried and exported separately.
Default: 60 minutes
- -Output (optional)
Output format, CSV or JSON.
Default: CSV
- -MergeOutput (optional)
Merge the per-interval CSV files into a single file.
- -OutputDir (optional)
Directory the output is written to.
Default: UnifiedAuditLog
- -Encoding (optional)
Encoding of the CSV/JSON output file.
Default: UTF8
Note
Important note regarding the StartDate and EndDate variables.
When you do not specify a timestamp, the script will automatically default to midnight (00:00) of that day.
If you provide a timestamp, it will be converted to the corresponding UTC time. For example, if your local timezone is UTC+2, a timestamp like 2023-01-01 08:15:00 will be converted to 2023-01-01 06:15:00 in UTC.
To specify a date and time without conversion, please use the ISO 8601 format with UTC time (e.g., 2023-01-01T08:15:00Z). This format will retrieve data from January 1st, 2023, starting from a quarter past 8 in the morning until the specified end date.
Output
The output will be saved to the ‘UnifiedAuditLog’ directory within the ‘Output’ directory, with the file name ‘UAL-[$CurrentStart].[csv/json]’.
Extract specific audit logs
If you only need a subset of the audit logs, you can tell the tool which Record Types to extract. The 236 supported Record Types are listed further down this page.
Usage
Running the script with only the RecordType parameter will gather the Unified Audit log for the last 90 days for all users and the specified ExchangeItem record type:
Get-UALSpecific -RecordType ExchangeItem
Get the MipAutoLabelExchangeItem logging from the unified audit log for the user test[@]invictus-ir.com:
Get-UALSpecific -RecordType MipAutoLabelExchangeItem -UserIds test[@]invictus-ir.com
Get the PrivacyInsights logging from the unified audit log for the users test[@]invictus-ir.com and HR[@]invictus-ir.com:
Get-UALSpecific -RecordType PrivacyInsights -UserIds "test@invictus-ir.com,HR@invictus-ir.com"
Get the ExchangeAdmin logging from the unified audit log entries between 1/4/2023 and 5/4/2023:
Get-UALSpecific -RecordType ExchangeAdmin -StartDate 1/4/2023 -EndDate 5/4/2023
Get all the MicrosoftFlow logging from the unified audit log for the user test[@]invictus-ir.com between 25/3/2023 and 5/4/2023, in JSON format with a time interval of 720 minutes:
Get-UALSpecific -RecordType MicrosoftFlow -UserIds test[@]invictus-ir.com -StartDate 25/3/2023 -EndDate 5/4/2023 -Interval 720 -Output JSON
Parameters
- -RecordType (required)
Filters the log entries by record type.
Options are: ExchangeItem, ExchangeAdmin, etc. A total of 236 RecordTypes are supported.
- -UserIds (optional)
Filters the log entries by the account of the user who performed the actions.
- -StartDate (optional)
Start of the date range.
Default: Today minus 90 days
- -EndDate (optional)
End of the date range.
Default: Now
- -Interval (optional)
Length, in minutes, of each time window the date range is split into; each window is queried and exported separately.
Default: 60 minutes
- -Output (optional)
Output format, CSV or JSON.
Default: CSV
- -MergeOutput (optional)
Merge the per-interval CSV files into a single file.
- -OutputDir (optional)
Directory the output is written to.
Default: UnifiedAuditLog
- -Encoding (optional)
Encoding of the CSV/JSON output file.
Default: UTF8
Note
Important note regarding the StartDate and EndDate variables.
When you do not specify a timestamp, the script will automatically default to midnight (00:00) of that day.
If you provide a timestamp, it will be converted to the corresponding UTC time. For example, if your local timezone is UTC+2, a timestamp like 2023-01-01 08:15:00 will be converted to 2023-01-01 06:15:00 in UTC.
To specify a date and time without conversion, please use the ISO 8601 format with UTC time (e.g., 2023-01-01T08:15:00Z). This format will retrieve data from January 1st, 2023, starting from a quarter past 8 in the morning until the specified end date.
Output
The output will be saved to the ‘UnifiedAuditLog’ directory within the ‘Output’ directory, with the file name ‘UAL-[$CurrentStart].[csv/json]’.
Supported Record Types
ExchangeAdmin
ExchangeItem
ExchangeItemGroup
SharePoint
SyntheticProbe
SharePointFileOperation
OneDrive
AzureActiveDirectory
AzureActiveDirectoryAccountLogon
DataCenterSecurityCmdlet
ComplianceDLPSharePoint
Sway
ComplianceDLPExchange
SharePointSharingOperation
AzureActiveDirectoryStsLogon
SkypeForBusinessPSTNUsage
SkypeForBusinessUsersBlocked
SecurityComplianceCenterEOPCmdlet
ExchangeAggregatedOperation
PowerBIAudit
CRM
Yammer
SkypeForBusinessCmdlets
Discovery
MicrosoftTeams
ThreatIntelligence
MailSubmission
MicrosoftFlow
AeD
MicrosoftStream
ComplianceDLPSharePointClassification
ThreatFinder
Project
SharePointListOperation
SharePointCommentOperation
DataGovernance
Kaizala
SecurityComplianceAlerts
ThreatIntelligenceUrl
SecurityComplianceInsights
MIPLabel
WorkplaceAnalytics
PowerAppsApp
PowerAppsPlan
ThreatIntelligenceAtpContent
LabelContentExplorer
TeamsHealthcare
ExchangeItemAggregated
HygieneEvent
DataInsightsRestApiAudit
InformationBarrierPolicyApplication
SharePointListItemOperation
SharePointContentTypeOperation
SharePointFieldOperation
MicrosoftTeamsAdmin
HRSignal
MicrosoftTeamsDevice
MicrosoftTeamsAnalytics
InformationWorkerProtection
Campaign
DLPEndpoint
AirInvestigation
Quarantine
MicrosoftForms
ApplicationAudit
ComplianceSupervisionExchange
CustomerKeyServiceEncryption
OfficeNative
MipAutoLabelSharePointItem
MipAutoLabelSharePointPolicyLocation
MicrosoftTeamsShifts
SecureScore
MipAutoLabelExchangeItem
CortanaBriefing
Search
WDATPAlerts
PowerPlatformAdminDlp
PowerPlatformAdminEnvironment
MDATPAudit
SensitivityLabelPolicyMatch
SensitivityLabelAction
SensitivityLabeledFileAction
AttackSim
AirManualInvestigation
SecurityComplianceRBAC
UserTraining
AirAdminActionInvestigation
MSTIC
PhysicalBadgingSignal
TeamsEasyApprovals
AipDiscover
AipSensitivityLabelAction
AipProtectionAction
AipFileDeleted
AipHeartBeat
MCASAlerts
OnPremisesFileShareScannerDlp
OnPremisesSharePointScannerDlp
ExchangeSearch
SharePointSearch
PrivacyDataMinimization
LabelAnalyticsAggregate
MyAnalyticsSettings
SecurityComplianceUserChange
ComplianceDLPExchangeClassification
ComplianceDLPEndpoint
MipExactDataMatch
MSDEResponseActions
MSDEGeneralSettings
MSDEIndicatorsSettings
MS365DCustomDetection
MSDERolesSettings
MAPGAlerts
MAPGPolicy
MAPGRemediation
PrivacyRemediationAction
PrivacyDigestEmail
MipAutoLabelSimulationProgress
MipAutoLabelSimulationCompletion
MipAutoLabelProgressFeedback
DlpSensitiveInformationType
MipAutoLabelSimulationStatistics
LargeContentMetadata
Microsoft365Group
CDPMlInferencingResult
FilteringMailMetadata
CDPClassificationMailItem
CDPClassificationDocument
OfficeScriptsRunAction
FilteringPostMailDeliveryAction
CDPUnifiedFeedback
TenantAllowBlockList
ConsumptionResource
HealthcareSignal
DlpImportResult
CDPCompliancePolicyExecution
MultiStageDisposition
PrivacyDataMatch
FilteringDocMetadata
FilteringEmailFeatures
PowerBIDlp
FilteringUrlInfo
FilteringAttachmentInfo
CoreReportingSettings
ComplianceConnector
PowerPlatformLockboxResourceAccessRequest
PowerPlatformLockboxResourceCommand
CDPPredictiveCodingLabel
CDPCompliancePolicyUserFeedback
WebpageActivityEndpoint
OMEPortal
CMImprovementActionChange
FilteringUrlClick
MipLabelAnalyticsAuditRecord
FilteringEntityEvent
FilteringRuleHits
FilteringMailSubmission
LabelExplorer
MicrosoftManagedServicePlatform
PowerPlatformServiceActivity
ScorePlatformGenericAuditRecord
FilteringTimeTravelDocMetadata
Alert
AlertStatus
AlertIncident
IncidentStatus
Case
CaseInvestigation
RecordsManagement
PrivacyRemediation
DataShareOperation
CdpDlpSensitive
EHRConnector
FilteringMailGradingResult
PublicFolder
PrivacyTenantAuditHistoryRecord
AipScannerDiscoverEvent
EduDataLakeDownloadOperation
M365ComplianceConnector
MicrosoftGraphDataConnectOperation
MicrosoftPurview
FilteringEmailContentFeatures
PowerPagesSite
PowerAppsResource
PlannerPlan
PlannerCopyPlan
PlannerTask
PlannerRoster
PlannerPlanList
PlannerTaskList
PlannerTenantSettings
ProjectForTheWebProject
ProjectForTheWebTask
ProjectForTheWebRoadmap
ProjectForTheWebRoadmapItem
ProjectForTheWebProjectSettings
ProjectForTheWebRoadmapSettings
QuarantineMetadata
MicrosoftTodoAudit
TimeTravelFilteringDocMetadata
TeamsQuarantineMetadata
SharePointAppPermissionOperation
MicrosoftTeamsSensitivityLabelAction
FilteringTeamsMetadata
FilteringTeamsUrlInfo
FilteringTeamsPostDeliveryAction
MDCAssessments
MDCRegulatoryComplianceStandards
MDCRegulatoryComplianceControls
MDCRegulatoryComplianceAssessments
MDCSecurityConnectors
MDADataSecuritySignal
VivaGoals
FilteringRuntimeInfo
AttackSimAdmin
MicrosoftGraphDataConnectConsent
FilteringAtpDetonationInfo
PrivacyPortal
ManagedTenants
UnifiedSimulationMatchedItem
UnifiedSimulationSummary
UpdateQuarantineMetadata
MS365DSuppressionRule
PurviewDataMapOperation
FilteringUrlPostClickAction
IrmUserDefinedDetectionSignal
TeamsUpdates
PlannerRosterSensitivityLabel
MS365DIncident
FilteringDelistingMetadata
ComplianceDLPSharePointClassificationExtended
MicrosoftDefenderForIdentityAudit
SupervisoryReviewDayXInsight
DefenderExpertsforXDRAdmin
CDPEdgeBlockedMessage
HostedRpa
Extract specific audit activities
Extracts a specific unified audit activity (operation) from a Microsoft 365 environment in one go, for example all inbox rule creations or all Azure changes.
Usage
Gets the New-InboxRule logging from the unified audit log:
Get-UALSpecificActivity -ActivityType New-InboxRule
Gets the SharePoint FileDownloaded logging from the unified audit log for the user Test@invictus-ir.com:
Get-UALSpecificActivity -ActivityType FileDownloaded -UserIds "Test@invictus-ir.com"
Gets the "Add service principal." logging from the unified audit log for the users Test@invictus-ir.com and HR@invictus-ir.com:
Get-UALSpecificActivity -ActivityType "Add service principal." -UserIds "Test@invictus-ir.com,HR@invictus-ir.com"
Gets all the MailItemsAccessed logging from the unified audit log for the user Test@invictus-ir.com between 25/3/2023 and 5/4/2023, in JSON format with a time interval of 720 minutes:
Get-UALSpecificActivity -ActivityType MailItemsAccessed -UserIds Test@invictus-ir.com -StartDate 25/3/2023 -EndDate 5/4/2023 -Interval 720 -Output JSON
Parameters
- -ActivityType (required)
Filters the log entries by operation or activity type.
Options are: New-MailboxRule, MailItemsAccessed, etc. A total of 108 common ActivityTypes are supported.
- -UserIds (optional)
Filters the log entries by the account of the user who performed the actions.
- -StartDate (optional)
Start of the date range.
Default: Today minus 90 days
- -EndDate (optional)
End of the date range.
Default: Now
- -Interval (optional)
Length, in minutes, of each time window the date range is split into; each window is queried and exported separately.
Default: 60 minutes
- -Output (optional)
Output format, CSV or JSON.
Default: CSV
- -OutputDir (optional)
Directory the output is written to.
Default: OutputUnifiedAuditLog
- -Encoding (optional)
Encoding of the CSV/JSON output file.
Default: UTF8
Note
Important note regarding the StartDate and EndDate variables.
When you do not specify a timestamp, the script will automatically default to midnight (00:00) of that day.
If you provide a timestamp, it will be converted to the corresponding UTC time. For example, if your local timezone is UTC+2, a timestamp like 2023-01-01 08:15:00 will be converted to 2023-01-01 06:15:00 in UTC.
To specify a date and time without conversion, please use the ISO 8601 format with UTC time (e.g., 2023-01-01T08:15:00Z). This format will retrieve data from January 1st, 2023, starting from a quarter past 8 in the morning until the specified end date.
Output
The output will be saved to the ‘Name of the Activity’ directory within the ‘Output’ directory.
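As an added example, not code from the tool: once activities such as New-InboxRule and MailItemsAccessed have been exported, the AuditData column of the CSV still holds each event body as JSON. The PowerShell below expands it into a triage view; it assumes the column names of the Search-UnifiedAuditLog output (CreationDate, UserIds, Operations, AuditData), and the two rows, the rule name, and the IP address are constructed sample data.

```powershell
# Added example (not the tool's own code). The CSV below is constructed
# sample data shaped like a New-InboxRule and a MailItemsAccessed event.
$sampleCsv = @'
"CreationDate","UserIds","Operations","AuditData"
"2023-04-02T06:15:12","test@invictus-ir.com","New-InboxRule","{""CreationTime"":""2023-04-02T06:15:12"",""Operation"":""New-InboxRule"",""UserId"":""test@invictus-ir.com"",""ClientIP"":""198.51.100.23"",""Workload"":""Exchange"",""Parameters"":[{""Name"":""Name"",""Value"":"".""},{""Name"":""DeleteMessage"",""Value"":""True""},{""Name"":""SubjectContainsWords"",""Value"":""invoice;payment""}]}"
"2023-04-02T06:20:40","test@invictus-ir.com","MailItemsAccessed","{""CreationTime"":""2023-04-02T06:20:40"",""Operation"":""MailItemsAccessed"",""UserId"":""test@invictus-ir.com"",""ClientIP"":""198.51.100.23"",""Workload"":""Exchange""}"
'@

# UAL timestamps carry no zone designator but are UTC; parse them as such.
$utc = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'

function Expand-UalAuditData {
    param([Parameter(Mandatory)][object[]]$Rows)
    foreach ($row in $Rows) {
        $data = $row.AuditData | ConvertFrom-Json
        # ExchangeAdmin events (New-InboxRule, Set-Mailbox, ...) carry the
        # cmdlet arguments as a Name/Value array; flatten it for reading.
        $params = ''
        if ($data.Parameters) {
            $params = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
        [pscustomobject]@{
            Time       = [DateTime]::Parse($data.CreationTime, [cultureinfo]::InvariantCulture, $utc)
            User       = $data.UserId
            Operation  = $data.Operation
            ClientIP   = $data.ClientIP
            Workload   = $data.Workload
            Parameters = $params
        }
    }
}

# For a real export replace the sample with: Import-Csv -Path .\UAL-<start>.csv
$events = Expand-UalAuditData -Rows ($sampleCsv | ConvertFrom-Csv)

# Activity per user, operation and source address: one unfamiliar address
# that both created a rule and read mail is the pattern to look for.
$events | Group-Object User, Operation, ClientIP |
    Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Rules that delete or move mail out of sight are typical BEC persistence.
$events |
    Where-Object { $_.Operation -eq 'New-InboxRule' -and
                   $_.Parameters -match 'DeleteMessage=True|MoveToFolder=' } |
    Format-Table Time, User, ClientIP, Parameters -Wrap
```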