Script to collect Office 365 Unified Audit Logs

While working on multiple BEC engagements, it is often the case that we need to extract Unified Audit Logs for our investigations. There are two ways to pull down this log:

- Using the web portal
- Using the PowerShell cmdlet Search-UnifiedAuditLog

I have seen that the web portal is a little buggy, in that the same query returns a different number of results in the CSV file. Also note that you can only export 50000 rows for a query at one time. So if your query returned 50000 rows in the CSV file, there is a high chance that there are more results, and in that case Microsoft recommends breaking down your query. The web portal does not tell you how many results there actually are, so you are left with breaking the query into two parts and again hoping that the results will be fewer than 50k. And in my own experience, the returned results sometimes vary when I just export the same results again. The web portal method is not scalable or reliable when you have to pull down logs for one month or for all users in the environment, which is the case most of the time in IR.

The PowerShell cmdlet has similar limitations in that it can also only export 50000 rows, but this cmdlet has a concept of sessions and pages. Every time you run the cmdlet you can only export a maximum of 5000 results in a single execution. However, if the cmdlet is run with the argument SessionId (any random value) and the argument SessionCommand set to ReturnLargeSet, it can be executed up to 10 times for the same duration to return all 50000 rows. The PowerShell cmdlet can be scripted so that we run it with a new SessionId for every 60 minutes or less, instead of running it for a month or more. This reduces the chance that we will cross 50000 rows for that session, and we can just leave it running to pull down all the data.

I have seen the PwC Office extractor, which uses a similar concept of running the cmdlet for every hour. But that version does not use the SessionId feature that enables us to get results beyond the first 5000. I found the script at Microsoft which does indeed use this SessionId feature for better extraction: https://docs.microsoft.com/en-us/microsoft-365/compliance/audit-log-search-script?view=o365-worldwide

I have shamelessly copied the script but have just modified it to add prompts for incident name, start date, end date and usernames, if any.
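As an added example (not this repository's script, nor Microsoft's), here is the hourly-window plus SessionId approach described above written out in PowerShell. It assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run; the cmdlet parameters and output columns are the cmdlet's own, while the window size, output file name and the 50k warning are my choices.

```powershell
# Pull the Unified Audit Log in short windows, with a fresh SessionId per window
# and SessionCommand ReturnLargeSet to page past the 5000-row-per-call limit.
# Assumes Connect-ExchangeOnline (ExchangeOnlineManagement module) was already run.
param(
    [Parameter(Mandatory)][datetime]$StartDate,
    [Parameter(Mandatory)][datetime]$EndDate,
    [string[]]$UserIds = @(),                 # empty = all users
    [int]$WindowMinutes = 60,                 # shrink this for busy tenants
    [string]$OutFile = "UAL_$(Get-Date -Format yyyyMMdd_HHmmss).csv"
)

$PageSize   = 5000    # hard maximum rows per Search-UnifiedAuditLog call
$SessionCap = 50000   # hard maximum rows per SessionId (10 pages of 5000)

$windowStart = $StartDate
while ($windowStart -lt $EndDate) {
    $windowEnd = $windowStart.AddMinutes($WindowMinutes)
    if ($windowEnd -gt $EndDate) { $windowEnd = $EndDate }

    # A new SessionId per window keeps each session well under the 50k cap.
    $sessionId = [guid]::NewGuid().ToString()
    $fetched = 0
    do {
        $params = @{
            StartDate      = $windowStart
            EndDate        = $windowEnd
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'
            ResultSize     = $PageSize
        }
        if ($UserIds.Count -gt 0) { $params['UserIds'] = $UserIds }

        $page = Search-UnifiedAuditLog @params
        if ($page) {
            $fetched += $page.Count
            # ResultCount is the session total; a window that reaches the cap
            # is incomplete and must be re-run with a smaller WindowMinutes.
            if ($page[0].ResultCount -ge $SessionCap) {
                Write-Warning "Window $windowStart - $windowEnd hit $SessionCap rows; narrow it."
            }
            $page | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
                Export-Csv -Path $OutFile -Append -NoTypeInformation
        }
    } while ($page -and $page.Count -eq $PageSize)   # short page = session drained

    Write-Host "$windowStart - $windowEnd : $fetched rows"
    $windowStart = $windowEnd
}
```

The AuditData column holds the JSON record for each event, so keep it intact in the CSV and parse it afterwards rather than selecting only the summary columns.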
apurva-rustagi/o365_ual_collector