# o365

### Get O365 AuditLog and sign-ins:

```powershell
# install modules 
Install-Module -Name ExchangeOnlineManagement
Install-Module -Name MSOnline
Install-Module -Name AzureAD


# Import required modules
Import-Module MSOnline
Import-Module AzureAD
Import-Module ExchangeOnlineManagement

# Connect to services
Connect-MsolService
Connect-AzureAD
Connect-ExchangeOnline

# Define the date from which you want to start the search
$startDate = Get-Date -Date "yyyy-MM-dd" # Replace yyyy-MM-dd with your start date

# Search the audit log
$auditLogEntries = Search-UnifiedAuditLog -StartDate $startDate -EndDate (Get-Date)

# Sign-ins (Get-AzureADAuditSignInLogs ships in the AzureADPreview module, not the GA AzureAD module; -All pulls every page)
Get-AzureADAuditSignInLogs -All $true | Export-Csv AzureSignIns.csv -NoTypeInformation

# Export the results
$auditLogEntries | Export-Csv AuditLog.csv -NoTypeInformation
```

### export Exchange mailbox:

Exchange Online/ O365:

<https://www.codetwo.com/admins-blog/export-microsoft-365-mailboxes-to-pst-powershell/>

```powershell
Install-Module -Name ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName USERNAME
Connect-IPPSSession -UserPrincipalName USERNAME
New-ComplianceSearch "your_descriptive_name" -ExchangeLocation all | Start-ComplianceSearch
New-ComplianceSearchAction "your_descriptive_name" -Export -Format Fxstream
Get-ComplianceSearchAction "your_descriptive_name_export" -IncludeCredential | FL
```

PowerShell audit log extraction - o365:

```powershell
#Modify the values for the following variables to configure the audit log search.
$logFile = "C:\temp\AuditLogSearchLog.txt"
$outputFile = "C:\temp\AuditLogRecords.csv"
[DateTime]$start = [DateTime]::UtcNow.AddDays(-52)
[DateTime]$end = [DateTime]::UtcNow
$record = $null
$resultSize = 5000
$intervalMinutes = 60

#Start script
[DateTime]$currentStart = $start
[DateTime]$currentEnd = $end

Function Write-LogFile ([String]$Message)
{
    $final = [DateTime]::Now.ToUniversalTime().ToString("s") + ":" + $Message
    $final | Out-File $logFile -Append
}

Write-LogFile "BEGIN: Retrieving audit records between $($start) and $($end), RecordType=$record, PageSize=$resultSize."
Write-Host "Retrieving audit records for the date range between $($start) and $($end), RecordType=$record, ResultsSize=$resultSize"

$totalCount = 0
while ($true)
{
    $currentEnd = $currentStart.AddMinutes($intervalMinutes)
    if ($currentEnd -gt $end)
    {
        $currentEnd = $end
    }

    if ($currentStart -eq $currentEnd)
    {
        break
    }

    $sessionID = [Guid]::NewGuid().ToString() + "_" +  "ExtractLogs" + (Get-Date).ToString("yyyyMMddHHmmssfff")
    Write-LogFile "INFO: Retrieving audit records for activities performed between $($currentStart) and $($currentEnd)"
    Write-Host "Retrieving audit records for activities performed between $($currentStart) and $($currentEnd)"
    $currentCount = 0

    $sw = [Diagnostics.StopWatch]::StartNew()
    do
    {
        $results = Search-UnifiedAuditLog -StartDate $currentStart -EndDate $currentEnd -RecordType $record -SessionId $sessionID -SessionCommand ReturnLargeSet -ResultSize $resultSize

        if (($results | Measure-Object).Count -ne 0)
        {
            $results | export-csv -Path $outputFile -Append -NoTypeInformation

            $currentTotal = $results[0].ResultCount
            $totalCount += $results.Count
            $currentCount += $results.Count
            Write-LogFile "INFO: Retrieved $($currentCount) audit records out of the total $($currentTotal)"

            if ($currentTotal -eq $results[$results.Count - 1].ResultIndex)
            {
                $message = "INFO: Successfully retrieved $($currentTotal) audit records for the current time range. Moving on!"
                Write-LogFile $message
                Write-Host "Successfully retrieved $($currentTotal) audit records for the current time range. Moving on to the next interval." -foregroundColor Yellow
                ""
                break
            }
        }
    }
    while (($results | Measure-Object).Count -ne 0)

    $currentStart = $currentEnd
}

Write-LogFile "END: Retrieving audit records between $($start) and $($end), RecordType=$record, PageSize=$resultSize, total count: $totalCount."
Write-Host "Script complete! Finished retrieving audit records for the date range between $($start) and $($end). Total count: $totalCount" -foregroundColor Green

```

on prem:

```powershell
# UNC path to a share the Exchange Trusted Subsystem can write to
New-MailboxExportRequest -Mailbox "Test Mailbox" -FilePath "\\SERVER01\PST\Testmailbox.pst"
```

o365 Log location:

```powershell
Search-MailboxAuditLog
Search-MailboxAuditLog -Identity <user> -LogonTypes Admin,Delegate -StartDate 1/1/2018 -EndDate 12/31/2018

Search-UnifiedAuditLog  -StartDate <date> -EndDate <date> -FreeText (Get-Mailbox <mailbox identity>).ExchangeGuid
```

1. Log in to your Microsoft 365 account
2. In the left-hand pane of the Security & Compliance Center, click on “Audit Log Search”
3. Choose the activities and dates you want to view, as well as any specific users, files, folders, or sites you want to filter
4. Click “Search”
5. Click on a specific event to open the “Details” page
6. Filter or export the results

Activities: Under Exchange mailbox activities, select one or both of the following activities:

* New-InboxRule: Create new inbox rule from Outlook Web App. This activity returns audit records when inbox rules are created using Outlook Web App or Exchange Online PowerShell.
* Updated inbox rules from Outlook client. This activity returns audit records when inbox rules are created, modified, or removed using the Outlook desktop client.
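Added example (not from the original notes): triaging the exported records for the inbox-rule activities above. It parses the AuditData JSON column that the extraction script writes to AuditLogRecords.csv and flags New-InboxRule / Set-InboxRule operations that forward, redirect or delete mail; the two sample records are constructed, not real tenant data.

```powershell
# Added example: flag risky inbox-rule operations in exported unified audit log records.
# Assumes the CSV written by the extraction script above (AuditData column holds JSON).
$csvPath = "C:\temp\AuditLogRecords.csv"

# Rule parameters that send mail out of the mailbox or hide it from the user.
$riskyParams = @('ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage')

function Get-SuspiciousInboxRules {
    param([Parameter(Mandatory)][object[]]$Records)   # objects with an AuditData property

    foreach ($rec in $Records) {
        $data = $rec.AuditData | ConvertFrom-Json
        if ($data.Operation -notin @('New-InboxRule', 'Set-InboxRule')) { continue }

        # Parameters is an array of {Name,Value}; keep only the risky ones that are actually set
        $hits = @($data.Parameters | Where-Object {
            $_.Name -in $riskyParams -and $_.Value -and $_.Value -ne 'False' })
        if ($hits.Count -eq 0) { continue }

        [pscustomobject]@{
            Time      = $data.CreationTime
            User      = $data.UserId
            ClientIP  = $data.ClientIP
            Operation = $data.Operation
            RuleName  = ($data.Parameters | Where-Object Name -eq 'Name').Value
            Risky     = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        }
    }
}

# Constructed sample records so the function can be tried offline; only the first is flagged.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-01T08:12:00","Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"ext@example.net"},{"Name":"DeleteMessage","Value":"True"}]}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-01T09:00:00","Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"198.51.100.5","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Inbox\\Newsletters"}]}' }
)

Get-SuspiciousInboxRules -Records $sample | Format-Table -AutoSize

# Real run against the export: Get-SuspiciousInboxRules -Records (Import-Csv $csvPath) | Format-Table -AutoSize
```

A single-character rule name (".") combined with ForwardTo and DeleteMessage is the classic pattern to review first; legitimate move-to-folder rules are left unflagged.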
