Microsoft Purview audit logs are one of the best tools a cloud engineer can have. Usually you go to the Purview admin center at https://purview.microsoft.com and, under Solutions, you find Audit.
You are then forwarded to the Audit Search page, where you can search the logs by URL, file, user name and so on. More information about audit log search can be found on the following Microsoft page: https://learn.microsoft.com/en-us/purview/audit-search.
But if you need to search the audit logs regularly, or want to automate the process, there is a better way, and that is where Graph and PowerShell come in. Below is an example of how to search the audit logs for deleted Microsoft Teams teams over a 6-hour window:
```powershell
# Connect with an app registration (certificate-based, no interactive sign-in)
Connect-MgGraph -ClientId $ClientID -TenantId $TenantID -CertificateThumbprint $CertificateThumbprint

# 6-hour window that ends one hour ago (audit records arrive with some ingestion delay)
$EndDate   = (Get-Date).AddHours(-1)
$StartDate = (Get-Date $EndDate).AddHours(-6)

# The filter expects UTC timestamps; convert before formatting with the trailing "Z"
$AuditQueryStart = $StartDate.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")
$AuditQueryEnd   = $EndDate.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ")

# Request body for the audit log query; operationFilters restricts it to team deletions
$params = @{
    displayName         = "New audit query - Operations"
    filterStartDateTime = "$AuditQueryStart"
    filterEndDateTime   = "$AuditQueryEnd"
    operationFilters    = @("TeamDeleted")
}

# Create the query job; it runs asynchronously, so keep its ID for polling and export
$q   = New-MgBetaSecurityAuditLogQuery -BodyParameter $params
$qID = $q.Id
```
In my case I'm using an Azure App (ClientId and CertificateThumbprint) with the Microsoft Graph application permission AuditLogsQuery.Read.All to connect to Microsoft Graph and query the audit logs. Keep the ID of the job in a variable because it will be needed to show or export the results.
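The query created above runs asynchronously, so the job has to be polled until it finishes before its records can be read. The following script is an added example, not code from the original post: it polls the job, pages through the records with Invoke-MgGraphRequest against the beta endpoint, and exports a flat CSV you can hand to a reviewer or feed into a SIEM. It assumes an existing Connect-MgGraph session and the $qID variable from the snippet above; the polling interval, timeout, output path and the TeamName field read from auditData are my own assumptions.

```powershell
# Added example (not from the original post). Assumes Connect-MgGraph has already run
# with AuditLogsQuery.Read.All and that $qID holds the ID returned by
# New-MgBetaSecurityAuditLogQuery.
$GraphBase = "https://graph.microsoft.com/beta/security/auditLog/queries"

function Wait-AuditLogQuery {
    # Poll the query job until it reaches a terminal state or the timeout expires.
    param(
        [Parameter(Mandatory)] [string] $QueryId,
        [int] $PollSeconds    = 30,   # assumption: polling interval
        [int] $TimeoutMinutes = 30    # assumption: how long to wait for a large window
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $query  = Invoke-MgGraphRequest -Method GET -Uri "$GraphBase/$QueryId"
        $status = $query.status
        Write-Verbose "Audit query $QueryId status: $status"
        if ($status -in @('succeeded', 'failed', 'cancelled')) { return $status }
        if ((Get-Date) -gt $deadline) {
            throw "Timed out waiting for audit query $QueryId (last status: $status)"
        }
        Start-Sleep -Seconds $PollSeconds
    } while ($true)
}

function Get-AuditLogQueryRecords {
    # Follow @odata.nextLink so windows with many events are not silently truncated.
    param([Parameter(Mandatory)] [string] $QueryId)
    $uri = "$GraphBase/$QueryId/records"
    while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($record in $page.value) { $record }
        $uri = $page.'@odata.nextLink'
    }
}

$status = Wait-AuditLogQuery -QueryId $qID -Verbose
if ($status -ne 'succeeded') {
    throw "Audit query $qID ended with status '$status'; nothing exported"
}

# Flatten the records: who deleted which team, when, and from which client IP.
$report = foreach ($r in Get-AuditLogQueryRecords -QueryId $qID) {
    $data = $r.auditData   # workload-specific payload attached to each record
    [pscustomobject]@{
        CreatedDateTime   = $r.createdDateTime
        Operation         = $r.operation
        UserPrincipalName = $r.userPrincipalName
        ClientIp          = $r.clientIp
        ObjectId          = $r.objectId
        TeamName          = $data.TeamName   # assumption: field name inside the Teams auditData
    }
}

$outFile = ".\TeamDeleted-$qID.csv"   # assumption: output location
$report | Sort-Object CreatedDateTime | Export-Csv -Path $outFile -NoTypeInformation
Write-Host "Exported $(@($report).Count) TeamDeleted record(s) to $outFile"
```

Run it right after the snippet above in the same session. If the export is empty, the usual reasons are ingestion delay (the window ends an hour ago for that reason) or the job having finished with a status other than succeeded, which the script reports instead of writing an empty file.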