# Discovering Microsoft 365 Logs within your Organization

Microsoft 365 is a highly targeted resource, rich with organizational data stored in Office 365, SharePoint, Teams, and other Microsoft 365 components. I was recently asked to deliver a session on hunting Microsoft 365 logs to help an organization understand the various collection methods and the limits of each. This seemed like an easy ask, and I was sure someone had already put together the content. To my surprise, I couldn't find a colleague who had a consolidated set of information. Microsoft is good at updating its documentation pages and providing information; unfortunately, the answers are spread across several different sites in various locations. Which brings me to this multi-part series on how to hunt Microsoft 365 data. My goal is to help security teams better understand each method and its limits.

## Retrieving Azure VM activity logs with PowerShell

To get the Azure VM activity logs with PowerShell, we use the Get-AzLog command. Before running Az commands, make sure you are connected to your Azure account (Connect-AzAccount) and have selected the subscription (Set-AzContext).

We have the TestVM below; to retrieve its activity logs we need its resource ID. We get the resource ID using:

```powershell
PS C:\> $vm = Get-AzVM -VMName TestVM
PS C:\> $vm.Id
```

We use this ID in the Get-AzLog command to retrieve the activity logs:

```powershell
Get-AzLog -ResourceId $vm.Id
```

This returns all the Azure events for that specific resource (the VM), and you can see the number of properties on each event.

If we only need the properties that are shown in the Azure activity log on the portal, we can use the command below:

```powershell
(Get-AzLog -ResourceId $vm.Id) | Select-Object Level, Caller, EventTimestamp
```

You can filter the events by a specific level. For example, to show only warning logs:

```powershell
(Get-AzLog -ResourceId $vm.Id) | Where-Object { $_.Level -eq 'Warning' } | Select-Object Caller, EventTimestamp
```

You can also add start and end times to the query with the -StartTime and -EndTime parameters.
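The commands above are single queries; for hunting, a defender usually wants the same data pulled over a window and summarized by who did what. The function below is an added example, not code from the original post. It assumes the Az.Accounts, Az.Compute and Az.Monitor modules are installed and that Connect-AzAccount and Set-AzContext have already been run; the VM name and resource group used in the usage line are placeholders, and the OperationName and Status property names are assumed to be the plain string properties that Az.Monitor's Get-AzLog output exposes. Two caveats worth keeping in mind: the activity log records control-plane operations on the VM (start, stop, resize, disk and NIC changes made through Azure Resource Manager), not events from inside the guest OS, and Azure only retains it for 90 days, so a longer window requires the log to have been exported to a Log Analytics workspace or storage account beforehand.

```powershell
# Added example (not from the original post): summarize Azure Activity Log events for a VM
# over a time window, grouped by caller and operation, so that an unexpected identity or
# operation stands out. Assumes Az modules are installed and the session is already signed
# in (Connect-AzAccount / Set-AzContext).
function Get-VmActivitySummary {
    param(
        [Parameter(Mandatory)] [string]   $VMName,
        [Parameter(Mandatory)] [string]   $ResourceGroupName,
        [int]      $Days   = 7,                                   # activity log retention is 90 days
        [string[]] $Levels = @('Warning', 'Error', 'Critical')    # drop Informational noise by default
    )

    # Resolve the VM to its ARM resource ID, which is what Get-AzLog filters on.
    $vm    = Get-AzVM -ResourceGroupName $ResourceGroupName -Name $VMName
    $end   = Get-Date
    $start = $end.AddDays(-$Days)

    # -DetailedOutput keeps the full Properties/Authorization payload instead of the
    # portal-style summary, which is useful when you need to drill into a single event later.
    $events = Get-AzLog -ResourceId $vm.Id -StartTime $start -EndTime $end -DetailedOutput

    # Keep only the severities we care about (same idea as the Where-Object filter above).
    $filtered = $events | Where-Object { $Levels -contains $_.Level }

    # Group by caller and operation: one row per (who, what) with counts and time bounds.
    $filtered |
        Group-Object Caller, OperationName |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object EventTimestamp
            [pscustomobject]@{
                Caller        = $sorted[0].Caller
                OperationName = $sorted[0].OperationName
                Count         = $_.Count
                FirstSeen     = $sorted[0].EventTimestamp
                LastSeen      = $sorted[-1].EventTimestamp
                Statuses      = ($sorted.Status | Sort-Object -Unique) -join ','
            }
        } |
        Sort-Object Count -Descending
}

# Usage (placeholder names): review the last 30 days of non-informational events on TestVM.
Get-VmActivitySummary -VMName 'TestVM' -ResourceGroupName 'rg-placeholder' -Days 30 |
    Format-Table -AutoSize
```

Running it with `-Levels @('Informational','Warning','Error','Critical')` gives the full picture, including routine operations; the default excludes Informational so that the output is short enough to scan. A caller that appears only once, or an operation such as a disk or NIC change from an identity that does not normally administer the VM, is the kind of row that justifies pulling the detailed event and checking the Authorization and Claims properties it carries.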