My poor neglected site. 🙁
I use Search-UnifiedAuditLog a lot. I should probably learn to use the API, but Search-UnifiedAuditLog is how I start my day. When I have more time I’d like to do a write up of how I’ve scripted this, what I do with it, and how I parse out the output.
Basically, I use Search-UnifiedAuditLog in two ways. Each morning I do a bit of “threat hunting,” in which I dump a bunch of logins and try to look for suspicious looking patterns. I can get more into that later.
The second way, and arguably the more important way, is during incident response. During an active phishing campaign, I’m always finding new IOCs and needing to quickly get the results from the Audit Log (because some months ago Cloud App Security stopped showing “non-interactive” logins from legacy auth). So, again, I’d like to do a bigger write up on how I use this, but today, to show I’m alive on this blog, I’ll leave a quick tip.
Usually, a compromised account that starts sending internal phishes will get reported. From there, I’ll check the account’s logins in the Audit Log in Security and Compliance to get login IP addresses as well as collect IP addresses from the messages sent through the Threat Explorer.
The basic Search-UnifiedAuditLog command looks like this:
Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations UserLoggedIn -IPAddresses [IOCs here] -SessionCommand ReturnLargeSet -ResultSize 5000
I’ll take all of those IP addresses and start filling in those IOCs. In the event I had tons of addresses (usually a deduplicated column from the CSV export), I’d do a stupid $hold = get-content out.txt; $all = ""; foreach($i in $hold){$all = $all + ", " + $i}; $all.substring(2) | clip OR something messy like that, don’t quote me on it…then I’d paste the new comma delimited list into the [IOCs here] portion of the script.
NO MORE.
If you’ve got a text file, with a single IP per line, you can do -IPAddresses (get-content ip.txt)!!!
Maybe this is obvious but it allowed me to build scripts to check against a set of bad /23s so easily. Considering how stupid my previous pipe-to-clip method was, being that my IPs were already in an acceptable text file, this was awesome for me.
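Here is an added example of the same idea taken a step further (my own illustration, not the post's original script): it reads the IOC list from a file, pages through the full result set, and flattens the AuditData JSON into something you can triage. It assumes an existing Exchange Online session (Connect-ExchangeOnline) and a file named ip.txt; the session name and output path are just placeholders.

```powershell
# Added example, not from the original post. Assumes an Exchange Online
# session is already open and .\ip.txt holds one IP per line.
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Trim whitespace, drop blank and '#' comment lines, dedupe. -IPAddresses
# accepts an array of strings, so the cleaned list is passed straight in.
$iocs = Get-Content .\ip.txt |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    Sort-Object -Unique

# Page through the results with a fixed SessionId; ReturnLargeSet keeps
# returning the next batch of up to 5000 until the session is exhausted.
$sessionId = "ioc-hunt-$(Get-Date -Format yyyyMMddHHmmss)"
$records = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -Operations UserLoggedIn -IPAddresses $iocs `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $records += $page }
} while (@($page).Count -eq 5000)

# Paged sessions can hand back the same record twice; Identity is unique.
$records = $records | Sort-Object Identity -Unique

# AuditData is a JSON string; pull out the fields that matter for IR triage.
$hits = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time         = $r.CreationDate
        User         = $d.UserId
        ClientIP     = $d.ClientIP
        ResultStatus = $d.ResultStatus
        RequestType  = ($d.ExtendedProperties | Where-Object Name -eq 'RequestType').Value
        UserAgent    = ($d.ExtendedProperties | Where-Object Name -eq 'UserAgent').Value
    }
}

# Quick summary of which accounts the bad IPs touched, then the raw hits
# for the case file (output path is a placeholder).
$hits | Group-Object User, ClientIP |
    Select-Object Count, Name |
    Sort-Object Count -Descending | Format-Table -AutoSize
$hits | Export-Csv .\ioc-logins.csv -NoTypeInformation
```

The RequestType and UserAgent values are what separate a legacy-auth or non-interactive login from a browser session, which is exactly the kind of login the post notes no longer shows up in Cloud App Security.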