Office 365 Extractor – A Complete Guide To Extracting Audit Logs And Enhancing Forensic Investigations

This script makes it possible to extract log data out of an Office365 environment. The script created by us consist out of four main options, which enable the investigator to easily extract logging out of an Office365 environment.

1. Show available log sources and amount of logging
2. Extract all audit logging
3. Extract group audit logging
4. Extract Specific audit logging (advanced mode)

Show Available Log Sources And Amount Of Logging

Pretty straightforward a search is executed and the total number of logs within the
set timeframe will be displayed and written to a csv file called “Amount_Of_Audit_Logs.csv” the file is prefixed with a random number to prevent duplicates.

Extract All Audit Logs

Extract all audit logs” this option wil get all available audit logs within the set timeframe and written out to a file called AuditRecords.CSV.

Extract Group Logging

Extract a group of logs. You can for example extract all Exchange or Azure logging in one go

Extract Specific Audit Logs

Extract specific audit logs” Use this option if you want to extract a subset of the audit logs. To configure what logs will be extracted the tool needs to
be configured with the required Record Types. A full list of recordtypes can be found at the bottom of this page.
The output files will be writen in a directory called ‘Log_Directory” and will be given the name of their recordtype e.g. (ExchangeItem_AuditRecords.csv)

Prerequisites

-Exchange Online PowerShell V2 Module
-PowerShell
-Office365 account with privileges to access/extract audit logging
-One of the following windows versions:
Windows 10, Windows 8.1, Windows 8, or Windows 7 Service Pack 1 (SP1)
Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2 SP1

You have to be assigned the View-Only Audit Logs or Audit Logs role in Exchange Online to search the Office 365 audit log.

By default, these roles are assigned to the Compliance Management and Organization Management role groups on the Permissions page in the Exchange admin center.

To give a user the ability to search the Office 365 audit log with the minimum level of privileges, you can create a custom role group in Exchange Online, add the View-Only Audit Logs or Audit Logs role, and then add the user as a member of the new role group. For more information, see Manage role groups in Exchange Online. 

Install Exchange Online Powershell V2 Module

1. Start Windows PowerShell with the “Run as administrator” option
2. Install PowerShellGet Module. To install the ExchangeOnlineManagement module, you need PowerShellGet 2.0 or later version. Else, you end up with an error: Run: Install-Module PowerShellGet -Force
3. Run the following cmdlet to install Exchange Online PowerShell V2 Module: Install-Module –Name ExchangeOnlineManagement

For more information click here.