# Sign in to Exchange Online (remote PowerShell) and MSOnline, using a stored
# credential file when one exists and an interactive prompt otherwise.
#
# NOTE(review): this connection path uses Basic authentication against the
# legacy ps.outlook.com endpoint together with the MSOnline module. Microsoft
# has retired Basic auth for Exchange Online remote PowerShell and deprecated
# MSOnline, so expect this block to fail on current tenants. Verify, and move
# to a modern-auth (MFA-capable) connection before relying on the script.
Import-Module MSOnline

$keyPath = "C:\O365\key\TENANTNAME.key"
$hasKeyFile = Test-Path $keyPath

if ($hasKeyFile) {
    # ConvertTo-SecureString without -Key expects text produced by
    # ConvertFrom-SecureString; in that form it is DPAPI-protected and can only
    # be decrypted by the same Windows user on the same machine.
    # NOTE(review): this is a standing admin credential on disk. Restrict the
    # file's ACL to the account that runs the script and give the account only
    # the roles the audit-log search needs.
    $admin = "dirsync@pmuseum.onmicrosoft.com"
    $securePassword = Get-Content $keyPath | ConvertTo-SecureString
    $Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $admin, $securePassword
}
else {
    $Credentials = Get-Credential -Message "Please enter your Office 365 admin credentials!"
}
#********************* Check Variables Ends *********************

# -AllowRedirection lets the service hand the connection to another URI.
# NOTE(review): with Basic auth the password itself is presented to whichever
# endpoint the session ends up on, so this combination deserves scrutiny.
$sessionParams = @{
    ConfigurationName = 'Microsoft.Exchange'
    ConnectionUri     = 'https://ps.outlook.com/powershell/'
    Credential        = $Credentials
    Authentication    = 'Basic'
    AllowRedirection  = $true
}
$Session = New-PSSession @sessionParams
#Enter-PSSession $Session

# -AllowClobber: imported Exchange cmdlets replace local commands of the same name.
Import-PSSession $Session -AllowClobber
Connect-MsolService -Credential $Credentials
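# Disabled leftovers from other tasks; kept as in the original listing.
#New-ComplianceSearchAction -SearchName "Tafeeda 4" -Purge -PurgeType SoftDelete
#Remove-PSSession $Session

# Pull every UserLoggedIn record from the unified audit log for the last 30
# days, one page at a time.
$startDate = (Get-Date).AddDays(-30)
$endDate = Get-Date
$pageSize = 5000
$Logs = @()

Write-Host "Retrieving logs" -ForegroundColor Blue
do {
    # ReturnLargeSet with a fixed SessionId returns the next page on each call.
    # NOTE(review): the SessionId is a constant, so a re-run while the service
    # still remembers it may resume the old search instead of starting over;
    # confirm, or make the id unique per run. The service also caps how many
    # records one session returns (50,000 at the time of writing; verify), so
    # narrow the date range on busy tenants or sign-ins will be silently missing.
    $page = @(Search-UnifiedAuditLog -SessionCommand ReturnLargeSet -SessionId "UALSearch" -ResultSize $pageSize -StartDate $startDate -EndDate $endDate -Operations UserLoggedIn) #-SessionId "$($customer.name)"
    $Logs += $page
    Write-Host "Retrieved $($Logs.Count) logs" -ForegroundColor Yellow

    # Stop on the first short or empty page. Testing the running total modulo
    # the page size never terminates when the total is an exact multiple of the
    # page size, because the empty final page leaves the total unchanged.
} while ($page.Count -eq $pageSize)
Write-Host "Finished Retrieving logs" -ForegroundColor Green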
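# For each user in the sign-in logs, geolocate every distinct client IP and
# append one row per (user, IP) to a CSV for review.
#
# Review notes for anyone using the output as evidence:
#  * Lookups go to ip-api.com over plain HTTP. Responses are not authenticated
#    in transit, and every user's client IP is disclosed to a third party.
#    NOTE(review): the free endpoint is believed to be HTTP-only. Confirm, and
#    use a TLS-capable or local GeoIP source where the result matters.
#  * UserAgent is client-supplied text. Spreadsheet applications may evaluate
#    cells beginning with = + - or @, so neutralise such values before opening
#    the CSV in one.
$userIds = $logs.userIds | Sort-Object -Unique

# Not referenced anywhere in this listing; presumably meant for filtering the
# exported rows by country afterwards.
$ignorecountries = 'Palestinian Territory','Israel','Palestine', 'Jordan','Hashemite Kingdom of Jordan'

$count = 1
$starttime = Get-Date

try {
    foreach ($userId in $userIds) {
        Write-Host "Getting logon IPs for $userId"
        $searchResult = ($logs | Where-Object { $_.userIds -contains $userId }).auditdata | ConvertFrom-Json -ErrorAction SilentlyContinue
        Write-Host "$userId has $($searchResult.count) logs" -ForegroundColor Green
        $ips = @($searchResult.clientip | Sort-Object -Unique)
        Write-Host "Found $($ips.count) unique IP addresses for $userId"

        foreach ($ip in $ips) {
            # A blank address would turn the lookup URL into ".../json/", which
            # geolocates the machine running this script, not the user.
            if ([string]::IsNullOrWhiteSpace($ip)) { continue }

            # ip-api allows 45 requests per minute. After 44 lookups, wait out
            # the rest of a 70-second window (70 rather than 60 for margin).
            # TotalSeconds is used because .Seconds wraps at 60 and would
            # miscompute the wait once a window has run past a minute.
            if ($count -gt 44) {
                $elapsed = (Get-Date) - $starttime
                $waitSeconds = 70 - [int]$elapsed.TotalSeconds
                if ($waitSeconds -gt 0) { Start-Sleep -Seconds $waitSeconds }
                $count = 1
                $starttime = Get-Date
            }
            $count++

            Write-Host "Checking $ip" -ForegroundColor Yellow
            $mergedObject = New-Object PSObject
            $singleResult = $searchResult | Where-Object { $_.clientip -contains $ip } | Select-Object -First 1
            Start-Sleep -Milliseconds 400

            # Reset per iteration and skip on failure, so a failed lookup can
            # never be reported with the previous IP's location.
            $ipresult = $null
            try {
                $ipresult = Invoke-RestMethod -Method Get -Uri "http://ip-api.com/json/$ip" -ErrorAction Stop
            }
            catch {
                Write-Warning "Lookup failed for ${ip}: $($_.Exception.Message)"
                continue
            }

            # Reset first so a record without extended properties does not
            # inherit the previous record's value. @(...) keeps [0] from
            # indexing into a string when there is only one property.
            # Assumes the first extended property is the user agent (TODO confirm).
            $UserAgent = $null
            $extended = $singleResult.extendedproperties
            if ($extended) { $UserAgent = @($extended.value)[0] }
            Write-Host "Country: $($ipResult.country) UserAgent: $UserAgent"

            # Copy the audit record's fields; nested values are flattened to JSON text.
            $singleResultProperties = $singleResult | Get-Member -MemberType NoteProperty
            foreach ($property in $singleResultProperties) {
                if ($property.Definition -match "object") {
                    $string = $singleResult.($property.Name) | ConvertTo-Json -Depth 10
                    $mergedObject | Add-Member -Name $property.Name -Value $string -MemberType NoteProperty
                }
                else {
                    $mergedObject | Add-Member -Name $property.Name -Value $singleResult.($property.Name) -MemberType NoteProperty
                }
            }
            $property = $null

            # Add the geolocation fields returned for this IP.
            $ipProperties = $ipresult | Get-Member -MemberType NoteProperty
            foreach ($property in $ipProperties) {
                $mergedObject | Add-Member -Name $property.Name -Value $ipresult.($property.Name) -MemberType NoteProperty
            }

            $mergedObject | Select-Object UserId, Operation, CreationTime, @{Name = "UserAgent"; Expression = {$UserAgent}}, Query, ISP, City, RegionName, Country | Export-Csv C:\temp\UserLocationDataGCITS.csv -Append -NoTypeInformation
        }
    }
}
finally {
    # Close the remote session even if the loop stops early, so it is not left
    # open against the tenant's session limit.
    if ($Session) { Remove-PSSession $Session }
}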