-
Notifications
You must be signed in to change notification settings - Fork 1
/
o365_alert_new_inbox_rule.ps1
69 lines (57 loc) · 2.79 KB
/
o365_alert_new_inbox_rule.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
<#
.SYNOPSIS
Powershell script to parse through Office 365 logs every 15 minutes and sent out an email alert if supciious rule found.
.NOTES
Author: London Crosby
Created: <05-14-2018>
#>
#
$ExoLogin = 'no-reply@example.com'
$ExoPassFile = 'Path-to-encryped-password.txt'
# If doesn't exist then let's set some up!
If (!(Test-Path $ExoPassFile)) {
$GetPass = Read-Host -Prompt "Enter password:" -AsSecureString
$GetPass | ConvertFrom-SecureString | Out-File $ExoPassFile
}
$ExoCredentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ExoLogin, (Get-Content $ExoPassFile | ConvertTo-SecureString)
$ExoSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/PowerShell/ -Credential $ExoCredentials -Authentication Basic -AllowRedirection
Import-PSSession $ExoSession
# For future functionality
Import-Module MsOnline
Connect-MsolService -Credential $ExoCredentials
# Set basic alerting variables
$AlertTo = 'your_address@example.com'
$AlertWhat = 'New-InboxRule'
$AlertSMTP = 'smtp-relay.example.com'
$BlacklistContains = 'hack'
$BlacklistFromAddress = 'postmaster@'
# Add functionaly to pass argument
$SearchTime = Get-Date
# Default is 100 results returned. Not common to exceed but if shit hits the fan then or big userbase at least you get a better picture
$AuditLog = Search-UnifiedAuditLog -StartDate $SearchTime.AddMinutes(-15) -EndDate $SearchTime -Operations $AlertWhat -ResultSize 5000 | Select CreationDate, UserIds, Operations,AuditData,ResultIndex,ResultCount
function SendAlert {
$AlertSubject = "Suspicious $AlertWhat Activity for $aUserId!"
# Using HTML so it can be expanded on in the future with pretty colors for idiots
$AlertBody = "<h3>$aTime - $aUserId ($aUserName) from $aUserIp</h3><p>Created a $AlertWhat that contains: $elementValue</p></br><p style=font-weight:bold;>INVESTIGATE ASAP!!!</p>"
Send-MailMessage -From $ExoLogin -To $AlertTo -Subject $AlertSubject -BodyAsHtml $AlertBody -SmtpServer $AlertSMTP
}
foreach ($l in $AuditLog){
#
$aData = $l.AuditData | ConvertFrom-Json
$aTime = $aData.CreationTime
$aUserId = $aData.UserId
$aUserIp = $aData.ClientIP
$aUserDetails = Get-MsolUser -UserPrincipalName $aUserId
$aUserName = $aUserDetails.DisplayName
$aParams = $aData.Parameters
#
if ($aParams.Name -match 'SubjectOrBodyContainsWords' -Or $aParams.Name -match 'FromAddressContainsWords' -Or $aParams.Name -match 'MyNameInToOrCcBox'){
foreach ($element in $aParams) {
$elementValue = $element.Value
if ($elementValue.Contains($BlacklistContains) -Or $elementValue.Contains($BlacklistFromAddress)){
Write-Output "Found match!"
SendAlert
}
}
}
Remove-PSSession $ExoSession