First, I'll present the scenario.
We are on the right track but I already notice something missing in the results of the Search-AdminAuditLog cmdlet. We see ...
- Object modified (Alex.Heyne)
- CmdletName (Add-MailboxPermission)
- Caller (XADMIN)
So XADMIN executed the command Add-MailboxPermission against the mailbox of Alex.Heyne.
But what permissions were granted and to whom? Himself? Someone else?
We should keep in mind that the entry in the Event Viewer (shown in one of the screenshots above) does indicate these details.
After some research, I discovered that the information we want is present but not displayed by default. We are supposed to look at the "CmdletParameters" property, with "Identity", "User" and "Access rights" shown in braces, and realize that this is a hash table containing "name-value" pairs. We need to extract these using an array.
I used this article as a reference but was not able to obtain the same results:
Next, I attempted to expand the CmdletParameters property (successfully) but the output was not what I would have liked. I will not present all the variations attempted but in the end, this was the most readable:
So, for a single action (XADMIN grants himself Full Access to the mailbox of Alex Heyne), we have three separate entries. The auditor would have to be able to see the relationship between the three items that (by default) are not united in a single entity (unlike the presentation in the Event Viewer, once again).
While I could not create an array as described in the article cited earlier...
Parsing the Admin Audit Logs with PowerShell
It did include a script by Matthew Byrd that is supposed to format the output of the Search-AdminAuditLog so it is easier to interpret. I thought I would give this a try.
First, we download the script from the TechNet Gallery (Script Center):
Second, we declare a variable and assign it the output of the Search-AdminAuditLog as shown in the screenshot below.
Third, we pipeline the result to the Get-SimpleAdminAuditLog.ps1 script:
This is much better! In the FullCommand field, we see the exact command that was executed. The auditor still needs to understand what that command accomplishes but no longer has to determine the relationship between three separate items as before.
But can we export the content to a file?
Yes we can:
And can we send the file to the auditor? Yes! In my case, I had to create a script for this (simple text to be saved and then executed as a .ps1 file):
The operation is successful and the auditor (we'll pretend user Alan Reid holds this role) does indeed receive the .csv attachment:
However, some may consider that the presentation is not the best:
I thought that HTML might allow for a more attractive and perhaps even readable presentation.
First, this is what I tried:
You might want to ignore what is inside the orange frame. Without further formatting, the output is really no better than our .csv file. With the -Head parameter (please observe the details in the screenshot above), we can create a document like this:
We can combine all the elements so the file is sent to the auditor:
Note: we can also configure the Task Scheduler to run the script at the interval of our choice.
With some instruction, our auditor should be able to make sense of the HTML file. We can audit other cmdlets as desired by adding them to the -Cmdlets parameter in the script. All in all, it seems like an acceptable solution if we do not have a third-party tool (or if our third-party tool stops functioning after an insufficiently tested update...).
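As an added example that ties the steps above together (it is not the script from this post, nor Matthew Byrd's Get-SimpleAdminAuditLog.ps1), the following flattens the CmdletParameters name-value pairs into the User and AccessRights columns the auditor asked for, rebuilds the full command, styles the table with -Head, and mails the HTML report. It assumes the Exchange Management Shell; the SMTP server, addresses and report path are placeholders.

```powershell
# Added example, not the post's own script. Assumes the Exchange Management Shell;
# the SMTP server, addresses and report path below are placeholders to replace.
$SmtpServer = 'smtp.example.com'                              # placeholder
$From       = 'audit@example.com'                             # placeholder
$To         = 'auditor@example.com'                           # placeholder
$Report     = 'C:\AuditReports\MailboxPermissionAudit.html'   # placeholder

# CmdletParameters is a collection of Name/Value pairs. Load them into a hash table,
# pull out the fields the auditor asks for, and rebuild the command that was run.
function ConvertTo-AuditRow {
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        $byName = @{}
        foreach ($p in $Entry.CmdletParameters) { $byName[$p.Name] = $p.Value }
        $argList = foreach ($p in $Entry.CmdletParameters) {
            if ("$($p.Value)" -match '\s') { "-$($p.Name) '$($p.Value)'" } else { "-$($p.Name) $($p.Value)" }
        }
        [pscustomobject]@{
            RunDate        = $Entry.RunDate
            Caller         = $Entry.Caller
            ObjectModified = $Entry.ObjectModified
            GrantedTo      = $byName['User']
            AccessRights   = $byName['AccessRights']
            Succeeded      = $Entry.Succeeded
            FullCommand    = "$($Entry.CmdletName) $($argList -join ' ')"
        }
    }
}
# Last 7 days of mailbox permission changes; extend -Cmdlets to audit other commands too.
$rows = Search-AdminAuditLog -Cmdlets Add-MailboxPermission, Remove-MailboxPermission `
                             -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -ResultSize 5000 |
        ConvertTo-AuditRow | Sort-Object RunDate

# Style block passed to ConvertTo-Html -Head so the table is readable without a spreadsheet.
$style = @'
<style>
  body  { font-family: Segoe UI, Arial, sans-serif; font-size: 10pt }
  table { border-collapse: collapse }
  th,td { border: 1px solid #888; padding: 3px 6px; text-align: left }
  th    { background: #ddd }
</style>
'@
$rows | ConvertTo-Html -Title 'Mailbox permission changes' -Head $style `
           -PreContent "<h2>Mailbox permission changes, last 7 days ($((Get-Date).ToShortDateString()))</h2>" |
    Out-File -FilePath $Report -Encoding UTF8

# Mail the report; -Attachments sends the HTML file so the auditor opens it in a browser.
Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
    -Subject 'Admin audit log: mailbox permission changes' `
    -Body "Report attached: $(@($rows).Count) entries." -Attachments $Report
```

Saved as a .ps1 file, this is the script to point the Task Scheduler at; the GrantedTo and AccessRights columns let the auditor see at a glance when the Caller granted rights to his own account.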
And giving credit where credit is due...
Besides the text already cited twice above, I also used the following resources to construct my script(s):
Windows PowerShell Tip of the Week - ConvertTo-Html
Trying to pipe Export-Csv to Send-MailMessage