functions/Get-McasExMalwareFileActivity.ps1
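function Get-McasExMalwareFileActivity {
    <#
    .SYNOPSIS
        Search MCAS for FileMalwareDetected activities.

    .DESCRIPTION
        Pages through Get-MCASActivity for the SharePoint Online and OneDrive
        FileMalwareDetected event types and flattens every activity into a
        PSCustomObject. The unmodified activity is kept in the RawObject
        property, so nothing is lost by the projection.

        The output carries user identifiers, client IP addresses and user
        agents taken from the audit record; treat it as sensitive data.

    .PARAMETER Limit
        How far to look into the past. Defaults to one day ('-1d').
        Handed to Get-MCASActivity as -DateAfter.

    .EXAMPLE
        PS C:\> Get-McasExMalwareFileActivity

        Get all detected malware in file activities in the last day

    .OUTPUTS
        PSCustomObject, one per FileMalwareDetected activity.
    #>
    [CmdletBinding()]
    Param (
        [Parameter(ParameterSetName = 'filter')]
        [PSFDateTime]
        $Limit = '-1d'
    )

    begin {
        #region Utility Functions
        function ConvertFrom-Activity {
            <#
            .SYNOPSIS
                Flattens one MCAS activity object into a PSCustomObject.

            .PARAMETER ActivityObject
                An activity as returned by Get-MCASActivity. Most fields are
                read from its rawDataJson sub-object (the Office 365 audit
                record); the original is attached as RawObject.
            #>
            [CmdletBinding()]
            param (
                [parameter(ValueFromPipeline = $true)]
                $ActivityObject
            )

            process {
                $raw = $ActivityObject.rawDataJson
                $eventObjects = @($ActivityObject.mainInfo.EventObjects)

                [PSCustomObject]@{
                    ID                  = $ActivityObject._id
                    # objType 0 / 1 are used here to pick the file and the service
                    # entries of EventObjects — inferred from usage, confirm against MCAS docs.
                    File                = $eventObjects.Where{ $_.objType -eq 0 }.name
                    ServiceType         = $eventObjects.Where{ $_.objType -eq 1 }.serviceObjectType
                    App                 = $ActivityObject.appName
                    Created             = ConvertFrom-MCASTimestamp -Timestamp $ActivityObject.Created
                    Timestamp           = ConvertFrom-MCASTimestamp -Timestamp $ActivityObject.Timestamp
                    TenantId            = $ActivityObject.aadTenantId
                    EventTypeValue      = $ActivityObject.eventTypeValue
                    EventTypeName       = $ActivityObject.eventTypeName
                    EventCategory       = $ActivityObject.description_metadata.event_category
                    Confidence          = $ActivityObject.confidenceLevel
                    Severity            = $ActivityObject.Severity
                    MatchingRules       = $ActivityObject.matchingRules
                    Description         = $ActivityObject.description
                    OrganizationId      = $raw.OrganizationId
                    CreationTime        = $raw.CreationTime
                    CorrelationId       = $raw.CorrelationId
                    RecordType          = $raw.RecordType
                    Operation           = $raw.Operation
                    UserType            = $raw.UserType
                    Workload            = $raw.Workload
                    ClientIP            = $raw.ClientIP
                    UserAgent           = $raw.UserAgent
                    UserKey             = $raw.UserKey
                    Version             = $raw.Version
                    ItemType            = $raw.ItemType
                    SourceFileExtension = $raw.SourceFileExtension
                    ObjectId            = $raw.ObjectId
                    UserId              = $raw.UserId
                    ListItemUniqueId    = $raw.ListItemUniqueId
                    SourceRelativeUrl   = $raw.SourceRelativeUrl
                    EventSource         = $raw.EventSource
                    SourceFileName      = $raw.SourceFileName
                    FileId              = $raw.Id
                    SiteUrl             = $raw.SiteUrl
                    WebId               = $raw.WebId
                    ListId              = $raw.ListId
                    Site                = $raw.Site
                    VirusVendor         = $raw.VirusVendor
                    VirusInfo           = $raw.VirusInfo
                    RawObject           = $ActivityObject
                }
            }
        }
        #endregion Utility Functions

        # SharePoint and OneDrive malware detections, in the
        # '<id>:<api name>:<display name>' form passed to Get-MCASActivity -EventTypeName.
        $eventTypes = @(
            '20892:EVENT_O365_SP_FILE_MALWARE_DETECTED:FileMalwareDetected'
            '15600:EVENT_O365_ONEDRIVE_FILE_MALWARE_DETECTED:FileMalwareDetected'
        )

        # Single source for the page size: it is both the -ResultSetSize requested
        # and the threshold below which a page is treated as the last one.
        $pageSize = 100
    }

    process {
        # NOTE(review): this is offset (-Skip) paging over a live activity feed.
        # If new activities arrive between requests, records can shift across
        # page boundaries and be skipped or returned twice; confirm that is
        # acceptable before relying on the output for completeness.
        $skip = 0
        do {
            Write-Verbose "Requesting activities $skip to $($skip + $pageSize - 1)"
            $activities = Get-MCASActivity -EventTypeName $eventTypes -ResultSetSize $pageSize -Skip $skip -DateAfter $Limit

            # Empty page: nothing (more) to return.
            if (-not $activities) { return }

            $activities | ConvertFrom-Activity

            # A short page means the server has no further results.
            if (@($activities).Count -lt $pageSize) { return }

            $skip += $pageSize
        } while ($true)
    }
}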