
Using PowerShell Logging to Track Potential Attacks Against Office 365

Office 365 tenant administrators often make extensive use of PowerShell. It’s a great tool to get work done across all the Office 365 workloads. However, hackers like PowerShell too, and it could be used to attack your tenant. If that happens, having PowerShell logs will allow you to find out exactly what the attacker did and where. With this in mind, shouldn’t you enable PowerShell logging?

 

https://office365itpros.com/2019/09/13/enable-powershell-logging/

5 Replies

Hello, did you find a way to collect those events (PowerShell activities on Office 365) @Tony Redmond? I am currently looking for a way to track them.

Regards.

@Jean_Apala243 Do you mean the PowerShell logs?

Yes, I mean PowerShell logs. Basically, I want to detect a user who used PowerShell to connect to the O365 tenant @Tony Redmond


@Jean_Apala243  PowerShell doesn't capture events in the Office 365 audit log. All you could do is look for what people did in Office 365 workloads after they connected.

Thank you @Tony Redmond! :)

Kind regards
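An added example, not part of the original thread or the linked article: one way to act on the advice above is to enable script block logging on the workstations administrators use and search the local PowerShell operational log (event ID 4104) for Office 365 connection cmdlets. The function names, the cmdlet list in the pattern, and the sample events are assumptions made for illustration.

```powershell
# Added example. Run elevated on an administrative workstation.
# Pattern of Office 365 connection cmdlets/endpoints to look for (assumed list; extend as needed).
$ConnectPattern = 'Connect-(ExchangeOnline|IPPSSession|MsolService|AzureAD|MicrosoftTeams|SPOService|PnPOnline)|outlook\.office365\.com'

function Enable-ScriptBlockLogging {
    # Policy key that turns on script block logging (event ID 4104).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -PropertyType DWord -Force | Out-Null
}

function Find-O365Connection {
    # Returns one record per logged script block that contains a connection cmdlet.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string]$Pattern = $ConnectPattern
    )
    foreach ($e in $Events) {
        # In event 4104, property index 2 holds the script block text.
        $text = [string]$e.Properties[2].Value
        if ($e.Id -eq 4104 -and $text -match $Pattern) {
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                UserSid     = $e.UserId
                Computer    = $e.MachineName
                Matched     = $Matches[0]
                Script      = $text
            }
        }
    }
}

# Constructed sample events (not real log data) shaped like Get-WinEvent output.
$sample = @(
    [pscustomobject]@{ Id = 4104; TimeCreated = Get-Date; UserId = 'S-1-5-21-0-0-0-1001'; MachineName = 'ADMIN-PC01'
        Properties = @(@{Value = 1}, @{Value = 1}, @{Value = 'Connect-ExchangeOnline -UserPrincipalName admin@contoso.example'}) },
    [pscustomobject]@{ Id = 4104; TimeCreated = Get-Date; UserId = 'S-1-5-21-0-0-0-1002'; MachineName = 'ADMIN-PC01'
        Properties = @(@{Value = 1}, @{Value = 1}, @{Value = 'Get-ChildItem C:\Temp'}) }
)
Find-O365Connection -Events $sample | Format-List   # only the first sample event matches

# Against the live log:
# Find-O365Connection -Events (Get-WinEvent -FilterHashtable @{
#     LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 })
```

These events exist only on the machine where PowerShell ran, so this covers workstations you manage and have logging enabled on; connections made from other machines leave no such record, and for those the remaining evidence is the actions recorded in the Office 365 workloads after the connection.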