立即与支持人员聊天
与支持团队交流

Change Auditor 7.4 - PowerShell User Guide

Managing Windows File System auditing

Change Auditor for Windows File Server tracks, audits, and alerts on file and folder changes in real time, translating events into simple terms and eliminating the time and complexity required by system provided auditing. The auditing scope can be set on an individual file or folder or an entire file system recursive or non-recursive. You can include or exclude certain files or folders from the audit scope to ensure a faster and more efficient audit process.

Managing Windows file system auditing is available through the following PowerShell commands:

Use this command to define a folder or file paths to audit.

NOTE:  

-IncludePath

Specifies the folder or file to audit.

-IncludePathType

Specifies the type of path to audit based on one of the following values:

-IncludeScope

 

Specifies the scope to monitor for the Includepath based on one of the following values:

-AuditEvents

The events to audit.

Use Get-CAWindowsFSEventClassInfo to get the list of event classes.

-IncludeMask (Optional)

Specifies what to include in the selected folder or file path to audit. Entering * will audit all files and folders in the selected folder.

-ExcludeFilePaths (Optional)

Specifies the names and paths of any files to exclude from auditing.

The default is set to None.

-ExcludeFolderPaths (Optional)

Specifies the names and paths of any subfolders to exclude from auditing. The default is set to None.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled on the selected path or folder. The default is set to false.

New-CAWindowsFSAuditObject -IncludePath "C:\ExampleDirectory" -IncludePathType SystemFolder -IncludeScope ScopeSubTree -AuditEvents $auditEvents -IncludeMask "*"
–ExcludeFolderPaths "C:\ExampleDirectory\ExcludedDirectory"

New-CAWindowsFSAuditObject -IncludePath "C:\ExampleDirectory" -IncludePathType SystemFolder -IncludeScope ScopeOneLevel -AuditEvents $auditEvents -IncludeMask "*" –ExcludeFilePaths "*.tmp"

To enable Windows File System auditing, you must first create an auditing template for each file or folder to audit. Each auditing template defines the files or folders to audit, the auditing scope, and the excluded processes.

Use this command to create a Windows file system auditing template.

-Connection

A connection obtained by using the Connect-CAClient command.

-TemplateName

The template name.

-AuditObjects

The folder or file path objects created using
New-CAWindowsFSAuditObject.

-ExcludeProcess (Optional)

The list of processes to exclude from auditing. The default is none.

-DiscardTooltipEvents (Optional)

Multiple folder open events are generated by tooltips (folder content information that is displayed when you hover your mouse over a folder) because Windows Explorer navigates the folder tree for all the sub-folders when you hover over the parent folder to see the tooltip. To ignore the folder opened events generated by this action set this parameter to 'true'.

-DiscardBrowsingEvents (Optional)

Multiple file open events are generated by file scans because Windows Explorer opens and reads the header of all files contained in an opened folder for information to display in the window. To ignore the file open events generated by this action set this parameter to 'true'.

-Disabled (Optional)

Specifies whether the template is enabled or disabled. Default is set to false.

New-CAWindowsFSAuditTemplate -Connection $connection -TemplateName 'New-FSTemplate' -AuditObjects $auditObject -ExcludeProcess $excludeProcess -DiscardTooltipEvents $true -DiscardBrowsingEvents $true -Disabled $false

Use this command to delete a Windows File System auditing template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The CAWindowsFSAuditTemplate object to remove. Obtain the template objects using the Get-CAWindowsFSAuditTemplates command and filter to select the object to remove.

-Force (Optional)

Removes template without prompting for a confirmation. The default is false.

Remove-CAWindowsFSAuditTemplate -Connection $connection -Template $removeTemplate

 

Use this command to edit an existing Windows File System auditing template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

The CAWindowsFSAuditTemplate object to edit. Obtain the template objects using the Get-CAWindowsFSAuditTemplates command and filter to select the object to update.

-TemplateName (Optional)

The template name.

-AuditObjects (Optional)

The folder or file path objects created using
New-CAWindowsFSAuditObject.

-ExcludeProcess (Optional)

The list of processes to exclude from auditing. The default is none.

-DiscardTooltipEvents (Optional)

Multiple folder open events are generated by tooltips (folder content information that is displayed when you hover your mouse over a folder) because Windows Explorer navigates the folder tree for all the sub-folders when you hover over the parent folder to see the tooltip. To ignore the folder opened events generated by this action set this parameter to 'true'.

-DiscardBrowsingEvents (Optional)

Multiple file open events are generated by file scans because Windows Explorer opens and reads the header of all files contained in an opened folder for information to display in the window. To ignore the file open events generated by this action set this parameter to 'true'.

-Disabled (Optional)

Set to true or false to enable or disable the template.

Set-CAWindowsFSAuditTemplate -Connection $connection -Template $Template -ExcludeProcess "avsoftware.exe" -TemplateName "NewTemplateName"

Use this command to see all the Windows File System auditing templates available within your installation.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAWindowsFSAuditTemplates -Connection $connection

$template = Get-CAWindowsFSAuditTemplates -Connection $connection | where TemplateName -eq TemplateName

Use this command to get a list of all available Windows File System auditing event classes.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAWindowsFSEventClassInfo -Connection $connection

Managing SQL Extended Events Auditing (Preview)

SQL Server Extended Events allow users to gather information on the performance of their SQL database. These commands allow you to create and manage SQL Extended Events auditing templates for auditing SQL Extended Events.

NOTE:  

Use this command to retrieve the list of event names and filters available from the SQL server to use when configuring the SQL Extended Events template. Change Auditor audits event information from the Admin, Operational, and Analytic channels.

-Connection

A connection obtained by using the Connect-CAClient command.

-SQLServerName

The name or IP of the SQL Server and the instance name if a named instance. For example, SQLTestServer\InstanceName.

-SQLServerLoginCredential

The SQL server credentials used to retrieve the list of available events and filters from the SQL server.

Get-CASQLExtendedEventsInfo –Connection $connection -SQLServerName $sqlservername -SQLServerLoginCredential $dbcredential

Use this command to specify a filter for the SQL Extended Events to audit when creating templates.

-EventsInfo

The available event and filter information obtained using the Get-CASQLExtendedEventsInfo command.

-FieldName

The field on which to filter.

-Operator

The operator to be used for comparison. See the output obtained from the Get-CASQLExtendedEventsInfo command for available operators for the specified filter field.

-Value

The value to be used for comparison.

-FilterType

The type of filter AND or OR.

New-CASQLExtendedEventsFilter -EventsInfo $eventsInfo -FieldName database_name -Operator Equals -Value testdb1 -FilterType 'AND'

Use this command to specify the SQL Extended Events to audit.

-EventsInfo

The available event and filter information obtained using thee Get-CASQLExtendedEventsInfo command.

-EventNames

A string array of event names to be included.

-EventPackages

A string array of event packages to be applied for the specified array of event names when the object is created.

The array values for parameters -EventNames and -EventPackages must be the same length as each index element of each array is paired with one another.

You can specify an empty value for the default package.

New-CASQLExtendedEventsObject -EventsInfo $sqlExtendedEventClasses -EventNames "login_event","database_stopped","error_reported" -EventPackages "sqlserver","sqlserver","xesvlpkg"

Use this command to create SQL Extended Events auditing templates.

-Connection

A connection obtained by using the Connect-CAClient command.

-SQLServerName

The name or IP of the SQL Server and the instance name if a named instance. For example, SQLTestServer\InstanceName.

-SQLServerLogonCredential

The SQL server logon credential.

NOTE:  

-Name

A unique name for the template.

-ExtendedEvents

The list of events to audit using New-CASQLExtendedEventsObject.

-Filters (Optional)

A list of event filters using New-CASQLExtendedEventsFilter.

-MaxMemorySize (Optional)

SQL Extended Events maximum memory size in megabytes.

Minimum is 250 MB (default if parameter not specified).

-Disabled (Optional)

Set to determine if the template is enabled or disabled. By

default this is set to False.

-AgentInfo (Optional)

An agent object obtained using the Get-CAAgents command. If not specified, it will expect an agent installed on the SQL server to be audited. The agent is used for SQL Extended Events session management and event auditing.

New-CASQLExtendedEventsTemplate -Connection $connection -AgentInfo $Agent -SQLServerName $sqlServerName -SQLServerLoginCredential $sqlCredential -Name 'testXEventTemplate' -ExtendedEvents $events -Filters $filters

Use this command to see all the SQL Extended Events templates that have been created.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CASqlExtendedEventsTemplates -Connection $connection

Get-CASqlExtendedEventsTemplates -Connection $connection | Filter.Where(_$.name = "MyTemplate")

Use this command to delete a specified SQL Extended Events template.

-Connection

A connection obtained by using Connect-CAClient.

-Template

The template object obtained using Get-CASQLExtendedEventsTemplates.

Remove-CASQLExtendedEventsTemplate -Connection $connection -Template $template

Managing Azure Active Directory auditing

Change Auditor audits activity in the Azure portal that corresponds to the events in the Azure Active Directory auditing logs and sign-in activity. Managing Azure Active Directory auditing is available through the following PowerShell commands:

NOTE: When you delete a template (see Remove-CAAgentTemplate), the web application created in Azure Active Directory remains. You can delete the web application using the Azure management portal. If you do not have the portal, see https://technet.microsoft.com/en-us/library/dn832618.aspx for instructions.

The following sample scripts are available in the Change Auditor client folder. By default they are located here: C:\Program Files\Quest\ChangeAuditor\Client\PowerShell Sample Scripts:

 

Use this command to create a template for auditing Azure Active Directory.

-AgentInfo

An agent object obtained using the Get-CAAgents command. The agent is used for Azure Active Directory auditing.

-Connection

A connection obtained by using the Connect-CAClient command.

-CreateWebApp (Optional)

Specifies that you want to create a new Azure web application.

You will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

The Azure Active Directory sign-in page opens automatically.

To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

-Tenant

The Azure Active Directory tenant/directory that you want to audit (for example: yourTenantName.onmicrosoft.com).

-AuditLogs

Specifies whether or not to audit the Azure Active Directory audit logs. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-SignIns

Specifies whether or not to audit Azure Active Directory sign-in activity. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 720.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 30.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled for Azure Active Directory.

$connection = Connect-CAClient –InstallationName ‘Default'

$agent = Get-CAAgents –Connection $connection | where{$_.agentfqdn -like "CAAGENT.DOMAIN.COM"} *Keep in Uppercase

New-CAAzureADTemplate -Connection $connection -CreateWebApp -Tenant $tenant
-AgentInfo $agent –HistoricalEventCollectionDays 30 -SignIns $True -AuditLogs $True

Alternatively, use these parameters if you are using a pre-created Azure web application that Change Auditor will use for authentication.

For details on integrating applications with Azure Active Directory and creating a web application, consult the Microsoft documentation. When creating a web application in the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant (for example: http://ChangeAuditorApp) for each of them.

The following permissions must be assigned to the Azure web application:

Office 365 Management APIs

Application Permissions:

 

Microsoft Graph

Application Permissions:

Once the required permissions are applied, click Grant admin consent for… and confirm with Yes.

-AgentInfo

An agent object obtained using the Get-CAAgents command. The agent will be used for Azure Active Directory auditing.

-Connection

A connection obtained by using the Connect-CAClient command.

-Tenant

The Azure Active Directory tenant/directory that you want to audit (for example: yourTenantName.onmicrosoft.com).

-AuditLogs

Specifies whether or not to audit the Azure Active Directory audit logs. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-SignIns

Specifies whether or not to audit Azure Active Directory sign-in activity. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-WebAppKey

 

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 720.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 30.

-Disabled (Optional)

Specifies whether auditing is enabled or disabled for Azure Active Directory.

New-CAAzureADTemplate -Connection $connection -AgentInfo $agent -WebAppKey $webAppKey -WebAppId $webAppId -Tenant $tenant –HistoricalEventCollectionDays 30
-SignIns $True -AuditLogs $True

Use this command to edit the web application key and ID, and the agent in an existing Azure Active Directory template. This also allows you to replace an expired or revoked web application.

NOTE:  

-AgentInfo

An agent object obtained using the Get-CAAgents command. The agent will be used for Azure Active Directory auditing.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by the Get-CAAzureADTemplates command.

-CreateWebApp (Optional)

Specifies that you want to create a new Azure web application.

You will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

The Azure Active Directory sign-in page opens automatically.

To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

-AuditLogs

Specifies whether or not to audit the Azure Active Directory audit logs. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-SignIns

Specifies whether or not to audit Azure Active Directory sign-in activity. You must enable at least one type of activity to audit using the
- AuditLogs or -SignIns parameter.

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-WebAppKey

 

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

Set-CAAzureADTemplate -Connection $connection -Template $template -WebAppKey $webAppKey -WebAppId $webAppId

Set-CAAzureADTemplate -Connection $connection -Template $template -SignIns $True
-AuditLogs $True

Use this command to see all the Azure Active Directory templates available within your installation.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAAzureADTemplates -Connection $connection

Managing Office 365 auditing

Change Auditor for Exchange and Change Auditor for SharePoint have been extended to include the auditing of activities taking place in Exchange Online, SharePoint Online, and OneDrive for Business. The following commands are available to manage Office 365 auditing:

NOTE: When you delete a template (see Remove-CAAgentTemplate), the web application created in Azure Active Directory remains. You can delete the web application using the Azure management portal. If you do not have the portal, see https://technet.microsoft.com/en-us/library/dn832618.aspx for instructions.

Use this command to create a template for auditing Office 365 Exchange Online, SharePoint Online, and OneDrive for Business.

 

-AgentInfo

An agent obtained by using the Get-CAAgents command.

-Connection

A connection obtained by using the Connect-CAClient command.

-CreateWebApp (Optional)

Specifies that you want to create a new Azure web application.

You will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

The Azure Active Directory sign-in page opens automatically.

To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

-Tenant

The Azure Active Directory tenant/directory that you want to audit (for example: yourTenantName.onmicrosoft.com).

-AuditAdministration (Optional)

Specifies whether to audit administration events.

-AuditOrganization (Optional)

Specifies whether to audit all Exchange Online mailboxes accessed by users other than the mailbox owner.

-CertificateFile (Optional)

The filename of an exported X509 certificate with private key.

-CertificateFilePassword (Optional)

The password for the certificate file.

NOTE:  

-CertificateThumbprint (Optional)

The thumbprint of a certificate that is located in the user's personal certificate store on the host workstation and must have a private key (string format).

NOTE:  

-GenerateCertificate (Optional)

If specified, will generate a new self-signed certificate.

-Disabled (Optional)

Specifies whether the auditing template is enabled or disabled.

-EnableExchangeOnline (Optional)

Specifies whether Exchange Online auditing is enabled or disabled.

-EnableOneDrive (Optional)

Specifies whether OneDrive for Business auditing is enabled or disabled.

-EnableSharePoint (Optional)

Specifies whether SharePoint Online auditing is enabled or disabled.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 168.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 7.

-ExcludedOperations (Optional)

String that specifies events to exclude from the Office 365 OneDrive for Business event, Office 365 SharePoint Online event, and Office 365 Exchange Online event.

These generic dynamically constructed events are created when associated activity is detected that does not have a corresponding event defined in Change Auditor.

-OverwriteTenantMailboxAuditing (Optional)

Specifies whether the template auditing settings will overwrite the existing tenant auditing settings.

New-CAO365Template -Connection $connection -Tenant $tenant -AgentInfo $agent -CreateWebApp -GenerateCertificate -EnableExchangeOnline $true -AuditAdministration $true –AuditOrganization $true –HistoricalEventCollectionDays 7

When you create or edit an Office 365 auditing template and you select to use an existing web application, it must be configured to support certificate authentication. See the Azure Active Directory and Office 365 User Guide for the required steps.

For more details on integrating applications with Azure Active Directory and creating a web application, consult the Microsoft documentation. When creating a web application in the Azure Classic Portal, you are required to provide the following URLs: Sign-On URL, App ID URL. Specify any URL address that is unique to your tenant (for example: http://ChangeAuditorApp) for each of them.

-AgentInfo

An agent object obtained by using the Get-CAAgents command.

-Connection

A connection obtained by using the Connect-CAClient command.

-Tenant

The Azure AD tenant/Directory that you would like Change Auditor to audit (for example: yourTenantName.onmicrosoft.com).

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-WebAppKey

 

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-AuditAdministration (Optional)

Specifies whether to audit administration events.

-CertificateFile (Optional)

The filename of an exported X509 certificate with private key.

-CertificateFilePassword (Optional)

The password for the certificate file.

NOTE:  

-CertificateThumbprint (Optional)

The thumbprint of a certificate that is located in the user's personal certificate store on the host workstation and must have a private key (string format).

NOTE:  

-AuditOrganization (Optional)

Specifies whether to audit all Exchange Online mailboxes accessed by users other than the mailbox owner.

-Disabled (Optional)

Specifies whether the auditing template is enabled or disabled.

-EnableExchangeOnline (Optional)

Specifies whether Exchange Online auditing is enabled or disabled.

-EnableOneDrive (Optional)

Specifies whether OneDrive for Business auditing is enabled or disabled.

-EnableSharePoint (Optional)

Specifies whether SharePoint Online auditing is enabled or disabled.

-HistoricalEventCollectionDays (Optional)

Specifies how many days the agent should go back in time to start event collection. The parameter accepts values from 1 to 7.

-HistoricalEventCollectionHours (Optional)

Specifies how many hours the agent should go back in time to start event collection. The parameter accepts values from 1 to 168.

-ExcludedOperations (Optional)

String that specifies events to exclude from the Office 365 OneDrive for Business event, Office 365 SharePoint Online event, and Office 365 Exchange Online event.

These generic dynamically constructed events are created when associated activity is detected that does not have a corresponding event defined in Change Auditor.

-OverwriteTenantMailboxAuditing (Optional)

Specifies whether the template auditing settings will overwrite the existing tenant auditing settings.

New-CAO365Template -Connection $connection -Tenant $tenant -AgentInfo $agent -WebAppId $webAppID -WebAppKey $webAppKey1 -CertificateFile 'C:\Users\user.domain\Desktop\CertificateFile.pfx' -CertificateFilePassword $password -EnableExchangeOnline $true -AuditAdministration $true –AuditOrganization $true –HistoricalEventCollectionDays 7

Use this command to edit the account used to access Office 365 Exchange Online, the type of service and events to audit, and select a new agent.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by using the Get-CAO365Templates command.

-CreateWebApp (Optional)

Specifies that you want to create a new Azure web application.

You will need to login to register Change Auditor in the tenant and ensure the required consent has been granted. Note: Internet access is required.

The Azure Active Directory sign-in page opens automatically.

To apply the consent to all the users in your organization, click to enable Consent on behalf of your organization and click Accept.

-WebAppId

An Azure Active Directory web application Id. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-WebAppKey

 

The key assigned to the web application specified for the WebAppId parameter. This application is needed for Change Auditor to authenticate to your Azure Active Directory tenant.

-AgentInfo (Optional)

An agent object obtained by using the Get-CAAgents command.

-AuditAdministration (Optional)

Specifies whether to audit administration events.

-AuditOrganization (Optional)

Specifies whether to audit all Exchange Online mailboxes accessed by non-owners.

-CertificateFile (Optional)

The filename of an exported X509 certificate with private key.

-CertificateFilePassword (Optional)

The password for the certificate file.

NOTE:  

-CertificateThumbprint (Optional)

The thumbprint of a certificate that is located in the user's personal certificate store on the host workstation and must have a private key (string format).

NOTE:  

-GenerateCertificate (Optional)

If specified, will generate a new self-signed certificate.

-EnableExchangeOnline (Optional)

Specifies whether Exchange Online auditing is enabled or disabled.

-EnableOneDrive (Optional)

Specifies whether OneDrive for Business auditing is enabled or disabled.

-EnableSharePoint (Optional)

Specifies whether SharePoint Online auditing is enabled or disabled.

-ExcludedOperations (Optional)

String that specifies events to exclude from the Office 365 OneDrive for Business event, Office 365 SharePoint Online event, and Office 365 Exchange Online event.

These generic dynamically constructed events are created when associated activity is detected that does not have a corresponding event defined in Change Auditor.

-OverwriteTenantMailboxAuditing (Optional)

Specifies whether the template auditing settings will overwrite the existing tenant auditing settings.

Set-CAO365Template -Connection $connection -Template $template
-AuditOrganization $true

Set-CAO365Template -Connection $connection -Template $template -EnableSharePoint $true -EnableOneDrive $true

Set-CAO365Template -Connection $connection -Template $template -CreateWebApp -GenerateCertificate -AgentInfo $agent

Set-CAO365Template -Connection $connection -Template $template -WebAppId $webAppId -WebAppKey $webAppKey -CertificateThumbprint $certificateThumbprint -AgentInfo $agent

Set-CAO365Template -Connection $connection -Template $template -AgentInfo $agent

Use this command to see all the Office 365 templates available within your installation.

-Connection

A connection obtained by using the Connect-CAClient command.

Get-CAO365Templates -Connection $connection

Use this command to remove a template for auditing Office 365 Exchange Online, SharePoint Online, and OneDrive for Business.

-Connection

A connection obtained by using the Connect-CAClient command.

-Tenant

The Office 365 tenant that is used for auditing. For example, yourTenantName.onmicrosoft.com.

Remove-CAO365Template -Connection $connection -Tenant $tenant

Use this command to find specific mailboxes that can be added to an existing Office 365 Exchange Online template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Tenant

The Office 365 tenant that is used for auditing. For example, yourTenantName.onmicrosoft.com.

-SearchText (Optional)

The search criteria specified as the mailbox display name. This can be the full name of the mailbox to return a specific mailbox or the starting characters to return a list of mailboxes that start with those characters.

-Skip (Optional)

The number of objects to exclude from the list of returned objects, starting from the top.

-First (Optional)

The number of objects to return.

-IncludeTotalCount (Optional)

The total number of objects in the data set. Values specified for the First or Skip parameters do not impact this count.

Get-CAO365ExchangeMailboxes -Connection $connection -Tenant $tenant -SearchText "a"

Use this command to audit specific mailboxes in your organization by adding them to an existing Office 365 Exchange Online template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by using the Get-CAO365Templates command.

-Mailboxes

Mailbox objects obtained by using the Get-CAO365ExchangeMailboxes command.

-AuditOwnerEvents (Optional)

A switch that indicates that the added mailboxes will be audited for owner activity in addition to the non-owner activity. By default, the mailboxes will be audited for non-owner mailbox activity only.

-OverwriteExisting (Optional)

If the mailboxes already exist in the template, this switch indicates that the mailboxes will have their current owner/non-owner auditing settings overwritten with new settings.

Add-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template -Mailboxes $mailboxes –AuditOwnerEvents

Use this command to remove mailboxes from an existing Office 365 Exchange Online template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by using the Get-CAO365Templates command.

-Mailboxes

Mailbox objects obtained by using the Get-CAO365ExchangeMailboxes command.

-All (Optional)

A switch that indicates that all mailboxes will be removed from the template.

Remove-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template –All

Use this command to retrieve a list of mailboxes being audited by a particular Office 365 Exchange Online template.

-Connection

A connection obtained by using the Connect-CAClient command.

-Template

A template object obtained by using the Get-CAO365Templates command.

-AuditTypeFilter

Parameter that allows you to narrow the search based on the type of activities being audited: non-owner only, owner (non-owner, owner), or any (non-owner only, owner and non-owner).

-DisplayNameFilter

The search criteria specified as the mailbox display name. This can be the full name of the mailbox to return a specific mailbox or the starting characters to return a list of mailboxes that start with those characters.

-Skip (Optional)

The number of objects to exclude from the list of returned objects, starting from the top.

-First (Optional)

The number of objects to return.

-IncludeTotalCount (Optional)

The total number of objects in the data set. Values specified for the First or Skip parameters do not impact this count.

Get-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template

Get-CAO365ExchangeTemplateMailboxes -Connection $connection -Template $template -DisplayNameFilter "Sam S" -AuditTypeFilter NonOwnerOnly

 

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级