
Alternatively it may be beneficial for Velociraptor to run an MFT parser periodically and allow artifacts to reference a moderately up-to-date table of data. This may impact performance if it...

.JOB files - https://github.com/gleeda/misc-scripts/blob/master/misc_python/jobparser.py Lowish priority, but I have seen it used for persistence instead of the standard XML tasks. Unsure whether they're picked up by autoruns. WBEM repo - I'm still...

https://github.com/davidpany/WMI_Forensics/blob/master/CCM_RUA_Finder.py

@mpilking - can I share some of the data from the current/old 508 dataset? CCM RUA is one of those artefacts that, when available, has been invaluable on servers, but...

New Purview export from GUI has the following fields: RecordId,CreationDate,RecordType,Operation,UserId,AuditData

RecordId,CreationDate,RecordType,Operation,UserId,AuditData 0030f965-ed34-48c0-c61b-08da573650db,6/26/2022 5:40:02 AM,3,HardDelete,[email protected],"{""CreationTime"":""2022-06-26T05:40:02"",""Id"":""0030f965-ed34-48c0-c61b-08da573650db"",""Operation"":""HardDelete"",""OrganizationId"":""12341234-1234-1234-1234-123412341234"",""RecordType"":3,""ResultStatus"":""Succeeded"",""UserKey"":""FFFFFFFFFFFFFFFF"",""UserType"":0,""Version"":1,""Workload"":""Exchange"",""ClientIP"":""180.150.36.168"",""UserId"":""[email protected]"",""ClientIPAddress"":""180.150.36.168"",""ClientInfoString"":""Client=ActiveSync"",""ExternalAccess"":false,""InternalLogonType"":0,""LogonType"":0,""LogonUserSid"":""S-1-5-21-1234-1234-1234-1234"",""MailboxGuid"":""11111111-2222-2222-3333-444444444444"",""MailboxOwnerSid"":""S-1-5-21-1234-1234-1234-1234"",""MailboxOwnerUPN"":""[email protected]"",""OrganizationName"":""testtenancy.onmicrosoft.com"",""OriginatingServer"":""SY4P282MB3551 (15.20.4200.000)\r\n"",""AffectedItems"":[{""Id"":""RgAAAABrQsWN1X22SKsI3ZybZGsPBwAosCml+oLISIgtXqbEv8XmAAAAAAEMAAAosCml+oLISIgtXqbEv8XmAAGMMzcsAAAJ"",""InternetMessageId"":"""",""ParentFolder"":{""Id"":""LgAAAABrQsWN1X22SKsI3ZybZGsPAQAosCml+oLISIgtXqbEv8XmAAAAAAEMAAAB"",""Path"":""\\Inbox""},""Subject"":""Action""}],""CrossMailboxOperation"":false,""Folder"":{""Id"":""LgAAAABrQsWN1X22SKsI3ZybZGsPAQAosCml+oLISIgtXqbEv8XmAAAAAAEMAAAB"",""Path"":""\\Inbox""}}" 0034779e-f875-4015-d49b-08da4763e1a9,6/6/2022 2:25:53 AM,6,FilePreviewed,[email protected],"{""AppAccessContext"":{""CorrelationId"":""219044a0-106f-1000-4ccf-dff97fcd0a5d""},""CreationTime"":""2022-06-06T02:25:53"",""Id"":""0034779e-f875-4015-d49b-08da4763e1a9"",""Operation"":""FilePreviewed"",""OrganizationId"":""12341234-1234-1234-1234-123412341234"",""RecordType"":6,""UserKey"":""i:0h.f|membership|[email 
protected]"",""UserType"":0,""Version"":1,""Workload"":""SharePoint"",""ClientIP"":""180.150.36.168"",""ObjectId"":""https:\/\/testtenancy.sharepoint.com\/sites\/test\/Shared Documents\/files\/R1.doc"",""UserId"":""[email protected]"",""CorrelationId"":""219044a0-106f-1000-4ccf-dff97fcd0a5d"",""DoNotDistributeEvent"":true,""EventSource"":""SharePoint"",""ItemType"":""File"",""ListId"":""e7362856-6fde-4908-b82a-e6e06e699ff8"",""ListItemUniqueId"":""b78ac8b8-7a97-4635-a28e-d029a3792dc4"",""Site"":""00000000-3333-3333-3333-000000000000"",""UserAgent"":""OneDriveMpc-Transform_Thumbnail\/1.0"",""WebId"":""22949a7a-8ce8-4bc0-a70c-7d3eb9dd0920"",""HighPriorityMediaProcessing"":false,""SourceFileExtension"":""doc"",""SiteUrl"":""https:\/\/testtenancy.sharepoint.com\/sites\/test\/"",""SourceFileName"":""R1.doc"",""SourceRelativeUrl"":""Shared Documents\/files\/Reports""}" 006221cd-dc7d-40a6-f0f5-08da82b96bd7,8/20/2022 2:36:51 PM,3,HardDelete,[email protected],"{""CreationTime"":""2022-08-20T14:36:51"",""Id"":""006221cd-dc7d-40a6-f0f5-08da82b96bd7"",""Operation"":""HardDelete"",""OrganizationId"":""12341234-1234-1234-1234-123412341234"",""RecordType"":3,""ResultStatus"":""Succeeded"",""UserKey"":""FFFFFFFFFFFFFFFF"",""UserType"":0,""Version"":1,""Workload"":""Exchange"",""ClientIP"":""2001:8004:4500:b5d2:a5cd:7528:628e:61a7"",""UserId"":""[email protected]"",""ClientIPAddress"":""2001:8004:4500:b5d2:a5cd:7528:628e:61a7"",""ClientInfoString"":""Client=ActiveSync"",""ExternalAccess"":false,""InternalLogonType"":0,""LogonType"":0,""LogonUserSid"":""S-1-5-21-1234-1234-1234-1234"",""MailboxGuid"":""11111111-2222-2222-3333-444444444444"",""MailboxOwnerSid"":""S-1-5-21-1234-1234-1234-1234"",""MailboxOwnerUPN"":""[email protected]"",""OrganizationName"":""testtenancy.onmicrosoft.com"",""OriginatingServer"":""SY4P282MB3551 
(15.20.4200.000)\r\n"",""AffectedItems"":[{""Id"":""RgAAAABrQsWN1X22SKsI3ZybZGsPBwAosCml+oLISIgtXqbEv8XmAAAAAAEMAAAosCml+oLISIgtXqbEv8XmAAGxPFA1AAAJ"",""InternetMessageId"":"""",""ParentFolder"":{""Id"":""LgAAAABrQsWN1X22SKsI3ZybZGsPAQAosCml+oLISIgtXqbEv8XmAAAAAAEMAAAB"",""Path"":""\\Inbox""},""Subject"":""Your email""}],""CrossMailboxOperation"":false,""Folder"":{""Id"":""LgAAAABrQsWN1X22SKsI3ZybZGsPAQAosCml+oLISIgtXqbEv8XmAAAAAAEMAAAB"",""Path"":""\\Inbox""}}" 00a2cb6e-89c4-430e-a2ff-08da741fa69b,8/2/2022 12:40:51 AM,3,HardDelete,[email protected],"{""CreationTime"":""2022-08-02T00:40:51"",""Id"":""00a2cb6e-89c4-430e-a2ff-08da741fa69b"",""Operation"":""HardDelete"",""OrganizationId"":""12341234-1234-1234-1234-123412341234"",""RecordType"":3,""ResultStatus"":""Succeeded"",""UserKey"":""FFFFFFFFFFFFFFFF"",""UserType"":0,""Version"":1,""Workload"":""Exchange"",""ClientIP"":""2403:5801:1768:0:9da9:38c3:d08b:9799"",""UserId"":""[email protected]"",""ClientIPAddress"":""2403:5801:1768:0:9da9:38c3:d08b:9799"",""ClientInfoString"":""Client=ActiveSync"",""ExternalAccess"":false,""InternalLogonType"":0,""LogonType"":0,""LogonUserSid"":""S-1-5-21-1234-1234-1234-1234"",""MailboxGuid"":""11111111-2222-2222-3333-444444444444"",""MailboxOwnerSid"":""S-1-5-21-1234-1234-1234-1234"",""MailboxOwnerUPN"":""[email protected]"",""OrganizationName"":""testtenancy.onmicrosoft.com"",""OriginatingServer"":""SY4P282MB3551 (15.20.4200.000)\r\n"",""AffectedItems"":[{""Id"":""RgAAAABrQsWN1X22SKsI3ZybZGsPBwAosCml+oLISIgtXqbEv8XmAAAAAAEMAAAosCml+oLISIgtXqbEv8XmAAGkatJeAAAJ"",""InternetMessageId"":"""",""ParentFolder"":{""Id"":""LgAAAABrQsWN1X22SKsI3ZybZGsPAQAosCml+oLISIgtXqbEv8XmAAAAAAEMAAAB"",""Path"":""\\Inbox""},""Subject"":""Your email""}],""CrossMailboxOperation"":false,""Folder"":{""Id"":""LgAAAABrQsWN1X22SKsI3ZybZGsPAQAosCml+oLISIgtXqbEv8XmAAAAAAEMAAAB"",""Path"":""\\Inbox""}}" 00aa9aa0-cba1-42d0-a8a3-08da4d4395f5,6/13/2022 1:49:50 PM,3,HardDelete,[email 
protected],"{""CreationTime"":""2022-06-13T13:49:50"",""Id"":""00aa9aa0-cba1-42d0-a8a3-08da4d4395f5"",""Operation"":""HardDelete"",""OrganizationId"":""12341234-1234-1234-1234-123412341234"",""RecordType"":3,""ResultStatus"":""Succeeded"",""UserKey"":""FFFFFFFFFFFFFFFF"",""UserType"":0,""Version"":1,""Workload"":""Exchange"",""ClientIP"":""180.150.36.168"",""UserId"":""[email protected]"",""ClientIPAddress"":""180.150.36.168"",""ClientInfoString"":""Client=ActiveSync"",""ExternalAccess"":false,""InternalLogonType"":0,""LogonType"":0,""LogonUserSid"":""S-1-5-21-1234-1234-1234-1234"",""MailboxGuid"":""11111111-2222-2222-3333-444444444444"",""MailboxOwnerSid"":""S-1-5-21-1234-1234-1234-1234"",""MailboxOwnerUPN"":""[email protected]"",""OrganizationName"":""testtenancy.onmicrosoft.com"",""OriginatingServer"":""SY4P282MB3551 (15.20.4200.000)\r\n"",""AffectedItems"":[{""Id"":""RgAAAABrQsWN1X22SKsI3ZybZGsPBwAosCml+oLISIgtXqbEv8XmAAAAAAEMAAAosCml+oLISIgtXqbEv8XmAAGEW37sAAAJ"",""InternetMessageId"":"""",""ParentFolder"":{""Id"":""LgAAAABrQsWN1X22SKsI3ZybZGsPAQAosCml+oLISIgtXqbEv8XmAAAAAAEMAAAB"",""Path"":""\\Inbox""},""Subject"":""Action required""}],""CrossMailboxOperation"":false,""Folder"":{""Id"":""LgAAAABrQsWN1X22SKsI3ZybZGsPAQAosCml+oLISIgtXqbEv8XmAAAAAAEMAAAB"",""Path"":""\\Inbox""}}" 0176b00a-27b5-4a4f-5153-08da4e88d686,6/15/2022 4:38:04 AM,4,FileMoved,[email protected],"{""AppAccessContext"":{""CorrelationId"":""417d47a0-701c-1000-5979-46ce8a88a543""},""CreationTime"":""2022-06-15T04:38:04"",""Id"":""0176b00a-27b5-4a4f-5153-08da4e88d686"",""Operation"":""FileMoved"",""OrganizationId"":""12341234-1234-1234-1234-123412341234"",""RecordType"":4,""UserKey"":""i:0h.f|membership|[email protected]"",""UserType"":0,""Version"":1,""Workload"":""SharePoint"",""ClientIP"":"""",""ObjectId"":""https:\/\/testtenancy.sharepoint.com\/sites\/test\/Shared Documents\/files\/Urban.xlsx"",""UserId"":""[email 
protected]"",""CorrelationId"":""417d47a0-701c-1000-5979-46ce8a88a543"",""CustomUniqueId"":false,""EventSource"":""SharePoint"",""ItemType"":""File"",""ListId"":""e7362856-6fde-4908-b82a-e6e06e699ff8"",""ListItemUniqueId"":""4d6c1b75-8bc1-477b-b5f4-fe235c61f1df"",""Site"":""00000000-3333-3333-3333-000000000000"",""UserAgent"":"""",""WebId"":""22949a7a-8ce8-4bc0-a70c-7d3eb9dd0920"",""EventData"":""AUSAUShttps:\/\/testtenancy-my.sharepoint.com\/personal\/x\/Documents\/Urban.xlsxhttps:\/\/testtenancy.sharepoint.com\/sites\/test\/Shared Documents\/files\/Urban.xlsxhttps:\/\/testtenancy.sharepoint.com\/sites\/test5b9389eb-4d48-4b5a-adae-9e8e2de9442c4d6c1b75-8bc1-477b-b5f4-fe235c61f1dfcb7fe1d9-2bde-43f8-b4c9-2af0f0b433dda05b1dc7-c67a-4828-9393-3659a8ad40b1""}"...

Will come back to testing. It's mostly ok. There's a JSON parse failure on "movetodeleteditems", so I'll have to get you an example to look at.

Here's an event! f55e4951-32ed-4c73-2aed-08da111123ad,8/28/2022 11:58:01 PM,3,MoveToDeletedItems,[email protected]"{""CreationTime"":""2022-01-11T23:58:01"",""Id"":""f55e4951-32ed-4c73-2aed-08da895123ad"",""Operation"":""MoveToDeletedItems"",""OrganizationId"":""12341234-1234-1234-1234-123412341234"",""RecordType"":3,""ResultStatus"":""Succeeded"",""UserKey"":""1001100111111111"",""UserType"":0,""Version"":1,""Workload"":""Exchange"",""ClientIP"":""1.1.1.1"",""UserId"":""[email protected]"",""AppId"":""00000002-0000-0ff1-ce00-000000000000"",""ClientIPAddress"":""1.1.1.1"",""ClientInfoString"":""Client=OWA;Action=ViaProxy"",""ExternalAccess"":false,""InternalLogonType"":0,""LogonType"":0,""LogonUserSid"":""S-1-5-21-111111111-1111111111-1111111111-1234567"",""MailboxGuid"":""1234123-1234-1234-1234-1234123412"",""MailboxOwnerSid"":""S-1-5-21-111111111-1111111111-1111111111-1234567"",""MailboxOwnerUPN"":""[email protected]"",""OrganizationName"":""test.onmicrosoft.com"",""OriginatingServer"":""SY4P212MB3551 (15.20.4200.000)\r\n"",""SessionId"":""f7111a8d-7d51-4f11-99e9-7e18c7d0911c"",""AffectedItems"":[{""Attachments"":""image001.jpg (2116b); image002.jpg (1111b)"",""Id"":""RgA111BrQsWN1X22SKsI3ZybZGsPBwAosCml+oLISIgtXqbEv8XmAAAAAND8AAAosCml+oLISIgtXqbEv8XmAAG2daILAAA1””,””InternetMessageId"":"""",""ParentFolder"":{""Id"":""LgAAAABrQsWN1X22SKsI3ZybZGsPAQAosCml+oLISIgtXqbEv8XmAAAAAND8AAAB"",""Path"":""\\RSS Feeds""},""Subject"":""RE: Subject""}],""CrossMailboxOperation"":false,""DestFolder"":{""Id"":""LgAAAABrQsWN1X22SKsI3ZybZGsPAQAosCml+oLISIgtXqbEv8XmAAAAAAEKAAA1””,””Path"":""\\Deleted Items""},""Folder"":{""Id"":""LgAAAABrQsWN1X22SKsI3ZybZGsPAQAosCml+oLISIgtXqbEv8XmAAAAAND8AAA1””,””Path"":""\\RSS Feeds""}}"

That's a fair assumption and I'd go with it being correct.

> Very unlikely - does it have a JSON export rather than a CSV export? Supporting that is probably preferable