Introduction
With the MS Powershell Sensor you can, by default, trigger any Get- cmdlet within your Office 365 tenant (Exchange and Security / Compliance).
By default, the cmdlets are restricted so that only Get- and Test- cmdlets are allowed. You can adjust this by modifying the following files on the GL filesystem.
For Exchange:
Open an SSH console and issue the following commands:
- vim /opt/panagenda/appdata/volumes/gl/scripts/gl_powershell/o365_exchange_ps_commands.txt
- Add your cmdlet at the end of this list, then save and close the file.
- Afterwards, restart the following Docker container: docker restart gl_tomcat
- Wait until the GL application becomes available again (login screen).
- From now on you can choose your cmdlet entry within the sensor.
For Security and Compliance:
- vim /opt/panagenda/appdata/volumes/gl/scripts/gl_powershell/o365_sec_and_compliance_ps_commands.txt
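Every cmdlet added to these lists becomes selectable in the sensor, so it is worth reviewing both files after an edit. The script below is an added example, not panagenda's own tooling: it lists every entry that is not a plain Get- or Test- cmdlet name. It assumes the files hold one cmdlet name per line, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: audit a GL cmdlet allowlist against the default Get-/Test- policy.
# Assumption: one cmdlet name per line; blank lines and lines starting with '#' are skipped.

# Print "lineno:entry" for every entry that is not a bare Get-<Noun> or Test-<Noun> name.
# The strict pattern also flags entries with embedded spaces, separators or parameters.
audit_allowlist() {
    awk '
        { sub(/\r$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # tolerate CRLF and stray whitespace
        $0 == "" || /^#/ { next }                          # skip blanks and comments
        # PowerShell cmdlet names are Verb-Noun and case-insensitive
        tolower($0) !~ /^(get|test)-[a-z0-9]+$/ { printf "%d:%s\n", NR, $0 }
    ' "$1"
}

# Constructed sample standing in for o365_exchange_ps_commands.txt
sample=$(mktemp)
printf '%s\n' \
    'Get-Mailbox' \
    'Get-MailTrafficReport' \
    'Test-MapiConnectivity' \
    '' \
    'Set-Mailbox' \
    'get-user' \
    'Remove-Mailbox ' > "$sample"

echo "Entries outside the Get-/Test- policy in the sample:"
audit_allowlist "$sample"

# On the GL host, pass the real allowlist paths as arguments to audit them too.
for f in "$@"; do
    echo "== $f"
    audit_allowlist "$f"
done
```

An empty result means the list still matches the default read-only policy; any line printed is a cmdlet that was added deliberately and should be accounted for.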
This knowledge base article explains two simple examples for Exchange:
- Get-Mailbox
- Get-MailTrafficReport
Configuration
First of all, you have to add portal.office.com as a server to your GL server list. Add the server without selecting any OS type or role.
Scenario 1: Get-Mailbox for a specific user
Create an MS Powershell Sensor with the following settings:
- Script Type: O365
- Command Type: Exchange
- Username+Password
- cmdlet: enter "Get-" and choose Get-Mailbox from the list
- Add your parameters (make sure that you have one parameter per line!)
- Add portal.office.com as a target (target tab)
Output:
Scenario 2: Get-MailTrafficReport for a single day
Create an MS Powershell Sensor with the following settings:
- Script Type: O365
- Command Type: Exchange
- Username+Password
- cmdlet: enter "Get-" and choose Get-MailTrafficReport from the list
- Add your parameters (make sure that you have one parameter per line!)
Output:
All of this output can also be used for charting and alerting.
Example: inbound e-mails