Introduction

With the MS Powershell Sensor you can run any Get- cmdlet against your Office 365 tenant (Exchange and Security / Compliance).
By default, the available cmdlets are restricted so that only Get- and Test- cmdlets are allowed. You can adjust this by modifying the following files on the GL filesystem.

For Exchange:

Open an SSH console and issue the following commands:

  • vim /opt/panagenda/appdata/volumes/gl/scripts/gl_powershell/o365_exchange_ps_commands.txt
  • Add your cmdlet at the end of this list, then save and close the file.
  • Afterwards, restart the following Docker container: docker restart gl_tomcat
  • Wait until the GL application becomes available again (login screen).
  • From now on you can choose your cmdlet entry within the sensor.


For Security and Compliance:

vim /opt/panagenda/appdata/volumes/gl/scripts/gl_powershell/o365_sec_and_compliance_ps_commands.txt
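The edit described above can be done with a guard instead of a free-hand vim session. The following is an added example, not panagenda code: it only appends cmdlets with a Get- or Test- verb, skips duplicates, keeps a backup, and lists any existing entry outside those two verbs. It assumes the list file holds one cmdlet name per line; the function names and the `ALLOWLIST` variable are hypothetical.

```shell
# Added example (not panagenda code): guarded edit and audit of the cmdlet list.
# Assumption: the list file holds one cmdlet name per line.

# Exchange list path from the article; set ALLOWLIST to the
# o365_sec_and_compliance_ps_commands.txt path for Security and Compliance.
ALLOWLIST="${ALLOWLIST:-/opt/panagenda/appdata/volumes/gl/scripts/gl_powershell/o365_exchange_ps_commands.txt}"

# Succeeds only for a single well-formed Get-/Test- cmdlet name.
is_readonly_cmdlet() {
  [ "$(printf '%s' "$1" | wc -l)" -eq 0 ] || return 1   # reject embedded newlines
  printf '%s\n' "$1" | grep -Eqi '^(Get|Test)-[A-Za-z0-9]+$'
}

# add_cmdlet FILE CMDLET -> 0 added, 1 already listed, 2 rejected
add_cmdlet() {
  al_file=$1 al_cmdlet=$2
  is_readonly_cmdlet "$al_cmdlet" || { printf 'rejected: %s\n' "$al_cmdlet" >&2; return 2; }
  # -x whole line, -F literal, -i because PowerShell names are case-insensitive
  if grep -qixF -- "$al_cmdlet" "$al_file" 2>/dev/null; then return 1; fi
  if [ -f "$al_file" ]; then cp -p -- "$al_file" "$al_file.bak"; fi
  # Terminate the last existing line so the new entry does not fuse with it.
  if [ -s "$al_file" ] && [ -n "$(tail -c 1 -- "$al_file")" ]; then echo >> "$al_file"; fi
  printf '%s\n' "$al_cmdlet" >> "$al_file"
}

# audit_allowlist FILE -> prints every entry that is not a Get-/Test- cmdlet
audit_allowlist() {
  tr -d '\r' < "$1" | grep -v '^[[:space:]]*$' | grep -Eiv '^(Get|Test)-[A-Za-z0-9]+$' || true
}

# Usage on the GL host (restart step as in the article):
#   add_cmdlet "$ALLOWLIST" Get-MailboxStatistics && docker restart gl_tomcat
#   audit_allowlist "$ALLOWLIST"
```

Any line printed by `audit_allowlist` is a cmdlet the sensor account could run that goes beyond the default read-only restriction, so it is worth reviewing after every change to either file.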

This knowledge base article walks through two simple examples for Exchange:

  1. Get-Mailbox
  2. Get-MailTrafficReport

Configuration

First, add portal.office.com as a server to your GL server list. Add the server without selecting any OS type or role.

Scenario 1:  Get-Mailbox for a specific user

Create an MS Powershell Sensor with the following settings:

  • Script Type: O365
  • Command Type: Exchange
  • Username+Password
  • Cmdlet: enter "Get-" and choose Get-Mailbox from the list
  • Add your parameters (make sure that you have one parameter per line!)
  • Add portal.office.com as a target (Target tab)

Output:

Scenario 2:  Get-MailTrafficReport for a single day

Create an MS Powershell Sensor with the following settings:

  • Script Type: O365
  • Command Type: Exchange
  • Username+Password
  • Cmdlet: enter "Get-" and choose Get-MailTrafficReport from the list
  • Add your parameters (make sure that you have one parameter per line!)

Output:

All of this output can also be used for charting and alerting.

Example: inbound e-mails