forked from HubTou/tala

Microsoft Teams Audit Log Analyzer


servierhub/tala

 
 


What is it?

A portable Python-only tool to process Microsoft Teams Audit Logs.

The original goal was to help spot network issues (connections lost) by looking at people making multiple successive connections to the same meeting with the same device.

Servier Inspired

Usage

usage: tala [--debug] [--help|-?] [--version]
       [-o|--organizers] [-a|--attendees]
       [-u|--users FILE]
       [-d|--disconnect] [-i|--ip REGEX]
       [--] [file ...]
  ---------------  -------------------------------------------------
  -o|--organizers  List meetings organizers
  -a|--attendees   List meetings attendees
  -d|--disconnect  List meetings disconnections
  -i|--ip REGEX    Filter meeting disconnections by IP address regex
  -u|--users FILE  create/update and use the FILE users database
  --debug          Enable debug mode
  --help|-?        Print usage and this help message and exit
  --version        Print version and exit
  --               Options processing terminator

You can use the command either as a filter (cat my_log_file | tala) or as a file processor (tala my_log_file).

You can either use it:

  • to display an audit log in human readable format (no args)
  • to produce a CSV file with the relevant meetings/organizers information (-o)
  • to produce a CSV file with the relevant meetings/attendees information (-a)
  • to produce/update/use a CSV file with UUID,EMAIL of organizers/attendees (-u FILE)
  • to analyze suspected disconnection cases (-d)
    • you can restrict cases to the ones made from specific IP addresses (-i REGEX), as you normally don't care about people connecting from home rather than your internal enterprise network.
      • for example "^10\.5[78]\." for IPv4 addresses beginning with "10.57." or "10.58.".
    • you can use the CSV file with UUID,EMAIL to identify attendees encountering network issues (-u FILE)

Please note that the suspected disconnection cases are still crude so far, and contain false positives (for example, when you have multiple rather than successive connections to the same meeting, using different devices).

Audit log file format

| Line | Content | Usual values |
|---|---|---|
| 1 | header line | "CreationDate,UserId,Operation,AuditData" |
| 2-50001 | content lines | field1,field2,field3,field4 |

The audit data used to be truncated at 50.000 lines per extract file. If you have files with exactly 50.001 lines, try exporting data on a shorter time span.

NB: The fields can be in any order and there may be additional fields, but tala expects at least the 4 mentioned above, separated by commas.

Content lines format

| Field | Usual values |
|---|---|
| CreationDate | a date in "YYYY-MM-DDThh:mm:ss.0000000Z" format |
| UserId | the email address of the organizer (that field was formerly called "UsedIds") |
| Operation | apparently always "MeetingParticipantDetail", but according to the references below there are other possible values (that field was formerly called "Operations") |
| AuditData | see below... |

AuditData field format

| Field | Usual values |
|---|---|
| CreationTime | a date in "YYYY-MM-DDThh:mm:ss" format |
| Id | the record UUID |
| Operation | apparently always "MeetingParticipantDetail" |
| OrganizationId | the organizer's organisation UUID (Microsoft 365 tenant ID) |
| RecordType | apparently always 25 |
| UserKey | the organizer UUID |
| UserType | apparently always 0 |
| Version | apparently always 1 |
| Workload | apparently always "MicrosoftTeams" |
| ClientIP | an IPv4 or IPv6 address (usually the one before a proxy) |
| UserId | the email address of the organizer |
| ArtifactsShared | a list. Not always present. See below |
| Attendees | a list of 1 element. See below |
| DeviceId | some code (maybe for devices enrolled in Intune?). Not always present |
| ExtraProperties | a list. See below |
| JoinTime | the meeting join date in "YYYY-MM-DDThh:mm:ss" format |
| LeaveTime | the meeting leave date in "YYYY-MM-DDThh:mm:ss" format |
| MeetingDetailId | the meeting UUID |
| DeviceInformation | a string describing the device used by the attendee |
| ItemName | a value with a comma-separated combination of the following words: "ScheduledMeeting", "RecurringMeeting", "AdHocMeeting", "Escalation", "Transfer", "CallQueue", "AutoAttendant", "MicrosoftTeams", "ChannelMeeting", "ScreenSharingCall", "Broadcast", "Streaming", "Cast", "Complete", "31" |

ArtifactsShared sub-field format

| Sub-field | Usual values |
|---|---|
| ArtifactSharedName | apparently always "videoTransmitted" or "screenShared" |

Attendees sub-field format

Can be either:

| Sub-field | Usual values |
|---|---|
| OrganizationId | not always present |
| RecipientType | either "InternalFederated" or "GuestFederated". Used to be either "User", "Anonymous", "Applications" or "Phone" |
| UserObjectId | the attendee's UUID when it's a "User". Not present otherwise |
| DisplayName | the display name when it's an "InternalFederated" or "GuestFederated" user, a phone number when it's a "Phone", an application UUID when it's an "Applications", "teamsvisitor:" followed by a code when it's an "Anonymous" |
| Role | apparently always 1 or 3 |
| UPN | the email address when it's an "InternalFederated" or "GuestFederated" user |

or:

| Sub-field | Usual values |
|---|---|
| DisplayName | an unstructured display name |
| Role | apparently always 1 or 3 |
| UPN | the email address when it's an "InternalFederated" or "GuestFederated" user |

In addition, when the meeting participant is added during the meeting, there's an "InviterInfo" record associated with one of the 2 previous types:

| Sub-field | Sub-sub-field | Usual values |
|---|---|---|
| InviterInfo | InviteTime | a date in "YYYY-MM-DDThh:mm:ss" format |
| InviterInfo | OrganizationId | the inviter's organization UUID |
| InviterInfo | UserType | either "Teams", "PSTN" or "TeamsForLife" |
| InviterInfo | DisplayName | the display name of the inviter |
| InviterInfo | UPN | the email address of the inviter |
| InviterInfo | UserIdentifier | the inviter's UUID |

ExtraProperties sub-field format

| Sub-field | Usual values |
|---|---|
| Key | apparently always "UserAgent" |
| Value | something beginning with "CallSignalingAgent" (the most common one), "SkypeSpaces", "Conferencing Virtual Assistant", "Together Mode", "SkypeBot Transcription Bot Teams", "Teams Echo", "Large Gallery", "Announcement Playback Service", "SkypeBot Call Recorder Teams", "CaaEnterpriseBot", "Large gallery", "SkypeBot Teams Live Events Bot", "MicrosoftTeamsVoicemailService", "SkypeBot Teams Lightweight meeting Bot" |
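
The following is an added example, not tala's own code: a sketch of reading the format described above and flagging quick rejoins to the same meeting from the same device, with the -i style IP filter. It assumes that AuditData is a JSON object and that DeviceInformation identifies the device; the `max_gap_s` threshold and all sample records are constructed for illustration.

```python
import csv, io, json, re
from collections import defaultdict
from datetime import datetime

def _line(upn, ip, device, join, leave):  # one constructed content line
    day = "2024-01-08T"
    audit = {"ClientIP": ip, "MeetingDetailId": "meeting-1",
             "DeviceInformation": device,
             "JoinTime": day + join, "LeaveTime": day + leave,
             "Attendees": [{"UPN": upn, "DisplayName": upn, "Role": 3}]}
    return [day + leave + ".0000000Z", "organizer@example.com",
            "MeetingParticipantDetail", json.dumps(audit)]

def sample_log():  # constructed export: header line plus six content lines
    buf = io.StringIO()
    out = csv.writer(buf)
    out.writerow(["CreationDate", "UserId", "Operation", "AuditData"])
    # alice: leaves and rejoins one minute later on the same device
    out.writerow(_line("alice@example.com", "10.57.1.20", "PC", "09:00:00", "09:10:00"))
    out.writerow(_line("alice@example.com", "10.57.1.20", "PC", "09:11:00", "09:30:00"))
    # bob: two devices at the same time (the false positive noted earlier)
    out.writerow(_line("bob@example.com", "10.58.2.7", "PC", "09:00:00", "09:30:00"))
    out.writerow(_line("bob@example.com", "10.58.2.7", "Phone", "09:05:00", "09:30:00"))
    # carol: rejoins from an address outside the enterprise ranges
    out.writerow(_line("carol@example.com", "192.168.1.5", "PC", "09:00:00", "09:15:00"))
    out.writerow(_line("carol@example.com", "192.168.1.5", "PC", "09:16:00", "09:30:00"))
    return buf.getvalue()

def suspected_disconnections(text, ip_regex=None, max_gap_s=300):
    """Return (meeting, attendee, device, gap_seconds) for each quick rejoin."""
    sessions = defaultdict(list)
    for rec in csv.DictReader(io.StringIO(text)):  # columns may be in any order
        if rec.get("Operation") != "MeetingParticipantDetail":
            continue
        audit = json.loads(rec["AuditData"])  # assumption: AuditData is JSON
        if ip_regex and not re.search(ip_regex, audit.get("ClientIP", "")):
            continue
        att = (audit.get("Attendees") or [{}])[0]
        who = att.get("UPN") or att.get("UserObjectId") or att.get("DisplayName")
        key = (audit["MeetingDetailId"], who, audit.get("DeviceInformation"))
        sessions[key].append((datetime.fromisoformat(audit["JoinTime"]),
                              datetime.fromisoformat(audit["LeaveTime"])))
    cases = []
    for key, spans in sessions.items():
        spans.sort()
        for (_, left), (rejoin, _) in zip(spans, spans[1:]):
            gap = (rejoin - left).total_seconds()
            if 0 <= gap <= max_gap_s:  # successive, not overlapping, sessions
                cases.append((*key, gap))
    return cases
```

With the filter "^10\.5[78]\." only alice's rejoin is reported; without it carol's is reported as well, and bob's overlapping two-device sessions are never flagged.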

References

Other interesting links:
