Releases: invictus-ir/Microsoft-Extractor-Suite
Update V1.3.5 - Improvements to Get-AzureADLogs + Get AzureADGraphLogs
Get-AzureADLogs and Get-AzureADGraphLogs:
- Changed the output directory names for the Audit and Sign-in logs to make it clearer which folders contain what logs.
- Accepted pull request by angry-bender, which added the split by time feature to Get-AzureADAuditLogs with a 12-hour interval (larger dataset than SignInLogs).
- Both Graph and AD collections for the audit logs and sign-in logs now support date and time instead of only date.
- Added error handling to the Graph and AD functionalities to retry if they fail, ensuring all data is collected.
Get-Email
- The functionality Get-Email now supports an input text file containing multiple message IDs, and the functionality will download all messages.
Update V1.3.4 - Bug fixes
- Fixed a bug reported by Camel0101 where the number of log entries is not displayed in the Get-UALStatistics command.
- Fixed a bug reported by SecurityAura where LogFile.txt gives errors when the default Output directory is not present.
- Fixed an issue where the MergeOutput flag is not working correctly for Get-UALGroup and Get-UALSpecific.
- As requested by evild3ad, the LastUpdatedDateTime has been added to the Get-MFA command.
Update V1.3.3 - Some bug fixes
- Fixed some functionalities that did not return valid JSON output:
- Get-UalGraph
- Get-ADAuditLogs
- Removed incorrect parameter in the Azure Audit Logs documentation.
- Removed incorrect example for the Get-Session functionality.
- Added Microsoft-Analyzer-Suite by evild3ad to the readme.
- Added a try/catch loop for Get-ActivityLogs as requested by angry-bender.
- Fixed a bug in the Get-Sessions and Get-MessageIDs functionalities not correctly filtering.
- Added an extra output to the Get-MFA functionality, now writing two CSV files with user registration details and authentication methods utilized in the environment.
- Removed duplicate tempaccess/temporaryAccessPass in Get-MFA.
- Accepted Pull Request from angry-bender fixing some date format issues with the Graph Sign-in functionality.
Introduced a merge output flag for Azure AD Graph logs and AD logs
- Merge Output Option: Introduced a merge output flag for Azure AD Graph logs and AD logs.
- File Naming Correction: Corrected an issue where the .json extension was missing from the filename for AD sign-in logs, ensuring files are correctly recognized and processed by tools expecting JSON format.
- Option Renaming: The MergecsvOutput option has been renamed to MergeOutput to better reflect its functionality and to accommodate both CSV and JSON file formats.
- Fixed bug with wrong version number in the version check.
Fixed a bug in the Get-UalGraph function that caused an error during output writing
Fixed a bug in the Get-UalGraph function that caused an error during output writing. Additionally, accepted a pull request from Angry-Bender that resolves potential out-of-memory issues in Get-AzureADLogs by writing the output to separate files for each day.
Introduced a Graph Unified Audit Log (UAL) acquisition method
New Features
- Introduced a Graph Unified Audit Log (UAL) acquisition method, expanding the script's functionality.
Performance Improvements:
- Refined the code for ADSignInLogsGraph, ADAuditLogsGraph, ADAuditLogs and ADSignInLogs to enhance efficiency.
- Streamlined the results directly into the output file, bypassing the need to store them in memory first. This change addresses potential out-of-memory errors for large tenants.
- Get-ADSignInLogs now writes the output for each day, addressing the out-of-memory errors. This approach may be applied to other scripts later as well.
Usability Improvements:
- Updated parameter names from before/after to EndDate/StartDate across the script for consistency.
- Converted the MergeCSVOutput parameter to a switch for simplified usage.
Fixes
- Corrected the issue where Get-OAuthPermissions did not output delegated permissions correctly.
- Addressed the bug reported by angry-bender related to Get-ActivityLogs failing in the absence of logs for a given subscription.
- Replaced broken link to the Invictus website
Enhancements
- Added a PowerShell badge to the README.
- Added note with required permissions for each of the Graph API functions in the ReadTheDocs.
- Removed unnecessary WRITE permissions in documentation.
- The timestamp is now prefixed to every output file, ensuring consistency across all functions.
- Removed the "Beta" mention from the prerequisites section.
- Added Temporary Access Pass and certificate Based Auth Configuration to the MFA output as requested by evild3ad.
- A version check will be performed when importing the module, issuing a warning if it's an old version.
First release - V1.2.3
To enhance our process and maintain a more professional approach, we've decided to leverage the GitHub Releases feature. Although we're currently already at version 1.2.3. Going forward, we'll utilize GitHub Releases for every subsequent version release.
Microsoft-Extractor-Suite is a fully-featured, actively-maintained, Powershell tool designed to streamline the process of collecting all necessary data and information from various sources within Microsoft.
The following Microsoft data sources are supported:
- Unified Audit Log
- Admin Audit Log
- Mailbox Audit Log
- Mailbox Rules
- Transport Rules
- Message Trace Logs
- Azure AD Sign-In Logs
- Azure AD Audit Logs
In addition to the log sources above the tool is also able to retrieve other relevant information:
- Registered OAuth applications in Azure AD
- The MFA status for all users
- The creation time and date of the last password change for all users
- The risky users
- The risky detections
- The conditional access policies
- Administrator directory roles and their users
- A specific e-mail or attachment