
Releases: invictus-ir/Microsoft-Extractor-Suite

Update V1.3.5 - Improvements to Get-AzureADLogs + Get AzureADGraphLogs

24 May 14:41

Get-AzureADLogs and Get-AzureADGraphLogs:

  • Changed the output directory names for the Audit and Sign-in logs to make it clearer which folders contain which logs.
  • Accepted a pull request by angry-bender that added the split-by-time feature to Get-AzureADAuditLogs with a 12-hour interval (the audit logs are a larger dataset than the SignInLogs).
  • Both the Graph and AD collections for the audit logs and sign-in logs now support a date and time instead of only a date.
  • Added error handling to the Graph and AD functionalities so that failed requests are retried, ensuring all data is collected.

Get-Email

  • The Get-Email functionality now accepts an input text file containing multiple message IDs and downloads all of those messages.

Update V1.3.4 - Bug fixes

29 Apr 07:09
  • Fixed a bug reported by Camel0101 where the number of log entries was not displayed in the Get-UALStatistics command.
  • Fixed a bug reported by SecurityAura where LogFile.txt gave errors when the default Output directory was not present.
  • Fixed an issue where the MergeOutput flag was not working correctly for Get-UALGroup and Get-UALSpecific.
  • As requested by evild3ad, the LastUpdatedDateTime has been added to the Get-MFA command.

Update V1.3.3 - Some bug fixes

12 Apr 08:50
eaa7bad
  • Fixed some functionalities that did not return valid JSON output:
    • Get-UalGraph
    • Get-ADAuditLogs
  • Removed incorrect parameter in the Azure Audit Logs documentation.
  • Removed incorrect example for the Get-Session functionality.
  • Added Microsoft-Analyzer-Suite by evild3ad to the readme.
  • Added a try/catch loop for Get-ActivityLogs as requested by angry-bender.
  • Fixed a bug in the Get-Sessions and Get-MessageIDs functionalities not correctly filtering.
  • Added an extra output to the Get-MFA functionality, now writing two CSV files with user registration details and authentication methods utilized in the environment.
  • Removed duplicate tempaccess/temporaryAccessPass in Get-MFA.
  • Accepted Pull Request from angry-bender fixing some date format issues with the Graph Sign-in functionality.

Introduced a merge output flag for Azure AD Graph logs and AD logs

26 Mar 15:32
  • Merge Output Option: Introduced a merge output flag for Azure AD Graph logs and AD logs.
  • File Naming Correction: Corrected an issue where the .json extension was missing from the filename for AD sign-in logs, ensuring files are correctly recognized and processed by tools expecting JSON format.
  • Option Renaming: The MergecsvOutput option has been renamed to MergeOutput to better reflect its functionality and to accommodate both CSV and JSON file formats.
  • Fixed a bug where the version check compared against the wrong version number.

Fixed a bug in the Get-UalGraph function that caused an error during output writing

25 Mar 08:28

Fixed a bug in the Get-UalGraph function that caused an error during output writing. Additionally, accepted a pull request from Angry-Bender that resolves potential out-of-memory issues in Get-AzureADLogs by writing the output to separate files for each day.

Introduced a Graph Unified Audit Log (UAL) acquisition method

21 Mar 13:44

New Features

  • Introduced a Graph Unified Audit Log (UAL) acquisition method, expanding the script's functionality.

Performance Improvements

  • Refined the code for ADSignInLogsGraph, ADAuditLogsGraph, ADAuditLogs and ADSignInLogs to enhance efficiency.
  • Streamlined the results directly into the output file, bypassing the need to store them in memory first. This change addresses potential out-of-memory errors for large tenants.
  • Get-ADSignInLogs now writes the output for each day, addressing the out-of-memory errors. This approach may be applied to other scripts later as well.

Usability Improvements

  • Updated parameter names from before/after to EndDate/StartDate across the script for consistency.
  • Converted the MergeCSVOutput parameter to a switch for simplified usage.
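The per-interval, write-as-you-go acquisition described under Performance Improvements, with the StartDate/EndDate parameters and MergeOutput switch from Usability Improvements, as an added illustration that is not code from Microsoft-Extractor-Suite; Get-LogSlice is a hypothetical stand-in for the real collector and returns constructed sample records so the example runs offline.

```powershell
# Added illustration, not Microsoft-Extractor-Suite code: collect logs in time slices, write
# each slice straight to its own timestamp-prefixed file, and retry a failed slice.
# Get-LogSlice is a hypothetical stand-in for the real collector (a Graph API query) and returns
# constructed sample records so the example runs offline.
function Get-LogSlice {
    param([datetime]$From, [datetime]$To)
    1..3 | ForEach-Object {
        [pscustomobject]@{
            createdDateTime = $From.AddMinutes($_).ToString("o")   # constructed timestamp
            activity        = "SampleActivity$_"                    # constructed value
        }
    }
}
function Export-LogsInSlices {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [int]$IntervalHours = 24,        # 24 for sign-in logs, 12 for the larger audit-log set
        [string]$OutputDir = "Output",
        [switch]$MergeOutput             # a switch: pass -MergeOutput, no value needed
    )
    if (-not (Test-Path $OutputDir)) { New-Item -ItemType Directory -Path $OutputDir | Out-Null }
    $prefix = (Get-Date).ToString("yyyyMMddHHmmss")   # same prefix on every file of this run
    $files  = @()
    $from   = $StartDate
    while ($from -lt $EndDate) {
        $to   = $from.AddHours($IntervalHours)
        if ($to -gt $EndDate) { $to = $EndDate }
        $file = Join-Path $OutputDir ("{0}-Logs-{1}.json" -f $prefix, $from.ToString("yyyyMMdd-HHmm"))
        for ($attempt = 1; $attempt -le 3; $attempt++) {
            try {
                # The slice goes to disk immediately; nothing accumulates across slices.
                ConvertTo-Json -InputObject @(Get-LogSlice -From $from -To $to) -Depth 10 | Set-Content -Path $file -Encoding UTF8
                break
            } catch {
                if ($attempt -eq 3) { throw }
                Start-Sleep -Seconds (5 * $attempt)   # back off, then retry the same slice
            }
        }
        $files += $file
        $from   = $to
    }
    if ($MergeOutput) {
        # Merge by appending one slice file at a time, so the merge is bounded by slice size too.
        $merged = Join-Path $OutputDir "$prefix-Logs-Merged.csv"
        foreach ($f in $files) { (Get-Content $f -Raw | ConvertFrom-Json) | Export-Csv -Path $merged -NoTypeInformation -Append }
    }
    return $files
}
```

Example call: `Export-LogsInSlices -StartDate "2024-03-01" -EndDate "2024-03-03" -IntervalHours 12 -MergeOutput` produces four slice files plus one merged CSV.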

Fixes

  • Corrected the issue where Get-OAuthPermissions did not output delegated permissions correctly.
  • Addressed the bug reported by angry-bender related to Get-ActivityLogs failing in the absence of logs for a given subscription.
  • Replaced a broken link to the Invictus website.

Enhancements

  • Added a PowerShell badge to the README.
  • Added note with required permissions for each of the Graph API functions in the ReadTheDocs.
  • Removed unnecessary WRITE permissions in documentation.
  • The timestamp is now prefixed to every output file, ensuring consistency across all functions.
  • Removed the "Beta" mention from the prerequisites section.
  • Added Temporary Access Pass and certificate Based Auth Configuration to the MFA output as requested by evild3ad.
  • A version check will be performed when importing the module, issuing a warning if it's an old version.

First release - V1.2.3

04 Mar 07:57

To enhance our process and maintain a more professional approach, we've decided to leverage the GitHub Releases feature. Although we're already at version 1.2.3, going forward we'll utilize GitHub Releases for every subsequent version release.

Microsoft-Extractor-Suite is a fully-featured, actively-maintained PowerShell tool designed to streamline the process of collecting all necessary data and information from various Microsoft sources.

The following Microsoft data sources are supported:

  • Unified Audit Log
  • Admin Audit Log
  • Mailbox Audit Log
  • Mailbox Rules
  • Transport Rules
  • Message Trace Logs
  • Azure AD Sign-In Logs
  • Azure AD Audit Logs

In addition to the log sources above, the tool is also able to retrieve other relevant information:

  • Registered OAuth applications in Azure AD
  • The MFA status for all users
  • The creation time and date of the last password change for all users
  • The risky users
  • The risky detections
  • The conditional access policies
  • Administrator directory roles and their users
  • A specific e-mail or attachment