From ae533f398d6dc6476354cb36ad76565e1b66a5ba Mon Sep 17 00:00:00 2001 
From: JoeyInvictus <129975292+JoeyInvictus@users.noreply.github.com> Date: Wed, 26 Jun 2024 10:06:26 +0200 Subject: [PATCH] Update 2.0 Acquisition for new log source added: - Added Azure Directory Activity logs. Output Structure Improvements: Restructured the output to write results to specific folders instead of multiple outputs in Userinfo. For instance, the MFA functionality now generates a new folder named MFA for its output. Performance improvements inspired by Calvindd2f: - Replaced | Out-Null with > $null across multiple instances in the script for improved performance. - Redesigned the log-writing mechanism for increased speed. - Set default parameters in CmdletBindings across all scripts. - Created a function for combining logs outside of the function utilizing this. Authentication Type Detection: - Implemented functionality to automatically detect whether the user is logged in via Graph with delegated or application permissions. This prevents unnecessary errors by ensuring that the script connects with the appropriate scopes based on the authentication type. - Removed the need for the Application parameter. The script now automatically determines the authentication type in the background. Optimized Graph API Requests: Updated certain functionalities to use Invoke-MgGraphRequest instead of the Graph PowerShell Module cmdlets for improved performance and reliability. - The Get-MFA script now utilizes Invoke-MgGraphRequest to ensure all output is captured, including nested objects that were previously missed. - Get-Email, Get-Attachment, Show-Email are now using Invoke-MgGraphRequests for better performance and reliability. - Get-UALGraph has been reworked and is now using Invoke-MgGraphrequest for better performance. - Get-RiskyUsers & Get-RiskyDetections are both using Invoke-MgGraphrequest now. Get-ADSignInLogsGraph and Get-ADAuditLogsGraph: Inspired by code snippets from Calvindd2f, both functionalities have been reworked to use Invoke-MgGraphRequest.
This change simplifies paging, eliminates the need for guessing the correct intervals, and allows for more efficient log retrieval. As a result, the script is now easier to use, faster, and should mitigate memory issues. Get-ActivityLogs This functionality now uses Invoke-RestMethod instead of the AzureAZ PowerShell Module cmdlets for improved performance and reliability. This change simplifies paging, eliminates the need to guess correct intervals, and enables more efficient log retrieval. Read The Docs: Updated Read The Docs so it's up to date with the latest changes. areYouConnected: The $areYouConnected function, which checks if the script can run the necessary actions and provides an error if it cannot, has been improved. It now displays the actual error message when the script fails, rather than a custom error message. Additionally, it no longer checks the module before running the main code (for most functions), making the script faster by avoiding unnecessary module checks.
---
 Scripts/Get-AdminAuditLog.ps1 | 2 +-
 Scripts/Get-AzureADGraphLogs.ps1 | 4 ++--
 Scripts/Get-AzureADLogs.ps1 | 4 ++--
 Scripts/Get-AzureActivityLogs.ps1 | 6 ++----
 Scripts/Get-ConditionalAccessPolicy.ps1 | 2 +-
 Scripts/Get-Emails.ps1 | 6 +++---
 Scripts/Get-MailItemsAccessed.ps1 | 18 +++++++++---------
 Scripts/Get-MailboxAuditLog.ps1 | 2 +-
 Scripts/Get-MessageTraceLog.ps1 | 2 +-
 Scripts/Get-OAuthPermissions.ps1 | 2 +-
 Scripts/Get-RiskyEvents.ps1 | 4 ++--
 Scripts/Get-UAL.ps1 | 8 ++++----
 Scripts/Get-UALGraph.ps1 | 2 +-
 Scripts/Get-UALStatistics.ps1 | 2 +-
 Scripts/Get-UsersInfo.ps1 | 4 ++--
 .../functionality/UnifiedAuditLogGraph.rst | 2 +-
 16 files changed, 34 insertions(+), 36 deletions(-)
diff --git a/Scripts/Get-AdminAuditLog.ps1 b/Scripts/Get-AdminAuditLog.ps1
index b2d8c11..cdcf295 100644
--- a/Scripts/Get-AdminAuditLog.ps1
+++ b/Scripts/Get-AdminAuditLog.ps1
@@ -68,7 +68,7 @@ function Get-AdminAuditLog {
 $results | Export-Csv $outputDirectory -NoTypeInformation -Append -Encoding UTF8
 }
 catch {
- write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
diff --git a/Scripts/Get-AzureADGraphLogs.ps1 b/Scripts/Get-AzureADGraphLogs.ps1
index 6e1cd30..6df5bb3 100644
--- a/Scripts/Get-AzureADGraphLogs.ps1
+++ b/Scripts/Get-AzureADGraphLogs.ps1
@@ -102,7 +102,7 @@ function Get-ADSignInLogsGraph {
 } While ($apiUrl)
 }
 catch {
- Write-LogFile -Message "[INFO] Make sure you are connected to Connect-MgGraph before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Microsoft Graph by running the Connect-MgGraph command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 }
 Write-LogFile -Message "[INFO] Acquisition complete, check the $($OutputDir) directory for your files.." -Color "Green"
@@ -212,7 +212,7 @@ function Get-ADAuditLogsGraph {
 } While ($apiUrl)
 }
 catch {
- Write-LogFile -Message "[INFO] Make sure you are connected to Connect-MgGraph before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Microsoft Graph by running the Connect-MgGraph command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 }
 Write-LogFile -Message "[INFO] Acquisition complete, check the $($OutputDir) directory for your files.." -Color "Green"
diff --git a/Scripts/Get-AzureADLogs.ps1 b/Scripts/Get-AzureADLogs.ps1
index f8bbed9..d0e3817 100644
--- a/Scripts/Get-AzureADLogs.ps1
+++ b/Scripts/Get-AzureADLogs.ps1
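Review bot: The `break` that ends the catch block in Get-AdminAuditLog is not inside a loop, so PowerShell looks up the call stack for an enclosing loop; if the caller is iterating (say over a list of mailboxes) that loop is silently abandoned, and if there is none the whole calling script can stop rather than just this function. `return` expresses the intended "log and leave this function" semantics, and Get-Email in Get-Emails.ps1 already uses it. The same `break`-in-catch pattern is in the hunks for Get-ActivityLogs, Get-ConditionalAccessPolicies, Get-Attachment, Show-Email, Get-Sessions, Get-MessageIDs, DownloadMails, Get-MailboxAuditLog, Get-MessageTraceLog, Get-OAuthPermissions, Get-RiskyUsers, Get-RiskyDetections, Get-UALAll, Get-UALGroup, Get-UALSpecific, Get-UALSpecificActivity, Get-UALGraph, Get-UALStatistics, Get-Users and Get-AdminUsers. Get-AdminAuditLog's body starts before this hunk.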
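Review bot: In Get-ADSignInLogsGraph the catch block logs the failure and then falls through to `Write-LogFile -Message "[INFO] Acquisition complete, check the $($OutputDir) directory for your files.." -Color "Green"`, so a request that failed on the first page still ends with a green "acquisition complete" line and an empty or partial output directory, which is misleading for an evidence-collection run. Add a `return` after the `[ERROR]` line inside the catch, or gate the completion message on a success flag set only when the `While ($apiUrl)` loop finishes. Get-ADAuditLogsGraph in the next hunk has the identical fall-through. Both function bodies start before their hunks.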
@@ -114,7 +114,7 @@ function Get-ADSignInLogs {
 Write-LogFile -Message "[WARNING] Failed to acquire logs. Retrying... Attempt $retryCount of $maxRetries" -Color "Yellow"
 } else {
 Write-LogFile -Message "[ERROR] Failed to acquire logs after $maxRetries attempts. Moving on." -Color "Red"
- Write-logFile -Message "[INFO] You must call Connect-Azure or install AzureADPreview before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Azure by running the Connect-Azure command or install AzureADPreview before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 }
 }
@@ -273,7 +273,7 @@ function Get-ADAuditLogs {
 Write-LogFile -Message "[WARNING] Failed to acquire logs. Retrying... Attempt $retryCount of $maxRetries" -Color "Yellow"
 } else {
 Write-LogFile -Message "[ERROR] Failed to acquire logs after $maxRetries attempts. Moving on." -Color "Red"
- Write-logFile -Message "[WARNING] You must call Connect-Azure or install AzureADPreview before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Azure by running the Connect-Azure command or install AzureADPreview before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 }
 }
diff --git a/Scripts/Get-AzureActivityLogs.ps1 b/Scripts/Get-AzureActivityLogs.ps1
index 4154d03..416f18a 100644
--- a/Scripts/Get-AzureActivityLogs.ps1
+++ b/Scripts/Get-AzureActivityLogs.ps1
@@ -74,7 +74,6 @@ function Get-ActivityLogs {
 $azureRmProfile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
 $profileClient = [Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient]::new($azureRmProfile)
 $token = $profileClient.AcquireAccessToken($currentContext.Tenant.Id)
- #$token
 if ($SubscriptionID -eq "") {
 write-logFile -Message "[INFO] Retrieving all subscriptions linked to the logged-in user account" -Color "Green"
@@ -90,7 +89,7 @@ function Get-ActivityLogs {
 $subScription = $subscriptionsResponse.value
 }
 catch {
- write-logFile -Message "[INFO] You must call Connect-AzureAZ before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Azure by running the Connect-Az command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
@@ -105,7 +104,7 @@ function Get-ActivityLogs {
 $subScription = Get-AzSubscription -SubscriptionId $SubscriptionID
 }
 catch {
- write-logFile -Message "[INFO] You must call Connect-AzureAZ before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Azure by running the Connect-Az command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
@@ -115,7 +114,6 @@ function Get-ActivityLogs {
 $subId = $sub.subscriptionId
 write-logFile -Message "[INFO] Retrieving all Activity Logs for $subId" -Color "Green"
- #$subId = $sub.Id
 $date = [datetime]::Now.ToString('yyyyMMddHHmmss')
 $filePath = "$OutputDir\$($date)-$subId-ActivityLog.json"
diff --git a/Scripts/Get-ConditionalAccessPolicy.ps1 b/Scripts/Get-ConditionalAccessPolicy.ps1
index 481a05f..8b99888 100644
--- a/Scripts/Get-ConditionalAccessPolicy.ps1
+++ b/Scripts/Get-ConditionalAccessPolicy.ps1
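Review bot: `$token = $profileClient.AcquireAccessToken($currentContext.Tenant.Id)` leaves a bearer access token for the tenant in a plain variable, and the removed `#$token` line shows it was once being echoed while debugging; nothing on the assignment warns the next person not to do that again, even though anything printed there also ends up in the log file and in any PowerShell transcript. Suggested comment above the assignment: `# $token is a bearer credential for the tenant: never write it to the console, the log file or a transcript`. Get-ActivityLogs's body continues beyond this hunk.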
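Review bot: The new message in the hunk at old line 90 tells the user to run `Connect-Az`, whereas the text it replaces named `Connect-AzureAZ` and the surrounding code uses the Az module (`Get-AzSubscription`), whose own login cmdlet is `Connect-AzAccount`; I cannot see which wrapper this toolkit ships, so confirm that `Connect-Az` is a command the user can actually type and, if not, name the real one. The identical text is repeated in the hunk at old line 105. The function body starts and ends outside these hunks.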
@@ -104,7 +104,7 @@ Function Get-ConditionalAccessPolicies {
 }
 catch {
- Write-logFile -Message "[WARNING] You must call Connect-MgGraph -Scopes Policy.Read.All before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Microsoft Graph by running the Connect-MgGraph -Scopes Policy.Read.All command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)"
 break
 }
diff --git a/Scripts/Get-Emails.ps1 b/Scripts/Get-Emails.ps1
index 1e5a1cb..f882652 100644
--- a/Scripts/Get-Emails.ps1
+++ b/Scripts/Get-Emails.ps1
@@ -138,7 +138,7 @@ Function Get-Email {
 }
 }
 catch {
- Write-logFile -Message "[WARNING] You must call Connect-MgGraph -Scopes Mail.ReadBasic.All before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Microsoft Graph by running the Connect-MgGraph -Scopes Mail.ReadBasic.All command before executing this script" -Color "Yellow"
 Write-logFile -Message "[WARNING] The 'Mail.ReadBasic.All' is an application-level permission, requiring an application-based connection through the 'Connect-MgGraph' command for its use." -Color "Red"
 return
 }
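Review bot: The `[ERROR]` line in Get-ConditionalAccessPolicies' catch, `Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)"`, is the only one touched by this patch without `-Color "Red"`, so the exception text renders in whatever default the logger uses while every sibling script shows it in red; add `-Color "Red"` so the normalisation is complete. The function body starts and ends outside the hunk.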
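Review bot: Get-Email's catch is the one in Get-Emails.ps1 that never logs `$($_.Exception.Message)` before the `return`, so a throttling, permission or network error from the Graph call is reduced to the generic connection hint and the real cause is lost from the log file; Get-Attachment and Show-Email in the next hunks both add the `[ERROR]` line. Insert `Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"` before the `return`. Get-Email's body starts before this hunk.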
@@ -192,7 +192,7 @@ Function Get-Attachment {
 $getMessage = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userIds/messages?filter=internetMessageId eq '$internetMessageId'" -ErrorAction stop
 }
 catch {
- Write-logFile -Message "[WARNING] You must call Connect-MgGraph -Scopes Mail.ReadBasic.All before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Microsoft Graph by running the Connect-MgGraph -Scopes Mail.ReadBasic.All command before executing this script" -Color "Yellow"
 Write-logFile -Message "[WARNING] The 'Mail.ReadBasic.All' is an application-level permission, requiring an application-based connection through the 'Connect-MgGraph' command for its use." -Color "Red"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
@@ -259,7 +259,7 @@ Function Show-Email {
 $message = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$userIds/messages?filter=internetMessageId eq '$internetMessageId'" -ErrorAction stop
 }
 catch {
- Write-logFile -Message "[WARNING] You must call Connect-MgGraph -Scopes Mail.ReadBasic.All before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Microsoft Graph by running the Connect-MgGraph -Scopes Mail.ReadBasic.All command before executing this script" -Color "Yellow"
 Write-logFile -Message "[WARNING] The 'Mail.ReadBasic.All' is an application-level permission, requiring an application-based connection through the 'Connect-MgGraph' command for its use." -Color "Red"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
diff --git a/Scripts/Get-MailItemsAccessed.ps1 b/Scripts/Get-MailItemsAccessed.ps1
index 4c702c3..8d40c0a 100644
--- a/Scripts/Get-MailItemsAccessed.ps1
+++ b/Scripts/Get-MailItemsAccessed.ps1
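Review bot: In Get-Attachment `$internetMessageId` is interpolated straight into the OData filter of the `Invoke-MgGraphRequest -Uri` line with no escaping or validation, so an id containing a single quote (OData escapes a literal `'` by doubling it) breaks the query and surfaces as the generic "not connected" hint from this catch. Escape it once before building the URI, e.g. `$safeId = $internetMessageId -replace "'", "''"` and use `'$safeId'` in the filter; `$userIds` is embedded in the path the same way and deserves the same care. Show-Email in the next hunk builds the identical URI. Both function bodies start before their hunks.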
@@ -73,7 +73,7 @@ Function Get-Sessions {
 $amountResults = (Search-UnifiedAuditLog -StartDate $StartDate -UserIds $UserIds -EndDate $EndDate -Operations "MailItemsAccessed" -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount)
 }
 catch {
- write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
@@ -116,7 +116,7 @@ Function Get-Sessions {
 $amountResults = (Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -FreeText $IP -Operations "MailItemsAccessed" -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount)
 }
 catch {
- write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
@@ -161,7 +161,7 @@ Function Get-Sessions {
 $amountResults = (Search-UnifiedAuditLog -UserIds $UserIds -FreeText $IP -StartDate $StartDate -EndDate $EndDate -Operations "MailItemsAccessed" -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount)
 }
 catch {
- write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
@@ -206,7 +206,7 @@ Function Get-Sessions {
 $amountResults = (Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations "MailItemsAccessed" -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount)
 }
 catch {
- write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
@@ -326,7 +326,7 @@ function Get-MessageIDs {
 $amountResults = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations "MailItemsAccessed" -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount
 }
 catch {
- write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
@@ -406,7 +406,7 @@ function Get-MessageIDs {
 $amountResults = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -FreeText $IP -Operations "MailItemsAccessed" -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount
 }
 catch {
- write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
@@ -493,7 +493,7 @@ function Get-MessageIDs {
 $amountResults = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -FreeText $Sessions -Operations "MailItemsAccessed" -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount
 }
 catch {
- write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
@@ -575,7 +575,7 @@ function Get-MessageIDs {
 $amountResults = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -FreeText $IP -Operations "MailItemsAccessed" -ResultSize 1 | Select-Object -First 1 -ExpandProperty ResultCount
 }
 catch {
- write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
@@ -697,7 +697,7 @@ function DownloadMails($iMessageID,$UserIds){
 }
 }
 catch {
- Write-logFile -Message "[WARNING] You must call Connect-MgGraph -Scopes Mail.ReadBasic.All before running the -Download flag" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Microsoft Graph by running the Connect-MgGraph -Scopes Mail.ReadBasic.All command before executing this script" -Color "Yellow"
 Write-logFile -Message "[WARNING] The 'Mail.ReadBasic.All' is an application-level permission, requiring an application-based connection through the 'Connect-MgGraph' command for its use." -Color "Red"
 Write-Host "[WARNING] Error Message: $($_.Exception.Message)" -Color "Red"
 break
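Review bot: In the DownloadMails hunk, `Write-Host "[WARNING] Error Message: $($_.Exception.Message)" -Color "Red"` fails on its own, because Write-Host has no `-Color` parameter (its colour switch is `-ForegroundColor`), so the catch block raises a parameter-binding error and the original exception text is never shown or logged. Replace it with the form every sibling catch uses, `Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"`, which also writes it to the log file. The rewritten hint also drops a useful detail: the old text said the scope is needed for the `-Download` flag, and this catch is only reached on that path, so "before executing this script" is less accurate than "before using the -Download flag". DownloadMails's body starts before this hunk.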
diff --git a/Scripts/Get-MailboxAuditLog.ps1 b/Scripts/Get-MailboxAuditLog.ps1
index 3059d4f..d8bf6ea 100644
--- a/Scripts/Get-MailboxAuditLog.ps1
+++ b/Scripts/Get-MailboxAuditLog.ps1
@@ -56,7 +56,7 @@ function Get-MailboxAuditLog
 $areYouConnected = Search-MailboxAuditlog -ErrorAction stop
 }
 catch {
- write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
diff --git a/Scripts/Get-MessageTraceLog.ps1 b/Scripts/Get-MessageTraceLog.ps1
index c3a7edb..15c39f3 100644
--- a/Scripts/Get-MessageTraceLog.ps1
+++ b/Scripts/Get-MessageTraceLog.ps1
@@ -89,7 +89,7 @@ function Get-MessageTraceLog
 $areYouConnected = Get-MessageTrace -ErrorAction stop
 }
 catch {
- write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
diff --git a/Scripts/Get-OAuthPermissions.ps1 b/Scripts/Get-OAuthPermissions.ps1
index f5ffff3..b3b9e5d 100644
--- a/Scripts/Get-OAuthPermissions.ps1
+++ b/Scripts/Get-OAuthPermissions.ps1
@@ -93,7 +93,7 @@ Lists delegated permissions (OAuth2PermissionGrants) and application permissions
 try {
 $tenant_details = Get-AzureADTenantDetail -ErrorAction stop
 } catch {
- write-logFile -Message "[WARNING] You must call Connect-Azure before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Azure by running the Connect-Azure command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
diff --git a/Scripts/Get-RiskyEvents.ps1 b/Scripts/Get-RiskyEvents.ps1
index 88f1414..7b4d05c 100644
--- a/Scripts/Get-RiskyEvents.ps1
+++ b/Scripts/Get-RiskyEvents.ps1
@@ -82,7 +82,7 @@ function Get-RiskyUsers {
 $uri = $response.'@odata.nextLink'
 } while ($uri -ne $null)
 } catch {
- Write-logFile -Message "[WARNING] You must call Connect-MgGraph -Scopes IdentityRiskEvent.Read.All,IdentityRiskyServicePrincipal.Read.All,IdentityRiskyUser.Read.All before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Microsoft Graph by running the Connect-MgGraph -Scopes IdentityRiskEvent.Read.All,IdentityRiskyServicePrincipal.Read.All,IdentityRiskyUser.Read.All command before executing this script" -Color "Yellow"
 Write-LogFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
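Review bot: In Get-RiskyUsers the paging loop ends with `} while ($uri -ne $null)`, which puts `$null` on the right-hand side; if `$uri` ever holds a collection the comparison filters that collection instead of testing it, which is why PSScriptAnalyzer flags this form (PSPossibleIncorrectComparisonWithNull). Write it as `} while ($null -ne $uri)`. Get-RiskyDetections in the next hunk has the same loop. Both do-while bodies start before their hunks.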
@@ -197,7 +197,7 @@ function Get-RiskyDetections {
 $uri = $response.'@odata.nextLink'
 } while ($uri -ne $null)
 } catch {
- Write-logFile -Message "[WARNING] You must call Connect-MgGraph -Scopes IdentityRiskEvent.Read.All,IdentityRiskyServicePrincipal.Read.All,IdentityRiskyUser.Read.All before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Microsoft Graph by running the Connect-MgGraph -Scopes IdentityRiskEvent.Read.All,IdentityRiskyServicePrincipal.Read.All,IdentityRiskyUser.Read.All command before executing this script" -Color "Yellow"
 Write-LogFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
diff --git a/Scripts/Get-UAL.ps1 b/Scripts/Get-UAL.ps1
index 33c3b78..e6277b0 100644
--- a/Scripts/Get-UAL.ps1
+++ b/Scripts/Get-UAL.ps1
@@ -86,7 +86,7 @@ function Get-UALAll
 $areYouConnected = Get-AdminAuditLogConfig -ErrorAction stop
 }
 catch {
- write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
@@ -300,7 +300,7 @@ function Get-UALGroup
 $areYouConnected = Get-AdminAuditLogConfig -ErrorAction stop
 }
 catch {
- write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
@@ -554,7 +554,7 @@ function Get-UALSpecific
 $areYouConnected = Get-AdminAuditLogConfig -ErrorAction stop
 }
 catch {
- write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
@@ -781,7 +781,7 @@ function Get-UALSpecificActivity
 $areYouConnected = Get-AdminAuditLogConfig -ErrorAction stop
 }
 catch {
- write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
diff --git a/Scripts/Get-UALGraph.ps1 b/Scripts/Get-UALGraph.ps1
index a9c5a3a..20b32df 100644
--- a/Scripts/Get-UALGraph.ps1
+++ b/Scripts/Get-UALGraph.ps1
@@ -153,7 +153,7 @@ Function Get-UALGraph {
 }
 }
 catch {
- Write-logFile -Message "[WARNING] You must call Connect-MgGraph -Scopes 'AuditLogsQuery.Read.All' before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Microsoft Graph by running the Connect-MgGraph -Scopes 'AuditLogsQuery.Read.All' command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
diff --git a/Scripts/Get-UALStatistics.ps1 b/Scripts/Get-UALStatistics.ps1
index dd6da9b..7e5c2f2 100644
--- a/Scripts/Get-UALStatistics.ps1
+++ b/Scripts/Get-UALStatistics.ps1
@@ -70,7 +70,7 @@ function Get-UALStatistics
 $totalCount = Search-UnifiedAuditLog -Userids $UserIds -StartDate $script:StartDate -EndDate $script:EndDate -ResultSize 1 | Format-List -Property ResultCount| out-string -Stream | select-string ResultCount
 }
 catch {
- write-logFile -Message "[WARNING] You must call Connect-M365 before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to M365 by running the Connect-M365 command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
diff --git a/Scripts/Get-UsersInfo.ps1 b/Scripts/Get-UsersInfo.ps1
index 6bfe286..cd99afe 100644
--- a/Scripts/Get-UsersInfo.ps1
+++ b/Scripts/Get-UsersInfo.ps1
@@ -97,7 +97,7 @@ function Get-Users {
 $mgUsers | select-object $selectobjects | Export-Csv -Path $filePath -NoTypeInformation -Encoding $Encoding
 }
 catch {
- Write-logFile -Message "[WARNING] You must call Connect-MgGraph -Scopes 'User.Read.All, Directory.AccessAsUser.All, User.ReadBasic.All, Directory.Read.All' before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Microsoft Graph by running the Connect-MgGraph -Scopes 'User.Read.All, Directory.AccessAsUser.All, User.ReadBasic.All, Directory.Read.All' command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
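Review bot: Get-UALStatistics derives `$totalCount` by rendering the result with `Format-List -Property ResultCount`, flattening it with `out-string -Stream` and grepping it with `select-string ResultCount`, which yields a MatchInfo line of text whose shape depends on the console formatter rather than a number; Get-Sessions and Get-MessageIDs in this same patch read the property directly. Replace the tail of the pipeline with `Select-Object -First 1 -ExpandProperty ResultCount`, noting that any code further down that parses the formatted string would have to change with it. The function body continues outside the hunk.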
@@ -218,7 +218,7 @@ Function Get-AdminUsers {
 }
 }
 catch {
- Write-logFile -Message "[WARNING] You must call Connect-MgGraph -Scopes 'User.Read.All, Directory.AccessAsUser.All, Directory.Read.All' before running this script" -Color "Red"
+ write-logFile -Message "[INFO] Ensure you are connected to Microsoft Graph by running the Connect-MgGraph -Scopes 'User.Read.All, Directory.AccessAsUser.All, User.ReadBasic.All, Directory.Read.All' command before executing this script" -Color "Yellow"
 Write-logFile -Message "[ERROR] An error occurred: $($_.Exception.Message)" -Color "Red"
 break
 }
diff --git a/docs/source/functionality/UnifiedAuditLogGraph.rst b/docs/source/functionality/UnifiedAuditLogGraph.rst
index c939acc..1faa314 100644
--- a/docs/source/functionality/UnifiedAuditLogGraph.rst
+++ b/docs/source/functionality/UnifiedAuditLogGraph.rst
@@ -1,4 +1,4 @@
-Unified Audit Log via Graph API (BETA functionality)
+Unified Audit Log via Graph API
 =======
 The UAL is a critical piece of evidence in a BEC investigation because it is a centralized source for
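Review bot: The new Get-AdminUsers message lists `User.ReadBasic.All` among the scopes to request, which the text it replaces did not; the Get-Users message in the previous hunk does include it, so this reads like a copy of that string rather than a deliberate change to what Get-AdminUsers needs. Confirm the scope set against the Graph calls the function makes and keep the message to exactly those, since users tend to grant whatever the hint tells them and an over-broad consent is hard to walk back. Get-AdminUsers's body starts before this hunk.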