Skip to content

Releases: invictus-ir/Microsoft-Extractor-Suite

Introduced a Graph Unified Audit Log (UAL) acquisition method

21 Mar 13:44
@JoeyInvictus JoeyInvictus
V1.3.0
2da5e18
Compare
Choose a tag to compare
Introduced a Graph Unified Audit Log (UAL) acquisition method

New Features

  • Introduced a Graph Unified Audit Log (UAL) acquisition method, expanding the script's functionality.

Performance Improvements:

  • Refined the code for ADSignInLogsGraph, ADAuditLogsGraph, ADAuditLogs and ADSignInLogs to enhance efficiency.
  • Streamlined the results directly into the output file, bypassing the need to store them in memory first. This change addresses potential out-of-memory errors for large tenants.
  • Get-ADSignInLogs now writes the output for each day, addressing the out-of-memory errors. This approach may be applied to other scripts later as well.

Usability Improvements:

  • Updated parameter names from before/after to EndDate/StartDate across the script for consistency.
  • Converted the MergeCSVOutput parameter to a switch for simplified usage.

Fixes

  • Corrected the issue where Get-OAuthPermissions did not output delegated permissions correctly.
  • Addressed the bug reported by angry-bender related to Get-ActivityLogs failing in the absence of logs for a given subscription.
  • Replaced broken link to the Invictus website

Enhancements

  • Added a PowerShell badge to the README.
  • Added note with required permissions for each of the Graph API functions in the ReadTheDocs.
  • Removed unnecessary WRITE permissions in documentation.
  • The timestamp is now prefixed to every output file, ensuring consistency across all functions.
  • Removed the "Beta" mention from the prerequisites section.
  • Added Temporary Access Pass and certificate Based Auth Configuration to the MFA output as requested by evild3ad.
  • A version check will be performed when importing the module, issuing a warning if it's an old version.
Assets 2
Loading

First release - V1.2.3

04 Mar 07:57
@JoeyInvictus JoeyInvictus
v1.2.3
92b5bc8
Compare
Choose a tag to compare
First release - V1.2.3

To enhance our process and maintain a more professional approach, we've decided to leverage the GitHub Releases feature. Although we're currently already at version 1.2.3. Going forward, we'll utilize GitHub Releases for every subsequent version release.

Microsoft-Extractor-Suite is a fully-featured, actively-maintained, Powershell tool designed to streamline the process of collecting all necessary data and information from various sources within Microsoft.

The following Microsoft data sources are supported:

  • Unified Audit Log
  • Admin Audit Log
  • Mailbox Audit Log
  • Mailbox Rules
  • Transport Rules
  • Message Trace Logs
  • Azure AD Sign-In Logs
  • Azure AD Audit Logs

In addition to the log sources above the tool is also able to retrieve other relevant information:

  • Registered OAuth applications in Azure AD
  • The MFA status for all users
  • The creation time and date of the last password change for all users
  • The risky users
  • The risky detections
  • The conditional access policies
  • Administrator directory roles and their users
  • A specific e-mail or attachment
Assets 2
Loading