update to 1.3.2

Merge Output Option: Introduced a merge output flag for Azure AD Graph logs and AD logs. File Naming Correction: Corrected an issue where the .json extension was missing from the filename for AD sign-in logs, ensuring files are correctly recognized and processed by tools expecting JSON format. Option Renaming: The MergecsvOutput option has been renamed to MergeOutput to better reflect its functionality and to accommodate both CSV and JSON file formats. - Fixed bug with wrong version number in the version check.
invictus-ir · Mar 26, 2024 · b37a171 · b37a171
1 parent 544efb8
commit b37a171
Show file tree

Hide file tree

Showing 8 changed files with 101 additions and 47 deletions.
diff --git a/Microsoft-Extractor-Suite.psd1 b/Microsoft-Extractor-Suite.psd1
@@ -8,7 +8,7 @@ Author = 'Joey Rentenaar & Korstiaan Stam'
 CompanyName = 'Invictus-IR'
 
 # Version number of this module.
-ModuleVersion = '1.3.1' 
+ModuleVersion = '1.3.2' 
 
 # ID used to uniquely identify this module
 GUID = '4376306b-0078-4b4d-b565-e22804e3be01'

diff --git a/Microsoft-Extractor-Suite.psm1 b/Microsoft-Extractor-Suite.psm1
@@ -42,7 +42,7 @@ Function StartDateAz
 {
 	if (($startDate -eq "") -Or ($null -eq $startDate)) {
 		$script:StartDate = [datetime]::Now.ToUniversalTime().AddDays(-30)
-		write-LogFile -Message "[INFO] No start date provived by user setting the start date to: $($script:StartDate.ToString("yyyy-MM-dd"))" -Color "Yellow"
+		write-LogFile -Message "[INFO] No start date provived by user setting the start date to: $($script:StartDate.ToString("yyyy-MM-ddTHH:mm:ssK"))" -Color "Yellow"
 	}
 	else
 	{
@@ -93,7 +93,7 @@ function Write-LogFile([String]$message,$color)
 
 function versionCheck{
 	$moduleName = "Microsoft-Extractor-Suite"
-	$currentVersionString  = "1.3.0"
+	$currentVersionString  = "1.3.2"
 
 	$currentVersion = [Version]$currentVersionString
     $latestVersionString = (Find-Module -Name $moduleName).Version.ToString()

diff --git a/Scripts/Get-AzureADGraphLogs.ps1 b/Scripts/Get-AzureADGraphLogs.ps1
@@ -1,7 +1,7 @@
 function Get-ADSignInLogsGraph {
     <#
     .SYNOPSIS
-    Gets of sign ins logs.
+    Gets of sign-ins logs.
 
     .DESCRIPTION
     The Get-ADSignInLogsGraph GraphAPI cmdlet collects the contents of the Azure Active Directory sign-in logs.
@@ -25,16 +25,20 @@ function Get-ADSignInLogsGraph {
     Application is the parameter specifying App-only access (access without a user) for authentication and authorization.
     Default: Delegated access (access on behalf a user)
 
+	.PARAMETER MergeOutput
+    MergeOutput is the parameter specifying if you wish to merge outputs to a single file
+    Default: No
+
     .PARAMETER UserIds
     UserIds is the UserIds parameter filtering the log entries by the account of the user who performed the actions.
 
     .EXAMPLE
     Get-ADSignInLogsGraph
-    Get all audit logs of sign ins.
+    Get all audit logs of sign-ins.
 
     .EXAMPLE
     Get-ADSignInLogsGraph -Application
-    Get all audit logs of sign ins via application authentication.
+    Get all audit logs of sign-ins via application authentication.
 
     .EXAMPLE
     Get-ADSignInLogsGraph -endDate 2023-04-12
@@ -47,12 +51,13 @@ function Get-ADSignInLogsGraph {
     [CmdletBinding()]
     param(
         [string]$startDate,
-	[string]$endDate,
+		[string]$endDate,
+		[switch]$MergeOutput,
         [string]$OutputDir,
         [string]$UserIds,
         [string]$Encoding = "UTF8",
         [switch]$Application,
-	[string]$Interval
+		[string]$Interval
     )
 
     if (!($Application.IsPresent)) {
@@ -70,7 +75,6 @@ function Get-ADSignInLogsGraph {
     if ($Encoding -eq "" ){
 		$Encoding = "UTF8"
 	}
-
 
 	if ($Interval -eq "") {
 		$Interval = 1440
@@ -107,7 +111,6 @@ function Get-ADSignInLogsGraph {
 	StartDateAz
 	EndDate
 
-
     $date = Get-Date -Format 'yyyyMMddHHmmss'
     $filePath = Join-Path -Path $outputDir -ChildPath "$($date)-SignInLogsGraph.json"
 
@@ -116,7 +119,7 @@ function Get-ADSignInLogsGraph {
 	[DateTime]$lastLog = $script:EndDate
 	$currentDay = 0  
 
-	Write-LogFile -Message "[INFO] Extracting all available Directory Sign In Logs between $($currentStart.ToUniversalTime().ToString("yyyy-MM-dd")) and $($currentEnd.ToUniversalTime().ToString("yyyy-MM-dd"))" -Color "Green"
+	Write-LogFile -Message "[INFO] Extracting all available Directory Sign-in Logs between $($currentStart.ToUniversalTime().ToString("yyyy-MM-dd")) and $($currentEnd.ToUniversalTime().ToString("yyyy-MM-dd"))" -Color "Green"
 	if($currentStart -gt $script:EndDate){
 		Write-LogFile -Message "[ERROR] $($currentStart.ToString("yyyy-MM-dd")) is greather than $($script:EndDate.ToString("yyyy-MM-dd")) - are you sure you put in the correct year? Exiting!" -Color "Red"
 		return
@@ -125,7 +128,7 @@ function Get-ADSignInLogsGraph {
 	while ($currentStart -lt $script:EndDate) {			
 		$currentEnd = $currentStart.AddMinutes($Interval)       
 		if ($UserIds){
-			Write-LogFile -Message "[INFO] Collecting Directory Sign In logs between $($currentStart.ToUniversalTime().ToString("yyyy-MM-dd")) and $($currentEnd.ToUniversalTime().ToString("yyyy-MM-dd"))."
+			Write-LogFile -Message "[INFO] Collecting Directory Sign-in logs between $($currentStart.ToUniversalTime().ToString("yyyy-MM-dd")) and $($currentEnd.ToUniversalTime().ToString("yyyy-MM-dd"))."
 			try{
 				[Array]$results =  Get-MgBetaAuditLogSignIn -ExpandProperty * -All -Filter "UserPrincipalName eq '$($Userids)' and createdDateTime lt $($currentEnd.ToString("yyyy-MM-dd")) and createdDateTime gt $($currentStart.ToString("yyyy-MM-dd"))"
 			}
@@ -155,20 +158,38 @@ function Get-ADSignInLogsGraph {
 				$currentTotal = $currentCount 
 			}
 
-			Write-LogFile -Message "[INFO] Found $currentCount Directory Sign In Logs between $($currentStart.ToUniversalTime().ToString("yyyy-MM-dd")) and $($currentEnd.ToUniversalTime().ToString("yyyy-MM-dd"))" -Color "Green"
+			Write-LogFile -Message "[INFO] Found $currentCount Directory Sign-in Logs between $($currentStart.ToUniversalTime().ToString("yyyy-MM-dd")) and $($currentEnd.ToUniversalTime().ToString("yyyy-MM-dd"))" -Color "Green"
 
-			$filePath = "$OutputDir\SignInLogsGraph-$($CurrentStart.ToString("yyyyMMdd"))-$($CurrentEnd.ToString("yyyyMMdd")).json"
-			$results | Select-Object AppDisplayName,AppId,AppTokenProtectionStatus,AppliedConditionalAccessPolicies,ConditionsNotSatisfied,ConditionsSatisfied,AppliedConditionalAccessPoliciesDisplayName,EnforcedGrantControls,EnforcedSessionControls,AppliedConditionalAccessPoliciesId,AppliedConditionalAccessPoliciesResult,AppliedConditionalAccessPolicies2,AppliedEventListeners,AuthenticationAppDeviceDetails,AppVersion,ClientApp,DeviceId,OperatingSystem,AuthenticationAppPolicyEvaluationDetails,AdminConfiguration,AuthenticationEvaluation,AuthenticationAppPolicyEvaluationDetailsPolicyName,AuthenticationAppPolicyEvaluationDetailsStatus,AuthenticationContextClassReferences,AuthenticationDetails,AuthenticationMethodsUsed,AuthenticationProcessingDetails,AuthenticationProtocol,AuthenticationRequirement,AuthenticationRequirementPolicies,Detail,RequirementProvider,AutonomousSystemNumber,AzureResourceId,ClientAppUsed,ClientCredentialType,ConditionalAccessStatus,CorrelationId,@{N='CreatedDateTime';E={$_.CreatedDateTime.ToString()}},CrossTenantAccessType,DeviceDetail,Browser,DeviceDetailDeviceId,DisplayName,IsCompliant,IsManaged,DeviceDetailOperatingSystem,TrustType,FederatedCredentialId,FlaggedForReview,HomeTenantId,HomeTenantName,IPAddress,IPAddressFromResourceProvider,Id,IncomingTokenType,IsInteractive,IsTenantRestricted,Location,City,CountryOrRegion,State,ManagedServiceIdentity,AssociatedResourceId,FederatedTokenId,FederatedTokenIssuer,MsiType,MfaDetail,AuthDetail,AuthMethod,NetworkLocationDetails,OriginalRequestId,OriginalTransferMethod,PrivateLinkDetails,PolicyId,PolicyName,PolicyTenantId,PrivateLinkDetailsResourceId,ProcessingTimeInMilliseconds,ResourceDisplayName,ResourceId,ResourceServicePrincipalId,ResourceTenantId,RiskDetail,RiskEventTypesV2,RiskLevelAggregated,RiskLevelDuringSignIn,RiskState,ServicePrincipalCredentialKeyId,ServicePrincipalCredentialThumbprint,ServicePrincipalId,ServicePrincipalName,SessionLifetimePolicies,SignInEventTypes,SignInIdentifier,SignInIdentifierType,SignInTokenProtectionStatus,Status,StatusAdditionalDetails,TokenIssuerName,TokenIssuerType,UniqueTokenIdentifier,UserAgent,UserDisplayName,UserId,UserPrincipalName,UserType,AdditionalProperties |
-				ForEach-Object {
-					$_ | ConvertTo-Json -Depth 100
-				} |	Out-File -FilePath $filePath -Encoding $Encoding
+			$filePath = "$OutputDir\SignInLogsGraph-$($CurrentStart.ToString("yyyyMMdd"))-$($CurrentEnd.ToString("yyyyMMdd")).json"	
+			$results | ConvertTo-Json -Depth 100 | Out-File -Append $filePath -Encoding $Encoding
 
 			Write-LogFile -Message "[INFO] Successfully retrieved $($currentCount) records out of total $($currentTotal) for the current time range."							
 		}
 		[Array]$results = @()
 		$CurrentStart = $CurrentEnd
   		$currentDay++
 	}
+
+	if ($MergeOutput.IsPresent)
+	{
+		Write-LogFile -Message "[INFO] Merging output files into one file"
+	  	$outputDirMerged = "$OutputDir\Merged\"
+	  	If (!(test-path $outputDirMerged)) {
+			Write-LogFile -Message "[INFO] Creating the following directory: $outputDirMerged"
+		  	New-Item -ItemType Directory -Force -Path $outputDirMerged | Out-Null
+	  	}
+
+		$allJsonObjects = @()
+
+		Get-ChildItem $OutputDir -Filter *.json | ForEach-Object {
+			$content = Get-Content -Path $_.FullName -Raw
+			$jsonObjects = $content | ConvertFrom-Json
+			$allJsonObjects += $jsonObjects
+		}
+
+		$allJsonObjects | ConvertTo-Json -Depth 100 | Set-Content "$outputDirMerged\SignInLogs-Combined.json"
+	}
+
 	Write-LogFile -Message "[INFO] Acquisition complete, check the $($OutputDir) directory for your files.." -Color "Green"		
 }
 

diff --git a/Scripts/Get-AzureADLogs.ps1 b/Scripts/Get-AzureADLogs.ps1
@@ -23,6 +23,10 @@ function Get-ADSignInLogs {
     Encoding is the parameter specifying the encoding of the JSON output file.
 	Default: UTF8
 
+	.PARAMETER MergeOutput
+    MergeOutput is the parameter specifying if you wish to merge outputs to a single file
+    Default: No
+
 	.PARAMETER UserIds
     UserIds is the UserIds parameter filtering the log entries by the account of the user who performed the actions.
     
@@ -48,6 +52,7 @@ function Get-ADSignInLogs {
 		[string]$endDate,
 		[string]$outputDir,
 		[string]$UserIds,
+		[switch]$MergeOutput,
 		[string]$Encoding,
 		[string]$Interval
 	)
@@ -96,7 +101,7 @@ function Get-ADSignInLogs {
 	[DateTime]$lastLog = $script:EndDate
 	$currentDay = 0  
 
-	Write-LogFile -Message "[INFO] Extracting all available Directory Sign In Logs between $($currentStart.ToUniversalTime().ToString("yyyy-MM-dd")) and $($currentEnd.ToUniversalTime().ToString("yyyy-MM-dd"))" -Color "Green"
+	Write-LogFile -Message "[INFO] Extracting all available Directory Sign-in Logs between $($currentStart.ToUniversalTime().ToString("yyyy-MM-dd")) and $($currentEnd.ToUniversalTime().ToString("yyyy-MM-dd"))" -Color "Green"
 	if($currentStart -gt $script:EndDate){
 		Write-LogFile -Message "[ERROR] $($currentStart.ToString("yyyy-MM-dd")) is greather than $($script:EndDate.ToString("yyyy-MM-dd")) - are you sure you put in the correct year? Exiting!" -Color "Red"
 		return
@@ -105,7 +110,7 @@ function Get-ADSignInLogs {
 	while ($currentStart -lt $script:EndDate) {			
 		$currentEnd = $currentStart.AddMinutes($Interval)       
 		if ($UserIds){
-			Write-LogFile -Message "[INFO] Collecting Directory Sign In logs between $($currentStart.ToUniversalTime().ToString("yyyy-MM-dd")) and $($currentEnd.ToUniversalTime().ToString("yyyy-MM-dd"))."
+			Write-LogFile -Message "[INFO] Collecting Directory Sign-in logs between $($currentStart.ToUniversalTime().ToString("yyyy-MM-dd")) and $($currentEnd.ToUniversalTime().ToString("yyyy-MM-dd"))."
 			try{
 				[Array]$results =  Get-AzureADAuditSignInLogs -All $true -Filter "UserPrincipalName eq '$($Userids)' and createdDateTime lt $($currentEnd.ToString("yyyy-MM-dd")) and createdDateTime gt $($currentStart.ToString("yyyy-MM-dd"))"
 			}
@@ -135,9 +140,9 @@ function Get-ADSignInLogs {
 				$currentTotal = $currentCount 
 			}
 
-			Write-LogFile -Message "[INFO] Found $currentCount Directory Sign In Logs between $($currentStart.ToUniversalTime().ToString("yyyy-MM-dd")) and $($currentEnd.ToUniversalTime().ToString("yyyy-MM-dd"))" -Color "Green"
+			Write-LogFile -Message "[INFO] Found $currentCount Directory Sign-in Logs between $($currentStart.ToUniversalTime().ToString("yyyy-MM-dd")) and $($currentEnd.ToUniversalTime().ToString("yyyy-MM-dd"))" -Color "Green"
 
-			$filePath = "$OutputDir\SignInLogs-$($CurrentStart.ToString("yyyyMMdd"))-$($CurrentEnd.ToString("yyyyMMdd"))"
+			$filePath = "$OutputDir\SignInLogs-$($CurrentStart.ToString("yyyyMMdd"))-$($CurrentEnd.ToString("yyyyMMdd")).json"
 			$results | ConvertTo-Json -Depth 100 | Out-File -Append $filePath -Encoding $Encoding
 
 			Write-LogFile -Message "[INFO] Successfully retrieved $($currentCount) records out of total $($currentTotal) for the current time range."							
@@ -146,6 +151,27 @@ function Get-ADSignInLogs {
 		$CurrentStart = $CurrentEnd
   		$currentDay++
 	}
+
+	if ($MergeOutput.IsPresent)
+	{
+		Write-LogFile -Message "[INFO] Merging output files into one file"
+	  	$outputDirMerged = "$OutputDir\Merged\"
+	  	If (!(test-path $outputDirMerged)) {
+			Write-LogFile -Message "[INFO] Creating the following directory: $outputDirMerged"
+		  	New-Item -ItemType Directory -Force -Path $outputDirMerged | Out-Null
+	  	}
+
+		$allJsonObjects = @()
+
+		Get-ChildItem $OutputDir -Filter *.json | ForEach-Object {
+			$content = Get-Content -Path $_.FullName -Raw
+			$jsonObjects = $content | ConvertFrom-Json
+			$allJsonObjects += $jsonObjects
+		}
+
+		$allJsonObjects | ConvertTo-Json -Depth 100 | Set-Content "$outputDirMerged\SignInLogs-Combined.json"
+	}
+
 	Write-LogFile -Message "[INFO] Acquisition complete, check the $($OutputDir) directory for your files.." -Color "Green"		
 }
 

diff --git a/Scripts/Get-UAL.ps1 b/Scripts/Get-UAL.ps1
@@ -34,8 +34,8 @@ function Get-UALAll
 	OutputDir is the parameter specifying the output directory.
 	Default: Output\UnifiedAuditLog
 
- 	.PARAMETER MergeCSVOutput
-    MergeCSVOutput is the parameter specifying if you wish to merge CSV outputs to a single file
+ 	.PARAMETER MergeOutput
+    MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file
     Default: No
 
 	.PARAMETER Encoding
@@ -63,7 +63,7 @@ function Get-UALAll
 	Gets all the unified audit log entries with a time interval of 720.
 
  	.EXAMPLE
-	Get-UALAll -UserIds [email protected] -MergeCSVOutput
+	Get-UALAll -UserIds [email protected] -MergeOutput
 	Gets all the unified audit log entries for the user [email protected] and adds a combined output csv file at the end of acquisition
 	
 	.EXAMPLE
@@ -78,7 +78,7 @@ function Get-UALAll
 		[string]$UserIds,
 		[string]$Interval,
 		[string]$Output,
-		[switch]$MergeCSVOutput,
+		[switch]$MergeOutput,
 		[string]$OutputDir,
 		[string]$Encoding
 	)
@@ -228,17 +228,16 @@ function Get-UALAll
 		}
 	}
 
-	if ($Output -eq "CSV" -and ($MergeCSVOutput.IsPresent))
+	if ($Output -eq "CSV" -and ($MergeOutput.IsPresent))
 	{
-		Write-LogFile -Message "[INFO] MergeCSVOutput set to y"
+		Write-LogFile -Message "[INFO] Merging output files into one file"
 	  	$outputDirMerged = "$OutputDir\Merged\"
 	  	If (!(test-path $outputDirMerged)) {
 			Write-LogFile -Message "[INFO] Creating the following directory: $outputDirMerged"
 		  	New-Item -ItemType Directory -Force -Path $outputDirMerged | Out-Null
 	  	}
 
 	    Get-ChildItem $OutputDir -Filter *.csv | Select-Object -ExpandProperty FullName | Import-Csv | Export-Csv "$outputDirMerged/UAL-Combined.csv" -NoTypeInformation -Append
-		Write-LogFile -Message "[INFO] Merging UAL Files" -Color "Green"
 	}
 
 	Write-LogFile -Message "[INFO] Acquisition complete, check the Output directory for your files.." -Color "Green"
@@ -282,8 +281,8 @@ function Get-UALGroup
 	OutputDir is the parameter specifying the output directory.
 	Default: Output\UnifiedAuditLog
  
- 	.PARAMETER MergeCSVOutput
-    MergeCSVOutput is the parameter specifying if you wish to merge CSV outputs to a single file
+ 	.PARAMETER MergeOutput
+    MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file
     Default: No
     
 	.PARAMETER Encoding
@@ -311,7 +310,7 @@ function Get-UALGroup
 	Gets all the Defender related unified audit log entries for the user [email protected] in JSON format with a time interval of 720.
 
   	.EXAMPLE
-	Get-UALGroup -Group Exchange -MergeCSVOutput
+	Get-UALGroup -Group Exchange -MergeOutput
 	Gets the Azure related unified audit log entries and adds a combined output csv file at the end of acquisition
 #>
 	[CmdletBinding()]
@@ -322,7 +321,7 @@ function Get-UALGroup
 		[string]$Interval,
 		[string]$Group,
 		[string]$Output,
-  		[string]$MergeCSVOutput,
+  		[string]$MergeOutput,
 		[string]$OutputDir,
 		[string]$Encoding
 	)
@@ -511,16 +510,16 @@ function Get-UALGroup
 			Write-LogFile -message "[INFO] No Records found for $Record"
 		}
 	}
-	if ($Output -eq "CSV" -and ($MergeCSVOutput.IsPresent))
+	if ($Output -eq "CSV" -and ($MergeOutput.IsPresent))
   	{
+		Write-LogFile -Message "[INFO] Merging output files into one file"
 		$outputDirMerged = "$OutputDir\Merged\"
 		If (!(test-path $outputDirMerged)) {
 			Write-LogFile -Message "[INFO] Creating the following directory: $outputDirMerged"
 			New-Item -ItemType Directory -Force -Path $outputDirMerged | Out-Null
 		}
 
  		Get-ChildItem $OutputDir -Filter *.csv | Select-Object -ExpandProperty FullName | Import-Csv | Export-Csv "$outputDirMerged/UAL-Combined.csv" -NoTypeInformation -Append
-   		Write-LogFile -Message "[INFO] Merging UAL Files" -Color "Green"
     }
 
 	Write-LogFile -Message "[INFO] Acquisition complete, check the Output directory for your files.." -Color "Green"
@@ -568,8 +567,8 @@ function Get-UALSpecific
     Encoding is the parameter specifying the encoding of the CSV/JSON output file.
 	Default: UTF8
 
-  	.PARAMETER MergeCSVOutput
-    MergeCSVOutput is the parameter specifying if you wish to merge CSV outputs to a single file
+  	.PARAMETER MergeOutput
+    MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file
     Default: No
 
 	.EXAMPLE
@@ -593,7 +592,7 @@ function Get-UALSpecific
 	Gets all the MicrosoftFlow logging from the unified audit log for the user [email protected] in JSON format with a time interval of 720.
 
   	.EXAMPLE
-	Get-UALSpecific -RecordType MipAutoLabelExchangeItem -MergeCSVOutput
+	Get-UALSpecific -RecordType MipAutoLabelExchangeItem -MergeOutput
 	Gets the ExchangeItem logging from the unified audit log and adds a combined output csv file at the end of acquisition
 #>
 	[CmdletBinding()]
@@ -604,7 +603,7 @@ function Get-UALSpecific
 		[string]$Interval,
 		[Parameter(Mandatory=$true)]$RecordType,
 		[string]$Output,
-  		[string]$MergeCSVOutput,
+  		[string]$MergeOutput,
   		[string]$OutputDir,
 		[string]$Encoding
 	)
@@ -769,8 +768,9 @@ function Get-UALSpecific
 		}
 	}
 
-	if ($Output -eq "CSV" -and ($MergeCSVOutput.IsPresent))
+	if ($Output -eq "CSV" -and ($MergeOutput.IsPresent))
 	{
+	Write-LogFile -Message "[INFO] Merging output files into one file"
 	  $outputDirMerged = "$OutputDir\Merged\"
 	  write-host $outputDirMerged
 	  If (!(test-path $outputDirMerged)) {
@@ -779,7 +779,6 @@ function Get-UALSpecific
 	  }
 
 	    Get-ChildItem $OutputDir -Filter *.csv | Select-Object -ExpandProperty FullName | Import-Csv | Export-Csv "$outputDirMerged/UAL-Combined.csv" -NoTypeInformation -Append
-		Write-LogFile -Message "[INFO] Merging UAL Files" -Color "Green"
 	  }
 
 	Write-LogFile -Message "[INFO] Acquisition complete, check the Output directory for your files.." -Color "Green"

diff --git a/docs/source/functionality/AzureAuditLogsGraph.rst b/docs/source/functionality/AzureAuditLogsGraph.rst
@@ -43,6 +43,10 @@ Parameters
     - Encoding is the parameter specifying the encoding of the JSON output file.
     - Default: UTF8
 
+-MergeOutput (optional)
+    - MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file.
+    - Default: No
+
 -UserIds (optional)
     - UserIds is the UserIds parameter filtering the log entries by the account of the user who performed the actions.
 

diff --git a/docs/source/functionality/AzureSignInLogsGraph.rst b/docs/source/functionality/AzureSignInLogsGraph.rst
@@ -43,6 +43,10 @@ Parameters
     - Application is the parameter specifying App-only access (access without a user) for authentication and authorization.
     - Default: Delegated access (access on behalf a user)
 
+-MergeOutput (optional)
+    - MergeOutput is the parameter specifying if you wish to merge CSV outputs to a single file.
+    - Default: No
+
 -UserIds (optional)
     - UserIds is the UserIds parameter filtering the log entries by the account of the user who performed the actions.