Releases: invictus-ir/Microsoft-Extractor-Suite

Update v3.0.0 – New Features and lots of improvements

22 Jan 15:01

New Functionalities Added to the Extractor Suite

  • Get-AuditLogSettings - Retrieves audit status and settings for all mailboxes in Microsoft 365, including detailed information about mailbox audit settings, audit status, bypass settings, and configured audit actions for owners, delegates, and administrators.

  • Get-MailboxPermissions - Retrieves detailed information about mailbox delegated permissions, including Full Access, Send As, Send on Behalf, Calendar permissions, and Inbox permissions for all mailboxes in Microsoft 365.

  • Get-Devices - Retrieves information about all devices registered in Azure AD/Entra ID, including detailed information about device status, operating system details, trust type, and management information. Thanks to InfoSecGeoff for the input.

  • Start-EvidenceCollection - Automates the collection of evidence from Microsoft 365 and Azure/Entra ID environments, supporting both interactive and automated collection modes with customizable scope and filtering options. You can kick off this function and all Azure/Entra ID and Microsoft 365 logs will be acquired automatically.

  • Get-Licenses - Retrieves all licenses in the tenant with retention times and premium license indicators.

  • Get-LicensesByUser - Retrieves license assignments for all users in the tenant.

  • Get-EntraSecurityDefaults - Checks the status of Entra ID security defaults.

  • Get-LicenseCompatibility - Checks the presence of E5, P2, P1, and E3 licenses and informs about functionality limitations.

  • Get-Groups - Retrieves all groups in the organization, including their configuration and settings.

  • Get-GroupMembers - Enumerates all members of every group in the organization.

  • Get-DynamicGroups - Retrieves all dynamic groups and their membership rules, which determine automatic user inclusion.

SOF-ELK Support

  • Unified Audit Log Acquisition: Introduced the -SOF-ELK parameter for the Unified Audit Log acquisition function, ensuring that JSON output is formatted according to SOF-ELK requirements. Special thanks to Cirosec for the contribution.

  • Sign-in Logs via Graph API: Incorporated the -SOF-ELK parameter to the Get-GraphEntraSignInLogs function, ensuring that sign-in logs retrieved through Graph are correctly formatted for SOF-ELK.

  • Audit Logs via Graph API: Incorporated the -SOF-ELK parameter into the Get-GraphEntraAuditLogs function, ensuring that audit logs fetched via Graph are correctly formatted for SOF-ELK.

Unified Audit Logs Improvements

  • Default History Retrieval: The Get-UAL function now retrieves 180 days of history by default when no start date is provided, simplifying data retrieval for extended periods.

  • Function Consolidation: Consolidated the following functions into a single Get-UAL function. This change makes the tool more intuitive and easier to use, as suggested by Matthijs Vos:

    • Get-UALAll
    • Get-UALGroup
    • Get-UALSpecific
    • Get-UALSpecificActivity

  • Improved Result Retrieval: Implemented a new approach that retrieves up to 50,000 results per search using the ReturnLargeSet session command together with a session ID. The function loops over the pages of one session to collect all data in a single operation, which is faster than issuing a fresh search for 5,000 results at a time. This reduces unnecessary API calls and improves the efficiency of the data collection process.

  • Optimized Log Collection: Reworked the Unified Audit Log script to dynamically calculate the optimal interval for log retrieval based on the time range and estimated number of results, replacing the fixed default interval of 720 minutes. This adjustment speeds up the log collection.
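The two items above describe the collection loop in terms of its parameters; the following is an added example (not the Extractor Suite's own code) that shows the same mechanics end to end: a probe with -ResultSize 1 to read ResultCount and size the interval, fractional intervals so a dense range never rounds down to zero (the endless-loop case noted under Bug Fixes), one SessionId with -SessionCommand ReturnLargeSet paged in 5,000-row calls, and halving the interval when a window still hits the 50,000 cap. It assumes an existing Connect-ExchangeOnline session; the function names Get-UalInterval, Get-UalWindow and Get-Ual are illustrative.

```powershell
# Added example, not the Extractor Suite's own code. Assumes Connect-ExchangeOnline
# has been run so Search-UnifiedAuditLog is available.

function Get-UalInterval {
    # Estimate how many records the range holds and return an interval (minutes)
    # that keeps each window under $MaxPerWindow. Returned as a double so very
    # dense ranges get fractional minutes instead of rounding to zero.
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [int]$MaxPerWindow = 50000
    )
    $probe = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -ResultSize 1
    $total = if ($probe) { [int](@($probe)[0].ResultCount) } else { 0 }
    $totalMinutes = ($End - $Start).TotalMinutes
    if ($total -le $MaxPerWindow) { return [double]$totalMinutes }
    return [math]::Max(0.1, $totalMinutes * $MaxPerWindow / $total)
}

function Get-UalWindow {
    # Page one window in 5,000-row calls that share a SessionId; the service
    # keeps its cursor for the session and returns nothing once exhausted.
    param(
        [Parameter(Mandatory)][datetime]$Start,
        [Parameter(Mandatory)][datetime]$End,
        [string]$RecordType
    )
    $sessionId = [guid]::NewGuid().ToString()
    $records   = New-Object System.Collections.Generic.List[object]
    do {
        $params = @{
            StartDate      = $Start
            EndDate        = $End
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'
            ResultSize     = 5000
        }
        if ($RecordType) { $params['RecordType'] = $RecordType }   # e.g. ExchangeAdmin
        $page = Search-UnifiedAuditLog @params
        if ($page) { $records.AddRange([object[]]@($page)) }
    } while ($page)
    return $records
}

function Get-Ual {
    # Walk the range window by window, adapting the interval when the estimate
    # undershoots, and write the expanded AuditData JSON to one file.
    param(
        [datetime]$Start = (Get-Date).AddDays(-180),   # 180-day default, as in the release notes
        [datetime]$End   = (Get-Date),
        [string]$RecordType,
        [string]$OutFile = 'UAL-Combined.json'
    )
    $intervalMin = Get-UalInterval -Start $Start -End $End
    $cursor = $Start
    $all = New-Object System.Collections.Generic.List[object]
    while ($cursor -lt $End) {
        $next = $cursor.AddMinutes($intervalMin)
        if ($next -gt $End) { $next = $End }
        $chunk = Get-UalWindow -Start $cursor -End $next -RecordType $RecordType
        if ($chunk.Count -ge 50000) {
            # Window hit the cap: shrink and re-read it rather than silently losing records.
            $intervalMin = $intervalMin / 2
            continue
        }
        $all.AddRange($chunk)
        $cursor = $next
    }
    $all | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        ConvertTo-Json -Depth 10 | Set-Content -Path $OutFile -Encoding UTF8
    return $all.Count
}

# Usage: Get-Ual -RecordType ExchangeAdmin -OutFile .\ExchangeAdmin.json
```

The ResultCount read from the probe is an estimate, which is why the loop still checks each window against the cap instead of trusting the computed interval.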

LogLevel Parameter Added to All Scripts

  • A LogLevel parameter has been introduced across all scripts, offering flexibility in managing logging output. The available options are:

    • None: No logging output generated.
    • Minimal: Only critical errors that impact execution are logged.
    • Standard: Regular operational information is logged (default setting).
  • Optimized for Automation: This new feature enables better control over logging in automated environments by reducing excessive terminal output, making it ideal for use in automation workflows.

  • Integration with Start-EvidenceCollection: The LogLevel parameter is also integrated with the new Start-EvidenceCollection functionality.
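As an added example (not the Extractor Suite's own Write-LogFile), here is one way a LogLevel parameter with the three values listed above can gate a shared logging helper: each message carries its own level, and it is written only when that level is at or below what the caller asked for. The helper also creates the output directory before appending, which avoids the missing-directory failure mentioned in the V1.3.4 notes. Function and parameter names are illustrative.

```powershell
# Added example, not the Extractor Suite's own code.
$script:LogLevelRank = @{ None = 0; Minimal = 1; Standard = 2 }

function Write-LogFile {
    param(
        [Parameter(Mandatory)][string]$Message,
        # Level of this message: Minimal = critical error, Standard = routine progress
        [ValidateSet('Minimal', 'Standard')][string]$Level = 'Standard',
        # Level the caller chose; None suppresses everything
        [ValidateSet('None', 'Minimal', 'Standard')][string]$LogLevel = 'Standard',
        [string]$LogFile = (Join-Path 'Output' 'LogFile.txt'),
        [switch]$IsError
    )
    if ($script:LogLevelRank[$Level] -gt $script:LogLevelRank[$LogLevel]) { return }
    $dir = Split-Path -Parent $LogFile
    if ($dir -and -not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir -Force > $null }
    $line = '{0:yyyy-MM-dd HH:mm:ss} [{1}] {2}' -f (Get-Date), $Level, $Message
    Add-Content -Path $LogFile -Value $line
    if ($IsError) { Write-Host $line -ForegroundColor Red } else { Write-Host $line }
}

function Get-OutputInventory {
    # Illustrative collector: lists files already in the output folder,
    # logging progress at Standard and failures at Minimal.
    [CmdletBinding()]
    param(
        [string]$Path = 'Output',
        [ValidateSet('None', 'Minimal', 'Standard')][string]$LogLevel = 'Standard'
    )
    Write-LogFile -Message "Inventorying $Path" -Level Standard -LogLevel $LogLevel
    try {
        $files = Get-ChildItem -Path $Path -File -Recurse -ErrorAction Stop
        Write-LogFile -Message "Found $(@($files).Count) file(s)" -Level Standard -LogLevel $LogLevel
        return $files
    } catch {
        Write-LogFile -Message "Inventory failed: $_" -Level Minimal -LogLevel $LogLevel -IsError
        throw
    }
}

# Automation run: only failures reach the log and the terminal.
# Get-OutputInventory -LogLevel Minimal
```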

Read The Docs Update

  • The documentation has been updated to reflect the newly added functionalities.

  • Quality of Life Improvements.

Accepted Pull Requests

  • InfoSecGeoff:
    • Fixed issues with System.Object[] fields in the Get-MFA output.

    • Replaced the deprecated Search-AdminAuditLog cmdlet with Search-UnifiedAuditLog, filtered by the record type ExchangeAdmin.

    • Added a disconnect function to all connect scripts for improved session management.

    • Created a user device retrieval script, and merged this with our Get-Devices function.

    • Developed four new functions under Get-ProductLicenses.ps1 to:

      • Retrieve all product licenses in a tenant.
      • Retrieve licenses assigned by user.
      • Fetch Entra security default status.
      • Include a compatibility checker to identify whether certain Extractor Suite cmdlets can run based on existing license levels.

    • Added Get-Groups.ps1 to retrieve all groups in Azure AD, group memberships, and dynamic group configurations.

  • WellKnitTech:
    • Fixed several typos across scripts.

  • Cirosec:
    • Added an output option for SOF-ELK in the Get-UAL cmdlets and Get-ADSignInLogsGraph.

  • Matthijs Vos:
    • Implemented MessageTraceV2, enabling data queries up to 90 days back.

    • Consolidated the separate functions (Get-UALAll, Get-UALGroup, Get-UALSpecific, and Get-UALSpecificActivity) into a single Get-UAL function.

Functionality Improvements

  • Enhanced Terminal Output: Improved the terminal output across all functionalities, making it more informative and user-friendly.

  • Get-Users: Added extra properties to the Get-Users function, as requested by evild3ad, to provide more detailed user data.

  • Get-ConditionalAccessPolicies: Added extra fields to Get-ConditionalAccessPolicies to ensure complete data retrieval, addressing gaps in policy data.

  • Get-Emails Issue Resolution:

    • Added a prefix to all emails downloaded by Get-Emails to resolve an issue reported by SecurityAura, where identical email message IDs were causing the overwriting of older emails.
    • Implemented try/catch blocks in Get-Emails to handle cases where the received date could not be parsed. This ensures that the file is still saved, even without the date in the filename.
  • Get-MessageIDs Fix: Added a prefix to all emails downloaded by Get-MessageIDs to address the same issue of email message ID duplication, preventing overwriting of older emails.

  • MessageTraceV2 Implementation: Thanks to Matthijs Vos, the MessageTraceV2 functionality was implemented, allowing data queries up to 90 days back.
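The Get-Emails and Get-MessageIDs fixes above both come down to how the output filename is built. As an added example (not the Extractor Suite's own code), the function below builds a filename from a running index prefix, the received date, the subject and the InternetMessageId: the index keeps two messages that share a Message-ID from overwriting each other, and the date is parsed inside try/catch so an unparsable value simply drops out of the name instead of aborting the save. The sample messages at the bottom are constructed; the function name and parameters are illustrative.

```powershell
# Added example, not the Extractor Suite's own code.
function Get-EmlFileName {
    param(
        [Parameter(Mandatory)][int]$Index,               # running counter, the uniqueness prefix
        [Parameter(Mandatory)][string]$InternetMessageId,
        [string]$ReceivedDateTime,                       # ISO-8601 from Graph, may be missing or malformed
        [string]$Subject = ''
    )
    # Message-IDs are wrapped in <> and subjects may hold path separators; neutralise both.
    $invalid = [regex]::Escape(-join [IO.Path]::GetInvalidFileNameChars())
    $id   = $InternetMessageId.Trim('<', '>') -replace "[$invalid]", '_'
    $subj = $Subject -replace "[$invalid]", '_'
    if ($subj.Length -gt 60) { $subj = $subj.Substring(0, 60) }

    $date = $null
    try {
        $parsed = [datetime]::Parse($ReceivedDateTime, [cultureinfo]::InvariantCulture,
                                    [Globalization.DateTimeStyles]::AdjustToUniversal)
        $date = $parsed.ToString('yyyyMMdd_HHmmss')
    } catch {
        # Unparsable or empty date: keep going, the file is still saved without it.
        $date = $null
    }

    $parts = @(('{0:D5}' -f $Index), $date, $subj, $id) | Where-Object { $_ }
    return (($parts -join '-') + '.eml')
}

# Constructed sample: two messages carrying the same Message-ID, one with a bad date.
$sampleMessages = @(
    @{ internetMessageId = '<abc123@example.com>'; receivedDateTime = '2024-01-22T15:01:00Z'; subject = 'Invoice' },
    @{ internetMessageId = '<abc123@example.com>'; receivedDateTime = 'not-a-date';           subject = 'Re: Invoice/2' }
)
$i = 0
foreach ($m in $sampleMessages) {
    $i++
    Get-EmlFileName -Index $i -InternetMessageId $m.internetMessageId `
                    -ReceivedDateTime $m.receivedDateTime -Subject $m.subject
}
```

Both sample messages get distinct names because the index comes first, and the second still gets a usable name although its date is rejected.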

Function Name Changes
To avoid confusion with Active Directory, the following function name changes have been made:

Get-ADSignInLogs → Get-EntraSignInLogs
Get-ADAuditLogs → Get-EntraAuditLogs
Get-ADSignInLogsGraph → Get-GraphEntraSignInLogs
Get-ADAuditLogsGraph → Get-GraphEntraAuditLogs

Bug Fixes

  • Get-UAL Loop Issue: Fixed a bug that caused the Get-UAL function to enter an endless loop when the interval dropped below one minute. This was resolved by allowing decimals in the interval instead of rounding it to one digit.

  • Token Retrieval for Azure Logs: Resolved an issue where token retrieval for Get-AzureActivityLogs and Get-DirectoryActivityLogs failed due to a Microsoft update. The Get-AZAccessToken method is now used to ensure proper token collection.

Deprecation of Admin Audit Log and Search Mailbox Audit Log

  • Search-AdminAuditLog Deprecation: The Search-AdminAuditLog cmdlet is deprecated. The Get-AdminAuditLog now uses Search-UnifiedAuditLog -RecordType 'ExchangeAdmin' to retrieve administrator logs.

  • Search-MailboxAuditLog Deprecation: The Search-MailboxAuditLog cmdlet is deprecated. The Get-MailboxAuditLog now uses Search-UnifiedAuditLog -RecordType 'ExchangeItem' to retrieve mailbox audit logs.

Update V2.1.1 - Updates & Improvements

29 Oct 17:56

Improvements

  • Accepted pull request from @angry-bender updating the date format in Get-UALGraph for improved readability and consistency.
  • Corrected a typo in the $filePath variable when using the -Download flag in Get-MessageIDs.
  • Implemented suggestions from @Calvindd2f to add additional parameters for connection scripts. Users can now connect using an access token.
  • Reworked the $areYouConnected functionality for the UAL scripts.
  • Introduced the -All parameter to Get-ADAuditLogsGraph. By default, filtering with the UserIds field retrieves only actions directly performed by the specified user. With the new -All flag, the command now includes all related events involving the user, such as events where an MFA device was added for them.
  • Fixed an issue where the merge output would throw "out of memory" errors. Now, while merging the output files, each file is written directly to the merged output file instead of reading everything into memory first and then saving it.
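The memory fix described in the last item is a streaming merge. As an added example (not the Extractor Suite's own code), the function below opens the merged file once and copies each part through a reader one at a time: for CSV it writes the header once and streams the remaining lines; for JSON it reads one part at a time, strips that part's outer brackets and joins the bodies into a single array. The sample parts are constructed in a temp directory; the function name and parameters are illustrative.

```powershell
# Added example, not the Extractor Suite's own code.
function Merge-OutputFiles {
    param(
        [Parameter(Mandatory)][string]$InputDirectory,
        [Parameter(Mandatory)][string]$OutputFile,
        [ValidateSet('CSV', 'JSON')][string]$Format = 'CSV'
    )
    $files  = @(Get-ChildItem -Path $InputDirectory -File -Filter "*.$($Format.ToLower())" | Sort-Object Name)
    $writer = [IO.StreamWriter]::new($OutputFile, $false, [Text.UTF8Encoding]::new($false))
    try {
        $first = $true       # CSV: header written only for the first part
        $wroteAny = $false   # JSON: comma needed only after a non-empty part
        if ($Format -eq 'JSON') { $writer.Write('[') }
        foreach ($f in $files) {
            $reader = [IO.StreamReader]::new($f.FullName)
            try {
                if ($Format -eq 'CSV') {
                    $header = $reader.ReadLine()
                    if ($first) { $writer.WriteLine($header) }
                    # Stream line by line: only one line is ever held in memory.
                    while ($null -ne ($line = $reader.ReadLine())) { $writer.WriteLine($line) }
                } else {
                    # One part at a time: strip its enclosing [ ] and append the body.
                    $body = $reader.ReadToEnd().Trim()
                    if ($body.StartsWith('[')) { $body = $body.Substring(1) }
                    if ($body.EndsWith(']'))   { $body = $body.Substring(0, $body.Length - 1) }
                    $body = $body.Trim()
                    if ($body) {
                        if ($wroteAny) { $writer.Write(',') }
                        $writer.Write($body)
                        $wroteAny = $true
                    }
                }
            } finally { $reader.Dispose() }
            $first = $false
        }
        if ($Format -eq 'JSON') { $writer.Write(']') }
    } finally { $writer.Dispose() }
    return $files.Count
}

# Constructed sample: two CSV parts that each carry their own header.
$tmp = Join-Path ([IO.Path]::GetTempPath()) ('merge-demo-' + [guid]::NewGuid().ToString())
New-Item -ItemType Directory -Path $tmp > $null
@('Operation,UserId', 'MailItemsAccessed,alice@example.com') | Set-Content (Join-Path $tmp 'part1.csv')
@('Operation,UserId', 'New-InboxRule,bob@example.com')       | Set-Content (Join-Path $tmp 'part2.csv')
Merge-OutputFiles -InputDirectory $tmp -OutputFile (Join-Path $tmp 'merged.csv') -Format CSV
Get-Content (Join-Path $tmp 'merged.csv')
```

The JSON path assumes each part is a JSON array, which is what ConvertTo-Json produces for a collection; a part holding a single bare object would need wrapping first.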

As suggested by @evild3ad:

  • Updated the import command: Import-Module .\Microsoft-Extractor-Suite.psm1 -ArgumentList $true to suppress the logo output, optimizing it for automation scenarios.
  • Replaced remaining Write-Host commands in Get-Rules.ps1 with the custom Write-LogFile function for consistent logging.
  • Fixed an issue in Get-MailboxRules where using the -UserIDs flag with no rules found would incorrectly display the total inbox rules.
  • Added support for the -UserIds flag to Risky Users and Detections.
  • Added support for the -UserIds flag to the Get-MFA functionality.

Update V2.1.0 - Updates & Improvements

02 Oct 14:27

Get-MessageIDs:

  • Added try/catch to handle errors when attempting to download emails that have already been deleted from the mailbox.

Get-UAL Scripts:

  • Fixed JSON output format to ensure correct and consistent JSON formatting.

AzureADGraphLogs:

  • Merged pull request from @Matthijsy, adding additional details to the acquisition output for audit and sign-in logs.

Graph Sign-in Endpoint Update:

  • Changed to using the beta endpoint for sign-in logs, increasing the number of fields per event from 107 to 299, providing more useful data for analysis.

New Features & Enhancements:

  • Added -mergeoutput flag to Get-UALSpecificActivity, as suggested by @SecurityAura.
  • Added a warning when using the -Download flag in Get-MessageIDs without an active Graph connection, also as suggested by @SecurityAura.

Update V2.0.3 - Again some improvements & Bug fixes

23 Sep 13:35

General changes:

  • Fixed incorrect scope for Get-Emails in both the script and documentation.
  • Added mergeoutput flag for the Audit Logs Graph acquisition method.
  • Fixed mergeoutput to generate correct JSON format for Microsoft-Analyzer-Suite.
  • Added try/catch in the Activity Logs and Directory Activity Logs authentication flows to catch errors when the user is not connected.
  • Removed filter from Get-AzureDirectoryActivityLogs to ensure all events are collected.
  • Fixed a small logic error in Get-AdminUsers, preventing errors when removed user IDs are identified in a group.
  • Added -ObjectId parameter to Get-UALGraph.
  • Added -ObjectId parameter to all Unified Audit Log acquisition scripts.

Small fixes for Get-MailItemsAccessed:

  • Made -Download a switch parameter.
  • Fixed an issue where the InternetMessageId was not being retrieved correctly from the output.
  • Added a try/catch block to handle potential errors as they occur.

Update V2.0.2 - Improvements & Bug fixes

24 Jul 08:08

Based on suggestions by Angry-Bender:

  • Increased sleep timer by 5 seconds for the AD sign-in/audit logs.
  • Replaced break statements inside loops with throw statements in all scripts.
  • Fixed dates to be in a readable format again for the sign-in and audit logs. (Thanks to Calvindd2f for showing how to achieve this)
  • Get-GraphAuthType now checks whether the required scopes are present and, if not, attempts to set up a connection with them. This should save you from having to close the browser each time when consent has already been granted.

Fixed an issue reported by ReDoneX0 where the get-email was not saving in the correct EML format.

Had to fix a small error and can't update/remove the PowerShell Gallery listing, so I guess I'll just make it version 2.0.2.😓

Update V2.0 - Added acquisition for Azure Directory Activity logs and a variety of other improvements.

26 Jun 08:12

Acquisition for new log source added:

  • Added Azure Directory Activity logs.

Output Structure Improvements:
Restructured the output to write results to specific folders instead of multiple outputs in Userinfo. For instance, the MFA functionality now generates a new folder named MFA for its output.

Performance improvements inspired by Calvindd2f:

  • Replaced | Out-Null with > $null across multiple instances in the script for improved performance.
  • Redesigned the log-writing mechanism for increased speed.
  • Set default parameters in CmdletBindings across all scripts.
  • Moved the log-combining logic into its own function, separate from the functions that call it.

Authentication Type Detection:

  • Implemented functionality to automatically detect whether the user is logged in via Graph with delegated or application permissions. This prevents unnecessary errors by ensuring that the script connects with the appropriate scopes based on the authentication type.
  • Removed the need for the Application parameter. The script now automatically determines the authentication type in the background.

Optimized Graph API Requests:
Updated certain functionalities to use Invoke-MgGraphRequest instead of the Graph PowerShell Module cmdlets for improved performance and reliability.

  • The Get-MFA script now utilizes Invoke-MgGraphRequest to ensure all output is captured, including nested objects that were previously missed.
  • Get-Email, Get-Attachment and Show-Email now use Invoke-MgGraphRequest for better performance and reliability.
  • Get-UALGraph has been reworked and now uses Invoke-MgGraphRequest for better performance.
  • Get-RiskyUsers and Get-RiskyDetections both use Invoke-MgGraphRequest now.

Get-ADSignInLogsGraph and Get-ADAuditLogsGraph:
Inspired by code snippets from Calvindd2f, both functionalities have been reworked to use Invoke-MgGraphRequest. This change simplifies paging, eliminates the need for guessing the correct intervals, and allows for more efficient log retrieval. As a result, the script is now easier to use, faster, and should mitigate memory issues.
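The paging simplification described here, and the -All switch introduced for Get-ADAuditLogsGraph in V2.1.1, are shown together in the following added example (not the Extractor Suite's own code). It calls Invoke-MgGraphRequest against the directoryAudits endpoint and keeps following @odata.nextLink until the service stops returning one, so no interval guessing is needed. With -UserIds alone the filter keeps only events the user initiated; with -All it also keeps events that list the user among their targets, such as an MFA method being added for them. It assumes Connect-MgGraph has been run with AuditLog.Read.All; the function name and parameters are illustrative, and the two OData filter expressions are the ones I know this endpoint accepts and should be checked against the current Graph directoryAudits reference.

```powershell
# Added example, not the Extractor Suite's own code. Assumes Connect-MgGraph.
function Get-GraphAuditEvents {
    [CmdletBinding()]
    param(
        [datetime]$StartDate = (Get-Date).AddDays(-30),
        [datetime]$EndDate   = (Get-Date),
        [string[]]$UserIds,
        [switch]$All
    )
    $fmt = "yyyy-MM-dd'T'HH:mm:ss'Z'"
    $clauses = @(
        "activityDateTime ge $($StartDate.ToUniversalTime().ToString($fmt))",
        "activityDateTime le $($EndDate.ToUniversalTime().ToString($fmt))"
    )
    if ($UserIds) {
        $perUser = foreach ($u in $UserIds) {
            $safe = $u -replace "'", "''"    # escape single quotes for OData
            if ($All) {
                # Initiated by the user OR the user is one of the event's targets
                "(initiatedBy/user/userPrincipalName eq '$safe' or targetResources/any(t:t/userPrincipalName eq '$safe'))"
            } else {
                "initiatedBy/user/userPrincipalName eq '$safe'"
            }
        }
        $clauses += '(' + ($perUser -join ' or ') + ')'
    }
    $filter = [uri]::EscapeDataString($clauses -join ' and ')
    $uri = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?`$filter=$filter"

    $events = New-Object System.Collections.Generic.List[object]
    while ($uri) {
        $resp = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
        if ($resp.value) { $events.AddRange([object[]]@($resp.value)) }
        # nextLink is absent on the last page, which ends the loop.
        $uri = $resp.'@odata.nextLink'
    }
    return $events
}

# Usage: events where the user was the target as well as the actor, written as JSON.
# Get-GraphAuditEvents -UserIds 'alice@example.com' -All |
#     ConvertTo-Json -Depth 10 | Set-Content .\EntraAuditLogs.json -Encoding UTF8
```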

Get-ActivityLogs
This functionality now uses Invoke-RestMethod instead of the Azure (Az) PowerShell module cmdlets for improved performance and reliability. This change simplifies paging, eliminates the need to guess correct intervals, and enables more efficient log retrieval.

Read The Docs:
Updated Read The Docs so it's up to date with the latest changes.

areYouConnected:
The $areYouConnected function, which checks if the script can run the necessary actions and provides an error if it cannot, has been improved. It now displays the actual error message when the script fails, rather than a custom error message. Additionally, it no longer checks the module before running the main code (for most functions), making the script faster by avoiding unnecessary module checks.

Update V1.3.5 - Improvements to Get-AzureADLogs + Get AzureADGraphLogs

24 May 14:41

Get-AzureADLogs and Get-AzureADGraphLogs:

  • Changed the output directory names for the Audit and Sign-in logs to make it clearer which folders contain what logs.
  • Accepted pull request by angry-bender, which added the split by time feature to Get-AzureADAuditLogs with a 12-hour interval (larger dataset than SignInLogs).
  • Both Graph and AD collections for the audit logs and sign-in logs now support date and time instead of only date.
  • Added error handling to the Graph and AD functionalities to retry if they fail, ensuring all data is collected.

Get-Email

  • The functionality Get-Email now supports an input text file containing multiple message IDs, and the functionality will download all messages.

Update V1.3.4 - Bug fixes

29 Apr 07:09
  • Fixed a bug reported by Camel0101 where the number of log entries is not displayed in the Get-UALStatistics command.
  • Fixed a bug reported by SecurityAura where LogFile.txt gives errors when the default Output directory is not present.
  • Fixed an issue where the MergeOutput flag is not working correctly for Get-UALGroup and Get-UALSpecific.
  • As requested by evild3ad, the LastUpdatedDateTime has been added to the Get-MFA command.

Update V1.3.3 - Some bug fixes

12 Apr 08:50
eaa7bad
  • Fixed some functionalities that did not return valid JSON output:
    • Get-UALGraph
    • Get-ADAuditLogs
  • Removed incorrect parameter in the Azure Audit Logs documentation.
  • Removed incorrect example for the Get-Session functionality.
  • Added Microsoft-Analyzer-Suite by evild3ad to the readme.
  • Added a try/catch loop for Get-ActivityLogs as requested by angry-bender.
  • Fixed a bug in the Get-Sessions and Get-MessageIDs functionalities not correctly filtering.
  • Added an extra output to the Get-MFA functionality, now writing two CSV files with user registration details and authentication methods utilized in the environment.
  • Removed duplicate tempaccess/temporaryAccessPass in Get-MFA.
  • Accepted Pull Request from angry-bender fixing some date format issues with the Graph Sign-in functionality.

Introduced a merge output flag for Azure AD Graph logs and AD logs

26 Mar 15:32
  • Merge Output Option: Introduced a merge output flag for Azure AD Graph logs and AD logs.
  • File Naming Correction: Corrected an issue where the .json extension was missing from the filename for AD sign-in logs, ensuring files are correctly recognized and processed by tools expecting JSON format.
  • Option Renaming: The MergecsvOutput option has been renamed to MergeOutput to better reflect its functionality and to accommodate both CSV and JSON file formats.
  • Fixed bug with wrong version number in the version check.