It has been 7 months since we released version 2, but today is the day we are excited to announce version 3. It is our biggest release to date, and in this post we will highlight the important bits. If you can't wait to get started, open PowerShell and run:
Install-Module Microsoft-Extractor-Suite
or update with:
Update-Module Microsoft-Extractor-Suite
Release notes
New features
- Start-EvidenceCollection - Automates the collection of evidence from Microsoft 365 and Azure/Entra ID environments, supporting both interactive and automated collection modes with customizable scope and filtering options. You can kick off this function and all Azure/Entra ID and Microsoft 365 logs will be acquired automatically.
- Get-AuditLogSettings - Retrieves audit status and settings for all mailboxes in Microsoft 365, including detailed information about mailbox audit settings, audit status, bypass settings, and configured audit actions for owners, delegates, and administrators.
- Get-MailboxPermissions - Retrieves detailed information about mailbox delegated permissions, including Full Access, Send As, Send on Behalf, Calendar permissions, and Inbox permissions for all mailboxes in Microsoft 365.
- Get-Devices - Retrieves information about all devices registered in Azure AD/Entra ID, including detailed information about device status, operating system details, trust type, and management information. Thanks to InfoSecGeoff for the input.
- Get-Licenses - Retrieves all licenses in the tenant with retention times and premium license indicators.
- Get-LicensesByUser - Retrieves license assignments for all users in the tenant.
- Get-EntraSecurityDefaults - Checks the status of Entra ID security defaults.
- Get-LicenseCompatibility - Checks the presence of E5, P2, P1, and E3 licenses and informs about functionality limitations.
- Get-Groups - Retrieves all groups in the organization, including their configuration and settings.
- Get-GroupMembers - Enumerates all members of every group in the organization.
- Get-DynamicGroups - Retrieves all dynamic groups and their membership rules, which determine automatic user inclusion.
SOF-ELK Support
- Unified Audit Log Acquisition: Introduced the -SOF-ELK parameter for the Unified Audit Log acquisition function, ensuring that JSON output is formatted according to SOF-ELK requirements. Special thanks to Cirosec for the contribution.
- Sign-in Logs via Graph API: Incorporated the -SOF-ELK parameter to the Get-GraphEntraSignInLogs function, ensuring that sign-in logs retrieved through Graph are correctly formatted for SOF-ELK.
- Audit Logs via Graph API: Incorporated the -SOF-ELK parameter into the Get-GraphEntraAuditLogs function, ensuring that audit logs fetched via Graph are correctly formatted for SOF-ELK.
Unified Audit Logs Improvements
- Default History Retrieval: The Get-UAL function now retrieves 180 days of history by default when no start date is provided, simplifying data retrieval for extended periods.
- Function Consolidation: Consolidated the following functions into a single Get-UAL function. This change makes the tool more intuitive and easier to use, as suggested by Matthijs Vos:
Get-UALAll
Get-UALGroup
Get-UALSpecific
Get-UALSpecificActivity
- Improved Result Retrieval: Implemented a new approach that retrieves up to 50,000 results per session using the ReturnLargeSet method combined with a session ID. The function loops over the pages of a session to collect all data in a single operation, which is faster than retrieving 5,000 results per query. This reduces unnecessary API calls and improves the efficiency of the data collection process.
- Optimized Log Collection: Reworked the Unified Audit Log script to dynamically calculate the optimal interval for log retrieval based on the time range and estimated number of results, replacing the fixed default interval of 720 minutes. This adjustment speeds up the log collection.
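As an added illustration of the ReturnLargeSet paging and the dynamic interval described in the two items above, here is a PowerShell sketch against the Exchange Online cmdlet Search-UnifiedAuditLog. This is not the module's own Get-UAL code: the function names Get-UALWindow and Get-UALSplit, the 45,000-per-window budget and the probe-based estimate are assumptions, and an existing Connect-ExchangeOnline session is assumed.

```powershell
# Page through one time window with -SessionCommand ReturnLargeSet, which hands back
# up to 50,000 records per session in pages of up to 5,000, tied together by a session ID.
function Get-UALWindow {
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate
    )
    $sessionId = [guid]::NewGuid().ToString()   # fresh session per window
    $records = [System.Collections.Generic.List[object]]::new()
    do {
        $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $records.AddRange(@($page)) }
        # Every record carries ResultIndex/ResultCount; stop once the last page is consumed.
    } while ($page -and $page[-1].ResultIndex -lt $page[-1].ResultCount)
    if ($records.Count -ge 50000) {
        Write-Warning "Window $StartDate - $EndDate hit the 50,000 session ceiling; use a smaller window."
    }
    return $records
}

# Assumed heuristic (not the module's algorithm): probe the whole range with a one-record
# query, read ResultCount as the estimate, and size windows so each stays under the ceiling.
function Get-UALSplit {
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [int]$MaxPerWindow = 45000
    )
    $probe = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
        -SessionId ([guid]::NewGuid().ToString()) -SessionCommand ReturnLargeSet -ResultSize 1
    $total = if ($probe) { [int]$probe[0].ResultCount } else { 0 }
    if ($total -eq 0) { return @() }
    $windows = [math]::Max(1, [math]::Ceiling($total / $MaxPerWindow))
    # Keep the interval as fractional minutes; rounding it to one digit is what let the
    # old fixed-interval loop stall once the interval dropped below a minute.
    $minutes = ($EndDate - $StartDate).TotalMinutes / $windows
    $all = [System.Collections.Generic.List[object]]::new()
    $cursor = $StartDate
    while ($cursor -lt $EndDate) {
        $next = $cursor.AddMinutes($minutes)
        if ($next -gt $EndDate) { $next = $EndDate }
        $all.AddRange(@(Get-UALWindow -StartDate $cursor -EndDate $next))
        $cursor = $next
    }
    return $all
}
```

Because ResultCount is only an estimate of how evenly events are spread across the range, a dense window can still hit the ceiling; the warning in Get-UALWindow is the cue to re-run that window with a smaller interval.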
LogLevel Parameter Added to All Scripts
- The LogLevel parameter has been introduced across all scripts, offering flexibility in managing logging output. The available options are:
  - None: No logging output generated.
  - Minimal: Only critical errors that impact execution are logged.
  - Standard: Regular operational information is logged (default setting).
- Optimized for Automation: This new feature enables better control over logging in automated environments by reducing excessive terminal output, making it ideal for use in automation workflows.
- Integration with Start-EvidenceCollection: The LogLevel parameter is also integrated with the new Start-EvidenceCollection functionality.
Read The Docs Update
- The documentation has been updated to reflect the newly added functionalities.
- Quality of Life Improvements.
Accepted Pull Requests
- InfoSecGeoff:
  - Fixed issues with System.Object[] fields in the Get-MFA output.
  - Replaced the deprecated Search-AdminAuditLog cmdlet with Search-UnifiedAuditLog, filtered by the record type ExchangeAdmin.
  - Added a disconnect function to all connect scripts for improved session management.
  - Created a user device retrieval script, which was merged with our Get-Devices function.
  - Developed four new functions under Get-ProductLicenses.ps1 to:
    - Retrieve all product licenses in a tenant.
    - Retrieve licenses assigned by user.
    - Fetch Entra security default status.
    - Include a compatibility checker to identify whether certain Extractor Suite cmdlets can run based on existing license levels.
  - Added Get-Groups.ps1 to retrieve all groups in Azure AD, group memberships, and dynamic group configurations.
- WellKnitTech:
  - Fixed several typos across scripts.
- Cirosec:
  - Added an output option for SOF-ELK in the Get-UAL cmdlets and Get-ADSignInLogsGraph.
- Matthijs Vos:
  - Implemented MessageTraceV2, enabling data queries up to 90 days back.
  - Consolidated the separate functions (Get-UALAll, Get-UALGroup, Get-UALSpecific, and Get-UALSpecificActivity) into a single Get-UAL function.
Functionality Improvements
- Enhanced Terminal Output: Improved the terminal output across all functionalities, making it more informative and user-friendly.
- Get-Users: Added extra properties to the Get-Users function, as requested by evild3ad, to provide more detailed user data.
- Get-ConditionalAccessPolicies: Added extra fields to Get-ConditionalAccessPolicies to ensure complete data retrieval, addressing gaps in policy data.
- Get-Emails Issue Resolution:
  - Added a prefix to all emails downloaded by Get-Emails to resolve an issue reported by SecurityAura, where identical email message IDs were causing the overwriting of older emails.
  - Implemented try/catch blocks in Get-Emails to handle cases where the received date could not be parsed. This ensures that the file is still saved, even without the date in the filename.
- Get-MessageIDs Fix: Added a prefix to all emails downloaded by Get-MessageIDs to address the same issue of email message ID duplication, preventing overwriting of older emails.
- MessageTraceV2 Implementation: Thanks to Matthijs Vos, the MessageTraceV2 functionality was implemented, allowing data queries up to 90 days back.
Function Name Changes
To avoid confusion with Active Directory, the following function name changes have been made:
Get-ADSignInLogs → Get-EntraSignInLogs
Get-ADAuditLogs → Get-EntraAuditLogs
Get-ADSignInLogsGraph → Get-GraphEntraSignInLogs
Get-ADAuditLogsGraph → Get-GraphEntraAuditLogs
Bug Fixes
- Get-UAL Loop Issue: Fixed a bug that caused the Get-UAL function to enter an endless loop when the interval dropped below one minute. This was resolved by allowing decimals in the interval instead of rounding it to one digit.
- Token Retrieval for Azure Logs: Resolved an issue where token retrieval for Get-AzureActivityLogs and Get-DirectoryActivityLogs failed due to a Microsoft update. The Get-AZAccessToken method is now used to ensure proper token collection.
Deprecation of Admin Audit Log and Search Mailbox Audit Log
- Search-AdminAuditLog Deprecation: The Search-AdminAuditLog cmdlet is deprecated. The Get-AdminAuditLog now uses Search-UnifiedAuditLog -RecordType 'ExchangeAdmin' to retrieve administrator logs.
- Search-MailboxAuditLog Deprecation: The Search-MailboxAuditLog cmdlet is deprecated. The Get-MailboxAuditLog now uses Search-UnifiedAuditLog -RecordType 'ExchangeItem' to retrieve mailbox audit logs.
Examples
This and much more, all for the grand price of $0. If you want to support our efforts, consider engaging us for support with analysis, training or our other services.
About Invictus Incident Response
We are an incident response company and we ❤️ the cloud. We specialize in supporting organizations in preparing for and responding to a cyber attack. We help our clients stay undefeated!
🆘 For incident response support, reach out to cert@invictus-ir.com or go to https://www.invictus-ir.com/24-7