Update V4.0.2 - Accepting PR's and small fixes

Bug Fixes:

• Fixed debug parameter error in Get-Roles and Get-SecurityAlerts (PR by @k8pl3r-sh)
• Fixed Start-EvidenceCollection "Custom base directory invalid" error (PR by @k8pl3r-sh)
• Fixed output directory bug in Start-EvidenceCollection reported by @etaylor77
• Fixed issue with excessive folder creation when downloading large volumes of emails via Get-Email

Improvements

• Changed folder format back to include hh:mm:ss timestamp to prevent logs being overwritten when running cmdlets multiple times with different filters (requested by @SecurityAura)
• Increased max retries from 3 to 5 for Get-GraphEntraSignInLogs
• Added UpdateInboxRules to the standard template

New Features

• Added -IPAddresses parameter to Get-UAL for filtering by IP address
• Added -DownloadDuplicates flag to Get-Email to control whether duplicate items should be downloaded

Update V4.0.1 - Bug fixes

• Fixed an issue with date parsing on non-US system cultures for Sign-in and Audit Log acquisition (thanks to @pikkunikke).
• Re-added missing JSONL support to Get-UAL (credit to @Bloggzy) and renamed “operation” to “operations” for consistency with Microsoft documentation and the Get-UALGraph function.
• Fixed a bug (reported by @Bloggzy) where using the -sofelk parameter together with the -mergeoutput flag caused merged data to lose the sofelk/JSONL format.
• Removed the legacy Get-OAuthPermissions function that relied on the deprecated AzureAD module.
• Refactored summary, output, and logging logic into reusable functions, suggested by @Matthijsy,to avoid duplication across scripts. Also made general improvements to Get-OAuthPermissionsGraph.
• Fixed a typo in the Get-Devices functionality (reported by @0xtter).
• Added -AuditDataOnly switch for Get-UAL to extract only the AuditData field from Unified Audit Logs, providing cleaner and more focused output.
• Improved Get-UALGraph to correctly display elapsed time in days when collection spans multiple days.

Update V4.0.0 - Start-MESTriage and more

New functions added:

• Get-SecurityAlerts - Retrieves security alerts from Microsoft Graph, choosing between Get-MgSecurityAlert and
  Get-MgSecurityAlertV2 based on the authentication type used.

• Get-PIMAssignments - Generates an overview of all Entra ID PIM role assignments.

• Get-AllRoleActivity - Exports all directory role memberships with last login information.

• Start-MesTriage - The Start-MESTriage function performs a quick security triage for specific users across Azure, Entra ID and Microsoft 365 environments. It executes multiple data collection tasks based on customizable templates, making it ideal for incident response and security investigations.

Get-MFAStatus:

• As suggested by Bloggzy, added phone numbers to MFA output when using the -IncludePhoneNumbers flag.

Other:

• Due to the deprecation of the AzureAD module, we removed the related commands Get-EntraSignInLogs and Get-EntraAuditLogs.

Added the following fields to the Get-AdminUsers output:

• LastInteractiveSignIn
• LastNonInteractiveSignIn
• DaysSinceLastSignIn

Pull Requests:
Accepted pull request by FlorianGross: added JSONL as an output format.
Accepted pull request by TheDFIRJournal: added SOF-ELK output support for Get-UALGraph.
Accepted pull request by Get-UAL Optimization, only uses ReturnLargeSet when needed.
Accepted pull request by Matthijsy: Added -LogLevel Debug support for detailed logging for all scripts
Accepted pull request by Matthijsy: Fix UAL interval calculation for small collections
Accepted pull request by evild3ad: Show-TransportRules and Get-TransportRules automatically convert the WhenChanged timestamp to UTC.

Bug Fixes:

• Sign-in Graph: Fixed issue where service principals and managed identities were incorrectly included when using the UserIds filter.
• Message Trace Logs: Fixed error during connection check caused by legacy Get-MessageTrace.
• Mailbox Rules: Fixed bug in get-mailboxrules where an empty $UserIds value caused the script to fail.

Update V3.0.4 - Updates & Improvements

Improvements:

• Added -UserIds parameter to Get-Users for filtering by specific user IDs.

• Renamed function OAuthPermissionGraph to OAuthPermissionsGraph for consistency with the non-Graph variant.

• Updated Get-UALGraph:

  • Added -MaxEventsPerFile parameter to specify the maximum number of events per output file. A new file is created once this limit is reached.
  • Added -SplitFiles parameter to enable automatic splitting of output into multiple files based on the specified event limit.
  • Accepted a pull request from @marbaugh adding CSV output format support.

• Get-UAL: Improved interval calculation logic when collecting logs. Previously, in large environments, timeout errors could cause the script to exit with no results. Now, if a timeout occurs, it falls back to calculating the interval based on a 1-day data sample. Also added a validation check to compare expected and actual log counts due to occasional inconsistencies in Search-UnifiedAuditLog.

• Get-UALStatistics: Introduced retry logic (up to 3 attempts) when timeouts occur. This helps ensure more reliable results in large environments. It’s recommended to reduce the time interval when running this command in such cases.

• Get-MailboxRules: Expanded the output to include several additional fields, providing deeper visibility into mailbox rule configurations. Thanks to @evild3ad for pointing out the missing fields.

• Added Get-MailboxAuditLogLegacy, which uses the old/deperaceded way of collecting the mailbox audit logs. According to MS it should not work anymore and you should use the UAL since the logs are in there as well. However, it still seems to be working we had some cases where the UAL was disabled and we managed to get logs via this way.

• Added guidance on the differences between delegated and application permissions, clarifying usage scenarios and helping users choose the appropriate one for their needs.

Bug Fixes:

• Fixed an issue in Get-AzureActivityLogs where an error was thrown when no subscriptions were found.
• Get-MessageIDs: Added additional error handling to avoid script failure when multiple IDs are returned.
• Get-GraphEntraSignInLogs: Implemented retry and catch logic to handle re-authentication during timeout scenarios.

Update V3.0.3 - Bug fixes

• a bug reported by evild3ad in Get-OAuthPermissionsGraph, now correctly showing whether the application is enabled or disabled.
• Fixed a bug reported by SecurityAura where Get-GraphEntraSignInLogs -EventTypes nonInteractiveUser was not working as expected, along with some incorrect information in ReadTheDocs.
• Fixed a bug reported by suvis1 where Get-MessageIDs was not working correctly due to incorrect parameter mapping.

Update V3.0.2 - Updates & Improvements

New Features & Improvements:

• Implemented a Graph-based variant for collecting OAuth applications: Get-OAuthPermissionGraph (credit to @evild3ad).
• Added -encoding flag to Message Trace and Activity Directory logs (thanks to @pgarcia-ncd for the contribution).
• Introduced -OutputDir option to Start-EvidenceCollection, requested by @DoubtfulTurnip.
• Updated the Prerequisites page in Read The Docs with improvements.
• Added MaxItemsPerInterval to Get-UAL, allowing users to specify the maximum number of items processed per interval (range: 5000–50000).
• Added Get-OAuthPermissionGraph to the automatic collection when running Start-EvidenceCollection.

Bug Fixes:

• Get-MailItemsAccessed.ps1 now strictly accepts Yes/No for the -Output field to prevent errors from entering just Y.

• Resolved an issue with the -MergeOutput flag in Get-UAL when selecting a group (reported by @Matthijsy).

• Fixed a bug in the Microsoft cmdlet’s beta variant that caused missing log types (nonInteractiveUser, servicePrincipal, and managedIdentity) (microsoftgraph/msgraph-sdk-powershell#2753). The filter now ensures all event types are collected correctly.

• Sign-in logs collection via Graph now generates separate files for:

  • servicePrincipal
  • interactiveUser + nonInteractiveUser
  • ManagedIdentity

Update v3.0.0 – New Features and lots of improvements

New Functionalities Added to the Extractor Suite

• Get-AuditLogSettings - Retrieves audit status and settings for all mailboxes in Microsoft 365, including detailed information about mailbox audit settings, audit status, bypass settings, and configured audit actions for owners, delegates, and administrators.

• Get-MailboxPermissions - Retrieves detailed information about mailbox delegated permissions, including Full Access, Send As, Send on Behalf, Calendar permissions, and Inbox permissions for all mailboxes in Microsoft 365.

• Get-Devices - Retrieves information about all devices registered in Azure AD/Entra ID, including detailed information about device status, operating system details, trust type, and management information. Thanks to InfoSecGeoff for the input.

• Start-EvidenceCollection - Automates the collection of evidence from Microsoft 365 and Azure/Entra ID environments, supporting both interactive and automated collection modes with customizable scope and filtering options. You can kick-off this function and all Azure/Entra ID and Microsoft logs will be automatically acquired.

• Get-Licenses - Retrieves all licenses in the tenant with retention times and premium license indicators.

• Get-LicensesByUser - Retrieves license assignments for all users in the tenant.

• Get-EntraSecurityDefaults - Checks the status of Entra ID security defaults.

• Get-LicenseCompatibility - Checks the presence of E5, P2, P1, and E3 licenses and informs about functionality limitations.

• Get-Groups - Retrieves all groups in the organization, including their configuration and settings.

• Get-GroupMembers - Enumerates all members of every group in the organization.

• Get-DynamicGroups - Retrieves all dynamic groups and their membership rules, which determine automatic user inclusion.

SOF-ELK Support

• Unified Audit Log Acquisition: Introduced the -SOF-ELK parameter for the Unified Audit Log acquisition function, ensuring that JSON output is formatted according to SOF-ELK requirements. Special thanks to Cirosec for the contribution.

• Sign-in Logs via Graph API: Incorporated the -SOF-ELK parameter to the Get-GraphEntraSignInLogs function, ensuring that sign-in logs retrieved through Graph are correctly formatted for SOF-ELK.

• Audit Logs via Graph API: Incorporated the -SOF-ELK parameter into the Get-GraphEntraAuditLogs function, ensuring that audit logs fetched via Graph are correctly formatted for SOF-ELK.

Unified Audit Logs Improvements

• Default History Retrieval: The Get-UAL function now retrieves 180 days of history by default when no start date is provided, simplifying data retrieval for extended periods.

• Function Consolidation: Consolidated the following functions into a single Get-UAL function this change makes the tool more intuitive and easier to use, as suggested by Matthijs Vos:

Get-UALAll
Get-UALGroup
Get-UALSpecific
Get-UALSpecificActivity

• Improved Result Retrieval: Implemented a new approach to retrieve 50,000 results using the ReturnLargeSet method with a session ID. The function loops over the results to collect all data in a single operation, which is faster than retrieving 5,000 results at a time. This reduces unnecessary API calls, improving the efficiency of the data collection process.

• Optimized Log Collection: Reworked the Unified Audit Log script to dynamically calculate the optimal interval for log retrieval based on the time range and estimated number of results, replacing the fixed default interval of 720 minutes. This adjustment speeds up the log collection.

LogLevel Parameter Added to All Scripts

• A LogLevel parameter has been introduced across all scripts, offering flexibility in managing logging output. The available options are:

  • None: No logging output generated.
  • Minimal: Only critical errors that impact execution are logged.
  • Standard: Regular operational information is logged (default setting).

• Optimized for Automation: This new feature enables better control over logging in automated environments by reducing excessive terminal output, making it ideal for use in automation workflows.

• Integration with Start-EvidenceCollection: The LogLevel parameter is also integrated with the new Start-EvidenceCollection functionality.

Read The Docs Update

• The documentation has been updated to reflect the newly added functionalities.

• Quality of Life Improvements.

Accepted Pull Requests

• InfoSecGeoff:

  • Fixed issues with System.Object[] fields in the Get-MFA output.

  • Replaced the deprecated search-adminauditlog cmdlet with Search-UnifiedAudit, filtered by the record type ExchangeAdmin.

  • Added a disconnect function to all connect scripts for improved session management.

  • Created a user device retrieval script, and merged this with our Get-Devices function.

  • Developed four new functions under Get-ProductLicenses.ps1 to:

    • Retrieve all product licenses in a tenant.
    • Retrieve licenses assigned by user.
    • Fetch Entra security default status.

  • Include a compatibility checker to identify whether certain Extractor Suite cmdlets can run based on existing license levels.

  • Added Get-Groups.ps1 to retrieve all groups in Azure AD, group memberships, and dynamic group configurations.

WellKnitTech:

• Fixed several typos across scripts.

Cirosec:

• Added an output option for SOF-ELK in the Get-UAL cmdlets and Get-ADSignInLogsGraph.

Matthijs Vos:

• Implemented MessageTraceV2, enabling data queries up to 90 days back.

• Consolidated the separate functions (Get-UALAll, Get-UALGroup, Get-UALSpecific, and Get-UALSpecificActivity) into a single Get-UAL function.

Functionality Improvements

• Enhanced Terminal Output: Improved the terminal output across all functionalities, making it more informative and user-friendly.

• Get-Users: Added extra properties to the Get-Users function, as requested by evild3ad, to provide more detailed user data.

• Get-ConditionalAccessPolicies: Added extra fields to Get-ConditionalAccessPolicies to ensure complete data retrieval, addressing gaps in policy data.

• Get-Emails Issue Resolution:

  • Added a prefix to all emails downloaded by Get-Emails to resolve an issue reported by SecurityAura, where identical email message IDs were causing the overwriting of older emails.
  • Implemented try/catch blocks in Get-Emails to handle cases where the received date could not be parsed. This ensures that the file is still saved, even without the date in the filename.

• Get-MessageIDs Fix: Added a prefix to all emails downloaded by Get-MessageIDs to address the same issue of email message ID duplication, preventing overwriting of older emails.

• MessageTraceV2 Implementation: Thanks to Matthijs Vos, the MessageTraceV2 functionality was implemented, allowing data queries up to 90 days back.

Function Name Changes
To avoid confusion with Active Directory, the following function name changes have been made:

Get-ADSignInLogs → Get-EntraSignInLogs
Get-ADAuditLogs → Get-EntraAuditLogs
Get-ADSignInLogsGraph → Get-GraphEntraSignInLogs
Get-ADAuditLogsGraph → Get-GraphEntraAuditLogs

Bug Fixes

• Get-UAL Loop Issue: Fixed a bug that caused the Get-UAL function to enter an endless loop when the interval dropped below one minute. This was resolved by allowing decimals in the interval instead of rounding it to one digit.

• Token Retrieval for Azure Logs: Resolved an issue where token retrieval for Get-AzureActivityLogs and Get-DirectoryActivityLogs failed due to a Microsoft update. The Get-AZAccessToken method is now used to ensure proper token collection.

Deprecation of Admin Audit Log and Search Mailbox Audit Log

• Search-AdminAuditLog Deprecation: The Search-AdminAuditLog cmdlet is deprecated. The Get-AdminAuditLog now uses Search-UnifiedAuditLog -RecordType 'ExchangeAdmin' to retrieve administrator logs.

• Search-MailboxAuditLog Deprecation: The Search-MailboxAuditLog cmdlet is deprecated. The Get-MailboxAuditLog now uses Search-UnifiedAuditLog -RecordType 'ExchangeItem' to retrieve mailbox audit logs.

Update V2.1.1 - Updates & Improvements

Improvements

• Accepted pull request from @angry-bender updating the date format in Get-UALGraph for improved readability and consistency.
• Corrected a typo in the $filePath variable when using the -Download flag in Get-MessageIDs.
• Implemented suggestions from @Calvindd2f to add additional parameters for connection scripts. Users can now connect using an access token.
• Reworked the $areYouConnected functionality for the UAL scripts.
• Introduced the -All parameter to Get-ADAuditLogsGraph. By default, filtering with the UserIds field retrieves only actions directly performed by the specified user. With the new -All flag, the command now includes all related events involving the user, such as events where an MFA device was added for them.
• Fixed an issue where the merge output would throw "out of memory" errors. Now, while merging the output files, each file is written directly to the merged output file instead of reading everything into memory first and then saving it.

As suggested by @evild3ad:

• Updated the import command: Import-Module .\Microsoft-Extractor-Suite.psm1 -ArgumentList $true to suppress the logo output, optimizing it for automation scenarios.
• Replaced remaining Write-Host commands in Get-Rules.ps1 with the custom Write-LogFile function for consistent logging.
• Fixed an issue in Get-MailboxRules where using the -UserIDs flag with no rules found would incorrectly display the total inbox rules.
• Added support for the -UserIds flag to Risky Users and Detections.
• Added support for the -UserIds flag to the Get-MFA functionality.

Update V2.1.0 - Updates & Improvements

Get-MessageIDs:

• Added try/catch to handle errors when attempting to download emails that have already been deleted from the mailbox.

Get-UAL Scripts:

• Fixed JSON output format to ensure correct and consistent JSON formatting.

AzureADGraphLogs:

• Merged pull request from @Matthijsy, adding additional details to the acquisition output for audit and sign-in logs.

Graph Sign-in Endpoint Update:

• Changed to using the beta endpoint for sign-in logs, increasing the number of fields per event from 107 to 299, providing more useful data for analysis.

New Features & Enhancements:

• Added -mergeoutput flag to Get-UALSpecificActivity, as suggested by @SecurityAura.
• Added a warning when using the -Download flag in Get-MessageIDs without an active Graph connection, also as suggested by @SecurityAura.

Update V2.0.3 - Again some improvements & Bug fixes

General changes:

• Fixed incorrect scope for Get-Emails in both the script and documentation.
• Added mergeoutput flag for the Audit Logs Graph acquisition method.
• Fixed mergeoutput to generate correct JSON format for Microsoft-Analyzer-Suite.
• Added try/catch in the Activity Logs and Directory Activity Logs authentication flows to catch errors when the user is not connected.
• Removed filter from Get-AzureDirectoryActivityLogs to ensure all events are collected.
• Fixed a small logic error in Get-AdminUsers, preventing errors when removed user IDs are identified in a group.
• Added -ObjectId parameter to Get-UALGraph
• Added -ObjectId parameter to all Unified Audit Log acquisition scripts

Small fixes for Get-MailItemsAccessed:

• Made -Download a switch parameter.
• Fixed an issue where the InternetMessageId was not being retrieved correctly from the output.
• Added a try/catch block to handle potential errors as they occur.