{"id":13598408,"url":"https://github.com/invictus-ir/Microsoft-Extractor-Suite","last_synced_at":"2025-04-10T09:31:08.246Z","repository":{"id":40897587,"uuid":"496155745","full_name":"invictus-ir/Microsoft-Extractor-Suite","owner":"invictus-ir","description":"A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.","archived":false,"fork":false,"pushed_at":"2025-04-03T06:42:32.000Z","size":4436,"stargazers_count":603,"open_issues_count":4,"forks_count":89,"subscribers_count":23,"default_branch":"main","last_synced_at":"2025-04-03T07:34:48.201Z","etag":null,"topics":["microsoft","microsoft365"],"latest_commit_sha":null,"homepage":"https://microsoft-365-extractor-suite.readthedocs.io/en/latest/","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/invictus-ir.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"invictus-ir"}},"created_at":"2022-05-25T09:00:19.000Z","updated_at":"2025-04-03T06:42:37.000Z","dependencies_parsed_at":"2023-09-22T21:17:07.687Z","dependency_job_id":"35b488e2-e507-4375-8768-85bbd2190513","html_url":"https://github.com/invictus-ir/Microsoft-Extractor-Suite","commit_stats":null,"previous_names":[],"tags_count":16,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/invictus-ir%2FMicrosoft-Extractor-Suite","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/invictus-ir%2FMicrosoft-Extractor-Suite/tags","releases_url":"h
ttps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/invictus-ir%2FMicrosoft-Extractor-Suite/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/invictus-ir%2FMicrosoft-Extractor-Suite/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/invictus-ir","download_url":"https://codeload.github.com/invictus-ir/Microsoft-Extractor-Suite/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248191676,"owners_count":21062551,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["microsoft","microsoft365"],"created_at":"2024-08-01T17:00:52.347Z","updated_at":"2025-04-10T09:31:08.237Z","avatar_url":"https://github.com/invictus-ir.png","language":"PowerShell","funding_links":["https://github.com/sponsors/invictus-ir"],"categories":["PowerShell","Tools"],"sub_categories":["CLI"],"readme":"![alt text](https://github.com/invictus-ir/Microsoft-Extractor-Suite/blob/main/docs/source/Images/Invictus-Incident-Response.jpg?raw=true)\n![Language](https://img.shields.io/badge/Language-Powershell-blue)\n[![Documentation](https://img.shields.io/badge/Read%20the%20Docs-Documentation-blue)](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/)\n[![Latest Version](https://img.shields.io/powershellgallery/v/Microsoft-Extractor-Suite?label=Latest%20Version\u0026color=brightgreen)](https://www.powershellgallery.com/packages/Microsoft-Extractor-Suite)\n![GitHub 
stars](https://img.shields.io/github/stars/invictus-ir/Microsoft-Extractor-Suite?style=social)\n![Contributors](https://img.shields.io/github/contributors/invictus-ir/Microsoft-Extractor-Suite)\n![PS Gallery Downloads](https://img.shields.io/powershellgallery/dt/Microsoft-Extractor-Suite?label=PS%20Gallery%20Downloads)\n![Maintenance](https://img.shields.io/badge/Maintenance%20Level-Actively%20Developed-brightgreen)\n\n# Getting started with the Microsoft-Extractor-Suite\n\nTo get started with the Microsoft-Extractor-Suite, check out the [Microsoft-Extractor-Suite docs](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/).\n\n## About Microsoft-Extractor-Suite\nMicrosoft-Extractor-Suite is a fully featured, actively maintained PowerShell tool designed to streamline the process of collecting all necessary data and information from various sources within Microsoft.\n\nThe following Microsoft data sources are supported:\n* Unified Audit Log\n* Admin Audit Log\n* Mailbox Audit Log\n* Mailbox Rules\n* Transport Rules\n* Message Trace Logs\n* Entra ID Sign-In Logs\n* Entra ID Audit Logs\n* Azure Activity Logs\n* Azure Directory Activity Logs\n\nIn addition to the log sources above, the tool is also able to retrieve other relevant information:\n* Registered OAuth applications in Entra ID\n* The MFA status for all users\n* The creation time and date of the last password change for all users\n* The risky users\n* The risky detections\n* The conditional access policies\n* Administrator directory roles and their users\n* A specific or list of e-mail(s) or attachment(s)\n* Delegated permissions for all mailboxes in Microsoft 365.\n* Information about all devices registered in Entra ID. 
\n* Audit status and settings for all mailboxes in Microsoft 365.\n* Functions designed to gather information about groups.\n* Functions designed to gather information about licenses.\n\nMicrosoft-Extractor-Suite was created by Joey Rentenaar and Korstiaan Stam and is maintained by the [Invictus IR](https://www.invictus-ir.com/) team.\n\n## Usage\nTo get started with the Microsoft-Extractor-Suite tool, make sure the requirements are met. If you do not have the Connect-ExchangeOnline, AZ module and/or Connect-AzureAD installed, check [the installation guide](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/installation/Installation.html).\n\nInstall the Microsoft-Extractor-Suite toolkit:\n\u003e Install-Module -Name Microsoft-Extractor-Suite\n\nTo import the Microsoft-Extractor-Suite:\n\u003e Import-Module .\\Microsoft-Extractor-Suite.psd1\n\nYou must sign in to Microsoft 365 or Azure, depending on your use case, before running the functions. To sign in, use one of the cmdlets:\n\u003e Connect-M365 or Connect-ExchangeOnline\n\n\u003e Connect-Azure or Connect-AzureAD\n\n\u003e Connect-AzureAZ or Connect-AzAccount\n\n## Available Functions\n\n### Unified Audit Log\n- `Get-UAL` - Collect all Unified Audit Logs\n- `Get-UALStatistics` - Display the total number of logs within the Unified Audit Logs per Record Type\n- `Get-MailboxAuditLog` - Collect Mailbox Audit Logs\n- `Get-AdminAuditLog` - Collect Admin Audit Logs\n\n### Mailbox \u0026 Transport Rules\n- `Show-MailboxRules` - Show mailbox rules\n- `Get-MailboxRules` - Export mailbox rules\n- `Get-TransportRules` - Export transport rules\n- `Show-TransportRules` - Show transport rules\n\n### Mail and Message Tracking\n- `Get-MessageTraceLog` - Collect message tracking logs\n- `Get-Email` - Download specific or bulk emails\n- `Show-Email` - Show email content\n- `Get-Attachment` - Download email attachments\n- `Get-Sessions` - Collect session information related to MailItemsAccessed events\n- 
`Get-MessageIDs` - Extract message IDs from MailItemsAccessed events\n\n### Sign-In \u0026 Audit Logging\n- `Get-EntraAuditLogs` - Collect audit logs via AzureAD\n- `Get-EntraSignInLogs` - Collect sign-in logs via AzureAD\n- `Get-GraphEntraSignInLogs` - Collect sign-in logs via Graph API\n- `Get-GraphEntraAuditLogs` - Collect audit logs via Graph API\n\n### Activity Logging\n- `Get-ActivityLogs` - Collect activity logs\n- `Get-DirectoryActivityLogs` - Collect directory activity logs\n\n### OAuth apps\n- `Get-OAuthPermissions` - Collect OAuth application permissions via AZ module\n- `Get-OAuthPermissionGraph` - Collect OAuth application permissions via Graph API\n\n### User Related\n- `Get-Users` - Collect user information\n- `Get-AdminUsers` - Collect users with administrative privileges\n- `Get-MFA` - Collect MFA status for users\n- `Get-RiskyUsers` - Collect risky users\n- `Get-RiskyDetections` - Collect risky detection events\n\n### Conditional Access Policies\n- `Get-ConditionalAccessPolicies` - Collect conditional access policies\n\n### Device Management\n- `Get-Devices` - Collect device registration information\n\n### Permissions and Audit Settings\n- `Get-MailboxAuditStatus` - Collect the mailbox audit configurations\n- `Get-MailboxPermissions` - Collect delegated mailbox permissions\n\n### License Management\n- `Get-Licenses` - Collect all licenses in the tenant with retention times and premium license indicators\n- `Get-LicenseCompatibility` - Check the presence of E5, P2, P1, and E3 licenses and report functionality limitations\n- `Get-EntraSecurityDefaults` - Check the status of Entra ID security defaults\n- `Get-LicensesByUser` - Collect license assignments for all users in the tenant\n\n### Group Management\n- `Get-Groups` - Collect all groups in the organization including details such as group ID and display name\n- `Get-GroupMembers` - Collect all members of each group and their relevant details\n- `Get-DynamicGroups` - Collect all dynamic 
groups and their membership rules\n\n### Automatically collect everything you want\n- `Get-AllEvidence` - Collect all (almost) available evidence types automatically\n\n### Authentication \u0026 Session Management\n- `Connect-M365` - Connect to Microsoft 365 services\n- `Connect-Azure` - Connect to Azure/Entra ID\n- `Connect-AzureAZ` - Connect using Az module\n- `Disconnect-M365` - Disconnect from Microsoft 365 services\n- `Disconnect-Azure` - Disconnect from Azure/Entra ID\n- `Disconnect-AzureAZ` - Disconnect from Az module session\n\n## Related Projects\nTo enhance your analysis, consider exploring the [Microsoft-Analyzer-Suite](https://github.com/LETHAL-FORENSICS/Microsoft-Analyzer-Suite) developed by LETHAL FORENSICS. This suite offers a collection of PowerShell scripts specifically designed for analyzing Microsoft 365 and Microsoft Entra ID data, which can be extracted using the Microsoft-Extractor-Suite.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finvictus-ir%2FMicrosoft-Extractor-Suite","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finvictus-ir%2FMicrosoft-Extractor-Suite","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finvictus-ir%2FMicrosoft-Extractor-Suite/lists"}