https://github.com/invictus-ir/Microsoft-Extractor-Suite
A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.
https://github.com/invictus-ir/Microsoft-Extractor-Suite
microsoft microsoft365
Last synced: 6 days ago
JSON representation
A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.
- Host: GitHub
- URL: https://github.com/invictus-ir/Microsoft-Extractor-Suite
- Owner: invictus-ir
- License: gpl-2.0
- Created: 2022-05-25T09:00:19.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2025-04-03T06:42:32.000Z (13 days ago)
- Last Synced: 2025-04-03T07:34:48.201Z (13 days ago)
- Topics: microsoft, microsoft365
- Language: PowerShell
- Homepage: https://microsoft-365-extractor-suite.readthedocs.io/en/latest/
- Size: 4.23 MB
- Stars: 603
- Watchers: 23
- Forks: 89
- Open Issues: 4
-
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
- License: LICENSE
Awesome Lists containing this project
- awesome-rainmana - invictus-ir/Microsoft-Extractor-Suite - A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes. (PowerShell)
- awesome-entra - Microsoft-Extractor-Suite - Invictus IR - PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes. [](https://badgen.net/github/stars/invictus-ir/Microsoft-Extractor-Suite) (Tools / CLI)
README
[](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/)
[](https://www.powershellgallery.com/packages/Microsoft-Extractor-Suite)
# Getting started with the Microsoft-Extractor-Suite
To get started with the Microsoft-Extractor-Suite, check out the [Microsoft-Extractor-Suite docs.](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/)
## About Microsoft-Extractor-Suite
Microsoft-Extractor-Suite is a fully-featured, actively-maintained, Powershell tool designed to streamline the process of collecting all necessary data and information from various sources within Microsoft.
The following Microsoft data sources are supported:
* Unified Audit Log
* Admin Audit Log
* Mailbox Audit Log
* Mailbox Rules
* Transport Rules
* Message Trace Logs
* Entra ID Sign-In Logs
* Entra ID Audit Logs
* Azure Activity Logs
* Azure Directory Activity Logs
In addition to the log sources above the tool is also able to retrieve other relevant information:
* Registered OAuth applications in Entra ID
* The MFA status for all users
* The creation time and date of the last password change for all users
* The risky users
* The risky detections
* The conditional access policies
* Administrator directory roles and their users
* A specific or list of e-mail(s) or attachment(s)
* Delegated permissions for all mailboxes in Microsoft 365.
* Information about all devices registered in Entra ID.
* Audit status and settings for all mailboxes in Microsoft 365.
* Functions designed to gather information about groups.
* Functions designed to gather information about licenses.
Microsoft-Extractor-Suite was created by Joey Rentenaar and Korstiaan Stam and is maintained by the [Invictus IR](https://www.invictus-ir.com/) team.
## Usage
To get started with the Microsoft-Extractor-Suite tool, make sure the requirements are met. If you do not have the Connect-ExchangeOnline, AZ module or/and Connect-AzureAD installed check [the installation guide](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/installation/Installation.html).
Install the Microsoft-Extractor-Suite toolkit:
> Install-Module -Name Microsoft-Extractor-Suite
To import the Microsoft-Extractor-Suite:
> Import-Module .\Microsoft-Extractor-Suite.psd1
You must sign-in to Microsoft 365 or Azure depending on your use case before running the functions. To sign in, use one of the cmdlets:
> Connect-M365 or connect-exchangeonline
> Connect-Azure or Connect-AzureAD
> Connect-AzureAZ or Connect-AzAccount
## Available Functions
### Unified Audit Log
- `Get-UAL` - Collect all Unified Audit Logs
- `Get-UALStatistics` - Displays the total number of logs within the Unified Audit Logs per Record Type
- `Get-MailboxAuditLog` - Collect Mailbox Audit Logs
- `Get-AdminAuditLog` - Collect Admin Audit Logs
### Mailbox & Transport Rules
- `Show-MailboxRules` - Shows mailbox rules
- `Get-MailboxRules` - Export mailbox rules
- `Get-TransportRules` - Export transport rules
- `Show-TransportRules` - Shows transport rules
### Mail and Message Tracking
- `Get-MessageTraceLog` - Collect message tracking logs
- `Get-Email` - Download specific or bullk emails
- `Show-Email` - Show email content
- `Get-Attachment` - Download email attachments
- `Get-Sessions` - Collect session information related to MailItemsaccessed events
- `Get-MessageIDs` - Extract message IDs from MailItemsaccessed events
### Sign-In & Audit Logging
- `Get-EntraAuditLogs` - Collect audit logs via AzureAD
- `Get-EntraSignInLogs` - Collect sign-in logs via AzureAD
- `Get-GraphEntraSignInLogs` - Collect sign-in logs via Graph API
- `Get-GraphEntraAuditLogs` - Collect audit logs via Graph API
### Activity Logging
- `Get-ActivityLogs` - Collect activity logs
- `Get-DirectoryActivityLogs` - Collect directory activity logs
### OAuth apps
- `Get-OAuthPermissions` - Collect OAuth application permissions Via AZ module
- `Get-OAuthPermissionGraph` - Collect OAuth application permissions via Graph API
### User Related
- `Get-Users` - Collect user information
- `Get-AdminUsers` - Collect users with administrative privileges
- `Get-MFA` - Collect MFA status for users
- `Get-RiskyUsers` - Collect risky users
- `Get-RiskyDetections` - Collect risky detection events
## Conditional Access Policies
- `Get-ConditionalAccessPolicies` - Collect conditional access policies
### Device Management
- `Get-Devices` - Collect device registration information
### Permissions and Audit Settings
- `Get-MailboxAuditStatus` - Collect the mailbox audit configurations
- `Get-MailboxPermissions` - Collect delegated mailbox permissions
### License Management
- `Get-Licenses` - Collect all licenses in the tenant with retention times and premium license indicators
- `Get-LicenseCompatibility` - Checks the presence of E5, P2, P1, and E3 licenses and informs about functionality limitations
- `Get-EntraSecurityDefaults` - Checks the status of Entra ID security defaults
- `Get-LicensesByUser` - Collect license assignments for all users in the tenant
### Group Management
- `Get-Groups` - Collect all groups in the organization including details such as group ID and display name
- `Get-GroupMembers` - Collect all members of each group and their relevant details
- `Get-DynamicGroups` - Collect all dynamic groups and their membership rules
### Automatically collect everything you want
- `Get-AllEvidence` - Collect all (almost) available evidence types automatically
### Authentication & Session Management
- `Connect-M365` - Connect to Microsoft 365 services
- `Connect-Azure` - Connect to Azure/Entra ID
- `Connect-AzureAZ` - Connect using Az module
- `Disconnect-M365` - Disconnect from Microsoft 365 services
- `Disconnect-Azure` - Disconnect from Azure/Entra ID
- `Disconnect-AzureAZ` - Disconnect from Az module session
## Related Projects
To enhance your analysis, consider exploring the [Microsoft-Analyzer-Suite](https://github.com/LETHAL-FORENSICS/Microsoft-Analyzer-Suite) developed by LETHAL FORENSICS. This suite offers a collection of PowerShell scripts specifically designed for analyzing Microsoft 365 and Microsoft Entra ID data, which can be extracted using the Microsoft-Extractor-Suite.