To get started with the Microsoft-Extractor-Suite, check out the Microsoft-Extractor-Suite docs.
Microsoft-Extractor-Suite is a fully-featured, actively-maintained PowerShell tool designed to streamline the collection of all necessary data and information from various sources within Microsoft 365 and Azure.
The following Microsoft data sources are supported:
- Unified Audit Log
- Admin Audit Log
- Mailbox Audit Log
- Mailbox Rules
- Transport Rules
- Message Trace Logs
- Azure AD Sign-In Logs
- Azure AD Audit Logs
- Azure Activity Logs
- Azure Directory Activity Logs
In addition to the log sources above, the tool can also retrieve other relevant information:
- Registered OAuth applications in Azure AD
- The MFA status for all users
- The creation time and date of the last password change for all users
- The risky users
- The risky detections
- The conditional access policies
- Administrator directory roles and their users
- A specific e-mail or attachment, or a list of them
Microsoft-Extractor-Suite was created by Joey Rentenaar and Korstiaan Stam and is maintained by the Invictus IR team.
To get started with the Microsoft-Extractor-Suite tool, make sure the requirements are met. If Connect-ExchangeOnline, the AZ module and/or Connect-AzureAD are not installed, check the installation guide.
Install the Microsoft-Extractor-Suite toolkit:
Install-Module -Name Microsoft-Extractor-Suite
To import the Microsoft-Extractor-Suite:
Import-Module .\Microsoft-Extractor-Suite.psd1
You must sign in to Microsoft 365 or Azure, depending on your use case, before running the functions. To sign in, use one of the following cmdlets:
Connect-M365
Connect-Azure
Connect-AzureAZ
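The install, import and sign-in steps above, wrapped into a small collection script as an added example (this is not part of the Microsoft-Extractor-Suite project). It assumes the extraction cmdlets Get-UALAll, Get-MailboxRules and Get-TransportRules with -StartDate/-EndDate/-OutputDir parameters, which should be checked against the installed version with Get-Command -Module Microsoft-Extractor-Suite.

```powershell
# Added example, not project code: time-boxed collection with per-source error
# handling, a status file and a SHA-256 manifest of every collected file so
# the evidence can later be shown to be unchanged.
# Assumption: cmdlet names and parameters of the extraction functions below
# follow the project documentation and may differ between module versions.
param(
    [Parameter(Mandatory)][string]$CaseName,
    [datetime]$StartDate = (Get-Date).AddDays(-90),
    [datetime]$EndDate   = (Get-Date),
    [string]$OutputRoot  = 'C:\Cases'
)
$ErrorActionPreference = 'Stop'
$caseDir = Join-Path $OutputRoot $CaseName
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null
Start-Transcript -Path (Join-Path $caseDir 'collection-transcript.log') -Append

Import-Module Microsoft-Extractor-Suite   # or .\Microsoft-Extractor-Suite.psd1 for a cloned copy
Connect-M365                              # interactive sign-in to Microsoft 365 (from the README)

# One entry per data source; a failure in one source is recorded and the
# remaining sources are still collected.
$steps = @(
    @{ Name = 'UnifiedAuditLog'; Run = { Get-UALAll -StartDate $StartDate -EndDate $EndDate -OutputDir $caseDir } },
    @{ Name = 'MailboxRules';    Run = { Get-MailboxRules -OutputDir $caseDir } },
    @{ Name = 'TransportRules';  Run = { Get-TransportRules -OutputDir $caseDir } }
)
$results = foreach ($s in $steps) {
    try {
        & $s.Run | Out-Null
        [pscustomobject]@{ Source = $s.Name; Status = 'ok'; Error = $null }
    }
    catch {
        [pscustomobject]@{ Source = $s.Name; Status = 'failed'; Error = $_.Exception.Message }
    }
}
$results | Export-Csv -Path (Join-Path $caseDir 'collection-status.csv') -NoTypeInformation

# Hash every collected file (excluding the bookkeeping files written here).
Get-ChildItem -Path $caseDir -Recurse -File |
    Where-Object { $_.Name -notlike 'collection-*' } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash, @{ n = 'Collected'; e = { (Get-Date).ToString('o') } } |
    Export-Csv -Path (Join-Path $caseDir 'collection-manifest.csv') -NoTypeInformation
Stop-Transcript
```

Run it as `.\Collect-Case.ps1 -CaseName IR-2024-001` from a PowerShell session that already meets the module requirements listed above.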
To enhance your analysis, consider exploring the Microsoft-Analyzer-Suite developed by evild3ad. This suite offers a collection of PowerShell scripts specifically designed for analyzing Microsoft 365 and Microsoft Entra ID data, which can be extracted using the Microsoft-Extractor-Suite.