Introduction to the Microsoft 365 Extractor Suite

The Microsoft 365 Extractor Suite

Why?

  • MFA: the script uses the Connect-ExchangeOnline PowerShell cmdlet to authenticate. It uses modern authentication and supports both MFA-enabled and non-MFA-enabled accounts;
  • RecordTypes: to access the Unified Audit Log, the Search-UnifiedAuditLog PowerShell cmdlet is used to grab all types of logs. The Office365 Extractor grabs 76 RecordTypes; the Microsoft365 Extractor Suite grabs 100 RecordTypes;
  • Light version: a new, lightweight version of the script that simply grabs all the logs for all users;
  • Interval: the reason for the script is that we cannot simply acquire all logs in one go. The limit is 5k records per PowerShell session, and for most environments this is far too small. Therefore the script uses an interval to acquire logs in a given timeframe. For example, if you want to acquire a period of 1 month and the interval is set to 60, the script will search for logs in a period of 60 minutes and then move on to the next 60 minutes until the complete month is acquired. As you can imagine this might take some time, so the script is smart enough to lower the interval if it finds more than 5k records for a given period. We have therefore decided to set the initial interval to 480 (1 day), which should speed up the acquisition, especially for smaller environments.
  • Documentation: updates to the documentation, including some known issues, mostly around using the script in a non-Windows environment, which can cause some weird errors. We suggest you run this in a Windows (virtual) environment.
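The interval logic described above, written out as an added example that is not the suite's own code: the function name Get-UalWindowed, the CSV output path and the halving strategy are assumptions made here, and it assumes the ExchangeOnlineManagement module is installed and Connect-ExchangeOnline has already been run.

```powershell
# Added example (not the Invictus suite's own code): acquire the Unified Audit Log in
# time windows, halving the window whenever a search hits the 5,000-record ceiling.
# Assumes Connect-ExchangeOnline has already authenticated the session.
function Get-UalWindowed {
    param(
        [Parameter(Mandatory)] [datetime] $StartDate,   # UAL dates are interpreted as UTC
        [Parameter(Mandatory)] [datetime] $EndDate,
        [int]    $IntervalMinutes = 480,                 # initial window; shrinks automatically
        [string] $OutFile = 'UAL_export.csv'             # assumed output path
    )
    $limit    = 5000                                     # per-search ceiling (-ResultSize maximum)
    $cursor   = $StartDate
    $interval = $IntervalMinutes

    while ($cursor -lt $EndDate) {
        $windowEnd = $cursor.AddMinutes($interval)
        if ($windowEnd -gt $EndDate) { $windowEnd = $EndDate }

        $results = Search-UnifiedAuditLog -StartDate $cursor -EndDate $windowEnd -ResultSize $limit
        $count   = @($results).Count

        if ($count -ge $limit) {
            if ($interval -gt 1) {
                # Window is too busy: halve it and retry from the same start time.
                $interval = [math]::Max(1, [math]::Floor($interval / 2))
                Write-Host ("{0} - {1}: {2} records, shrinking interval to {3} min" -f $cursor, $windowEnd, $count, $interval)
                continue
            }
            # Even a 1-minute window is full; records may be missing from this minute.
            Write-Warning ("{0} - {1} still returned {2} records at the minimum interval" -f $cursor, $windowEnd, $count)
        }

        if ($count -gt 0) {
            $results | Select-Object CreationDate, RecordType, Operations, UserIds, AuditData |
                Export-Csv -Path $OutFile -Append -NoTypeInformation -Encoding UTF8
        }
        Write-Host ("{0} - {1}: {2} records" -f $cursor, $windowEnd, $count)

        $cursor = $windowEnd                             # advance to the next window
    }
}

# Example run: the last 30 days, starting with the 480-minute interval.
Get-UalWindowed -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)
```

The interval is only ever lowered, never raised again, so a single busy hour early in the range slows the rest of the acquisition; keep the warning output, since a window that is still full at 1 minute means the export of that minute is incomplete.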

What?

  1. Microsoft365_Extractor: the original script, which originates from the Office 365 Extractor and provides all features and complete customization. Choose this if you’re not sure what to use.
  2. Microsoft365_Extractor_light: a lightweight version of the Microsoft365_Extractor that requires minimal configuration and grabs all available logging for the defined period.

Examples

Important

Further reading

About Invictus Incident Response

We are an incident response company specialised in supporting organisations facing a cyber attack. We help our clients stay undefeated!