Microsoft 365 Extractor Suite: complete and reliable acquisition of the Microsoft 365 Unified Audit Log
Microsoft-Extractor-Suite is a fully featured, actively maintained PowerShell tool designed to streamline the process of collecting all necessary data and information from various sources within Microsoft.
The following Microsoft data sources are supported:
- Unified Audit Log
- Admin Audit Log
- Mailbox Audit Log
- Mailbox Rules
- Transport Rules
- Message Trace Logs
- Entra ID Sign-In Logs
- Entra ID Audit Logs
- Azure Activity Logs
- Azure Directory Activity Logs
In addition to the log sources above, the tool can also retrieve other relevant information:
- Registered OAuth applications in Entra ID
- The MFA status for all users
- The creation time and date of the last password change for all users
- The risky users
- The risky detections
- The conditional access policies
- Administrator directory roles and their users
- A specific e-mail or attachment, or a list of e-mails or attachments
- Delegated permissions for all mailboxes in Microsoft 365
- Information about all devices registered in Entra ID
- Audit status and settings for all mailboxes in Microsoft 365
- Information about groups
- Information about licenses
- Role activity information
- An overview of all Privileged Identity Management (PIM) role assignments
- Security alerts
Microsoft-Extractor-Suite was created by Joey Rentenaar and Korstiaan Stam and is maintained by the Invictus IR team.