Microsoft 365 Extractor Suite: complete and reliable acquisition of the Microsoft 365 Unified Audit Log

Microsoft 365 Unified Audit Log

Microsoft 365 Extractor Suite

This suite contains two scripts that can be used to acquire the Microsoft 365 Unified Audit Log.
Read the accompanying blog post here.

  1. Microsoft365_Extractor: the original script, derived from the Office 365 Extractor, provides all features and complete customization. Choose this if you're not sure what to use.
  2. Microsoft365_Extractor_light: a lightweight version of Microsoft365_Extractor that requires minimal configuration and grabs all available logging for the complete period.

Microsoft 365 Extractor

This script makes it possible to extract log data out of a Microsoft 365 environment. It has four options, which let the investigator easily extract logging from a Microsoft 365 environment.

  1. Show available log sources and the amount of logging
  2. Extract all audit logging
  3. Extract group audit logging
  4. Extract specific audit logging (advanced mode)

Show available log sources and the amount of logging

Pretty straightforward: a search is executed and the total number of logs within the set timeframe is displayed and written to a CSV file called "Amount_Of_Audit_Logs.csv". The file name is prefixed with a random number to prevent duplicates.

Extract all audit logs

This option gets all available audit logs within the set timeframe and writes them to a file called AuditRecords.CSV.

Extract group logging

Extract a group of logs. You can, for example, extract all Exchange or Azure logging in one go.

Extract specific audit logs

Use this option if you want to extract a subset of the audit logs. To configure which logs will be extracted, the tool needs to be configured with the required Record Types. A full list of record types can be found at the bottom of this page.
The output files will be written to a directory called "Log_Directory" and will be given the name of their record type, e.g. ExchangeItem_AuditRecords.csv.
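As an added example, not code from the Extractor Suite itself, the PowerShell below shows what the "show the amount of logging" and "extract specific audit logs" options do under the hood: a probe search to read the total hit count for a record type, then a paged pull of that record type into a per-type CSV in Log_Directory, with a completeness check of received versus expected records. It uses the Search-UnifiedAuditLog cmdlet from the ExchangeOnlineManagement module and assumes Connect-ExchangeOnline has already been run; the function names, the time window and the record type are the example's own choices.

```powershell
# Added example (not the Extractor Suite's code): count and acquire one Unified Audit Log
# record type with Search-UnifiedAuditLog. Assumes Connect-ExchangeOnline has been run.

# Constructed parameters for the example
$StartDate  = (Get-Date).AddDays(-7)
$EndDate    = Get-Date
$RecordType = 'ExchangeItem'
$OutDir     = 'Log_Directory'

function Get-AuditLogCount {
    # Every returned record carries ResultCount, the total number of hits for the
    # search, so a ResultSize of 1 is enough to learn how much logging exists.
    param([datetime]$Start, [datetime]$End, [string]$Type)
    $probe = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -RecordType $Type -ResultSize 1
    if ($null -eq $probe) { return 0 }
    return [int]$probe[0].ResultCount
}

function Export-AuditLogWindow {
    # Pulls all records of $Type between $Start and $End into $OutFile and returns
    # the number of records received, so the caller can compare it with the count.
    param([datetime]$Start, [datetime]$End, [string]$Type, [string]$OutFile)
    $expected = Get-AuditLogCount -Start $Start -End $End -Type $Type
    if ($expected -eq 0) { return 0 }

    # ReturnLargeSet hands back at most 50,000 records per search session. A window
    # holding more than that is split in half and each half is acquired on its own,
    # otherwise the tail of the window would silently be missing from the export.
    if ($expected -gt 50000 -and ($End - $Start).TotalMinutes -gt 1) {
        $mid = $Start.AddTicks([long](($End - $Start).Ticks / 2))
        return (Export-AuditLogWindow -Start $Start -End $mid -Type $Type -OutFile $OutFile) +
               (Export-AuditLogWindow -Start $mid -End $End -Type $Type -OutFile $OutFile)
    }

    # One session id ties the pages together; each call returns up to 5,000 records
    # and the loop ends when a call returns nothing.
    $sessionId = [guid]::NewGuid().ToString()
    $received  = 0
    do {
        $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End -RecordType $Type `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) {
            $page | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
                Export-Csv -Path $OutFile -NoTypeInformation -Append -Encoding UTF8
            $received += @($page).Count
        }
    } while ($page)

    # Completeness check: the probe's ResultCount is the ground truth for this window.
    if ($received -ne $expected) {
        Write-Warning ("{0} {1:u}..{2:u}: expected {3} records, received {4}" -f `
                       $Type, $Start, $End, $expected, $received)
    }
    return $received
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$outFile  = Join-Path $OutDir "${RecordType}_AuditRecords.csv"
$total    = Get-AuditLogCount -Start $StartDate -End $EndDate -Type $RecordType
$received = Export-AuditLogWindow -Start $StartDate -End $EndDate -Type $RecordType -OutFile $outFile

[pscustomobject]@{ RecordType = $RecordType; Expected = $total; Received = $received; File = $outFile } |
    Format-Table -AutoSize
```

Two design points worth noting. First, the count is taken before the pull, not after, because the 50,000-per-session cap does not raise an error: a window that is too wide simply stops returning pages, which is exactly the gap an investigator cannot afford in an acquisition. Second, a record whose CreationDate falls on a split boundary can appear in both halves, so when the split path is taken the CSV can be de-duplicated on the record's Identity column before analysis.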

Download & Use

Copyright (c) 2022 Invictus Incident Response