Microsoft Extractor Suite: acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes
Microsoft-Extractor-Suite
Microsoft-Extractor-Suite is a fully-featured, actively-maintained PowerShell tool designed to streamline the collection of all necessary data and information from various Microsoft sources.
The following Microsoft data sources are supported:
Source | Description |
---|---|
Unified Audit Log | The unified audit log contains user, group, application, domain, and directory activities performed in the Microsoft 365 admin center or in the Azure management portal. |
Admin Audit Log | Administrator audit logging records when a user or administrator makes a change in your organization (in the Exchange admin center or by using cmdlets). |
Mailbox Audit Log | Mailbox audit logs are generated for each mailbox that has mailbox audit logging enabled. This tracks all user actions on any items in a mailbox. |
Message Trace Log | The message tracking log contains messages as they pass through the organization. |
OAuth Permissions | OAuth is a way of authorizing third-party applications to log in to user accounts. |
Inbox Rules | Inbox rules process messages in the inbox based on conditions and take actions such as moving a message to a specified folder or deleting a message. |
Transport Rules | Transport rules take action on messages while they’re in transit. |
Azure Active Directory sign-in logs | Gets the Azure Active Directory sign-in log. |
Azure Active Directory Audit Log | Gets the Azure Active Directory audit log. |
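The acquisition the table describes can also be driven directly from the ExchangeOnlineManagement module. The script below is an added example, not code from Microsoft-Extractor-Suite: it pages through the Unified Audit Log one day at a time, writes each event's `AuditData` JSON to a line-delimited file, and lists inbox rules that forward, redirect or delete mail. It assumes the ExchangeOnlineManagement module is installed, the account holds an audit-log reader role, and that the UPN and the `C:\Evidence` output paths are placeholders to be replaced.

```powershell
# Added example (not part of Microsoft-Extractor-Suite): acquire the Unified Audit Log
# in pages and triage inbox rules using the ExchangeOnlineManagement cmdlets.
# Assumes Install-Module ExchangeOnlineManagement has been run and the account
# holds the View-Only Audit Logs role. The UPN and output paths are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'analyst@contoso.example'   # placeholder UPN

function Export-UalWindow {
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [Parameter(Mandatory)][string]$OutFile
    )
    # One SessionId per query; ReturnLargeSet returns up to 5,000 records per call
    # and at most 50,000 per session, so wide windows must be split into smaller ones.
    $sessionId = [guid]::NewGuid().ToString()
    $total = 0
    do {
        $page = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) {
            # Each event's AuditData is a JSON document; one per line keeps it parseable offline.
            $page | ForEach-Object { $_.AuditData } | Add-Content -Path $OutFile -Encoding utf8
            $total += $page.Count
        }
    } while ($page -and $page.Count -eq 5000)
    if ($total -ge 50000) {
        Write-Warning "Session cap reached for $StartDate..$EndDate; split the window and re-run."
    }
    return $total
}

function Get-SuspiciousInboxRule {
    # Rules that forward, redirect or delete mail are the ones most often planted
    # after a mailbox compromise to hide or exfiltrate messages.
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_.PrimarySmtpAddress
        Get-InboxRule -Mailbox $mbx | Where-Object {
            $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage
        } | Select-Object @{n='Mailbox';e={$mbx}}, Name, Enabled, ForwardTo, RedirectTo, DeleteMessage
    }
}

# Collect the last seven days, one file per day, so no session hits the 50,000-record cap.
$end = (Get-Date).ToUniversalTime().Date
foreach ($i in 1..7) {
    $day = $end.AddDays(-$i)
    $out = "C:\Evidence\UAL_$($day.ToString('yyyyMMdd')).jsonl"   # placeholder path
    $n = Export-UalWindow -StartDate $day -EndDate $day.AddDays(1) -OutFile $out
    Write-Host "$($day.ToShortDateString()): $n records"
}
Get-SuspiciousInboxRule | Export-Csv -Path 'C:\Evidence\InboxRules.csv' -NoTypeInformation
```

Writing the raw `AuditData` instead of the wrapper object preserves the fields the text mentions (user, operation, client IP, target object) in their original form; a day that still reports the session cap should be re-run in hourly windows rather than trusted as complete.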
Install & Use
Copyright (c) 2023 Invictus Incident Response