A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.
To get started with the Microsoft-Extractor-Suite, check out the Microsoft-Extractor-Suite docs.
Microsoft-Extractor-Suite is a fully featured, actively maintained PowerShell tool designed to streamline the process of collecting all necessary data and information from various sources within Microsoft.
The following Microsoft data sources are supported:
In addition to the log sources above, the tool is also able to retrieve other relevant information:
Microsoft-Extractor-Suite was created by Joey Rentenaar and Korstiaan Stam and is maintained by the Invictus IR team.
To get started with the Microsoft-Extractor-Suite tool, make sure the requirements are met. If Connect-ExchangeOnline, the AZ module, and/or Connect-AzureAD are not installed, check the installation guide.
Install the Microsoft-Extractor-Suite toolkit:
Install-Module -Name Microsoft-Extractor-Suite
To import the Microsoft-Extractor-Suite:
Import-Module .\Microsoft-Extractor-Suite.psd1
You must sign in to Microsoft 365 or Azure, depending on your use case, before running the functions. To sign in, use the cmdlets:
Connect-M365
Connect-Azure
Connect-AzureAZ
To enhance your analysis, consider exploring the Microsoft-Analyzer-Suite developed by evild3ad. This suite offers a collection of PowerShell scripts specifically designed for analyzing Microsoft 365 and Microsoft Entra ID data, which can be extracted using the Microsoft-Extractor-Suite.