-
Notifications
You must be signed in to change notification settings - Fork 30
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
version 2.0.0. Reworking of the authentication and major refactoring …
…of the code.
- Loading branch information
EmilienCourt
authored and
EmilienCourt
committed
Sep 16, 2024
1 parent
69acb1f
commit 67f1bb7
Showing
17 changed files
with
3,989 additions
and
2,923 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,89 +3,107 @@ | |
| # | ||
|
|
||
| @{ | ||
|
|
||
| # Script module or binary module file associated with this manifest. | ||
| RootModule = '.\DFIR-O365RC.psm1' | ||
|
|
||
| # Version number of this module. | ||
| ModuleVersion = '1.2.0' | ||
|
|
||
| # Supported PSEditions | ||
| CompatiblePSEditions = 'Core', 'Desktop' | ||
|
|
||
| # ID used to uniquely identify this module | ||
| GUID = '84b1ed98-447f-4d4e-aa52-fd9339cf7cca' | ||
|
|
||
| # Author of this module | ||
| Author = '[email protected]' | ||
|
|
||
| # Company or vendor of this module | ||
| CompanyName = 'CERT-FR' | ||
|
|
||
| # Description of the functionality provided by this module | ||
| Description = 'The DFIR-O365RC module will extract logs from O365 Unified audit logs, Azure AD signin logs, Azure AD audit logs, Azure RM and DevOps activity logs' | ||
|
|
||
|
|
||
| # Minimum version of the Windows PowerShell engine required by this module | ||
| PowerShellVersion = '5.0' | ||
|
|
||
|
|
||
|
|
||
| # Modules that must be imported into the global environment prior to importing this module | ||
| RequiredModules = @( | ||
| @{ModuleName = 'PoshRSJob'; ModuleVersion = '1.7.4.4'; }, | ||
| @{ModuleName = 'MSAL.PS'; ModuleVersion = '4.37.0.0'; } | ||
| @{ModuleName = 'ExchangeOnlineManagement'; ModuleVersion = '3.1.0'; } | ||
| # Script module or binary module file associated with this manifest. | ||
| RootModule = '.\DFIR-O365RC.psm1' | ||
|
|
||
| # Version number of this module. | ||
| ModuleVersion = '2.0.0' | ||
|
|
||
| # Supported PSEditions | ||
| CompatiblePSEditions = 'Core', 'Desktop' | ||
|
|
||
| # ID used to uniquely identify this module | ||
| GUID = '84b1ed98-447f-4d4e-aa52-fd9339cf7cca' | ||
|
|
||
| # Author of this module | ||
| Author = '[email protected]' | ||
|
|
||
| # Company or vendor of this module | ||
| CompanyName = 'CERT-FR' | ||
|
|
||
| # Description of the functionality provided by this module | ||
| Description = 'The DFIR-O365RC module will extract logs from the unified audit log (using Exchange Online and Purview), Entra ID Sign In logs, Entra ID Audit Logs, Azure Monitor and Azure DevOps activity logs' | ||
|
|
||
| # Minimum version of the Windows PowerShell engine required by this module | ||
| PowerShellVersion = '5.0' | ||
|
|
||
| # Modules that must be imported into the global environment prior to importing this module | ||
| RequiredModules = @( | ||
| @{ModuleName = 'Az.Accounts'; ModuleVersion = '3.0.2'; } | ||
| @{ModuleName = 'Az.Monitor'; ModuleVersion = '5.2.1'; } | ||
| @{ModuleName = 'Az.Resources'; ModuleVersion = '7.2.0'; } | ||
| @{ModuleName = 'ExchangeOnlineManagement'; ModuleVersion = '3.5.1'; } | ||
| @{ModuleName = 'Microsoft.Graph.Authentication'; ModuleVersion = '2.20.0'; } | ||
| @{ModuleName = 'Microsoft.Graph.Applications'; ModuleVersion = '2.20.0'; } | ||
| @{ModuleName = 'Microsoft.Graph.Beta.Reports'; ModuleVersion = '2.20.0'; } | ||
| @{ModuleName = 'Microsoft.Graph.Beta.Security'; ModuleVersion = '2.20.0'; } | ||
| @{ModuleName = 'Microsoft.Graph.Identity.DirectoryManagement'; ModuleVersion = '2.20.0'; } | ||
| @{ModuleName = 'PoshRSJob'; ModuleVersion = '1.7.4.4'; } | ||
| ) | ||
|
|
||
| # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess | ||
| NestedModules = @( | ||
| 'Get-AADApps.ps1', | ||
| 'Get-AADDevices.ps1', | ||
| 'Get-AADLogs.ps1', | ||
| 'Get-AzDevOpsActivityLogs.ps1', | ||
| 'Get-AzRMActivityLogs.ps1', | ||
| 'Get-O365.ps1', | ||
| 'Manage-Applications.ps1' | ||
| ) | ||
|
|
||
| # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. | ||
| FunctionsToExport = @( | ||
| 'Connect-AzApplication', | ||
| 'Connect-AzUser', | ||
| 'Connect-ExchangeOnlineApplication', | ||
| 'Connect-ExchangeOnlineUser', | ||
| 'Connect-MicrosoftGraphApplication', | ||
| 'Connect-MicrosoftGraphUser', | ||
| 'Get-AADApps', | ||
| 'Get-AADDevices', | ||
| 'Get-AADLogs', | ||
| 'Get-AzDevOpsActivityLogs', | ||
| 'Get-AzDevOpsAuditLogs', | ||
| 'Get-AzDevOpsRestAPIResponseUser', | ||
| 'Get-AzRMActivityLogs', | ||
| 'Get-AzureRMActivityLog', | ||
| 'Get-LargeUnifiedAuditLog', | ||
| 'Get-MailboxAuditLog', | ||
| 'Get-MicrosoftGraphLogs', | ||
| 'Get-O365Defender', | ||
| 'Get-O365Full', | ||
| 'Get-O365Light', | ||
| 'Get-UnifiedAuditLogPurview', | ||
| 'New-Application', | ||
| 'Remove-Application', | ||
| 'Import-Certificate', | ||
| 'Search-O365', | ||
| 'Update-Application', | ||
| 'Write-Log' | ||
| ) | ||
|
|
||
| # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess | ||
|
|
||
| NestedModules = @( | ||
| 'Get-O365Full.ps1', | ||
| 'Get-O365Light.ps1', | ||
| 'Get-AADApps.ps1', | ||
| 'Get-DefenderforO365.ps1', | ||
| 'Search-O365.ps1', | ||
| 'Get-AADDevices.ps1', | ||
| 'Get-AzRMActivityLogs.ps1', | ||
| 'Get-AzDevOpsActivityLogs.ps1', | ||
| 'Get-AADLogs.ps1' | ||
| ) | ||
|
|
||
| # Functions to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no functions to export. | ||
| FunctionsToExport = 'Get-OAuthToken', 'Get-RestAPIResponse', 'Connect-EXOPsearchUnified', 'Get-LargeUnifiedAuditLog', 'Get-MailboxAuditLog', 'Get-AADApps', 'Get-AADLogs', 'Get-O365Full', 'Get-O365Light', 'Get-DefenderforO365', 'Search-O365', 'Get-AADDevices', 'Get-AzRMActivityLogs', 'Write-Log', 'Get-AzDevOpsActivityLogs' | ||
|
|
||
|
|
||
| # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. | ||
| CmdletsToExport = @() | ||
|
|
||
| # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. | ||
| AliasesToExport = @() | ||
|
|
||
|
|
||
| # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. | ||
| PrivateData = @{ | ||
|
|
||
| PSData = @{ | ||
|
|
||
| # Tags applied to this module. These help with module discovery in online galleries. | ||
| Tags = @("O365","Security","Forensics","DFIR","Exchange","Defender","AzureAD","MSGraph","Azure", "DevOps") | ||
|
|
||
|
|
||
| # ReleaseNotes of this module | ||
| ReleaseNotes =' | ||
| 1.0.0 - Initial release | ||
| 1.1.0 - Added Get-AADDevices and Get-AzRMActivityLogs functions | ||
| 1.2.0 - Added Get-AzDevOpsActivityLogs function and added mailobx audit logs retrieval to the Search-o365 function | ||
| ' | ||
|
|
||
| # Cmdlets to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no cmdlets to export. | ||
| CmdletsToExport = @() | ||
|
|
||
| } # End of PSData hashtable | ||
| # Aliases to export from this module, for best performance, do not use wildcards and do not delete the entry, use an empty array if there are no aliases to export. | ||
| AliasesToExport = @() | ||
|
|
||
| } # End of PrivateData hashtable | ||
| # Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell. | ||
| PrivateData = @{ | ||
|
|
||
| PSData = @{ | ||
|
|
||
| # Tags applied to this module. These help with module discovery in online galleries. | ||
| Tags = @("O365", "Security", "Forensics", "DFIR", "Exchange", "Defender", "AzureAD", "MSGraph", "Azure", "DevOps", "Purview", "Entra ID", "Logs") | ||
|
|
||
| # ReleaseNotes of this module | ||
| ReleaseNotes = ' | ||
| 1.0.0 - Initial release | ||
| 1.1.0 - Added Get-AADDevices and Get-AzRMActivityLogs functions | ||
| 1.2.0 - Added Get-AzDevOpsActivityLogs function and added mailobx audit logs retrieval to the Search-O365 function | ||
| 2.0.0 - Rework of the project: use of an application to do the log collection, instead of an authenticated user. Add Purview | ||
| ' | ||
| } # End of PSData hashtable | ||
| } # End of PrivateData hashtable | ||
| } | ||
Oops, something went wrong.