cisagov / untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Creative Commons Zero v1.0 Universal

Bugfix in AzureAD Audit Log Dumper #26

Closed 0x534a closed 1 year ago

0x534a commented 1 year ago

🗣 Description

This PR fixes a bug in the AzureAD datadumper module which leads to incomplete results.

💭 Motivation and context

The PR is needed to acquire a complete set of AzureAD audit log data. Otherwise acquiring AzureAD audit logs with Untitled Goose will lead to incomplete results and, thus, to an incomplete data basis for investigations.

The function dump_azuread_audit has a retry loop which is not terminated if the log data was dumped successfully. This leads to an incomplete data acquisition, since the start date is incremented in the retry loop by one day for each loop pass. For example, dumping the data from 01.04.2023 to 13.04.2023 will only extract the audit log data for the days 01.04.2023, 06.04.2023 and 11.04.2023 since the retry counter is set to 5 by default.

🧪 Testing

This PR was tested manually against a Microsoft 365 development tenant (E5 license).

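As an added example (not code from the PR or from Untitled Goose Tool), the Python model below reconstructs the loop shape the description gives (a retry counter of 5, the start date advanced once per pass, no exit from the retry loop on success) beside a corrected loop, and runs both over the 01.04.2023 to 13.04.2023 range quoted above. The client class, the record format and every function name here are assumptions made for the example; the real module queries Microsoft Graph and is not modelled.

```python
# Constructed model of the retry-loop bug described in PR #26, not the
# project's own dump_azuread_audit. Loop shape follows the PR description;
# the client, record format and all names below are assumptions.
from datetime import date, timedelta

START, END = date(2023, 4, 1), date(2023, 4, 13)  # the range quoted in the PR


class FakeAuditLogClient:
    """Constructed stand-in for the per-day audit-log query. Days listed in
    `flaky` raise ConnectionError on their first flaky[day] calls."""

    def __init__(self, flaky=None):
        self.flaky = dict(flaky or {})
        self.calls = {}  # day -> number of fetch attempts made so far

    def fetch_day(self, day):
        n = self.calls.get(day, 0) + 1
        self.calls[day] = n
        if n <= self.flaky.get(day, 0):
            raise ConnectionError(f"transient error on {day} (attempt {n})")
        return [{"activityDateTime": f"{day.isoformat()}T00:00:00Z",
                 "id": f"evt-{day.isoformat()}"}]


def dump_buggy(client, start, end, retries=5):
    """Loop as the PR describes it: the retry loop is not left after a
    successful fetch and start is advanced one day on every pass, so the
    passes left over after a success silently consume the following days."""
    records = []
    while start <= end:
        result = None
        for _ in range(retries):
            if result is None:
                try:
                    result = client.fetch_day(start)
                except ConnectionError:
                    pass
            start += timedelta(days=1)  # advanced on success and failure alike
        if result is not None:
            records.extend(result)
    return records


def dump_fixed(client, start, end, retries=5):
    """Corrected loop: retry the same day, leave the retry loop as soon as
    the fetch succeeds, and only then move to the next day. Days that never
    succeed are returned separately so the gap is visible, not silent."""
    records, failed_days = [], []
    day = start
    while day <= end:
        for attempt in range(1, retries + 1):
            try:
                records.extend(client.fetch_day(day))
                break  # success: stop retrying this day
            except ConnectionError:
                if attempt == retries:
                    failed_days.append(day)
        day += timedelta(days=1)  # advance exactly once per day
    return records, failed_days


def covered_days(records):
    """Distinct days present in a dump, taken from activityDateTime."""
    return sorted({date.fromisoformat(r["activityDateTime"][:10]) for r in records})


def coverage_gaps(records, start, end):
    """Days in [start, end] with no record at all: a sanity check to run over
    any dump before treating it as complete. A genuinely quiet day shows up
    here too, so a gap is a prompt to look, not proof of lost data."""
    have = set(covered_days(records))
    return [start + timedelta(days=i) for i in range((end - start).days + 1)
            if start + timedelta(days=i) not in have]


def run_scenarios():
    """Both loops over the PR's range, with results as ISO strings."""
    out = {}
    buggy = dump_buggy(FakeAuditLogClient(), START, END)
    out["buggy_days"] = [d.isoformat() for d in covered_days(buggy)]
    out["buggy_gaps"] = len(coverage_gaps(buggy, START, END))
    # A transient error on the first day: the retry absorbs it, the skips stay.
    flaky = dump_buggy(FakeAuditLogClient({START: 1}), START, END)
    out["buggy_flaky_days"] = [d.isoformat() for d in covered_days(flaky)]
    fixed, failed = dump_fixed(FakeAuditLogClient(), START, END)
    out["fixed_gaps"] = len(coverage_gaps(fixed, START, END))
    # Two transient errors on 3 April are absorbed by the fixed loop ...
    day3 = START + timedelta(days=2)
    client = FakeAuditLogClient({day3: 2})
    fixed, failed = dump_fixed(client, START, END)
    out["flaky_attempts_day3"] = client.calls[day3]
    out["flaky_gaps"] = len(coverage_gaps(fixed, START, END))
    # ... while five in a row exhaust the retries and are reported as a gap.
    fixed, failed = dump_fixed(FakeAuditLogClient({day3: 5}), START, END)
    out["exhausted_failed"] = [d.isoformat() for d in failed]
    return out


if __name__ == "__main__":
    print(run_scenarios())
```

Run stand-alone, it shows the buggy loop reaching only 01.04, 06.04 and 11.04 (ten days missing), and the corrected loop covering all thirteen days, absorbing two transient errors on one day by fetching it three times, and reporting a day whose five attempts all fail instead of moving on silently. The `coverage_gaps` check is the one worth running over any existing dump before it is used as the basis of an investigation.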

victoriawallace-cisa commented 1 year ago

Thanks! We tested it and it works well. We'll go ahead and incorporate the pull request. Thank you!