invictus-ir / Microsoft-Extractor-Suite

A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.
https://microsoft-365-extractor-suite.readthedocs.io/en/latest/
GNU General Public License v2.0

'Search-UnifiedAuditLog' is not recognized as the name of a cmdlet #104

Open MTekinAU opened 5 days ago

MTekinAU commented 5 days ago

Hi, I can view logs using Audit Portal in Microsoft Purview, however when I run Get-UALAll I get the following error:

"[ERROR] An error occurred: The term 'Search-UnifiedAuditLog' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. Search-UnifiedAuditLog : The term 'Search-UnifiedAuditLog' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At C:\Users-\Downloads\Microsoft-Extractor-Suite\Microsoft-Extractor-Suite-main\Scripts\Get-UAL.ps1:91 char:22

I tried to install Microsoft-Extractor-Suite on different device + upgraded to PowerShell 7, but I am still having same problem.

How can I fix it?
Thank you.

JoeyInvictus commented 5 days ago

Hi,

The Extractor Suite relies on the Search-UnifiedAuditLog cmdlet from the Exchange Online PowerShell module. This error indicates that the cmdlet cannot be found, which prevents the extractor from running properly. My guess would be that the module may not be installed, or the session is not connected or you don't have the right permissions.

You need to install the ExchangeOnlineManagement module: Install-Module -Name ExchangeOnlineManagement

Connect to Exchange Online (you will be prompted for credentials) Connect-ExchangeOnline

Make sure the account you're using has the required permissions to access the Search-UnifiedAuditLog cmdlet. Specifically, this requires:

You might find this snippet from our documentation helpful for setting up an account with the correct permissions: https://microsoft-365-extractor-suite.readthedocs.io/en/latest/installation/Prerequisites.html

During our investigations we often ask for a Global Reader account with Audit Log roles assigned, which can be accomplished via the following steps:

  1. Create a new user account in the Microsoft 365 admin center (admin.microsoft.com)
  2. Assign the new user ‘Global Reader’ role
  3. Go to Roles and select ‘Exchange’ and create a new role group
  4. Next, select the ‘Unified Audit’ role and go to ‘Permissions’ and select the ‘View-Only Audit Logs’ permission
  5. Add the new user to this role group

gja3 commented 1 day ago

Hi Joey,

I'm running into the same issue and have in the past. Unfortunately, this has prevented me from using this tool thus far.

I can confirm that I have installed ExchangeOnlineManagement using the given command. I've connected to Exchange using Connect-ExchangeOnline and authenticating with MFA through the pop-up window, as an account with Global Reader. I've also tried using Connect-M365 as well or instead in case that made any difference. Nevertheless, I run into the same issue.

I am having this same issue across two different machines, a fresh install of Windows 10 (with requirements set up according to the M-E-S documentation) and a relatively fresh install of Windows 11. I come from the *nix world and am not well versed in PowerShell so perhaps it's just a simple path/dependency issue of some sort, but in any case this seems to be an issue by default.

I appreciate your support and look forward to getting this thing working.

[ERROR] An error occurred: The term 'Search-UnifiedAuditLog' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. Search-UnifiedAuditLog : The term 'Search-UnifiedAuditLog' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

MTekinAU commented 1 day ago

Hi @gja3,

Ensure that you have the required permissions. Then I would recommend trying the following:

  1. Start administrator PowerShell
  2. Download GitHub M-E-S source code and cd into the folder
  3. Run Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
  4. Run Install-module -name ExchangeOnlineManagement
  5. Run Install-module -name Microsoft.Graph
  6. Run Install-module -name Az
  7. Run Install-Module -Name AzureADPreview
  8. Run Install-Module -Name Microsoft-Extractor-Suite
  9. Run Import-Module .\Microsoft-Extractor-Suite.psd1
  10. Run Connect-M365
  11. Get-UALAll

gja3 commented 1 day ago

Thanks for the response. Unfortunately, still no joy. I tried your steps since I hadn't touched the execution policy and am not sure whether I was running as Administrator before. FWIW, when I run all of the Install-Module commands, the prompt returns instantly with no output which says to me that each of those modules is already installed (the first time I ran them, it went through the whole sequence of loading and prompting me to confirm things).

The account I'm using might be missing the required permissions. I have Global Reader in M365 Purview and am able to export audit logs from there for the entire organization, but I don't have anything specific to Exchange.

evild3ad commented 1 day ago

Your error message indicates that you are missing the permission to access the audit logs via the audit log cmdlets. You need to assign the management role View-Only Audit Logs in the Exchange Admin Center. I prefer creating a custom role group for this.

https://admin.exchange.microsoft.com/
Home --> Roles --> Admin roles --> Add role group (e.g. M365-Investigation)
Fill out the basic information
Select the permission View-Only Audit Logs
Assign your user to this new role group.
Done!

Happy Hunting! 🕵️

JoeyInvictus commented 1 day ago

@gja3, what @evild3ad is saying, do you have the View-Only Audit Logs assigned to the user? See: https://learn.microsoft.com/en-us/purview/audit-search?tabs=microsoft-purview-portal

You have to be assigned the Audit Logs or View-Only Audit Logs roles in the Microsoft Purview portal or Microsoft Purview compliance portal to search the audit log. By default, these roles are assigned to the Audit Manager and Audit Reader role groups on the Permissions page in the compliance portal. For more information, see [Get started with auditing solutions](https://learn.microsoft.com/en-us/purview/audit-get-started). To access audit cmdlets, you must be assigned the Audit Logs or View-Only Audit Logs roles in the Exchange admin center. You can also create custom role groups with the ability to search the audit log by adding the View-Only Audit Logs or Audit Logs roles to a custom role group.
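A diagnostic that walks the checks raised across this thread (module installed, session connected, cmdlet imported, View-Only Audit Logs assigned) in the order the replies suggest. This is an added example, not code from Microsoft-Extractor-Suite; it assumes ExchangeOnlineManagement 3.x, where Get-ConnectionInformation exists, and the role-holder lookup only returns data if the connected account is allowed to read role assignments.

```powershell
# Added diagnostic, not part of Microsoft-Extractor-Suite.
# Order mirrors the thread: module -> session -> cmdlet -> audit-log role.
function Test-UalPrerequisites {
    [CmdletBinding()]
    param()
    $result = [ordered]@{}

    # 1. Is the Exchange Online module installed at all?
    $exo = Get-Module -ListAvailable -Name ExchangeOnlineManagement |
        Sort-Object Version -Descending | Select-Object -First 1
    $result.ModuleInstalled = [bool]$exo
    $result.ModuleVersion   = if ($exo) { $exo.Version.ToString() } else { $null }

    # 2. Is there a live Exchange Online session (Connect-ExchangeOnline / Connect-M365)?
    #    Get-ConnectionInformation returns nothing when no session exists.
    $live = $null
    if (Get-Command Get-ConnectionInformation -ErrorAction SilentlyContinue) {
        $live = Get-ConnectionInformation | Where-Object { $_.State -eq 'Connected' } |
                Select-Object -First 1
    }
    $result.Connected   = [bool]$live
    $result.ConnectedAs = if ($live) { $live.UserPrincipalName } else { $null }

    # 3. Did the session import Search-UnifiedAuditLog? Exchange Online only imports the
    #    cmdlets the connected account is authorised to run, so a connected session that
    #    still lacks this cmdlet points at a missing audit-log role, not at the module.
    $result.CmdletAvailable = [bool](Get-Command Search-UnifiedAuditLog -ErrorAction SilentlyContinue)

    # 4. Who effectively holds View-Only Audit Logs? Empty if the account may not read
    #    role assignments (assumption: the cmdlet itself was imported for this session).
    $holders = @()
    if ($live -and (Get-Command Get-ManagementRoleAssignment -ErrorAction SilentlyContinue)) {
        $holders = @(Get-ManagementRoleAssignment -Role 'View-Only Audit Logs' -GetEffectiveUsers -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty EffectiveUserName -Unique)
    }
    $result.AuditRoleHolders = $holders

    # Map the findings to the fix named in the thread.
    $result.NextStep = if (-not $result.ModuleInstalled) {
        'Install-Module -Name ExchangeOnlineManagement'
    } elseif (-not $result.Connected) {
        'Run Connect-ExchangeOnline (or Connect-M365) before Get-UALAll'
    } elseif (-not $result.CmdletAvailable) {
        'Assign View-Only Audit Logs in the Exchange admin center, then reconnect'
    } else { 'Prerequisites look satisfied; rerun Get-UALAll' }

    [pscustomobject]$result
}

Test-UalPrerequisites | Format-List
```

Run it in the same PowerShell session you used for Connect-M365; a fresh session has no connection and will stop at step 2.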