invictus-ir / Microsoft-Extractor-Suite

A PowerShell module for acquisition of data from Microsoft 365 and Azure for Incident Response and Cyber Security purposes.
https://microsoft-365-extractor-suite.readthedocs.io/en/latest/
GNU General Public License v2.0

Fix Date Time conversion #62

Closed angry-bender closed 7 months ago

angry-bender commented 7 months ago

Forgot to add in date time conversion to schema (Causes issues downstream, when ingesting to log platforms) as it will show / date(1234567) /

JoeyInvictus commented 7 months ago

Hi, thanks again, let me check the pull request! I removed all the Select-Object commands because people had issues loading the data since it was not in a valid JSON format, as we changed some field values, like the date. I'm not sure what tool you are using, but doesn't it process the date like this? It's the default output.

angry-bender commented 7 months ago

> Hi, thanks again, let me check the pull request! I removed all the Select-Object commands because people had issues loading the data since it was not in a valid JSON format, as we changed some field values, like the date. I'm not sure what tool you are using, but doesn't it process the date like this? It's the default output.

Mainly seems to be on the Created datetime, AuthenticationDetails.AuthenticationStepDetails, where it's coming out as a string in a non-standard PowerShell object like below:

\ date(1234567)\

Converting this to an ISO time appears to fix the issue on ingest into a Microsoft Solution. I did try previously to parse out the date number in regex, but perhaps I'm not choosing the right time format.

I too hate the select-object parser, I wish I could just parse the required time fields.

angry-bender commented 7 months ago

I will note I did check the raw output against that from a graph API request, it definitely seems to be PowerShell changing the date format 😞

JoeyInvictus commented 7 months ago

Haha, it looks like it works and the output is valid JSON. Thanks for fixing it! Maybe PowerShell changes the date format during the ConvertTo-Json part. I need to find a PowerShell expert to teach me how to work with those annoying fields/objects. :)

angry-bender commented 7 months ago

> Haha, it looks like it works and the output is valid JSON. Thanks for fixing it! Maybe PowerShell changes the date format during the ConvertTo-Json part. I need to find a PowerShell expert to teach me how to work with those annoying fields/objects. :)

Ha ha I know the feel! Thanks for that
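
For exports that were already written with the `/Date(...)/` form discussed in this thread, a downstream normaliser can rewrite every such value to ISO 8601 before ingestion. This is an added Python example, not code from the pull request or the module; it assumes the number is milliseconds since the Unix epoch (the form Windows PowerShell's ConvertTo-Json emits for DateTime values), and the field names and values in the sample are constructed.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# In the file the value reads "\/Date(1700000000000)\/"; after JSON parsing the
# escaped slashes are plain, so the in-memory string is "/Date(1700000000000)/".
# Anchored so that text merely mentioning the pattern is left alone.
MS_DATE = re.compile(r"^/Date\((-?\d+)\)/$")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_iso(value):
    """Return an ISO 8601 UTC string for a /Date(ms)/ literal, else the value unchanged."""
    if not isinstance(value, str):
        return value
    match = MS_DATE.match(value)
    if not match:
        return value
    # timedelta arithmetic also handles negative (pre-1970) values on every platform
    moment = EPOCH + timedelta(milliseconds=int(match.group(1)))
    return moment.strftime("%Y-%m-%dT%H:%M:%S.") + f"{moment.microsecond // 1000:03d}Z"


def normalise(node):
    """Walk parsed JSON and rewrite every date literal, at any nesting depth."""
    if isinstance(node, dict):
        return {key: normalise(val) for key, val in node.items()}
    if isinstance(node, list):
        return [normalise(val) for val in node]
    return to_iso(node)


# Constructed sample record: field names and values are assumptions for illustration.
SAMPLE = r'''
[{"CreatedDateTime": "\/Date(1700000000123)\/",
  "UserPrincipalName": "user@example.invalid",
  "AuthenticationDetails": [
    {"AuthenticationStepDateTime": "\/Date(1700000001000)\/",
     "AuthenticationStepResultDetail": "text mentioning /Date(1)/ in a sentence"}
  ]}]
'''

if __name__ == "__main__":
    print(json.dumps(normalise(json.loads(SAMPLE)), indent=2))
```

Nested fields such as the authentication step entries are converted by the same walk, so no per-field Select-Object mapping is needed on the ingestion side.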