invictus-ir/Microsoft-Extractor-Suite

MergeOutput Parameters

Closed this issue · 4 comments

Hi All,

Thanks for creating this tool. Just having an issue: the MergeOutput parameter is defined, but I can't get it to actually merge, and I'm still getting individual files for the same activity etc.

Can someone please advise the correct parameter options to use?

Cheers

Hi,

What version are you running, and what functionality are you trying to execute? The MergeOutput is supported by multiple functionalities of the Microsoft Extractor Suite.

If you are talking about the Get-UALAll, you can run something like this:

Get-UALAll -UserIds test[@]invictus-ir.com -StartDate 1/4/2024 -EndDate 5/4/2024 -MergeOutput

If you have an older version you might have to run:

Get-UALAll -UserIds test[@]invictus-ir.com -StartDate 1/4/2024 -EndDate 5/4/2024 -MergeOutput y

In the output in the Terminal do you see that it's trying to merge the output files and that it created a directory?


Hi Joey,

Thanks for the weekend response. I'm trying to pull the AzureActiveDirectoryStsLogon Record type.

I've reinstalled all the modules and on the newest version.

Tested:
Get-UALAll -UserIds test[@]example.com -StartDate 1/4/2024 -EndDate 5/4/2024 -MergeOutput

This worked and was merged.

Then attempted to run:
Get-UALSpecific -RecordType AzureActiveDirectoryStsLogon -UserIds "test[@]example.com" -StartDate 1/4/2024 -EndDate 5/4/2024 -MergeOutput

With the error
Get-UALSpecific : Missing an argument for parameter 'MergeOutput'. Specify a parameter of type 'System.String' and try again.

Attempted to run the above but with -MergeOutput y, which ran successfully but did not merge the CSVs.

[INFO] Running Get-UALSpecific
[INFO] Setting the Interval to the default value of 1440
[INFO] Output set to CSV
[INFO] Extracting all available audit logs between 2024-04-01T14:00:00Z and 2024-04-07T14:00:00Z
[INFO] The following RecordType(s) are configured to be extracted:
-AzureActiveDirectoryStsLogon
[INFO] Acquisition complete, check the Output directory for your files..

Thanks for pointing this out, we will fix this in our next update.

If you want to change this manually so it works now, you can change line 606 of Get-Ual.ps1 from:

[string]$MergeOutput,

to:

[switch]$MergeOutput,
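The two comments above (the `-MergeOutput` vs `-MergeOutput y` usage, and the `[string]` to `[switch]` one-line fix) come down to how PowerShell binds the two parameter types. The script below is an added illustration, not code from Microsoft-Extractor-Suite: the function names, the `Merged.csv` file name and the sample CSV rows are all hypothetical. It shows why a `[string]` parameter rejects a bare `-MergeOutput` with "Missing an argument", why `-MergeOutput y` binds but carries no merge logic of its own, and what a `[switch]`-guarded merge of per-run CSV files looks like.

```powershell
# Added example (not Microsoft-Extractor-Suite code). Function and file names are hypothetical.

function Invoke-StringStyleMerge {
    # Declared as [string]: a bare "-MergeOutput" is a binding error
    # ("Missing an argument for parameter 'MergeOutput'"); a value such as "y"
    # binds, but only does something if the body explicitly compares it.
    param(
        [string]$MergeOutput
    )
    if ($MergeOutput -eq 'y') { return 'merging' } else { return 'not merging' }
}

function Invoke-SwitchStyleMerge {
    # Declared as [switch]: present means $true, absent means $false,
    # and "-MergeOutput:$false" turns it off explicitly. No value is needed.
    param(
        [switch]$MergeOutput
    )
    if ($MergeOutput) { return 'merging' } else { return 'not merging' }
}

function Merge-CsvOutput {
    # Concatenates every CSV in $OutputDir into a single Merged.csv (hypothetical name)
    # with one header row, but only when the switch is set.
    param(
        [Parameter(Mandatory)][string]$OutputDir,
        [switch]$MergeOutput
    )
    if (-not $MergeOutput) {
        Write-Host '[INFO] MergeOutput not set, leaving individual files in place'
        return $null
    }
    $files = Get-ChildItem -Path $OutputDir -Filter '*.csv' |
        Where-Object { $_.Name -ne 'Merged.csv' }
    if (-not $files) {
        Write-Host '[INFO] No CSV files to merge'
        return $null
    }
    $merged = Join-Path $OutputDir 'Merged.csv'
    # Import-Csv per file yields objects with the same columns; Export-Csv writes one header.
    $files | ForEach-Object { Import-Csv -Path $_.FullName } |
        Export-Csv -Path $merged -NoTypeInformation
    Write-Host "[INFO] Merged $($files.Count) file(s) into $merged"
    return $merged
}

# Constructed sample data in a temporary directory (not real audit log output).
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ('mes-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
@([pscustomobject]@{ CreationDate = '2024-04-01T10:00:00Z'; Operation = 'UserLoggedIn' }) |
    Export-Csv -Path (Join-Path $dir 'part1.csv') -NoTypeInformation
@([pscustomobject]@{ CreationDate = '2024-04-02T10:00:00Z'; Operation = 'UserLoggedIn' }) |
    Export-Csv -Path (Join-Path $dir 'part2.csv') -NoTypeInformation

Write-Host "switch present : $(Invoke-SwitchStyleMerge -MergeOutput)"
Write-Host "switch absent  : $(Invoke-SwitchStyleMerge)"
Write-Host "string 'y'     : $(Invoke-StringStyleMerge -MergeOutput y)"
# Invoke-StringStyleMerge -MergeOutput   # binding error: Missing an argument for parameter 'MergeOutput'

Merge-CsvOutput -OutputDir $dir -MergeOutput
Import-Csv -Path (Join-Path $dir 'Merged.csv') | Format-Table
```

Run it in any PowerShell session; it touches only a fresh directory under the system temp path. The practical check for the original report is the same as in this script: if a function declares `[string]$MergeOutput`, a bare `-MergeOutput` will always fail to bind, and passing `y` only works if the function body actually tests that value, which is why the fix is to declare the parameter as `[switch]`.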

Cheers, confirmed working for me after that change.

Thanks!