
dfir-o365rc's Issues

Failed to create EXO session - unexpected character encountered while parsing value: F.

The script Get-O365Light failed after authenticating, both from the Docker container and the Linux pwsh.

Output:

PS /mnt/host/output> Get-O365Light -StartDate $startdate -Enddate $enddate -Debug                                                                           

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code DF[...]VZ to authenticate.
Get-O365Light: [email protected] does not have the required permissions to get Office 365 Unified Audit Logs : doees not have the 'View-Only Audit Logs' role on https://admin.exchange.microsoft.com/. See https://learn.microsoft.com/en-us/purview/audit-log-search?view=o365-worldwide#before-you-search-the-audit-log. Cannot continue                                                                                               

And the logfile:

2024-04-18 13:02:50, INFO, Asking Oauth token for EXO
2024-04-18 13:03:37, INFO, Fetching all operations from the subset, this is the default configuration
2024-04-18 13:03:37, INFO, Asking Oauth silent token renewal for EXO
2024-04-18 13:03:37, INFO, Checking permissions for [email protected]
2024-04-18 13:03:37, WARNING, Failed to create EXO session EXO_0f3b[...]834c - sleeping and retrying  - Unexpected character encountered while parsing value: F. Path '', line 1, position 1.
2024-04-18 13:04:37, WARNING, Failed to create EXO session EXO_0f3b[...]834c - sleeping and retrying  - Unexpected character encountered while parsing value: F. Path '', line 1, position 1.
2024-04-18 13:06:37, WARNING, Failed to create EXO session EXO_0f3b[...]834c - sleeping and retrying  - Unexpected character encountered while parsing value: F. Path '', line 1, position 1.
2024-04-18 13:09:38, WARNING, Failed to create EXO session EXO_0f3b[...]834c - sleeping and retrying  - Unexpected character encountered while parsing value: F. Path '', line 1, position 1.
2024-04-18 13:13:38, ERROR, Failed to create EXO session EXO_0f3b[...]834c 4 times - aborting
2024-04-18 13:13:38, ERROR, [email protected] does not have the required permissions to get Office 365 Unified Audit Logs : doees not have the 'View-Only Audit Logs' role on https://admin.exchange.microsoft.com/. See https://learn.microsoft.com/en-us/purview/audit-log-search?view=o365-worldwide#before-you-search-the-audit-log. Cannot continue

The permissions in Entra / Exchange are definitely correct, since I was able to run the commands that the script runs on my own:

PS> Connect-ExchangeOnline -UserPrincipalName [email protected]
(success)
PS> $sessionName  = [guid]::NewGuid().ToString()
PS> $Alloperations= @()
PS> $myObject = [PSCustomObject]@{
>>         GroupName= "Exchange";
>>         Operations = '"Add-MailboxPermission", "AddFolderPermissions", "Add-RecipientPermission", "Remove-RecipientPermission", "New-InboxRule", "Set-InboxRule", "Set-TransportRule", "New-TransportRule", "Hard Delete user", "Remove-MailboxPermission", "RemoveFolderPermissions", "UpdateInboxRules", "Set-CASMailbox", "Set-Mailbox","SearchCreated", "SearchExported","MailboxLogin"'
>>         }
PS> $Alloperations += $myObject
[do this for all the other objects]
PS> foreach ($operationsset in $Alloperations) {
>>     Get-LargeUnifiedAuditLog -StartDate $startdate -EndDate $enddate -outputfile test2.txt -requesttype "Operations" -sessionName $sessionName -logfile test2.log -Operations $operationsset.Operations
>> }
[this generates the correct output]

Unfortunately I wasn't able to find out what value:F was expected to be, or what the unexpected character was.

Set-PSRepository: No repository with the name 'PSGallery" was found

Hello,

I wanted to give DFIR-O365RC a try but when I tried running it with Docker I got the following error:

Set-PSRepository: No repository with the name 'PSGallery" was found

I installed PowerShell on my Tsurugi workstation (Ubuntu 20.04) and ran the following command manually without any error.

pwsh -command Set-PSRepository PSGallery -InstallationPolicy Trusted

Do you have an idea on what might be the issue here?

Thanks !
