Files are written in .psm1 instead of calling functions. This changes case somehow

Author: EmilienCourt

DFIR-O365RC/DFIR-O365RC.psd1

@@ -7,7 +7,7 @@
     RootModule = '.\DFIR-O365RC.psm1'
 
     # Version number of this module.
-    ModuleVersion = '2.2.1'
+    ModuleVersion = '2.2.2'
 
     # Supported PSEditions
     CompatiblePSEditions = 'Core', 'Desktop'
@@ -110,6 +110,7 @@
                 2.1.0 - Add Get-AADUsers
                 2.2.0 - Get Purview results using Graph instead of PowerShell. Use ToJsonString() to fix case. Recover deleted items
                 2.2.1 - Fix PSGallery CI
+                2.2.1 - Files are now written in the function where they are collected. This will change case somehow.
             '
         } # End of PSData hashtable
     } # End of PrivateData hashtable

DFIR-O365RC/DFIR-O365RC.psm1

@@ -472,7 +472,9 @@ function Get-AzDevOpsAuditLogs {
         [Parameter(Mandatory = $true)]
         [String]$uri,
         [Parameter(Mandatory = $true)]
-        [String]$logFile
+        [String]$logFile,
+        [Parameter(Mandatory = $true)]
+        [String]$outputFile
     )
     try {
         $token = Get-AzAccessToken -ResourceUrl "499b84ac-1321-427f-aa17-267ca6975798" -AsSecureString:$false -ErrorAction Stop
@@ -562,7 +564,15 @@ function Get-AzDevOpsAuditLogs {
     else {
         "No events to dump from Azure DevOps URI $($uri)" | Write-Log -LogPath $logFile
     }
-    return $APIresults
+    
+    if ($APIresults){
+        $nbAPIresults = ($APIresults | Measure-Object).Count
+        "Dumping $($nbAPIresults) Azure DevOps activity logs events to $($outputFile)" | Write-Log -LogPath $logFile
+        $APIresults | ConvertTo-Json -Depth 99 | Out-File $outputFile -Encoding UTF8
+    }
+    else {
+        "No Azure DevOps activity logs event to dump to $($outputFile)" | Write-Log -LogPath $logFile -LogLevel "Warning"
+    }
 }
 
 function Get-MgPurviewAuditLog {
@@ -780,7 +790,9 @@ function Get-MicrosoftGraphLogs {
         [Parameter(Mandatory = $true)]
         [String]$tenant,
         [Parameter(Mandatory = $true)]
-        [String]$logFile
+        [String]$logFile,
+        [Parameter(Mandatory = $true)]
+        [String]$outputFile
     )
     $stopLoop = $false
     [Int]$retryCount = "0"
@@ -817,7 +829,14 @@ function Get-MicrosoftGraphLogs {
             }
         }
     } while ($stopLoop -eq $false)
-    return $AzureADEvents
+    if ($AzureADEvents -ne $null){
+        $AzureADEventsCount = ($AzureADEvents | Measure-Object).Count
+        "Dumping $($AzureADEventsCount) Entra ID $($type) events to $($outputFile)" | Write-Log -LogPath $logFile
+        $AzureADEvents | ConvertTo-Json -Depth 99 | Out-File $outputFile -Encoding UTF8
+    }
+    else {
+        "No Entra ID $($type) events to dump to $($outputFile)" | Write-Log -LogPath $logFile -LogLevel "Warning" 
+    }
 }
 
 function Get-AzureRMActivityLog {
@@ -838,7 +857,9 @@ function Get-AzureRMActivityLog {
         [Parameter(Mandatory = $true)]
         [String]$tenant,
         [Parameter(Mandatory = $true)]
-        [String]$logFile
+        [String]$logFile,
+        [Parameter(Mandatory = $true)]
+        [String]$outputFile
     )
     $stopLoop = $false
     [Int]$retryCount = "0"
@@ -862,7 +883,18 @@ function Get-AzureRMActivityLog {
             }
         }
     } while ($stopLoop -eq $false)
-    return $azureRMActivityEvents
+    if ($azureRMActivityEvents){
+        $nbAzureRMActivityEvents = ($azureRMActivityEvents | Measure-Object).Count
+        "Dumping $($nbAzureRMActivityEvents) Azure Resource Manager activity logs events to $($outputFile)" | Write-Log -LogPath $logFile
+        for ($i=0; $i -lt $nbAzureRMActivityEvents; $i++){
+            # we can't use ConvertTo-Json, cf. https://github.com/Azure/azure-powershell/issues/11353
+            $azureRMActivityEvents[$i] = [Newtonsoft.Json.JsonConvert]::SerializeObject($azureRMActivityEvents[$i])
+        }
+        $azureRMActivityEvents | Out-File $outputFile -Encoding UTF8
+    }
+    else {
+        "No Azure Resource Manager activity logs event to dump to $($outputFile)" | Write-Log -LogPath $logFile -LogLevel "Warning"
+    }
 }
 
 function Get-UnifiedAuditLogPurview {

DFIR-O365RC/Get-AADLogs.ps1

@@ -94,15 +94,7 @@ function Get-AADLogs {
             $outputFile = $AzureADAuditFolder + "\AADAuditLog_" + $tenant + "_" + $outputdate + ".json"
             $auditStart = "{0:s}" -f $newStartDate + "Z"
             $auditEnd = "{0:s}" -f $newEndDate + "Z"
-            $AzureADAuditEvents = Get-MicrosoftGraphLogs -type "AuditLogs" -dateStart $auditStart -dateEnd $auditEnd -certificate $cert -appId $appId -tenant $tenant -logFile $logFile
-            if ($AzureADAuditEvents){
-                $nbAzureADAuditEvents = ($AzureADAuditEvents | Measure-Object).Count
-                "Dumping $($nbAzureADAuditEvents) Entra ID audit events to $($outputFile)" | Write-Log -LogPath $logFile
-                $AzureADAuditEvents | ConvertTo-Json -Depth 99 | Out-File $outputFile -Encoding UTF8
-            }
-            else {
-                "No Entra ID audit event to dump to $($outputFile)" | Write-Log -LogPath $logFile -LogLevel "Warning" 
-            }
+            Get-MicrosoftGraphLogs -type "AuditLogs" -dateStart $auditStart -dateEnd $auditEnd -certificate $cert -appId $appId -tenant $tenant -logFile $logFile -outputFile $outputFile
         }
 
         # Get Entra ID sign in logs 
@@ -136,20 +128,13 @@ function Get-AADLogs {
 
                     $signInsStart = "{0:s}" -f $newStartHour + "Z"
                     $signInsEnd = "{0:s}" -f $newEndHour + "Z"
-                    $AzureADSignInEvents = Get-MicrosoftGraphLogs -type "SignIns" -tenantSize $tenantSize -dateStart $signInsStart -dateEnd $signInsEnd -certificate $cert -appId $appId -tenant $tenant -logFile $logFile
                     $folderToProcess = $AzureADSignInsFolder + "\" + $dateToProcess
                     if ((Test-Path $folderToProcess) -eq $false){
                         New-Item $folderToProcess -Type Directory
                     }
                     $outputFile = $folderToProcess + "\AADSigninLog_" + $tenant + "_" + $outputdate + ".json"
-                    if ($AzureADSignInEvents){
-                        $nbADSigninEvents = ($AzureADSignInEvents | Measure-Object).Count
-                        "Dumping $($nbADSigninEvents) Entra ID sign in events to $($outputFile)" | Write-Log -LogPath $logFile
-                        $AzureADSignInEvents | ConvertTo-Json -Depth 99 | Out-File $outputFile -Encoding UTF8 
-                    }
-                    else {
-                        "No Entra ID sign in events to dump to $($outputFile)" | Write-Log -LogPath $logFile -LogLevel "Warning"
-                    }
+
+                    Get-MicrosoftGraphLogs -type "SignIns" -tenantSize $tenantSize -dateStart $signInsStart -dateEnd $signInsEnd -certificate $cert -appId $appId -tenant $tenant -logFile $logFile -outputFile $outputFile
                 }
             }
             else {

DFIR-O365RC/Get-AzDevOpsActivityLogs.ps1

@@ -143,22 +143,13 @@ function Get-AzDevOpsActivityLogs {
             $auditStart = "{0:s}" -f $newStartHour + "Z"
             $auditEnd = "{0:s}" -f $newEndhour + "Z"
             $uri = "https://auditservice.dev.azure.com/$($organizationName)/_apis/audit/auditlog?startTime=$($auditStart)&endTime=$($auditEnd)&api-version=7.1-preview.1"
-
-            $azureDevOpsActivityEvents = Get-AzDevOpsAuditLogs -certificatePath $certificatePath -certificateSecurePassword $certificateSecurePassword -needPassword $needPassword -tenant $tenant -appId $appId -uri $uri -logFile $logFile
-
             $folderToProcess = $azureDevOpsActivityFolder + "\" + $dateToProcess
             if ((Test-Path $folderToProcess) -eq $false){
                 New-Item $folderToProcess -Type Directory
             }
             $outputFile = $folderToProcess + "\AzDevOps_" + $tenant + "_" + $organizationName + "_" + $outputDate + ".json"
-            if ($azureDevOpsActivityEvents){
-                $nbAzureDevOpsActivityEvents = ($azureDevOpsActivityEvents | Measure-Object).Count
-                "Dumping $($nbAzureDevOpsActivityEvents) Azure DevOps activity logs events to $($outputFile)" | Write-Log -LogPath $logFile
-                $azureDevOpsActivityEvents | ConvertTo-Json -Depth 99 | Out-File $outputFile -Encoding UTF8
-            }
-            else {
-                "No Azure DevOps activity logs event to dump to $($outputFile)" | Write-Log -LogPath $logFile -LogLevel "Warning"
-            }
+
+            Get-AzDevOpsAuditLogs -certificatePath $certificatePath -certificateSecurePassword $certificateSecurePassword -needPassword $needPassword -tenant $tenant -appId $appId -uri $uri -logFile $logFile -outputFile $outputFile
         }
     }
 

DFIR-O365RC/Get-AzRMActivityLogs.ps1

@@ -122,25 +122,12 @@ function Get-AzRMActivityLogs {
             $dateStart = "{0:s}" -f $newStartHour + "Z"
             $dateEnd  = "{0:s}" -f $newEndHour + "Z"
 
-            $azureRMActivityEvents = Get-AzureRMActivityLog -dateStart $dateStart -dateEnd $dateEnd -certificatePath $certificatePath -certificateSecurePassword $certificateSecurePassword -needPassword $needPassword -appId $appId -tenant $tenant -logFile $logFile
-
             $folderToProcess = $azureRMActivityFolder + "\" + $dateToProcess
             if ((Test-Path $folderToProcess) -eq $false){
                 New-Item $folderToProcess -Type Directory
             }
             $outputFile = $folderToProcess + "\AzRM_" + $tenant + "_" + $subscriptionId + "_" + $outputDate + ".json"
-            if ($azureRMActivityEvents){
-                $nbAzureRMActivityEvents = ($azureRMActivityEvents | Measure-Object).Count
-                "Dumping $($nbAzureRMActivityEvents) Azure Resource Manager activity logs events to $($outputFile)" | Write-Log -LogPath $logFile
-                for ($i=0; $i -lt $nbAzureRMActivityEvents; $i++){
-                    # we can't use ConvertTo-Json, cf. https://github.com/Azure/azure-powershell/issues/11353
-                    $azureRMActivityEvents[$i] = [Newtonsoft.Json.JsonConvert]::SerializeObject($azureRMActivityEvents[$i])
-                }
-                $azureRMActivityEvents | Out-File $outputFile -Encoding UTF8
-            }
-            else {
-                "No Azure Resource Manager activity logs event to dump to $($outputFile)" | Write-Log -LogPath $logFile -LogLevel "Warning"
-            }
+            Get-AzureRMActivityLog -dateStart $dateStart -dateEnd $dateEnd -certificatePath $certificatePath -certificateSecurePassword $certificateSecurePassword -needPassword $needPassword -appId $appId -tenant $tenant -logFile $logFile -outputFile $outputFile
         }
     }