
Get-MandiantBulkUAL Error

Open SeriesOfTubez opened this issue 4 years ago • 10 comments

When running the script, I get a bunch of errors when it hits the Get-MandiantBulkUAL function.

Get-MandiantBulkUAL : Cannot process argument transformation on parameter 'ResultSize'. Cannot convert value "-" to type "System.Int32". Error: "Input string was not in a correct format."

Nothing stuck out when I looked at the actual script, I see the $ResultSize parameter variable set to '1000' by default and I didn't pass a different value in when I launched the script.

SeriesOfTubez avatar Jan 19 '21 21:01 SeriesOfTubez

I have this error

Get-MandiantBulkUAL : The result index is greater than the result count. Rerunning the query
In riga:1 car:1
+ Get-MandiantBulkUAL -Operations 'Update service principal' -DateOffse ...
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-MandiantBulkUAL

Pieraldo avatar Jan 21 '21 09:01 Pieraldo

Same error here...

Search for 'Update Application' events
Get-MandiantBulkUAL : The result index is greater than the result count. Rerunning the query
At line:1 char:1
+ Get-MandiantBulkUAL -Operations 'Update application' -DateOffset 90 - ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Get-MandiantBulkUAL

update: I ran "Get-MandiantBulkUAL -Operations 'Update application' -DateOffset 90" manually and the results are the same as when running Invoke-MandiantAllChecks and no errors are thrown

hafenschiffer avatar Jan 21 '21 12:01 hafenschiffer

I am receiving the exact same error as the OP during these events:

  • Search for 'Update Application' events
  • Search for 'Set domain authentication' events
  • Search for 'Set federation settings on domain' events
  • Search for 'Update application - Certificates and secrets management' events
  • Search for Mailbox Login events using PowerShell
  • Search for 'Update service principal' events
  • Search for 'Add service principal credentials' events
  • Search for Add app role assignment' events
  • Search for 'Add app role assignment grant to user.' events
  • Search for PowerShell authentication events. These events are not inherently bad

No output files are generated.

vwi-mattdejonge avatar Jan 21 '21 12:01 vwi-mattdejonge

Thanks for the feedback! I see that one submitter was able to fix the issue by re-running the tool, can the rest of you give that a shot and report back?

There are a number of nuances with searching the Unified Audit Log that are outside of our control (related to the MSFT backend itself). Sometimes this causes the search itself to fail. We tried to account for this, but it looks like we missed a few.

dmb2168 avatar Jan 21 '21 14:01 dmb2168

Running 'Invoke-MandiantAllChecks' fails with the errors others reported. I am able to successfully run these individual checks.

  • Get-MandiantBulkUAL
  • Invoke-MandiantAuditAzureADApplications
  • Invoke-MandiantAuditAzureADDomains
  • Invoke-MandiantAuditAzureADServicePrincipals

It would help to see a sample successfully generated report, from a demo environment. Would you folks have one?

heygautam avatar Jan 22 '21 06:01 heygautam

Hi All, any update on a solution for this? I am also having the same error as vwi-mattdejonge and no results are being generated. I performed the individual checks below and they also print "Checking for suspicious", but no output file is provided except for ADDomains. I would appreciate it if someone could assist with what the next step should be. Thanks

  1. Invoke-MandiantAuditAzureADApplications - no results provided
  2. Invoke-MandiantAuditAzureADDomains - results provided
  3. Invoke-MandiantAuditAzureADServicePrincipals - no results provided

Support12345 avatar Feb 10 '21 03:02 Support12345

Hi - do you see this output to the window?

Checking for suspicious Azure AD App Registrations.

If you see that message but nothing else, then it means the tool did not find anything risky or suspicious to report.

dmb2168 avatar Feb 10 '21 14:02 dmb2168

Hi dmb2168- thank you for the response and yes I am seeing the "Checking for suspicious Azure AD App Registrations".

How about "Invoke-MandiantAllChecks -OutputPath <path\to\output\files>": why is it showing an error on the following checks, and why is a csv result only provided for Federated Domains?

  • Search for 'Update Application' events
  • Search for 'Set domain authentication' events
  • Search for 'Set federation settings on domain' events
  • Search for 'Update application - Certificates and secrets management' events
  • Search for Mailbox Login events using PowerShell
  • Search for 'Update service principal' events
  • Search for 'Add service principal credentials' events
  • Search for Add app role assignment' events
  • Search for 'Add app role assignment grant to user.' events
  • Search for PowerShell authentication events. These events are not inherently bad

Support12345 avatar Feb 11 '21 02:02 Support12345

Hello @Support12345, if there were no csv files, then it means the tool did not find anything risky or suspicious to report.

jurajsucik avatar Oct 28 '21 15:10 jurajsucik

I just ran into the same error as OP and found it was occurring due to the -OutputPath I was using containing spaces. I was surrounding my path in quotes but it seems these get stripped out when the Get-MandiantUAL query is being built.
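The two failure modes in this thread (the Unified Audit Log backend returning an inconsistent page, and an -OutputPath with spaces being mangled when the query is built as a string) can both be avoided in a collector that passes parameters by splatting and re-runs the query on a bad page. The function below is an added example, not code from the Mandiant-Azure-AD-Investigator project; it assumes an Exchange Online PowerShell session is already connected so that Search-UnifiedAuditLog is available, and the function name Get-UalOperationsToCsv is hypothetical.

```powershell
# Added example, not the project's own code. Requires a connected Exchange Online session.
function Get-UalOperationsToCsv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $Operations,
        [int] $DateOffset = 90,          # days back from now, as in the thread's invocations
        [int] $ResultSize = 1000,        # Search-UnifiedAuditLog accepts up to 5000 per page
        [Parameter(Mandatory)] [string] $OutputPath,   # may contain spaces; never flattened to a string
        [int] $MaxRetries = 3
    )
    $end     = Get-Date
    $start   = $end.AddDays(-$DateOffset)
    $records = @()
    foreach ($attempt in 1..$MaxRetries) {
        $sessionId = [guid]::NewGuid().ToString()   # fresh session per attempt so paging restarts cleanly
        $records   = @()
        $pageOk    = $true
        do {
            # Splatting keeps every value intact, including paths and strings with spaces.
            $params = @{
                StartDate      = $start
                EndDate        = $end
                Operations     = $Operations
                ResultSize     = $ResultSize
                SessionId      = $sessionId
                SessionCommand = 'ReturnLargeSet'   # repeat the call with the same SessionId to page
            }
            $page = @(Search-UnifiedAuditLog @params)
            if ($page.Count -eq 0) { break }
            $last = $page[-1]
            if ($last.ResultIndex -gt $last.ResultCount) {
                # The backend condition the tool reports as "result index is greater than the result count"
                Write-Warning "Result index exceeds result count; re-running the query (attempt $attempt of $MaxRetries)."
                $pageOk = $false
                break
            }
            $records += $page
        } while ($last.ResultIndex -lt $last.ResultCount)
        if ($pageOk) { break }
    }
    if ($records.Count -eq 0) { return $null }   # nothing found: no file, matching the tool's behaviour
    $name = (($Operations -join '_') -replace '[^\w]', '_') + '.csv'
    $file = Join-Path -Path $OutputPath -ChildPath $name
    $records | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
        Export-Csv -Path $file -NoTypeInformation
    return $file
}

# Usage with a path containing spaces, which the thread identifies as the trigger:
# Get-UalOperationsToCsv -Operations 'Update application' -OutputPath 'C:\Audit Output\Tenant A'
```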

grayfold3d avatar May 12 '22 19:05 grayfold3d