diff --git a/Azure-ARM/forensics_log_pull.ps1 b/Azure-ARM/forensics_log_pull.ps1
index b857efe..f0d718f 100644
--- a/Azure-ARM/forensics_log_pull.ps1
+++ b/Azure-ARM/forensics_log_pull.ps1
@@ -9,6 +9,9 @@ mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Monolith"
 mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Workflows"
 mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Web"
 mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Webportal"
+mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Monitor"
+mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Data"
+mkdir "$env:TEMP\all-Logs\$DT\ProfiseeLogs\ConnEx"
 mkdir "$env:TEMP\all-Logs\$DT\EventViewerLogs"
 mkdir "$env:TEMP\all-Logs\$DT\TCPLogs"
 mkdir "$env:TEMP\all-Logs\$DT\IISLogs"
@@ -22,6 +25,9 @@ robocopy "c:\profisee\services\monolith\logfiles" "$env:TEMP\all-Logs\$DT\Profis
 robocopy "c:\profisee\services\workflows\logfiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Workflows" /E /COPYALL /DCOPY:T
 robocopy "c:\profisee\web\logfiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Web" /E /COPYALL /DCOPY:T
 robocopy "c:\profisee\webportal\logfiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Webportal" /E /COPYALL /DCOPY:T
+robocopy "C:\Profisee\Services\Monitor\LogFiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Monitor" /E /COPYALL /DCOPY:T
+robocopy "C:\Profisee\Services\Data\LogFiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Data" /E /COPYALL /DCOPY:T
+robocopy "C:\Profisee\Services\ConnEx\LogFiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\ConnEx" /E /COPYALL /DCOPY:T
 robocopy "c:\inetpub\logs\LogFiles\W3SVC1" "$env:TEMP\all-Logs\$DT\IISLogs" /E /COPYALL /DCOPY:T
 netstat -anobq > $env:TEMP\all-Logs\$DT\TCPLogs\netstat.txt
 Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending | out-file $env:TEMP\all-Logs\$DT\TCPLogs\TCPconnections.txt
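Review bot: The three added robocopy calls for Monitor, Data and ConnEx neither verify that the source directory exists nor check robocopy's result, so on a host where one of those services is not installed (or the log folder is unreadable) the collection silently yields an empty folder and the evidence package looks complete when it is not. Robocopy reports such failures through its exit code (values of 8 and above indicate at least one failure), and that status is never consulted anywhere in this hunk; since this is a forensic collector, the outcome of each copy should also be recorded alongside the evidence rather than only on the console. Suggested shape for each of the three new lines, e.g. for Monitor: `robocopy "C:\Profisee\Services\Monitor\LogFiles" "$env:TEMP\all-Logs\$DT\ProfiseeLogs\Monitor" /E /COPYALL /DCOPY:T /LOG+:"$env:TEMP\all-Logs\$DT\robocopy.log"` followed by `if ($LASTEXITCODE -ge 8) { Write-Warning "Monitor log collection failed (robocopy exit $LASTEXITCODE)" }`, and the same for Data and ConnEx. As a minor style point, the new source paths are written `C:\Profisee\Services\...\LogFiles` while the neighbouring lines use all-lowercase `c:\profisee\services\...\logfiles`; the path lookup is case-insensitive on Windows so this is harmless, but one convention should be used. The script's enclosing statement run continues outside the hunk, so I cannot see whether a later step checks these results.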