evild3ad/Microsoft-Analyzer-Suite

Microsoft-Analyzer-Suite (Community Edition)

A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID.

TL;DR

Automated Processing of Microsoft 365 Logs and Microsoft Entra ID Logs extracted by Microsoft-Extractor-Suite.

The following Microsoft data sources are currently supported:

Output Files of Microsoft-Extractor-Suite v2.1.1 by Invictus-IR

Tip

Check out the Wiki for additional documentation!

[Screenshot: RiskyDetections-Analyzer] Fig 1: RiskyDetections-Analyzer

[Screenshot: RiskyDetections-1] Fig 2: Risky Detections (1)

[Screenshot: RiskyDetections-2] Fig 3: Risky Detections (2)

[Screenshot: RiskyDetections-LineChart] Fig 4: Risky Detections (Line Chart)

[Screenshot: RiskyDetections-mitreTechniques] Fig 5: MITRE ATT&CK Techniques (Stats)

[Screenshot: RiskyDetections-RiskEventType] Fig 6: RiskEventType (Stats)

[Screenshot: RiskyDetections-RiskLevel] Fig 7: RiskLevel (Stats)

[Screenshot: RiskyDetections-Source] Fig 8: Source (Stats)

[Screenshot: RiskyUsers-Analyzer] Fig 9: RiskyUsers-Analyzer

[Screenshot: RiskyUsers] Fig 10: Risky Users

[Screenshot: UAL-Analyzer] Fig 11: You can specify a file path or launch the File Browser Dialog to select your log file

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.
Note: If your change is larger or adds a feature, please contact me beforehand so that we can discuss it.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Links

Microsoft-Extractor-Suite by Invictus-IR
Microsoft-Extractor-Suite Documentation
Microsoft 365 Artifact Reference Guide by the Microsoft Incident Response Team
Awesome BEC - Repository of attack and defensive information for Business Email Compromise investigations
M365_Oauth_Apps - Repository of suspicious Enterprise Applications (BEC)
RogueApps by Huntress Labs