A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID.
Automated Processing of Microsoft 365 Logs and Microsoft Entra ID Logs extracted by Microsoft-Extractor-Suite.
Output Files of Microsoft-Extractor-Suite v2.1.1 by Invictus-IR
- Get-ADAuditLogsGraph → ADAuditLogsGraph-Analyzer
- Get-ADSignInLogsGraph → ADSignInLogsGraph-Analyzer
- Get-MessageTraceLog → MTL-Analyzer
- Get-MFA → MFA-Analyzer
- Get-OAuthPermissions → OAuthPermissions-Analyzer
- Get-RiskyDetections → RiskyDetections-Analyzer
- Get-RiskyUsers → RiskyUsers-Analyzer
- Get-UALAll → UAL-Analyzer
- Get-Users → Users-Analyzer
- Get-TransportRules → TransportRules-Analyzer
Tip
Check out the Wiki for additional documentation!
Fig 1: RiskyDetections-Analyzer
Fig 4: Risky Detections (Line Chart)
Fig 5: MITRE ATT&CK Techniques (Stats)
Fig 11: You can specify a file path or launch the File Browser Dialog to select your log file
Contributions are welcome! Please feel free to submit a Pull Request.
Note: If your change is larger, or adds a feature, please contact me beforehand so that we can discuss the change.
This project is licensed under the MIT License - see the LICENSE file for details.
Microsoft-Extractor-Suite by Invictus-IR
Microsoft-Extractor-Suite Documentation
Microsoft 365 Artifact Reference Guide by the Microsoft Incident Response Team
Awesome BEC - Repository of attack and defensive information for Business Email Compromise investigations
M365_Oauth_Apps - Repository of suspicious Enterprise Applications (BEC)
RogueApps by Huntress Labs