{"id":13598398,"url":"https://github.com/LETHAL-FORENSICS/Microsoft-Analyzer-Suite","last_synced_at":"2025-04-10T09:31:11.647Z","repository":{"id":223654570,"uuid":"761092355","full_name":"LETHAL-FORENSICS/Microsoft-Analyzer-Suite","owner":"LETHAL-FORENSICS","description":"A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID","archived":false,"fork":false,"pushed_at":"2025-03-25T06:11:51.000Z","size":17047,"stargazers_count":453,"open_issues_count":0,"forks_count":51,"subscribers_count":17,"default_branch":"main","last_synced_at":"2025-04-10T05:42:27.485Z","etag":null,"topics":["azure-active-directory","incident-response","microsoft-365","microsoft-entra","microsoft-graph","powershell"],"latest_commit_sha":null,"homepage":"https://lethal-forensics.com","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/LETHAL-FORENSICS.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-02-21T08:18:35.000Z","updated_at":"2025-04-05T13:44:02.000Z","dependencies_parsed_at":"2024-03-24T18:24:05.754Z","dependency_job_id":"d9b82c77-0d9f-4d0b-b3f6-e641cfed5861","html_url":"https://github.com/LETHAL-FORENSICS/Microsoft-Analyzer-Suite","commit_stats":null,"previous_names":["evild3ad/microsoft-analyzer-suite","lethal-forensics/microsoft-analyzer-suite"],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LETHAL-FORENSICS%2FMicrosoft-Analyzer-Suite","tags_url":"https://repos.ecosyste.ms/api
/v1/hosts/GitHub/repositories/LETHAL-FORENSICS%2FMicrosoft-Analyzer-Suite/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LETHAL-FORENSICS%2FMicrosoft-Analyzer-Suite/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/LETHAL-FORENSICS%2FMicrosoft-Analyzer-Suite/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/LETHAL-FORENSICS","download_url":"https://codeload.github.com/LETHAL-FORENSICS/Microsoft-Analyzer-Suite/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248191683,"owners_count":21062551,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure-active-directory","incident-response","microsoft-365","microsoft-entra","microsoft-graph","powershell"],"created_at":"2024-08-01T17:00:52.270Z","updated_at":"2025-04-10T09:31:06.635Z","avatar_url":"https://github.com/LETHAL-FORENSICS.png","language":"PowerShell","funding_links":[],"categories":["PowerShell","Other Lists"],"sub_categories":["🛡️ DFIR:"],"readme":"\u003cimg src=\"https://img.shields.io/badge/Language-Powershell-blue\"\u003e \u003ca href=\"https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki\"\u003e\u003cimg src=\"https://img.shields.io/badge/Wiki-Documentation-blue\"\u003e\u003c/a\u003e \u003cimg src=\"https://img.shields.io/badge/Maintenance%20Level-Actively%20Developed-brightgreen\"\u003e \u003ca href=\"https://twitter.com/Evild3ad79\"\u003e\u003cimg src=\"https://img.shields.io/twitter/follow/Evild3ad79?style=social\"\u003e\u003c/a\u003e \u003ca 
href=\"https://twitter.com/InvictusIR\"\u003e\u003cimg src=\"https://img.shields.io/twitter/follow/InvictusIR?style=social\"\u003e\u003c/a\u003e\n\n# Microsoft-Analyzer-Suite (Community Edition)\nA collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID.\n\n## TL;DR  \nAutomated Processing of Microsoft 365 Logs and Microsoft Entra ID Logs extracted by [Microsoft-Extractor-Suite](https://github.com/invictus-ir/Microsoft-Extractor-Suite).\n\n## The following Microsoft data sources are supported so far:\n\n\u003e Output Files of Microsoft-Extractor-Suite v1.3.5 by Invictus-IR\n\n  * [Get-ADSignInLogsGraph](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/AzureSignInLogsGraph.html) \u0026#8594; [ADSignInLogsGraph-Analyzer v0.1](https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki/ADSignInLogsGraph%E2%80%90Analyzer)  \n  * [Get-MFA](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/GetUserInfo.html#retrieves-mfa-status) \u0026#8594; [MFA-Analyzer v0.2](https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki/MFA%E2%80%90Analyzer)\n  * [Get-OAuthPermissions](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/OAuthPermissions.html) \u0026#8594; [OAuthPermissions-Analyzer v0.2](https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki/OAuthPermissions%E2%80%90Analyzer)  \n  * [Get-RiskyDetections](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/GetUserInfo.html#retrieves-the-risky-detections) \u0026#8594; [RiskyDetections-Analyzer v0.2](https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki/RiskyDetections%E2%80%90Analyzer)\n  * [Get-RiskyUsers](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/GetUserInfo.html#retrieves-the-risky-users) \u0026#8594; [RiskyUsers-Analyzer v0.2](https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki/RiskyUsers%E2%80%90Analyzer)  \n  * 
[Get-UALAll](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/UnifiedAuditLog.html) \u0026#8594; [UAL-Analyzer v0.3](https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki/UAL%E2%80%90Analyzer)  \n  * [Get-Users](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/GetUserInfo.html) \u0026#8594; [Users-Analyzer v0.1](https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki/Users%E2%80%90Analyzer)  \n  * [Get-TransportRules](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/TransportRules.html) \u0026#8594; [TransportRules-Analyzer v0.1](https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki/TransportRules%E2%80%90Analyzer)  \n  \n  \u003cbr\u003e\n\n![RiskyDetections-Analyzer](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/01.png)  \n**Fig 1:** RiskyDetections-Analyzer\n\n![RiskyDetections-1](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/02.png)  \n**Fig 2:** Risky Detections (1)\n\n![RiskyDetections-2](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/03.png)  \n**Fig 3:** Risky Detections (2)\n\n![RiskyDetections-LineChart](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/04.png)  \n**Fig 4:** Risky Detections (Line Chart)\n\n![RiskyDetections-mitreTechniques](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/05.png)  \n**Fig 5:** MITRE ATT\u0026CK Techniques (Stats)\n\n![RiskyDetections-RiskEventType](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/06.png)  \n**Fig 6:** RiskEventType 
(Stats)\n\n![RiskyDetections-RiskLevel](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/07.png)  \n**Fig 7:** RiskLevel (Stats)\n\n![RiskyDetections-Source](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/08.png)  \n**Fig 8:** Source (Stats)\n\n![RiskyUsers-Analyzer](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/09.png)  \n**Fig 9:** RiskyUsers-Analyzer\n\n![RiskyUsers](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/10.png)  \n**Fig 10:** Risky Users  \n\n![UAL-Analyzer](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/8092610fb8576040fee6834c52d57b858c666248/Screenshots/11.png)  \n**Fig 11:** You can specify a file path or launch the File Browser Dialog to select your log file  \n\n## Links  \n[Microsoft-Extractor-Suite by Invictus-IR](https://github.com/invictus-ir/Microsoft-Extractor-Suite)  \n[Microsoft-Extractor-Suite Documentation](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/)  \n[Microsoft 365 Artifact Reference Guide by the Microsoft Incident Response Team](https://go.microsoft.com/fwlink/?linkid=2257423)  \n[Awesome BEC - Repository of attack and defensive information for Business Email Compromise investigations](https://github.com/randomaccess3/Awesome-BEC)  \n[M365_Oauth_Apps - Repository of suspicious Enterprise Applications (BEC)](https://github.com/randomaccess3/detections/blob/main/M365_Oauth_Apps/MaliciousOauthAppDetections.json)  ","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FLETHAL-FORENSICS%2FMicrosoft-Analyzer-Suite","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FLETHAL-FORENSICS%2FMicrosoft-Analyzer-Suite","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FLETHAL-FORENSICS%2FMicrosoft-Analyzer-Suite/lists"}