Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/LETHAL-FORENSICS/Microsoft-Analyzer-Suite

A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID
https://github.com/LETHAL-FORENSICS/Microsoft-Analyzer-Suite

azure-active-directory incident-response microsoft-365 microsoft-entra microsoft-graph powershell

Last synced: 2 months ago
JSON representation

A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID

Awesome Lists containing this project

README 

        
    



# Microsoft-Analyzer-Suite (Community Edition)

A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID.



## TL;DR  

Automated Processing of Microsoft 365 Logs and Microsoft Entra ID Logs extracted by [Microsoft-Extractor-Suite](https://github.com/invictus-ir/Microsoft-Extractor-Suite).



## The following Microsoft data sources are supported yet:



> Output Files of Microsoft-Extractor-Suite v1.3.5 by Invictus-IR



  * [Get-ADSignInLogsGraph](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/AzureSignInLogsGraph.html) → [ADSignInLogsGraph-Analyzer v0.1](https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki/ADSignInLogsGraph%E2%80%90Analyzer)  

  * [Get-MFA](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/GetUserInfo.html#retrieves-mfa-status) → [MFA-Analyzer v0.2](https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki/MFA%E2%80%90Analyzer)

  * [Get-OAuthPermissions](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/OAuthPermissions.html) → [OAuthPermissions-Analyzer v0.2](https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki/OAuthPermissions%E2%80%90Analyzer)  

  * [Get-RiskyDetections](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/GetUserInfo.html#retrieves-the-risky-detections) → [RiskyDetections-Analyzer v0.2](https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki/RiskyDetections%E2%80%90Analyzer)

  * [Get-RiskyUsers](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/GetUserInfo.html#retrieves-the-risky-users) → [RiskyUsers-Analyzer v0.2](https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki/RiskyUsers%E2%80%90Analyzer)  

  * [Get-UALAll](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/UnifiedAuditLog.html) → [UAL-Analyzer v0.3](https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki/UAL%E2%80%90Analyzer)  

  * [Get-Users](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/GetUserInfo.html) → [Users-Analyzer v0.1](https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki/Users%E2%80%90Analyzer)  

  * [Get-TransportRules](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/functionality/TransportRules.html) → [TransportRules-Analyzer v0.1](https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki/TransportRules%E2%80%90Analyzer)  

  

  



![RiskyDetections-Analyzer](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/01.png)  

**Fig 1:** RiskyDetections-Analyzer



![RiskyDetections-1](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/02.png)  

**Fig 2:** Risky Detections (1)



![RiskyDetections-2](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/03.png)  

**Fig 3:** Risky Detections (2)



![RiskyDetections-LineChart](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/04.png)  

**Fig 4:** Risky Detections (Line Chart)



![RiskyDetections-mitreTechniques](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/05.png)  

**Fig 5:** MITRE ATT&CK Techniques (Stats)



![RiskyDetections-RiskEventType](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/06.png)  

**Fig 6:** RiskEventType (Stats)



![RiskyDetections-RiskLevel](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/07.png)  

**Fig 7:** RiskLevel (Stats)



![RiskyDetections-Source](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/08.png)  

**Fig 8:** Source (Stats)



![RiskyUsers-Analyzer](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/09.png)  

**Fig 9:** RiskyUsers-Analyzer



![RiskyUsers](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/bf004f386ed5af210a0b326c24dcf50fccc9adf4/Screenshots/10.png)  

**Fig 10:** Risky Users  



![UAL-Analyzer](https://github.com/evild3ad/Microsoft-Analyzer-Suite/blob/8092610fb8576040fee6834c52d57b858c666248/Screenshots/11.png)  

**Fig 11:** You can specify a file path or launch the File Browser Dialog to select your log file  



## Links  

[Microsoft-Extractor-Suite by Invictus-IR](https://github.com/invictus-ir/Microsoft-Extractor-Suite)  

[Microsoft-Extractor-Suite Documentation](https://microsoft-365-extractor-suite.readthedocs.io/en/latest/)  

[Microsoft 365 Artifact Reference Guide by the Microsoft Incident Response Team](https://go.microsoft.com/fwlink/?linkid=2257423)  

[Awesome BEC - Repository of attack and defensive information for Business Email Compromise investigations](https://github.com/randomaccess3/Awesome-BEC)  

[M365_Oauth_Apps - Repository of suspicious Enterprise Applications (BEC)](https://github.com/randomaccess3/detections/blob/main/M365_Oauth_Apps/MaliciousOauthAppDetections.json)