Awesome

<p align="center"><a href="https://github.com/PowerShell/PowerShell"><img src="https://img.shields.io/badge/Language-Powershell-blue" style="text-align:center;display:block;"></a> <a href="https://github.com/evild3ad/Microsoft-Analyzer-Suite/wiki"><img src="https://img.shields.io/badge/Wiki-Documentation-blue" style="text-align:center;display:block;"></a> <a href="https://github.com/evild3ad/Microsoft-Analyzer-Suite/releases/latest"><img src="https://img.shields.io/github/v/release/evild3ad/Microsoft-Analyzer-Suite?label=Release" style="text-align:center;display:block;"></a> <img src="https://img.shields.io/badge/Maintenance%20Level-Actively%20Developed-brightgreen" style="text-align:center;display:block;"> <img src="https://img.shields.io/badge/Digital%20Signature-Valid-brightgreen" style="text-align:center;display:block;"> <a href="https://twitter.com/Evild3ad79"><img src="https://img.shields.io/twitter/follow/Evild3ad79?style=social" style="text-align:center;display:block;"></a> <a href="https://twitter.com/InvictusIR"><img src="https://img.shields.io/twitter/follow/InvictusIR?style=social" style="text-align:center;display:block;"></a></p>

Microsoft-Analyzer-Suite (Community Edition)

A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID.

TL;DR

Automated Processing of Microsoft 365 Logs and Microsoft Entra ID Logs extracted by Microsoft-Extractor-Suite.

The following Microsoft data sources are supported yet:

Output Files of Microsoft-Extractor-Suite v2.1.1 by Invictus-IR

Get-ADAuditLogsGraph → ADAuditLogsGraph-Analyzer
Get-ADSignInLogsGraph → ADSignInLogsGraph-Analyzer
Get-MessageTraceLog → MTL-Analyzer
Get-MFA → MFA-Analyzer
Get-OAuthPermissions → OAuthPermissions-Analyzer
Get-RiskyDetections → RiskyDetections-Analyzer
Get-RiskyUsers → RiskyUsers-Analyzer
Get-UALAll → UAL-Analyzer
Get-Users → Users-Analyzer
Get-TransportRules → TransportRules-Analyzer

<br>

[!TIP] Check out the Wiki for additional documentation!

<br>

Fig 1: RiskyDetections-Analyzer

RiskyDetections-1
Fig 2: Risky Detections (1)

RiskyDetections-2
Fig 3: Risky Detections (2)

RiskyDetections-LineChart
Fig 4: Risky Detections (Line Chart)

RiskyDetections-mitreTechniques
Fig 5: MITRE ATT&CK Techniques (Stats)

RiskyDetections-RiskEventType
Fig 6: RiskEventType (Stats)

RiskyDetections-RiskLevel
Fig 7: RiskLevel (Stats)

RiskyDetections-Source
Fig 8: Source (Stats)

Fig 9: RiskyUsers-Analyzer

RiskyUsers
Fig 10: Risky Users

UAL-Analyzer
Fig 11: You can specify a file path or launch the File Browser Dialog to select your log file

Links

Microsoft-Extractor-Suite by Invictus-IR
Microsoft-Extractor-Suite Documentation
Microsoft 365 Artifact Reference Guide by the Microsoft Incident Response Team
Awesome BEC - Repository of attack and defensive information for Business Email Compromise investigations
M365_Oauth_Apps - Repository of suspicious Enterprise Applications (BEC)