Automate the security assessment of Microsoft Office 365 environments | Soteria Security | 365Inspect |
A set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise and Azure investigations | ANSSI-FR | DFIR-O365RC |
Queries configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments | CrowdStrike | CrowdStrike Reporting Tool for Azure (CRT) |
Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020 | CISA | Aviary/SPARROW |
The goal of the Hawk tool is to be a community lead tool and provides security support professionals with the tools they need to quickly and easily gather data from O365 and Azure. | T0pCyber | Hawk |
This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. | Mandiant | Mandiant AzureAD Investigator |
This project is to help faciliate testing and low-volume activity data acquisition from the Office 365 Management Activity API. | Glen Scales | O365 InvestigationTooling |
MIA makes it possible to extract Sessions, MessageID(s) and find emails belonging to the MessageID(s) | PwC IR | MIA-MailItemsAccessed |
This script makes it possible to extract log data out of an Office365 environment. | JoeyRentenaar | Office 365 Extractor |
Invoke-AZExplorer is a set of functions that retrieve vital data from an Azure and 0365 environment used for intrusion analysis. | Fernando Tomlinson | Invoke-AZExplorer |
This script will process Microsoft Office365 Protection Center Audit Logs into a useable form to allow efficient fitlering and pivoting off events of interest. | Ian Day | o365AuditParser |
DART AzureAD IR Powershell Module | Microsoft DART | AzureADIncidentResponse |
Magnet AXIOM Cloud | Magnet Forensics | Magnet AXIOM Cloud |
Metaspike Forensic Email Collector | Metaspike | Metaspike Forensic Email Collector |
Metaspike Forensic Email Intelligence | Metaspike | Metaspike Forensic Email Intelligence |
This [Splunk] app contains over 20 unique searches that will help you identify suspicious activity in your Office 365 and Azure environment. | Invictus IR | Blue-team-app-Office-365-and-Azure |
Script to retrieve information via O365 and AzureAD with a valid cred | nyxgeek | o365recon |
A Powershell module to run threat hunting playbooks on data from Azure and O365 for Cloud Forensics purposes. | Darkquasar | AzureHunter |
SOF-ELK® is a “big data analytics” platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. | Phil Hagen at SANS | SOF-ELK |
A collection of scripts for finding threats in Office365 | Martin Rothe | Py365 |
Parsing the O365 Unified Audit Log with Python | Koen Van Impe | O365-python-parse |
Identifying phishing page toolkits | Brian Kondracki, Babak Amin Azad, Oleksii Starov, and Nick Nikiforakis | Phoca |
An Open Source PowerShell O365 Business Email Compromise Investigation Tool | intrepidtechie | KITT-O365-Tool |
Tooling for assessing an Azure AD tenant state and configuration | Microsoft | Microsoft Azure AD Assessment |
ROADtools is a framework to interact with Azure AD | Dirk-jan | ROADtools |
Automated Audit Log Forensic Analysis for Google Workspace | Invictus IR | ALFA |
Tool aids hunting and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments | CISA | Untitled Goose |
PowerShell module to collect logs and rules from M365 | Invictus IR | Welcome 👋 Microsoft Extractor Suite |
A fork of the Hawk PowerShell module which adds additional data-gathing features and removes deprecated modules and commands. | Syne0 | Osprey |