A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID.

Automated Processing of Microsoft 365 Logs and Microsoft Entra ID Logs extracted by Microsoft-Extractor-Suite.

Output Files of Microsoft-Extractor-Suite v1.3.2 by Invictus-IR

• Get-ADSignInLogsGraph → ADSignInLogsGraph-Analyzer v0.1
• Get-MFA → MFA-Analyzer v0.1
• Get-RiskyDetections → RiskyDetections-Analyzer v0.2
• Get-RiskyUsers → RiskyUsers-Analyzer v0.2

Fig 1: RiskyDetections-Analyzer

Fig 2: Risky Detections (1)

Fig 3: Risky Detections (2)

Fig 4: Risky Detections (Line Chart)

Fig 5: MITRE ATT&CK Techniques (Stats)

Fig 6: RiskEventType (Stats)

Fig 7: RiskLevel (Stats)

Fig 8: Source (Stats)

Fig 9: RiskyUsers-Analyzer

Fig 10: Risky Users

Microsoft-Extractor-Suite by Invictus-IR
Microsoft-Extractor-Suite Documentation
Microsoft 365 Artifact Reference Guide by the Microsoft Incident Response Team
Awesome BEC - Repository of attack and defensive information for Business Email Compromise investigations
M365_Oauth_Apps - Repository of suspicious Enterprise Applications (BEC)