Loading repository data…
Loading repository data…
LETHAL-FORENSICS / repository
A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID
A collection of PowerShell scripts for analyzing data from Microsoft 365 and Microsoft Entra ID.
Automated Processing of Microsoft 365 Logs and Microsoft Entra ID Logs extracted by Microsoft-Extractor-Suite.
Output Files of Microsoft-Extractor-Suite v4.1.0 by Invictus-IR
[!TIP] Check out the Wiki for additional documentation!

Fig 1: RiskyDetections-Analyzer

Fig 2: Risky Detections (1)

Fig 3: Risky Detections (2)

Fig 4: Risky Detections (Line Chart)

Fig 5: MITRE ATT&CK Techniques (Stats)

Fig 6: RiskEventType (Stats)

Fig 7: RiskLevel (Stats)

Fig 8: Source (Stats)

Fig 9: RiskyUsers-Analyzer

Fig 10: Risky Users

Fig 11: You can specify a file path or launch the File Browser Dialog to select your log file
Contributions and suggestions are welcome! Please feel free to submit a Pull Request.
Note: If your change is larger, or adds a feature, please contact us beforehand so that we can discuss the change.
This project is licensed under the MIT License - see the LICENSE file for details.
Microsoft-Extractor-Suite by Invictus-IR
Microsoft-Extractor-Suite Documentation
Microsoft 365 Artifact Reference Guide by the Microsoft Incident Response Team
Awesome BEC - Repository of attack and defensive information for Business Email Compromise investigations
M365_Oauth_Apps - Repository of suspicious Enterprise Applications (BEC)
RogueApps by Huntress Labs
Microsoft First Party App Name Lookup
Tenable - Dangerous Delegated Permissions Affecting the Tenant
Tenable - Dangerous Application Permissions Affecting the Tenant
OAuthSentry - OAuth Application Intelligence
DuckDB - Fast Interactive Analytics Database