EntraAuditLogs-Analyzer - LETHAL-FORENSICS/Microsoft-Analyzer-Suite GitHub Wiki

TL;DR

EntraAuditLogs-Analyzer.ps1 (formerly ADAuditLogsGraph-Analyzer.ps1) is a PowerShell script that simplifies the analysis of Microsoft Entra Audit Logs extracted with Microsoft-Extractor-Suite by Invictus-IR.

Microsoft Entra Audit Logs (previously AD Audit Logs) are recorded at the tenant level and contain the history of all logged events (e.g. changes to applications, groups, users, and licenses) performed within a particular tenant.

These logs play a crucial role in detecting and investigating security threats in a Microsoft Entra ID environment (e.g. account compromise, role escalation, group membership changes, configuration changes, malicious application activity, user deletion or suspension, license assignment, etc.).

Fig 1: EntraAuditLogs-Analyzer (screenshot)

Fig 2: Hunt.xlsx - Filter column 'Activity', 'Country Name' or 'ASN' by Color → Filter by Cell Color 'Red'

Note: Always filter columns 'Initiated By (UPN)' and 'TargetResources (UPN)' by your UPN of interest!

Fig 3: ActivityDisplayName - Activity (Stats)

Fig 4: StatusReason (Stats)

Fig 5: ASN (Stats) w/ ASN Blacklisting and ASN Whitelisting

Fig 6: Country (Stats)

Fig 7: User-Agent (Stats)

Fig 8: GeoIP-Mapping w/ IPinfo CLI ('Map.txt')

Fig 9: MessageBox
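To make the views above concrete, the following PowerShell is an added example (not code from EntraAuditLogs-Analyzer or Microsoft-Analyzer-Suite) that builds a handful of constructed audit records shaped like the Graph directoryAudits output the extractor returns, produces the Activity and StatusReason statistics, and assembles a Hunt-style table with Red flags for blacklisted ASNs and high-risk activities, filtered by a UPN of interest. The IP-to-ASN table, the ASN whitelist/blacklist and the high-risk activity list are all assumptions standing in for the IPinfo enrichment and the list files the real script uses.

```powershell
# Added example, not part of EntraAuditLogs-Analyzer.
# Builds constructed Entra audit records and runs stats + hunt logic over them.

function New-AuditEvent {
    # Helper producing one record shaped like a Graph directoryAudits entry (constructed)
    param($Time, $Activity, $Result, $Reason, $Actor, $Ip, $Target)
    [pscustomobject]@{
        activityDateTime    = $Time
        activityDisplayName = $Activity
        result              = $Result
        resultReason        = $Reason
        initiatedBy         = [pscustomobject]@{ user = [pscustomobject]@{ userPrincipalName = $Actor; ipAddress = $Ip } }
        targetResources     = @([pscustomobject]@{ userPrincipalName = $Target })
    }
}

# Constructed sample records: hypothetical tenant, UPNs, IPs (RFC 5737 ranges) and results
$AuditLogs = @(
    (New-AuditEvent '2024-05-01T08:01:00Z' 'Update user'            'success' ''                      'admin@contoso.example' '203.0.113.10' 'alice@contoso.example'),
    (New-AuditEvent '2024-05-01T08:05:00Z' 'Add member to role'     'success' ''                      'admin@contoso.example' '192.0.2.33'   'bob@contoso.example'),
    (New-AuditEvent '2024-05-01T09:12:00Z' 'Reset user password'    'failure' 'Microsoft.Online.Workflows.UserNotFoundException' 'alice@contoso.example' '198.51.100.7' 'carol@contoso.example'),
    (New-AuditEvent '2024-05-01T09:20:00Z' 'Consent to application' 'success' ''                      'bob@contoso.example'   '192.0.2.33'   'bob@contoso.example'),
    (New-AuditEvent '2024-05-01T10:00:00Z' 'Update user'            'success' ''                      'admin@contoso.example' '203.0.113.10' 'dave@contoso.example')
)

# Constructed IP -> ASN map (assumption: stands in for the IPinfo CLI enrichment)
$IpToAsn = @{ '203.0.113.10' = 'AS64496'; '198.51.100.7' = 'AS64500'; '192.0.2.33' = 'AS64511' }

# Constructed ASN whitelist/blacklist (assumption: the analyzer ships its own list files)
$AsnWhitelist = @('AS64496')
$AsnBlacklist = @('AS64511')

# Activities a reviewer would treat as high-risk (assumption, not the analyzer's own list)
$HighRiskActivities = @('Add member to role', 'Consent to application', 'Reset user password')

function Get-ActivityStats {
    # Count and percentage per ActivityDisplayName, most frequent first (Fig 3)
    param([object[]]$Logs)
    $Logs | Group-Object activityDisplayName | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{ Activity = $_.Name; Count = $_.Count; Percent = [math]::Round(100 * $_.Count / $Logs.Count, 1) }
    }
}

function Get-StatusReasonStats {
    # Count per non-empty resultReason (Fig 4); empty reasons are the normal success case
    param([object[]]$Logs)
    $Logs | Where-Object { $_.resultReason } | Group-Object resultReason | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{ StatusReason = $_.Name; Count = $_.Count }
    }
}

function Get-HuntView {
    # One row per event with Red/Green/None flags for ASN and Activity, optionally
    # restricted to events where the UPN of interest is the actor or the target (Fig 2 + Note)
    param([object[]]$Logs, [string]$Upn)
    foreach ($e in $Logs) {
        $actor   = $e.initiatedBy.user.userPrincipalName
        $targets = @($e.targetResources | ForEach-Object { $_.userPrincipalName })
        if ($Upn -and $actor -ne $Upn -and $targets -notcontains $Upn) { continue }

        $ip  = $e.initiatedBy.user.ipAddress
        $asn = if ($ip -and $IpToAsn.ContainsKey($ip)) { $IpToAsn[$ip] } else { 'Unknown' }
        $asnFlag = if ($AsnBlacklist -contains $asn) { 'Red' } elseif ($AsnWhitelist -contains $asn) { 'Green' } else { 'None' }
        $actFlag = if ($HighRiskActivities -contains $e.activityDisplayName) { 'Red' } else { 'None' }

        [pscustomobject]@{
            Timestamp     = $e.activityDateTime
            Activity      = $e.activityDisplayName
            ActivityFlag  = $actFlag
            Result        = $e.result
            StatusReason  = $e.resultReason
            InitiatedBy   = $actor
            Target        = ($targets -join ';')
            IP            = $ip
            ASN           = $asn
            AsnFlag       = $asnFlag
        }
    }
}

# Usage: stats to the console, hunt view for one UPN to CSV (open and colour-filter in Excel)
Get-ActivityStats $AuditLogs | Format-Table -AutoSize
Get-StatusReasonStats $AuditLogs | Format-Table -AutoSize
Get-HuntView $AuditLogs -Upn 'bob@contoso.example' | Export-Csv -Path .\Hunt.csv -NoTypeInformation
```

With the constructed data, the hunt view for bob@contoso.example returns the 'Add member to role' and 'Consent to application' rows, both flagged Red on Activity and Red on ASN (AS64511 is blacklisted), which is exactly the row set the colour filter in Fig 2 would surface; the analyzer itself adds the Country and User-Agent columns from the same enrichment step.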

Links

What are Microsoft Entra audit logs?
Microsoft Entra audit log categories and activities