| Description | Author | Tool |
| --- | --- | --- |
| Automate the security assessment of Microsoft Office 365 environments | Soteria Security | 365Inspect |
| A set of functions that allow the DFIR analyst to collect logs relevant for Office 365 Business Email Compromise and Azure investigations | ANSSI-FR | DFIR-O365RC |
| Queries configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments | CrowdStrike | CrowdStrike Reporting Tool for Azure (CRT) |
| Aviary is a new dashboard that CISA and partners developed to help visualize and analyze outputs from its Sparrow detection tool released in December 2020 | CISA | Aviary/SPARROW |
| The goal of the Hawk tool is to be a community-led tool that provides security support professionals with the tools they need to quickly and easily gather data from O365 and Azure. | T0pCyber | Hawk |
| This repository contains a PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity. | Mandiant | Mandiant AzureAD Investigator |
| This project is to help facilitate testing and low-volume activity data acquisition from the Office 365 Management Activity API. | Glen Scales | O365 InvestigationTooling |
| MIA makes it possible to extract Sessions, MessageID(s) and find emails belonging to the MessageID(s) | PwC IR | MIA-MailItemsAccessed |
| This script makes it possible to extract log data out of an Office365 environment. | JoeyRentenaar | Office 365 Extractor |
| Invoke-AZExplorer is a set of functions that retrieve vital data from an Azure and O365 environment used for intrusion analysis. | Fernando Tomlinson | Invoke-AZExplorer |
| This script will process Microsoft Office365 Protection Center Audit Logs into a usable form to allow efficient filtering and pivoting off events of interest. | Ian Day | o365AuditParser |
| DART AzureAD IR PowerShell Module | Microsoft DART | AzureADIncidentResponse |
| Magnet AXIOM Cloud | Magnet Forensics | Magnet AXIOM Cloud |
| Metaspike Forensic Email Collector | Metaspike | Metaspike Forensic Email Collector |
| Metaspike Forensic Email Intelligence | Metaspike | Metaspike Forensic Email Intelligence |
| This [Splunk] app contains over 20 unique searches that will help you identify suspicious activity in your Office 365 and Azure environment. | Invictus IR | Blue-team-app-Office-365-and-Azure |
| Script to retrieve information via O365 and AzureAD with a valid credential | nyxgeek | o365recon |
| A PowerShell module to run threat hunting playbooks on data from Azure and O365 for Cloud Forensics purposes. | Darkquasar | AzureHunter |
| SOF-ELK® is a “big data analytics” platform focused on the typical needs of computer forensic investigators/analysts and information security operations personnel. | Phil Hagen at SANS | SOF-ELK |
| A collection of scripts for finding threats in Office365 | Martin Rothe | Py365 |
| Parsing the O365 Unified Audit Log with Python | Koen Van Impe | O365-python-parse |
| Identifying phishing page toolkits | Brian Kondracki, Babak Amin Azad, Oleksii Starov, and Nick Nikiforakis | Phoca |
| An Open Source PowerShell O365 Business Email Compromise Investigation Tool | intrepidtechie | KITT-O365-Tool |
| Tooling for assessing an Azure AD tenant state and configuration | Microsoft | Microsoft Azure AD Assessment |
| ROADtools is a framework to interact with Azure AD | Dirk-jan | ROADtools |
| Automated Audit Log Forensic Analysis for Google Workspace | Invictus IR | ALFA |
| Tool aids hunting and Incident Response in Azure, Azure Active Directory, and Microsoft 365 environments | CISA | Untitled Goose |
| PowerShell module to collect logs and rules from M365 | Invictus IR | Microsoft Extractor Suite |
| A fork of the Hawk PowerShell module which adds additional data-gathering features and removes deprecated modules and commands. | Syne0 | Osprey |
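Several of the tools in the table (O365-python-parse, o365AuditParser, Office 365 Extractor, MIA-MailItemsAccessed) operate on the same raw material: an exported Unified Audit Log in which every row carries an `AuditData` column holding a JSON blob, and in which `MailItemsAccessed` records list the `InternetMessageId`s a session touched. The script below is an added example, not code from any of those projects, showing the core of that workflow: expand the JSON, group `MailItemsAccessed` events by `SessionId`, collect message IDs and client IPs per session, flag throttled sessions (where Exchange may have stopped recording items), and reverse-pivot from a message ID to the sessions that read it. The field names follow the MailItemsAccessed `AuditData` layout; the records, users, IPs and message IDs are constructed for the example, and the CSV is generated in-script to stand in for a real export.

```python
"""Parse an exported Unified Audit Log CSV and pivot MailItemsAccessed events per session."""
import csv
import io
import json
from collections import defaultdict


def _mia(ts, sid, ip, access, throttled, *mids):
    """Build one constructed MailItemsAccessed record (fabricated values, documented field names)."""
    return {
        "CreationTime": ts, "Operation": "MailItemsAccessed", "RecordType": 50,
        "Workload": "Exchange", "UserId": "alice@contoso.example",
        "ClientIPAddress": ip, "SessionId": sid, "ClientInfoString": "Client=OWA",
        "OperationProperties": [{"Name": "MailAccessType", "Value": access},
                                {"Name": "IsThrottled", "Value": throttled}],
        "Folders": [{"Path": "\\Inbox",
                     "FolderItems": [{"InternetMessageId": m} for m in mids]}],
    }


# Constructed sample export: three MailItemsAccessed records, one unrelated sign-in,
# and one row whose AuditData JSON was truncated (a common export defect).
SAMPLE_ROWS = [
    _mia("2024-03-01T08:00:05", "aaaa-1111", "203.0.113.10", "Bind", "False",
         "<m1@contoso.example>", "<m2@contoso.example>"),
    _mia("2024-03-01T08:02:41", "aaaa-1111", "203.0.113.10", "Bind", "True",
         "<m3@contoso.example>"),
    _mia("2024-03-01T09:15:00", "bbbb-2222", "198.51.100.7", "Sync", "False"),
    {"CreationTime": "2024-03-01T07:59:58", "Operation": "UserLoggedIn", "RecordType": 15,
     "Workload": "AzureActiveDirectory", "UserId": "alice@contoso.example"},
    {"CreationTime": "2024-03-01T10:00:00", "Operation": "MailItemsAccessed",
     "UserId": "bob@contoso.example", "_raw": '{"Operation": "MailItemsAccessed", "Folders": ['},
]


def build_export_csv(rows):
    """Serialise records the way a UAL export looks: AuditData is a JSON string in one cell."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=["CreationDate", "UserIds", "Operations", "AuditData"],
                       lineterminator="\n")
    w.writeheader()
    for rec in rows:
        w.writerow({"CreationDate": rec["CreationTime"], "UserIds": rec["UserId"],
                    "Operations": rec["Operation"],
                    "AuditData": rec["_raw"] if "_raw" in rec else json.dumps(rec)})
    return buf.getvalue()


def parse_ual_csv(text):
    """Return (records, errors): each record is the parsed AuditData dict with the CSV's own
    columns kept under '_csv'. Rows whose AuditData is not valid JSON are reported, not dropped."""
    records, errors = [], []
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        try:
            data = json.loads(row["AuditData"])
        except (json.JSONDecodeError, KeyError, TypeError) as exc:
            errors.append((lineno, str(exc)))
            continue
        data["_csv"] = {k: v for k, v in row.items() if k != "AuditData"}
        records.append(data)
    return records, errors


def _op_props(rec):
    """Flatten the Name/Value list in OperationProperties into a dict."""
    return {p.get("Name"): p.get("Value") for p in rec.get("OperationProperties", [])}


def mail_access_sessions(records):
    """Group MailItemsAccessed events by SessionId: user, client IPs, access types,
    message IDs touched, and whether any event in the session was throttled."""
    sessions = defaultdict(lambda: {"user": None, "ips": set(), "clients": set(),
                                    "access_types": set(), "message_ids": set(),
                                    "throttled": False, "events": 0})
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue
        props = _op_props(rec)
        s = sessions[rec.get("SessionId")]  # records without a SessionId group under None
        s["user"] = rec.get("UserId")
        s["ips"].add(rec.get("ClientIPAddress"))
        s["clients"].add(rec.get("ClientInfoString"))
        s["access_types"].add(props.get("MailAccessType"))
        # IsThrottled=True means Exchange stopped logging items for this session: the
        # message list below is then a lower bound, not the full set read.
        s["throttled"] = s["throttled"] or str(props.get("IsThrottled")).lower() == "true"
        s["events"] += 1
        for folder in rec.get("Folders", []):
            for item in folder.get("FolderItems", []):
                if item.get("InternetMessageId"):
                    s["message_ids"].add(item["InternetMessageId"])
    return dict(sessions)


def sessions_for_message(sessions, message_id):
    """Reverse pivot: which sessions read a given InternetMessageId."""
    return sorted(sid for sid, s in sessions.items() if message_id in s["message_ids"])


if __name__ == "__main__":
    recs, errs = parse_ual_csv(build_export_csv(SAMPLE_ROWS))
    for sid, s in mail_access_sessions(recs).items():
        print(sid, s["user"], sorted(s["ips"]), sorted(s["access_types"]),
              len(s["message_ids"]), "THROTTLED" if s["throttled"] else "")
    print("unparseable rows:", errs)
```

When run against a real export, replace `SAMPLE_ROWS`/`build_export_csv` with the file contents; the two caveats the code encodes are worth keeping in mind during a BEC investigation: `Sync` access types carry folder-level information only, so an empty message set for a sync session does not mean nothing was read, and a throttled session's message list is incomplete by definition.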