Tools
Microsoft-Extractor-Suite
Connect-M365 or Connect-ExchangeOnline
Connect-Azure or Connect-AzureAD
Connect-AzureAZ or Connect-AzAccount
Format
Transform to table
| Format-Table -AutoSize
Export to CSV
| Export-Csv -Path "<path\file.csv>" -NoTypeInformation
Quick overview for JSON audit logs
cat UnifiedAuditLog.json | jq ".[]" | jq "{time : .createdDateTime, user : .userPrincipalName, operation : .operation, service : .service, object : .objectId, id : .id}"
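Added example (not part of the original notes or of Microsoft-Extractor-Suite): a PowerShell rollup of the same fields the jq one-liner selects, giving per-user, per-operation counts with first and last seen times in UTC. The function name Get-UalSummary and the sample records are constructed for illustration.

```powershell
# Constructed sample records with the fields the jq one-liner selects.
# For a real export use:
#   $records = Get-Content -Raw "UnifiedAuditLog.json" | ConvertFrom-Json
$sampleJson = @'
[
  {"id":"1","createdDateTime":"2025-03-11T08:01:12Z","userPrincipalName":"alice@example.com","operation":"UserLoggedIn","service":"AzureActiveDirectory","objectId":"constructed-object-1"},
  {"id":"2","createdDateTime":"2025-03-11T08:03:40Z","userPrincipalName":"alice@example.com","operation":"New-InboxRule","service":"Exchange","objectId":"constructed-object-2"},
  {"id":"3","createdDateTime":"2025-03-11T08:05:02Z","userPrincipalName":"alice@example.com","operation":"MailItemsAccessed","service":"Exchange","objectId":"constructed-object-3"},
  {"id":"4","createdDateTime":"2025-03-11T09:47:55Z","userPrincipalName":"alice@example.com","operation":"MailItemsAccessed","service":"Exchange","objectId":"constructed-object-4"},
  {"id":"5","createdDateTime":"2025-03-11T10:15:00Z","userPrincipalName":"bob@example.com","operation":"UserLoggedIn","service":"AzureActiveDirectory","objectId":"constructed-object-5"}
]
'@

# Assign to a variable before piping: Windows PowerShell 5.1 emits a JSON
# array from ConvertFrom-Json as one object when piped directly.
$records = $sampleJson | ConvertFrom-Json

function Get-UalSummary {
    param([Parameter(Mandatory)] [object[]] $Records)

    $Records |
        Group-Object -Property userPrincipalName, operation |
        ForEach-Object {
            # Normalise to UTC: PowerShell 7 already parses the timestamps,
            # 5.1 leaves them as strings that the cast parses to local time.
            $times = @($_.Group |
                ForEach-Object { ([datetime]$_.createdDateTime).ToUniversalTime() } |
                Sort-Object)

            [pscustomobject]@{
                User      = $_.Group[0].userPrincipalName
                Operation = $_.Group[0].operation
                Service   = ($_.Group.service | Sort-Object -Unique) -join ','
                Count     = $_.Count
                FirstSeen = $times[0]
                LastSeen  = $times[-1]
            }
        } |
        Sort-Object User, FirstSeen
}

Get-UalSummary -Records $records | Format-Table -AutoSize
```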
O365
Activity from a malicious IP
Get-UALGraph -startDate "2025-03-11" -endDate "2025-03-12" -IPAddress 80.125.9.52
Activity from a malicious user
Get-UALGraph -startDate "2025-03-11" -endDate "2025-03-12" -UserIds "<user@domain.com>"
GRAPH API
Installation
Install-Module Microsoft.Graph
PowerShell Authentication
$tenantId = "<ID>"
$clientId = "<ID>"
$clientSecret = ConvertTo-SecureString "<SECRET>" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential($clientId, $clientSecret)
Connect-MgGraph -NoWelcome -ClientSecretCredential $credential -TenantId $tenantId
Quick Wins
Sign-ins
Get-MgAuditLogSignIn -Filter "createdDateTime ge 2025-04-11T08:00:00Z and createdDateTime le 2025-04-11T09:00:00Z" -Top 1000 | Select-Object CreatedDateTime, UserDisplayName, UserPrincipalName, IpAddress, ClientAppUsed, IsInteractive, ConditionalAccessStatus, ResourceDisplayName, @{Name="Country";Expression={$_.Location.CountryOrRegion}}, @{Name="City";Expression={$_.Location.City}} | Export-Csv -Path "test.csv" -NoTypeInformation
Users
Get-MgUser
Groups
Get-MgGroup