UAL-Analyzer
UAL-Analyzer.ps1 is a PowerShell script utilized to simplify the analysis of Microsoft 365 Unified Audit Logs (UAL) extracted via Microsoft-Extractor-Suite by Invictus-IR.
Note
Single User Audit only.
Features:
- Beautified Excel Sheets w/ Conditional Formatting
- Data Enrichment w/ IP Intelligence
- (Enterprise) Application Blacklist
- ASN Blacklist
- Country Blacklist
- Multiple Statistics (e.g. ASN, ClientIP, ClientInfoString) and Line Charts
- GeoIP Mapping
- Detects Suspicious Operations (e.g. Inbox Rules, Transport Rules, etc.)
- Suspicious SessionIds and Sessions Duration
- Find-AiTMSuspiciousUserLogin via Timespan operator (Special thanks to Frank Lindenblatt)
- Mailbox Auditing
- SharePoint Auditing
- and much more
Dependencies:
- Create your free IPinfo account (Access Token required)
  https://ipinfo.io/signup?ref=cli
- ImportExcel (PowerShell Module)
  https://github.com/dfinke/ImportExcel
- IPinfo CLI (Standalone Binary)
  https://github.com/ipinfo/cli
- xsv (Standalone Binary)
  https://github.com/BurntSushi/xsv
Fig 1: Select your 'UAL-Combined.csv' file
Fig 2: UAL-Analyzer #1 (PowerShell 7)
Fig 3: UAL-Analyzer #2 (PowerShell 5.1)
Fig 4: GeoIP-Mapping w/ IPinfo CLI ('Map_Authenticated-Operations.txt')
Fig 5: Check 'Summary.txt' to spot new VPN-Services
Fig 6: Hunt.xlsx - Filter column 'Country Name' or 'ASN' by Color → Filter by Cell Color 'Red'
Fig 7: Stats
Fig 8: ClientIP (Stats)
Fig 9: ASN (Stats) → Colorize your findings to track adversary activity
Fig 10: ClientInfoString (Stats) → 'Client=OWA;Action=ViaProxy'
Fig 11: Suspicious SessionIds
Fig 12: SessionIds Duration
Fig 13: Detect consecutive user logins from different ClientIPs and ASN which occur within about 30 seconds
Fig 14: Operations (Line Chart) → Helps you to identify anomalies!
Fig 15: MessageBox → Wake up! ;-)
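The check behind the "Find-AiTMSuspiciousUserLogin via Timespan operator" feature and Fig 13 (two successful logins by the same user from different ClientIPs within about 30 seconds, made more suspicious when the IPs sit in different ASNs) can be reproduced on a CSV export with a few lines of PowerShell. The following is an added example written for this page, not code from UAL-Analyzer.ps1 or from Microsoft-Extractor-Suite; the column names (CreationTime, UserId, Operation, ClientIP, ResultStatus), the sample rows and the IP-to-ASN table are constructed placeholders standing in for a real UAL-Combined.csv and for IPinfo enrichment.

```powershell
# Added example, not part of UAL-Analyzer.ps1: flag consecutive successful
# logins by one user from different ClientIPs within ~30 seconds, the pattern
# the README's Find-AiTMSuspiciousUserLogin feature and Fig 13 describe.
# Runs on Windows PowerShell 5.1 and PowerShell 7.

# Constructed sample rows shaped like a UAL-Combined.csv export; column names are assumptions.
$SampleCsv = @'
CreationTime,UserId,Operation,ClientIP,ResultStatus
2024-05-01T08:00:00Z,alice@contoso.example,UserLoggedIn,203.0.113.10,Success
2024-05-01T08:00:12Z,alice@contoso.example,UserLoggedIn,198.51.100.7,Success
2024-05-01T09:30:00Z,alice@contoso.example,UserLoggedIn,203.0.113.10,Success
2024-05-01T09:30:20Z,alice@contoso.example,MailItemsAccessed,203.0.113.10,Succeeded
2024-05-01T12:00:00Z,alice@contoso.example,UserLoggedIn,203.0.113.11,Success
2024-05-01T12:00:05Z,bob@contoso.example,UserLoggedIn,203.0.113.11,Success
'@

# Constructed IP-to-ASN table standing in for IPinfo enrichment (placeholder values).
$AsnLookup = @{
    '203.0.113.10' = 'AS64496 Example-Corp-ISP'
    '203.0.113.11' = 'AS64496 Example-Corp-ISP'
    '198.51.100.7' = 'AS64497 Example-VPN-Provider'
}

function Find-SuspiciousLoginPair {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Records,   # rows from Import-Csv / ConvertFrom-Csv
        [hashtable] $Asn = @{},                        # ClientIP -> ASN string
        [int] $MaxSeconds = 30                         # timespan window from the README
    )

    # Keep successful interactive logins only and give each row a real UTC timestamp.
    $logins = $Records |
        Where-Object { $_.Operation -eq 'UserLoggedIn' -and $_.ResultStatus -eq 'Success' } |
        ForEach-Object {
            [pscustomobject]@{
                Time     = ([datetimeoffset]($_.CreationTime)).UtcDateTime
                UserId   = $_.UserId
                ClientIP = $_.ClientIP
            }
        } | Sort-Object UserId, Time

    # Compare each login with the previous login of the same user.
    $prev = $null
    foreach ($cur in $logins) {
        if ($prev -and $prev.UserId -eq $cur.UserId) {
            $delta = ($cur.Time - $prev.Time).TotalSeconds
            if ($delta -le $MaxSeconds -and $prev.ClientIP -ne $cur.ClientIP) {
                $asn1 = $Asn[$prev.ClientIP]
                $asn2 = $Asn[$cur.ClientIP]
                [pscustomobject]@{
                    UserId       = $cur.UserId
                    FirstLogin   = $prev.Time
                    SecondLogin  = $cur.Time
                    DeltaSeconds = [int]$delta
                    FirstIP      = $prev.ClientIP
                    SecondIP     = $cur.ClientIP
                    FirstASN     = $asn1
                    SecondASN    = $asn2
                    # Two networks within seconds is the stronger signal; same ASN may be carrier NAT.
                    DifferentASN = ($asn1 -ne $asn2)
                }
            }
        }
        $prev = $cur
    }
}

# Usage: on a real export replace ConvertFrom-Csv with Import-Csv .\UAL-Combined.csv
$records = $SampleCsv | ConvertFrom-Csv
Find-SuspiciousLoginPair -Records $records -Asn $AsnLookup | Format-List
```

Only the 08:00:00 / 08:00:12 pair is reported for the sample data: the second and third logins are hours apart, the MailItemsAccessed row is not a login, and bob's login is compared only with bob's own history. Rows with DifferentASN set to True are the ones worth colouring first in Hunt.xlsx.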