Skill

analyzing-office365-audit-logs-for-compromise

From asi

Parses Office 365 Unified Audit Logs via Microsoft Graph API to detect account compromise indicators like forwarding rules, inbox delegation, and OAuth grants. For SOC incident investigations and threat hunting.

Python

Azure

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Business Email Compromise (BEC) attacks often leave traces in Office 365 audit logs: suspicious inbox rule creation, email forwarding to external addresses, mailbox delegation changes, and unauthorized OAuth application consent grants. This skill uses the Microsoft Graph API to query the Unified Audit Log, enumerate inbox rules across mailboxes, detect forwarding configurations, and identify co...

SKILL.md

Similar Skills

analyzing-office365-audit-logs-for-compromise

5.9k

Parses Office 365 audit logs via Microsoft Graph API to detect account compromise like forwarding rules, inbox delegation, OAuth grants, and suspicious events.

3 files

cybersecurity-skills

analyzing-office365-audit-logs-for-compromise

Analyzes Office 365 unified audit logs via Microsoft Graph API to detect account compromise indicators: forwarding rules, inbox delegation, suspicious OAuth apps, BEC traces. Useful for cloud security investigations.

3 files

cybersecurity-skills-zh

detecting-email-account-compromise

Detects compromised Office 365 and Google Workspace email accounts by analyzing inbox rules, suspicious sign-ins, mail forwarding, and API access via Microsoft Graph and audit logs. For incident response and threat hunting.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Analyzing Office 365 Audit Logs for Compromise

Overview

When to Use

When investigating security incidents that require analyzing office365 audit logs for compromise

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Azure AD app registration with AuditLog.Read.All, MailboxSettings.Read, Mail.Read (application permissions)

Python 3.9+ with msal, requests

Client secret or certificate for authentication

Global Reader or Security Reader role

Steps

Authenticate to Microsoft Graph using MSAL client credentials flow

Query Unified Audit Log for suspicious operations (Set-Mailbox, New-InboxRule)

Enumerate inbox rules across mailboxes and flag forwarding rules

Detect mailbox delegation changes (Add-MailboxPermission)

Identify OAuth consent grants to suspicious applications

Check for suspicious sign-in patterns from audit logs

Generate compromise indicator report with timeline

Expected Output

JSON report listing forwarding rules, delegation changes, OAuth grants, and suspicious audit events with risk scores

Timeline of compromise indicators with affected mailboxes