monte-carlo: The Office 365 log parser
Monte Carlo is a collection of 3 tools for processing Office 365 Unified Audit Logs during incident response investigations. It is extensible and splits the processing into 3 stages (sectors):
- Parse Office 365 unified audit log based on specific operations
- Geolocate operations for user accounts
- Import the processed csv files into one Excel spreadsheet with unique tabs for each user account
The tools are named after the famous corners in the 3 sectors of the Monte Carlo Grand Prix track.
Download
git clone https://github.com/nov3mb3r/monte-carlo.git
Sector 1 – Sainte Devote: Parse the Office 365 Unified audit log
By default, 3 properties are extracted: CreationTime, UserID and ClientIP. The set of properties can be extended according to the needs of the investigation; a detailed list of the available properties can be found in the Microsoft documentation.
Usage
PS >.\sainte-devote.ps1 -path 'directory_of_Audit Logs' -output 'directory_of_parsed_logs'
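As an added illustration of what this sector does (example code written for this page, not the project's sainte-devote.ps1), the same extraction in Python over a constructed Search-UnifiedAuditLog CSV export: each AuditData cell is a JSON document, the default three properties are pulled out for the chosen operations and grouped per user, and ClientIP values that carry a port suffix are normalised so they can be geolocated cleanly in the next sector. The column names and the JSON field spellings (CreationTime, UserId, ClientIP, Operation) are assumptions about the export format.

```python
import csv
import io
import json

# Constructed sample of a Search-UnifiedAuditLog export trimmed to four columns
# (assumed layout); every value is fabricated. The AuditData column holds the
# real event as a JSON string, with quotes doubled by the CSV writer.
SAMPLE_EXPORT = """CreationDate,UserIds,Operations,AuditData
"2020-05-01T08:12:03",alice@contoso.example,UserLoggedIn,"{""CreationTime"":""2020-05-01T08:12:03"",""Operation"":""UserLoggedIn"",""UserId"":""alice@contoso.example"",""ClientIP"":""203.0.113.10"",""ResultStatus"":""Success""}"
"2020-05-01T08:15:44",alice@contoso.example,MailboxLogin,"{""CreationTime"":""2020-05-01T08:15:44"",""Operation"":""MailboxLogin"",""UserId"":""alice@contoso.example"",""ClientIP"":""[2001:db8::7]:443""}"
"2020-05-01T09:01:00",bob@contoso.example,New-InboxRule,"{""CreationTime"":""2020-05-01T09:01:00"",""Operation"":""New-InboxRule"",""UserId"":""bob@contoso.example"",""ClientIP"":""198.51.100.23:51234""}"
"2020-05-01T09:05:12",bob@contoso.example,UserLoggedIn,"{""CreationTime"":""2020-05-01T09:05:12"",""Operation"":""UserLoggedIn"",""UserId"":""bob@contoso.example"",""ResultStatus"":""Failed""}"
"2020-05-01T09:07:30",bob@contoso.example,FileAccessed,"{""CreationTime"":""2020-05-01T09:07:30"",""Operation"":""FileAccessed"",""UserId"":""bob@contoso.example"",""ClientIP"":""198.51.100.23""}"
"""

# The three properties the README extracts by default; extend as the case needs.
DEFAULT_PROPERTIES = ("CreationTime", "UserId", "ClientIP")


def normalise_client_ip(value):
    """Strip a port suffix ('1.2.3.4:443', '[2001:db8::7]:443') so the
    bare address can be fed to a geolocation lookup. Empty stays empty."""
    if not value:
        return ""
    if value.startswith("["):            # bracketed IPv6 with a port
        return value[1:].split("]")[0]
    if value.count(":") == 1:            # IPv4 with a port
        return value.split(":")[0]
    return value                         # bare IPv4 or bare IPv6


def parse_audit_export(csv_text, operations, properties=DEFAULT_PROPERTIES):
    """Return {user: [ {property: value, ...}, ... ]} for every event whose
    Operation is in `operations`; missing properties become empty strings."""
    per_user = {}
    for line in csv.DictReader(io.StringIO(csv_text)):
        event = json.loads(line["AuditData"])
        if event.get("Operation") not in operations:
            continue
        row = {prop: event.get(prop, "") for prop in properties}
        if "ClientIP" in row:
            row["ClientIP"] = normalise_client_ip(row["ClientIP"])
        per_user.setdefault(event["UserId"], []).append(row)
    return per_user


if __name__ == "__main__":
    wanted = {"UserLoggedIn", "MailboxLogin", "New-InboxRule"}
    for user, rows in parse_audit_export(SAMPLE_EXPORT, wanted).items():
        print(user, rows)
```

Each user's list maps directly onto one CSV file per account, which is the shape Sector 3 expects when it builds one tab per user.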
Sector 2 – Mirabeau: Geolocate Office 365 operations
The geolocation feature uses the python-geoip library. To install:
pip install python-geoip-geolite2
Make sure you have downloaded the MaxMind geolocation database locally so that mirabeau.py can import it.
Usage
python3 mirabeau.py directory_of_parsed_logs output_directory
Sector 3 – La Piscine: Import all processed files into Excel
Usage
PS >.\piscine.ps1 input_directory
Copyright (C) 2020 nov3mb3r
Source: https://github.com/nov3mb3r/