Forensics

olaf: Office365 Log Analysis Framework

by do son · May 9, 2019

Office365 Log Analysis Framework (OLAF)

OLAF is a collection of tools, scripts, and analysis techniques dealing with O365 Investigations. Office365 Log Analysis Framework

This repo include

OLAF – DashboardsThis folder contains Elastic dashboard(s) that can be used for rapid O365 analysis. This is to assist you in parsing through the noise of O365 data and getting right to the breach details.

OLAF – Logstash ConfigsThis folder holds Logstash configuration file(s) for automatic ingestion of O365 logs. Due to some of the different formats of the logs, here are some config settings you should be aware of:

#	Option	Description
1	<tsv_monitor>	Folder to monitor for TSV logs (typically generated from Web UI)
2	<csv_monitor>	Folder to monitor for CSV logs (typically generated from PowerShell)
3	<elk_server>	Your Elastic server address
4	<elk_server_port>	Your Elastic server port
5	<pointer_to_maxmind_db>	The local MaxMind DB for geolocation

OLAF – PowerShellThis folder contains a set of PowerShell commands and scripts that may be useful in collecting or parsing data from O365 instances. Credit is given where due.