o365AuditParser

Office 365 Audit Log Parser

This script will process Microsoft Office365 Protection Center Audit Logs into a useable form to allow efficient fitlering and pivoting off events of interest.

This script was written as the final project for Champlain's Scripting for Digital Forensics course (DFS-510-85)

Usage

usage: o365AuditParser.py [-h] [-o OUTPUT] [-p PREFIX] [-f {csv,json}]
                          (-w | -c) [-v] [--version]
                          input

o365 Audit Log Extractor

positional arguments:
  input                 File/Directory to process

optional arguments:
  -h, --help            show this help message and exit
  -o OUTPUT, --output OUTPUT
                        Output directory, defaults to current directory
  -p PREFIX, --prefix PREFIX
                        Prefix for output files, defaults to o365AuditLog
  -f {csv,json}, --format {csv,json}
                        Output file format, defaults to csv
  -w, --workload        Generate individual output files per workload
  -c, --combined        Generate one output file
  -v, --verbose         Enable debug logging
  --version             show program's version number and exit

The script supports processing a single file or a directory of files. Output can be generated in a single file (-c or --combined) or separate files (-w or --workload) per Office365 workload(application) in either JSON (--format json) or CSV (--format csv) format. Redacted sample input files are available in the examples directory along with output files in all possible formats.

About

Microsoft Office365 Protection Center Audit Log Parser

dfir forensics-investigations python3

GNU General Public License v3.0

Languages

Language:Python 100.0%