// case type

cloud account compromise (M365 / Workspace)

tenant-level intrusion — OAuth grants, app consent abuse, mailbox rule planting, Exchange transport rule tampering.

tools: 14 · priority: H · processing: local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this case type.

  1. office365 audit log analyzer: drop m365 unified audit log json or csv · flag inbox forward rules · mailbox forwarding · bulk downloads · global admin role adds · high-scope consent · audit log disabled · runs locally
  2. microsoft 365 unified audit log analyzer: drop m365 unified audit log csv or json export · parse all audit events across exchange sharepoint teams onedrive and azure ad · surface suspicious operations privilege changes and data access events · reconstruct user activity timeline · runs locally
  3. o365 audit log parser: unified audit log json · timeline · suspicious · users · ips · mailbox · inbox rules · csv export · runs locally
  4. okta log analyzer: okta system log json · timeline · suspicious · mfa fatigue · tor/proxy · users · ips · policy · csv export · runs locally
  5. mail rule parser: drop Outlook rules.dat or Thunderbird msgFilterRules.dat · rule names conditions actions · flag suspicious forward redirect · CSV export · runs locally
  6. google takeout parser: drop a Google Takeout ZIP · parse location history · YouTube watch history · search activity · Chrome history · activity logs · export CSV · runs locally
  7. google takeout archive forensic parser: drop google takeout zip or individual takeout json csv html files · parse account activity across all google services · reconstruct location history search history youtube watch history gmail metadata and drive activity · surface forensic timeline across all google products · runs locally
  8. aws cloudtrail forensic deep analyzer: drop cloudtrail json logs · detect privilege escalation paths · credential theft · data exfiltration · lateral movement between services · unusual api patterns · flag attacker ips · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. aws iam policy analyzer: paste iam policy json · effective permissions · wildcard expansion · risks · escalation hints · plain english · runs locally
  2. iam escalation graph: iam policy json · wildcard expansion · 15 escalation patterns · attack chains · severity · csv + json export · runs locally
  3. gcp audit log analyzer: drop google cloud audit log json · api calls · iam changes · storage access · vm events · security findings · runs locally
  4. azure activity log analyzer: drop azure activity log json · operations timeline · rbac changes · vm events · security · network changes · runs locally
  5. aws s3 access log analyzer: drop s3 server access logs · request timeline · top requesters · error analysis · exfiltration detection · unauthorized access · runs locally
  6. case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
// case-kit pipeline

run as a stack

skip the click-through. these presets are curated forensic pipelines you can save as a stack with one click and run on your evidence locally.

  • cloud account compromise — audit kit

    8 steps

    drop M365 / Google / AWS / Azure exports → parse each tenant log → unified timeline → report

    1. 01 evidence-manifest-generator: hash raw audit exports — most CSPs won't re-issue them
    2. 02 office365-audit-log-analyzer: parse Exchange / SharePoint / Teams audit events
    3. 03 microsoft365-audit-log-analyzer: unified M365 audit log parsing for cross-workload events
    4. 04 google-takeout-forensic-parser: parse Google Takeout / Workspace activity exports
    5. 05 aws-cloudtrail-deep-analyzer: deep-parse CloudTrail JSON for IAM + API abuse patterns
    6. 06 azure-ad-signin-analyzer: Azure AD sign-in log analysis for OAuth / consent abuse
    7. 07 forensic-timeline-builder: merge all tenant events into one cross-cloud timeline
    8. 08 case-report-generator: draft a report identifying persistence windows + recommended revocations
  • cloud account compromise — OAuth abuse kit

    8 steps

    drop M365 + Okta audit exports → parse tenant logs → mail rules → IAM policy → escalation graph → timeline → report

    1. 01 evidence-manifest-generator: hash raw audit exports — CSPs rarely re-issue them
    2. 02 office365-audit-log-analyzer: parse Exchange / SharePoint / Teams audit events for OAuth grant abuse
    3. 03 okta-log-analyzer: parse Okta system log for app consent + MFA bypass events
    4. 04 mail-rule-parser: extract mailbox rules planted after OAuth consent — common persistence vector
    5. 05 iam-policy-analyzer: analyze IAM policy changes during the compromise window
    6. 06 iam-escalation-graph: build an escalation graph from IAM policy + role assumption events
    7. 07 forensic-timeline-builder: merge OAuth consent + rule change + IAM events into one timeline
    8. 08 case-report-generator: draft a report identifying malicious app grants + recommended revocations
// pattern-matched

tools that the manifest-classifier flagged as plausibly useful here but that aren't in the hand-curated lists above. less editorial weight — scan, don't work top-down.

+ 26 more in this pattern match. browse the full forensics catalog via the forensics category.