fatcousin
// evidence type

cloud audit log / tenant export

aws cloudtrail json · azure activity · m365 unified audit · okta system log · google workspace export. identity, consent, and data-plane events in one pass.

tools
14
priority
H
processing
local · in browser

start here · primary tools

ordered. work top-down. the first tool is the suggested entry point for this evidence type.

  1. aws cloudtrail forensic deep analyzerdrop cloudtrail json logs · detect privilege escalation paths · credential theft · data exfiltration · lateral movement between services · unusual api patterns · flag attacker ips · runs locally
  2. aws cloudtrail log forensic analyzerdrop aws cloudtrail json log files or csv export · parse api call records across all aws services · surface credential abuse privilege escalation data exfiltration and infrastructure manipulation · reconstruct attacker activity timeline · runs locally
  3. o365 audit log parserunified audit log json · timeline · suspicious · users · ips · mailbox · inbox rules · csv export · runs locally
  4. office365 audit log analyzerdrop m365 unified audit log json or csv · flag inbox forward rules · mailbox forwarding · bulk downloads · global admin role adds · high-scope consent · audit log disabled · runs locally
  5. microsoft 365 unified audit log analyzerdrop m365 unified audit log csv or json export · parse all audit events across exchange sharepoint teams onedrive and azure ad · surface suspicious operations privilege changes and data access events · reconstruct user activity timeline · runs locally
  6. okta log analyzerokta system log json · timeline · suspicious · mfa fatigue · tor/proxy · users · ips · policy · csv export · runs locally
  7. google takeout archive forensic parserdrop google takeout zip or individual takeout json csv html files · parse account activity across all google services · reconstruct location history search history youtube watch history gmail metadata and drive activity · surface forensic timeline across all google products · runs locally
  8. gcp audit log analyzerdrop google cloud audit log json · api calls · iam changes · storage access · vm events · security findings · runs locally

also useful · secondary tools

supporting and follow-up tools. surface as the investigation widens.

  1. azure activity log analyzerdrop azure activity log json · operations timeline · rbac changes · vm events · security · network changes · runs locally
  2. google takeout parserdrop a Google Takeout ZIP · parse location history · YouTube watch history · search activity · Chrome history · activity logs · export CSV · runs locally
  3. aws iam policy analyzerpaste iam policy json · effective permissions · wildcard expansion · risks · escalation hints · plain english · runs locally
  4. iam escalation graphiam policy json · wildcard expansion · 15 escalation patterns · attack chains · severity · csv + json export · runs locally
  5. aws s3 access log analyzerdrop s3 server access logs · request timeline · top requesters · error analysis · exfiltration detection · unauthorized access · runs locally
  6. case report generatorfill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally
ready