@invictus-korstiaan
Last active December 4, 2023 11:02
AllEvidence

| Module | Log Source | Indicator |
| --- | --- | --- |
| Get-GraphToken | Entra ID SignInLogs | AuthenticationProtocol == deviceCode |
| Get-GraphToken | Entra ID SignInLogs | ResourceDisplayName == Microsoft Graph |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/search/query |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/ |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/{ID} |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/organization |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals(appId='{AppID}')/appRoleAssignedTo |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/applications |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals/{ID} |
| Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals?$skiptoken={Token} |
| Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/search/query |
| Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/{ID} |
| Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/organization |
| Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals(appId='{AppId}')/appRoleAssignedTo |
| Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/applications |
| Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals/{ID} |
| Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals?$skiptoken={Token} |
| Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals |
| Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{GroupID}/members |
| Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups?=securityEnabled%20eq%20true |
| Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users |
| Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/beta/policies/authorizationPolicy |
| Invoke-GraphOpenInboxFinder | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/search/query |
| Invoke-GraphOpenInboxFinder | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/{Email}/mailFolders/Inbox/messages |
| Get-SharePointSiteURLs | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/search/query |
| Get-DynamicGroups | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups |
| Get-UpdatableGroups | MicrosoftGraphActivityLogs | https://graph.microsoft.com/beta/roleManagement/directory/estimateAccess |
| Get-UpdatableGroups | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups |
| Invoke-DumpApps | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/ |
| Invoke-DumpApps | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/{Id} |
| Invoke-DumpApps | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/organization |
| Invoke-DumpApps | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals(appId='{AppId}')/appRoleAssignedTo |
| Invoke-DumpApps | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/applications |
| Invoke-DumpApps | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals/{Id} |
| Invoke-DumpApps | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals?$skiptoken={Token} |
| Invoke-DumpApps | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals |
| Get-SecurityGroups | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{ID}/members |
| Get-SecurityGroups | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups?=securityEnabled%20eq%20true |
| Get-AzureADUsers | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users |
| Invoke-InjectOAuthApp | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/applications/{ID}/addPassword |
| Invoke-InjectOAuthApp | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/applications |
| Invoke-InjectOAuthApp | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals/{ID} |
| Invoke-InjectOAuthApp | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals?$skiptoken={TOKEN} |
| Invoke-InjectOAuthApp | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals |
| Invoke-InjectOAuthApp | Entra ID Audit Log | Update application |
| Invoke-InjectOAuthApp | Entra ID Audit Log | Update application – Certificates and secrets management |
| Invoke-InjectOAuthApp | Entra ID Audit Log | Add application |
| Invoke-SecurityGroupCloner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{ID}/members |
| Invoke-SecurityGroupCloner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{ID}/members/$ref |
| Invoke-SecurityGroupCloner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups?=securityEnabled%20eq%20true |
| Invoke-SecurityGroupCloner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/me |
| Invoke-SecurityGroupCloner | Entra ID Audit Log | Add member to group |
| Invoke-SecurityGroupCloner | Entra ID Audit Log | Add group |
| Invoke-InviteGuest | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/invitations |
| Invoke-InviteGuest | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/organization |
| Invoke-InviteGuest | Entra ID Audit Log | Invite external user |
| Invoke-InviteGuest | Entra ID Audit Log | Add user |
| Invoke-AddGroupMember | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{ID}/members/$ref |
| Invoke-AddGroupMember | Entra ID Audit Log | Add member to group |
| Invoke-AddGroupMember | Unified Audit Log | Add member to group. |
| Invoke-SearchSharePointAndOneDrive | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/search/query |
| Invoke-SearchSharePointAndOneDrive | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/drives/{ID}/items/{ID} |
| Invoke-SearchSharePointAndOneDrive | Unified Audit Log | SearchQueryInitiatedSharePoint |
| Invoke-SearchSharePointAndOneDrive | Unified Audit Log | FileDownloaded |
| Invoke-ImmersiveFileReader | Unified Audit Log | FileDownloaded |
| Invoke-SearchMailbox | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/search/query |
| Invoke-SearchMailbox | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/me/messages/{ID} |
| Invoke-SearchMailbox | Unified Audit Log | MailItemsAccessed |
| Invoke-SearchMailbox | Unified Audit Log | SearchQueryInitiatedExchange |
| Invoke-SearchTeams | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/me/messages/{ID} |
| Invoke-SearchUserAttributes | MicrosoftGraphActivityLogs | select=accountEnabled,ageGroup,assignedLicenses,businessPhones,city,companyName,consentProvidedForMinor,country,createdDateTime,creationType,department,displayName,mail,employeeId,employeeHireDate,employeeOrgData,employeeType,onPremisesExtensionAttributes,externalUserStateChangeDateTime,faxNumber,givenName,imAddresses,identities,externalUserState,jobTitle,surname,lastPasswordChangeDateTime,legalAgeGroupClassification,mailNickname,mobilePhone,id,officeLocation,onPremisesSamAccountName,onPremisesDistinguishedName,onPremisesDomainName,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesProvisioningErrors,onPremisesSecurityIdentifier,onPremisesSyncEnabled,onPremisesUserPrincipalName,otherMails,passwordPolicies,passwordProfile,preferredDataLocation,preferredLanguage,proxyAddresses,Comment,Info,Password,Information,Description,login,signin,credential,cred,credentials,data,signInSessionsValidFromDateTime,sponsors,state,streetAddress,usageLocation,userPrincipalName,userType,postalCode&$expand=manager |
| Get-Inbox | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/{Email}/mailFolders/Inbox/messages?$top=25 |
| Get-TeamsChat | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/me/chats?$expand=members,lastMessagePreview&orderby=lastMessagePreview/createdDateTime%20desc |
| Get-TeamsChat | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/chats/{ID}/messages |
| Invoke-DeleteOAuthApp | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/applications/ |
| Invoke-DeleteOAuthApp | Entra ID Audit Log | Delete application |
| Invoke-DeleteOAuthApp | Entra ID Audit Log | Remove service principal |
| Invoke-DeleteOAuthApp | Unified Audit Log | Delete application. |
| Invoke-DeleteOAuthApp | Unified Audit Log | Remove service principal. |
| Invoke-DeleteGroup | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/ |
| Invoke-DeleteGroup | Entra ID Audit Log | Delete group |
| Invoke-DeleteGroup | Unified Audit Log | Delete group. |
| Invoke-RemoveGroupMember | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{GroupID}/members/{USER}/$ref |
| Invoke-RemoveGroupMember | Entra ID Audit Log | Remove member from group |
| Invoke-RemoveGroupMember | Unified Audit Log | Remove member from group. |
| Invoke-DriveFileDownload | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/drives/b!{DRIVEID}//items/{ITEMID}/content |
| Invoke-DriveFileDownload | Unified Audit Log | FileDownloaded |
| Invoke-CheckAccess | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/me |
| Get-UserObjectID | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/{UPN} |