invictus-korstiaan/388b5f409b7fe7427479197e5edacb9e
Last active December 4, 2023 11:02
AllEvidence
Module | Log Source | Indicator | |
---|---|---|---|
Get-GraphToken | Entra ID SignInLogs | AuthenticationProtocol == deviceCode | |
Get-GraphToken | Entra ID SignInLogs | ResourceDisplayName == Microsoft Graph | |
Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/search/query | |
Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals | |
Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/ | |
Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/{ID} | |
Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/organization | |
Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals(appId='{AppID}')/appRoleAssignedTo | |
Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/applications | |
Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals/{ID} | |
Invoke-GraphRecon | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals?$skiptoken={Token} | |
Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/search/query | |
Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/{ID} | |
Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/organization | |
Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals(appId='{AppId}')/appRoleAssignedTo | |
Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/applications | |
Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals/{ID} | |
Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals?$skiptoken={Token} | |
Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals | |
Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{GroupID}/members | |
Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups?=securityEnabled%20eq%20true | |
Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users | |
Invoke-GraphRunner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/beta/policies/authorizationPolicy | |
Invoke-GraphOpenInboxFinder | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/search/query | |
Invoke-GraphOpenInboxFinder | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/{Email}/mailFolders/Inbox/messages | |
Get-SharePointSiteURLs | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/search/query | |
Get-DynamicGroups | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups | |
Get-UpdatableGroups | MicrosoftGraphActivityLogs | https://graph.microsoft.com/beta/roleManagement/directory/estimateAccess | |
Get-UpdatableGroups | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups | |
Invoke-DumpApps | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/ | |
Invoke-DumpApps | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/{Id} | |
Invoke-DumpApps | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/organization | |
Invoke-DumpApps | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals(appId='{AppId}')/appRoleAssignedTo | |
Invoke-DumpApps | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/applications | |
Invoke-DumpApps | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals/{Id} | |
Invoke-DumpApps | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals?$skiptoken={Token} | |
Invoke-DumpApps | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals | |
Get-SecurityGroups | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{ID}/members | |
Get-SecurityGroups | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups?=securityEnabled%20eq%20true | |
Get-AzureADUsers | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users | |
Invoke-InjectOAuthApp | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/applications/{ID}/addPassword | |
Invoke-InjectOAuthApp | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/applications | |
Invoke-InjectOAuthApp | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals{ID} | |
Invoke-InjectOAuthApp | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals?$skiptoken={TOKEN} | |
Invoke-InjectOAuthApp | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/servicePrincipals | |
Invoke-InjectOAuthApp | Entra ID Audit Log | Update application | |
Invoke-InjectOAuthApp | Entra ID Audit Log | Update application – Certificates and secrets management | |
Invoke-InjectOAuthApp | Entra ID Audit Log | Add application | |
Invoke-SecurityGroupCloner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{ID}/members | |
Invoke-SecurityGroupCloner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{ID}/members/$ref | |
Invoke-SecurityGroupCloner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups?=securityEnabled%20eq%20true | |
Invoke-SecurityGroupCloner | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/me | |
Invoke-SecurityGroupCloner | Entra ID Audit Log | Add member to group | |
Invoke-SecurityGroupCloner | Entra ID Audit Log | Add group | |
Invoke-InviteGuest | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/invitations | |
Invoke-InviteGuest | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/organization | |
Invoke-InviteGuest | Entra ID Audit Log | Invite external user | |
Invoke-InviteGuest | Entra ID Audit Log | Add user | |
Invoke-AddGroupMember | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{ID}/members/$ref | |
Invoke-AddGroupMember | Entra ID Audit Log | Add member to group | |
Invoke-AddGroupMember | Unified Audit Log | Add member to group. | |
Invoke-SearchSharePointAndOneDrive | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/search/query | |
Invoke-SearchSharePointAndOneDrive | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/drives/{ID}/items/{ID} | |
Invoke-SearchSharePointAndOneDrive | Unified Audit Log | SearchQueryInitiatedSharePoint | |
Invoke-SearchSharePointAndOneDrive | Unified Audit Log | FileDownloaded | |
Invoke-ImmersiveFileReader | Unified Audit Log | FileDownloaded | |
Invoke-SearchMailbox | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/search/query | |
Invoke-SearchMailbox | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/me/messages/{ID} | |
Invoke-SearchMailbox | Unified Audit Log | MailItemsAccessed | |
Invoke-SearchMailbox | Unified Audit Log | SearchQueryInitiatedExchange | |
Invoke-SearchTeams | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/me/messages/{ID} | |
Invoke-SearchUserAttributes | MicrosoftGraphActivityLogs | select=accountEnabled,ageGroup,assignedLicenses,businessPhones,city,companyName,consentProvidedForMinor,country,createdDateTime,creationType,department,displayName,mail,employeeId,employeeHireDate,employeeOrgData,employeeType,onPremisesExtensionAttributes,externalUserStateChangeDateTime,faxNumber,givenName,imAddresses,identities,externalUserState,jobTitle,surname,lastPasswordChangeDateTime,legalAgeGroupClassification,mailNickname,mobilePhone,id,officeLocation,onPremisesSamAccountName,onPremisesDistinguishedName,onPremisesDomainName,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesProvisioningErrors,onPremisesSecurityIdentifier,onPremisesSyncEnabled,onPremisesUserPrincipalName,otherMails,passwordPolicies,passwordProfile,preferredDataLocation,preferredLanguage,proxyAddresses,Comment,Info,Password,Information,Description,login,signin,credential,cred,credentials,data,signInSessionsValidFromDateTime,sponsors,state,streetAddress,usageLocation,userPrincipalName,userType,postalCode&$expand=manager | |
Get-Inbox | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/{Email}/mailFolders/Inbox/messages?$top=25 | |
Get-TeamsChat | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/me/chats?$expand=members,lastMessagePreview&orderby=lastMessagePreview/createdDateTime%20desc | |
Get-TeamsChat | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/chats/{ID}/messages | |
Invoke-DeleteOAuthApp | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/applications/ | |
Invoke-DeleteOAuthApp | Entra ID Audit Log | Delete application | |
Invoke-DeleteOAuthApp | Entra ID Audit Log | Remove service principal | |
Invoke-DeleteOAuthApp | Unified Audit Log | Delete application. | |
Invoke-DeleteOAuthApp | Unified Audit Log | Remove service principal. | |
Invoke-DeleteGroup | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/ | |
Invoke-DeleteGroup | Entra ID Audit Log | Delete group | |
Invoke-DeleteGroup | Unified Audit Log | Delete group. | |
Invoke-RemoveGroupMember | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/groups/{GroupID}/members/{USER}/$ref | |
Invoke-RemoveGroupMember | Entra ID Audit Log | Remove member from group | |
Invoke-RemoveGroupMember | Unified Audit Log | Remove member from group. | |
Invoke-DriveFileDownload | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/drives/b!{DRIVEID}//items/{ITEMID}/content | |
Invoke-DriveFileDownload | Unified Audit Log | FileDownloaded | |
Invoke-CheckAccess | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/me | |
Get-UserObjectID | MicrosoftGraphActivityLogs | https://graph.microsoft.com/v1.0/users/{UPN} |