EntraSignInLogs‐Analyzer
EntraSignInLogs-Analyzer.ps1 (formerly ADSignInLogsGraph-Analyzer.ps1) is a PowerShell script that simplifies the analysis of Microsoft Entra ID Sign-In Logs extracted with the Microsoft-Extractor-Suite by Invictus-IR.
Features:
- Beautified Excel Output Files w/ Conditional Formatting
- Data Enrichment w/ IP Intelligence (e.g. adding the missing 'OrgName')
- (Enterprise) Application Blacklist
- ASN Blacklist (VPN-Services)
- Country Blacklist
- Multiple Statistics and Line Charts
- GeoIP Mapping (for all steps of Authentication and Conditional Access)
- Analytics (e.g. Adversary-in-the-Middle (AiTM) detection, Device Code authentication, Brute Force, Very Risky Authentication, Compliant Device Bypass aka Intune Bypass detection, etc.)
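The following is an added example, not code from EntraSignInLogs-Analyzer.ps1 or the Microsoft-Analyzer-Suite. It shows, in miniature, how the blacklist checks and the Device Code / Brute Force analytics listed above can be expressed over sign-in records: the field names (`userPrincipalName`, `ipAddress`, `appDisplayName`, `authenticationProtocol`, `status.errorCode`, `location.countryOrRegion`) follow the Microsoft Graph `signIn` resource, while the sample records, the `$AsnLookup` table standing in for IPinfo CLI enrichment, the blacklist entries and the brute-force threshold are all constructed for the example.

```powershell
# Added example (not part of EntraSignInLogs-Analyzer): blacklist checks and
# Device Code / Brute Force analytics over constructed Entra sign-in records.

# Constructed sign-in records; the real input is 'SignInLogs-Combined.json'.
$Json = @'
[
 {"createdDateTime":"2024-05-01T08:00:01Z","userPrincipalName":"alice@contoso.example","ipAddress":"203.0.113.10","appDisplayName":"Office 365 Exchange Online","authenticationProtocol":"oAuth2","status":{"errorCode":0},"location":{"countryOrRegion":"DE"}},
 {"createdDateTime":"2024-05-01T08:05:12Z","userPrincipalName":"alice@contoso.example","ipAddress":"198.51.100.7","appDisplayName":"Microsoft Azure CLI","authenticationProtocol":"deviceCode","status":{"errorCode":0},"location":{"countryOrRegion":"NL"}},
 {"createdDateTime":"2024-05-01T08:09:40Z","userPrincipalName":"carol@contoso.example","ipAddress":"192.0.2.44","appDisplayName":"Constructed Blacklisted App","authenticationProtocol":"oAuth2","status":{"errorCode":0},"location":{"countryOrRegion":"KP"}}
]
'@
$SignIns = @(ConvertFrom-Json -InputObject $Json)

# Six failed password attempts (errorCode 50126) against one account from one IP.
1..6 | ForEach-Object {
    $SignIns += [pscustomobject]@{
        createdDateTime        = ('2024-05-01T09:00:{0:00}Z' -f $_)
        userPrincipalName      = 'bob@contoso.example'
        ipAddress              = '198.51.100.7'
        appDisplayName         = 'Office 365 Exchange Online'
        authenticationProtocol = 'ropc'
        status                 = [pscustomobject]@{ errorCode = 50126 }
        location               = [pscustomobject]@{ countryOrRegion = 'NL' }
    }
}

# Constructed stand-in for IPinfo CLI enrichment (IP -> ASN / OrgName).
$AsnLookup = @{
    '203.0.113.10' = @{ ASN = 'AS64496'; OrgName = 'Example Home ISP' }
    '198.51.100.7' = @{ ASN = 'AS64500'; OrgName = 'Example VPN Ltd' }
    '192.0.2.44'   = @{ ASN = 'AS64501'; OrgName = 'Example Hosting' }
}
$AsnBlacklist     = @('AS64500')                       # VPN services (constructed)
$CountryBlacklist = @('KP')                            # constructed
$AppBlacklist     = @('Constructed Blacklisted App')   # constructed

function Invoke-SignInAnalysis {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [hashtable] $AsnLookup,
        [string[]]  $AsnBlacklist,
        [string[]]  $CountryBlacklist,
        [string[]]  $AppBlacklist,
        [int]       $BruteForceThreshold = 5   # constructed threshold
    )
    $Findings = [System.Collections.Generic.List[object]]::new()

    foreach ($r in $Records) {
        $Enrich  = $AsnLookup[$r.ipAddress]
        $Asn     = if ($Enrich) { $Enrich.ASN }     else { 'unknown' }
        $Org     = if ($Enrich) { $Enrich.OrgName } else { 'unknown' }
        $Country = $r.location.countryOrRegion

        $Flags = @()
        if ($AsnBlacklist -contains $Asn)              { $Flags += "ASN blacklist ($Org)" }
        if ($CountryBlacklist -contains $Country)      { $Flags += "Country blacklist ($Country)" }
        if ($AppBlacklist -contains $r.appDisplayName) { $Flags += 'Application blacklist' }
        if ($r.authenticationProtocol -eq 'deviceCode'){ $Flags += 'Device Code authentication' }

        foreach ($f in $Flags) {
            $Findings.Add([pscustomobject]@{
                Time = $r.createdDateTime; User = $r.userPrincipalName; IpAddress = $r.ipAddress
                ASN = $Asn; OrgName = $Org; Country = $Country; App = $r.appDisplayName; Finding = $f
            })
        }
    }

    # Brute Force: repeated invalid-password failures (50126) against one account.
    $Records | Where-Object { $_.status.errorCode -eq 50126 } |
        Group-Object -Property userPrincipalName |
        Where-Object { $_.Count -ge $BruteForceThreshold } |
        ForEach-Object {
            $Last = $_.Group | Sort-Object createdDateTime | Select-Object -Last 1
            $Findings.Add([pscustomobject]@{
                Time = $Last.createdDateTime; User = $_.Name; IpAddress = $Last.ipAddress
                ASN = $AsnLookup[$Last.ipAddress].ASN; OrgName = $AsnLookup[$Last.ipAddress].OrgName
                Country = $Last.location.countryOrRegion; App = $Last.appDisplayName
                Finding = "Brute Force ($($_.Count) failed logons)"
            })
        }
    return $Findings
}

$Findings = Invoke-SignInAnalysis -Records $SignIns -AsnLookup $AsnLookup `
    -AsnBlacklist $AsnBlacklist -CountryBlacklist $CountryBlacklist -AppBlacklist $AppBlacklist
$Findings | Format-Table -AutoSize

# Optional: write a colour-coded Hunt.xlsx with ImportExcel (skipped if the module is absent).
if (Get-Module -ListAvailable -Name ImportExcel) {
    $Findings | Export-Excel -Path (Join-Path $PWD 'Hunt-example.xlsx') -AutoSize -FreezeTopRow `
        -ConditionalText (New-ConditionalText -Text 'ASN blacklist' -BackgroundColor Red)
}
```

On the constructed input this reports the Device Code sign-in and the VPN ASN for alice, the blacklisted country and application for carol, and one Brute Force finding for bob (six 50126 failures against the five-attempt threshold); the ASN enrichment in the real script comes from the IPinfo CLI rather than a static table.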
Dependencies:
- Free IPinfo account (Access Token required): https://ipinfo.io/signup?ref=cli
- ImportExcel (PowerShell Module): https://github.com/dfinke/ImportExcel
- IPinfo CLI (Standalone Binary): https://github.com/ipinfo/cli
- xsv (Standalone Binary): https://github.com/BurntSushi/xsv

Fig 1: Select your 'SignInLogs-Combined.json' file

Fig 2: ADSignInLogsGraph-Analyzer

Fig 3: GeoIP-Mapping w/ IPinfo CLI → Sign up for free

Fig 4: Check 'Summary.txt' to spot new VPN-Services

Fig 5: Hunt.xlsx - Filter column 'ASN' by Color → Filter by Cell Color 'Red'

Fig 6: Woody and Buzz Lightyear: Stats Everywhere!

Fig 7: ASN (Stats)

Fig 8: IpAddress (Stats)

Fig 9: ClientAppUsed (Stats)

Fig 10: Compliant Device Bypass via Microsoft Intune Company Portal

Fig 11: MessageBox → Wake up!
Note
You must have a Microsoft Entra ID P1 or P2 license to download sign-in logs using the Microsoft Graph API.