Files
Anthropic-Cybersecurity-Skills/skills/analyzing-office365-audit-logs-for-compromise/references/api-reference.md
T
mukul975 915ea611e5 Add 10 new cybersecurity skills with full folder anatomy
Skills added:
- implementing-privileged-access-workstation (IAM, PAW hardening)
- detecting-suspicious-oauth-application-consent (cloud security, Graph API)
- performing-hardware-security-module-integration (cryptography, PKCS#11)
- analyzing-android-malware-with-apktool (malware analysis, androguard)
- hunting-for-unusual-service-installations (threat hunting, T1543.003)
- detecting-shadow-it-cloud-usage (cloud security, proxy/DNS log analysis)
- performing-active-directory-forest-trust-attack (red team, impacket)
- implementing-deception-based-detection-with-canarytoken (deception, Canary API)
- analyzing-office365-audit-logs-for-compromise (cloud security, BEC detection)
- hunting-for-startup-folder-persistence (threat hunting, T1547.001)

Each skill includes SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:47:03 +01:00

2.8 KiB

API Reference — Analyzing Office 365 Audit Logs for Compromise

Libraries Used

  • msal: Microsoft Authentication Library — client credentials flow for Graph API
  • requests: HTTP client for Graph API calls with pagination

CLI Interface

python agent.py --tenant-id T --client-id C --client-secret S audit-logs --days 7
python agent.py --tenant-id T --client-id C --client-secret S inbox-rules --user user@domain.com
python agent.py --tenant-id T --client-id C --client-secret S forwarding --user user@domain.com
python agent.py --tenant-id T --client-id C --client-secret S oauth
python agent.py --tenant-id T --client-id C --client-secret S full --users user1@d.com user2@d.com --days 7

Core Functions

get_access_token(tenant_id, client_id, client_secret) — MSAL auth

Uses ConfidentialClientApplication.acquire_token_for_client() with https://graph.microsoft.com/.default scope.

query_audit_logs(token, days) — Suspicious operation detection

Queries /auditLogs/directoryAudits for 11 suspicious operations: New-InboxRule, Set-InboxRule, Set-Mailbox, Add-MailboxPermission, UpdateInboxRules, New-TransportRule, etc.

check_inbox_rules(token, user_id) — Forwarding rule detection

GET /users/{id}/mailFolders/inbox/messageRules. Checks actions for forwardTo, forwardAsAttachmentTo, redirectTo. Flags external forwards and delete-after-forward patterns.

check_mailbox_forwarding(token, user_id) — SMTP forwarding check

GET /users/{id}/mailboxSettings. Checks auto-reply status and external audience.

GET /oauth2PermissionGrants. Flags grants with Mail.Read, Mail.ReadWrite, Mail.Send, Files.ReadWrite.All, MailboxSettings.ReadWrite.

full_audit(token, users, days) — Comprehensive compromise analysis

Microsoft Graph Endpoints

Endpoint Method Permission
/auditLogs/directoryAudits GET AuditLog.Read.All
/users/{id}/mailFolders/inbox/messageRules GET MailboxSettings.Read
/users/{id}/mailboxSettings GET MailboxSettings.Read
/oauth2PermissionGrants GET Directory.Read.All

Inbox Rule Risk Scoring

Factor Points
Forwarding rule present +40
Delete after forward +25
External forward address +20
Mark as read + forward +15

Suspicious Operations Monitored

New-InboxRule, Set-InboxRule, Set-Mailbox, Add-MailboxPermission, Set-MailboxJunkEmailConfiguration, Set-OwaMailboxPolicy, New-TransportRule, Add-RecipientPermission, Set-TransportRule, UpdateInboxRules, Set-MailboxAutoReplyConfiguration

Dependencies

  • msal >= 1.24.0
  • requests >= 2.28.0
  • Azure AD app with AuditLog.Read.All, MailboxSettings.Read, Mail.Read