Monte Carlo processes the Office 365 Unified audit logs for incident response investigations.
Place the files exported for each user in the same folder and provide the directory into the script. The output will be an Excel spreadsheet for each username parsed, sorted on the CreationTime field for timeline investigation.
python3 montecarlo.py directory_of_logsFor legacy reasons, the old scripts provide a (not-so fast) investigation by breaking the processing tasks in 3 stages (sectors):
- Parse Office 365 unified audit log based on specfic operations
- Geolocate operations for user accounts
- Import the processed csv files into one Excel spreadsheet with unique tabs for each user account
Named after the famous turns on the 3 sectors of Monte Carlo Grand Prix track
By default 3 properties are extracted: CreationTime, UserID, ClientIP, but properties can be extended according to the investigation needs. A detailed list can be found on Microsoft documentation.
PS >.\sainte-devote.ps1 -path 'directory_of_Audit Logs' -output 'directory_of_parsed_logs'The geolocation feature uses the python-geoip library. To install:
pip install python-geoip-geolite2
Make sure you have downloaded locally the geolocation database from MaxMind to import it into mirabeau.py
python3 mirabeau.py directory_of_parsed_logs output_directory
PS >.\piscine.ps1 input_directory- Integrate Sainte Devote and Mirabeau into one script
- Add binaries
GPLv3