syne0 / osprey

Powershell Based tool for gathering information related to O365 intrusions and potential Breaches
MIT License
6 stars 1 forks source link

Update or deprecate Get-OspreyUserAdminAudit #12

Closed syne0 closed 2 months ago

syne0 commented 3 months ago

This uses the deprecated admin audit log to check for user changes. There is not really an easy 1 to 1 migration to the UAL in this case. Same problem as in other places, where we'd need to search for very specific commands being ran, and also filter out potential system garbage.

I think the best way moving forward with this and a few other functions is to determine exactly what changes would be made on an account when it's compromised (such as adding an additional MFA method) and pulling those from the UAL.

syne0 commented 2 months ago

Decided to deprecate for now.