M365 IR Toolkit
The IR analyst's toolkit
Every investigation in this course uses the same core set of tools. You query evidence with KQL in Sentinel and Defender XDR. You collect evidence programmatically with the Microsoft Graph API and PowerShell. You automate initial evidence collection with Hawk and the Microsoft Extractor Suite. You analyze timelines in Timeline Explorer or a spreadsheet.
Complete the setup below before moving to Module 1. The exercises throughout the course assume these tools are working.
PowerShell modules
Two PowerShell modules provide the foundation for M365 evidence collection.
Microsoft.Graph is the PowerShell SDK for the Microsoft Graph API. It replaces the deprecated AzureAD and MSOnline modules. You'll use it to query sign-in logs, audit logs, risky users, service principals, and app registrations.
# Install the Microsoft Graph PowerShell SDK
Install-Module Microsoft.Graph -Scope CurrentUser
# Verify installation
Get-Module Microsoft.Graph -ListAvailable | Select-Object Name, Version
# Connect with the scopes needed for IR evidence collection
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All","User.Read.All","Application.Read.All","IdentityRiskEvent.Read.All","IdentityRiskyUser.Read.All"

The -Scopes parameter determines what data you can access. For incident response you need at minimum AuditLog.Read.All (sign-in and directory audit logs), Directory.Read.All (users, groups, service principals, app registrations), and IdentityRiskEvent.Read.All plus IdentityRiskyUser.Read.All (risk detections and risky users; SecurityEvents.Read.All covers security alerts, not Identity Protection risk data). Scopes are an upper bound, not a grant: with delegated access you can only read what the signed-in account's directory role already allows. These are admin-consent permissions, so the first time you connect Entra ID prompts for consent, and a non-admin account cannot grant them. In a real incident you need this consent and the role assignments in place before you start. Module 3 covers this as part of IR readiness.
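Before collecting anything, confirm the session actually carries the scopes the course relies on and that each evidence source answers. The pre-flight script below is an added example, not part of the course materials. It assumes an existing Connect-MgGraph session and uses the scope list from above, with IdentityRiskEvent.Read.All for Get-MgRiskDetection, which the SecurityEvents scope does not cover.

```powershell
# Added example (not from the course): verify that the current Graph session
# carries the scopes IR collection needs, then smoke-test each evidence source
# with a one-record query so a permissions problem surfaces now, not mid-incident.
# Assumes Connect-MgGraph has already been run.
$requiredScopes = @(
    'AuditLog.Read.All',
    'Directory.Read.All',
    'User.Read.All',
    'Application.Read.All',
    'IdentityRiskEvent.Read.All'
)

$ctx = Get-MgContext
if (-not $ctx) {
    throw 'No Graph session. Run Connect-MgGraph first.'
}

# Get-MgContext exposes the scopes consented for this session
$missing = $requiredScopes | Where-Object { $_ -notin $ctx.Scopes }
if ($missing) {
    Write-Warning "Connected as $($ctx.Account) but missing scopes: $($missing -join ', ')"
    Write-Warning "Reconnect with: Connect-MgGraph -Scopes $($requiredScopes -join ',')"
} else {
    Write-Host "Graph session OK: $($ctx.Account) on tenant $($ctx.TenantId)"
}

# One cheap query per evidence source; a failure here means a missing scope
# or a missing directory role on the signed-in account.
$checks = [ordered]@{
    'Sign-in logs'       = { Get-MgAuditLogSignIn -Top 1 }
    'Directory audit'    = { Get-MgAuditLogDirectoryAudit -Top 1 }
    'Risk detections'    = { Get-MgRiskDetection -Top 1 }
    'Service principals' = { Get-MgServicePrincipal -Top 1 }
}
foreach ($name in $checks.Keys) {
    try {
        $null = & $checks[$name]
        Write-Host "[OK]   $name"
    } catch {
        Write-Host "[FAIL] $name : $($_.Exception.Message)"
    }
}
```

Run this once after connecting and once more from the account you expect to use during an incident; the second run is the readiness test, because scopes consented for an admin's interactive session say nothing about the on-call analyst's account.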
ExchangeOnlineManagement provides access to Exchange Online audit data and mailbox configuration. You'll use it to search the Unified Audit Log, inspect inbox rules, check forwarding, and run message traces.
# Install Exchange Online Management module
Install-Module ExchangeOnlineManagement -Scope CurrentUser
# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName your-admin@yourdomain.com
# Verify access with a test UAL query
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) -RecordType ExchangeAdmin -ResultSize 5

If Search-UnifiedAuditLog returns results, your connection and permissions are working. An empty result is not by itself a failure: a quiet tenant may have had no ExchangeAdmin events in the last day, so repeat the query without -RecordType before drawing a conclusion. If it still returns nothing, check that audit logging is enabled: the UnifiedAuditLogIngestionEnabled property in the output of Get-AdminAuditLogConfig shows the current state.
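As an added example (not from the course), the mailbox checks described above run against a single user: forwarding set on the mailbox object, inbox rules including hidden ones, and explicit mailbox permissions. It assumes a working Connect-ExchangeOnline session; the function name and the UPN are placeholders.

```powershell
# Added example (not from the course): mailbox-level persistence checks for one
# user. Assumes Connect-ExchangeOnline has succeeded; the function name and the
# UPN are placeholders.
function Get-MailboxPersistenceIndicators {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # 1. Forwarding on the mailbox object (Set-Mailbox); survives inbox-rule cleanup
    $mbx = Get-Mailbox -Identity $UserPrincipalName
    $fwd = @($mbx.ForwardingSmtpAddress, $mbx.ForwardingAddress) | Where-Object { $_ }
    [PSCustomObject]@{
        Check      = 'Mailbox forwarding'
        Suspicious = [bool]$fwd
        Finding    = $(if ($fwd) { "$($fwd -join ', ') (DeliverToMailboxAndForward=$($mbx.DeliverToMailboxAndForward))" } else { 'none' })
    }

    # 2. Inbox rules, including hidden ones created through MAPI/EWS clients
    foreach ($rule in Get-InboxRule -Mailbox $UserPrincipalName -IncludeHidden) {
        # exfiltration: mail leaves the mailbox; hiding: the victim never sees it
        $exfil = [bool]($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo)
        $hide  = [bool]($rule.DeleteMessage -or $rule.MarkAsRead -or ($rule.MoveToFolder -match 'RSS|Archive|Conversation History|Junk'))
        [PSCustomObject]@{
            Check      = "Inbox rule '$($rule.Name)' (Enabled=$($rule.Enabled))"
            Suspicious = ($exfil -or $hide)
            Finding    = "ForwardTo=$($rule.ForwardTo -join ',') RedirectTo=$($rule.RedirectTo -join ',') Delete=$($rule.DeleteMessage) MoveTo=$($rule.MoveToFolder)"
        }
    }

    # 3. Explicit (non-inherited) mailbox permissions: delegate access added as persistence
    foreach ($perm in Get-MailboxPermission -Identity $UserPrincipalName |
                      Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' }) {
        [PSCustomObject]@{
            Check      = 'Mailbox permission'
            Suspicious = $true
            Finding    = "$($perm.User): $($perm.AccessRights -join ',')"
        }
    }
}

Get-MailboxPersistenceIndicators -UserPrincipalName 'compromised-user@yourdomain.com' |
    Format-Table Check, Suspicious, Finding -AutoSize -Wrap
```

The Suspicious flag is a triage hint, not a verdict: a rule that moves newsletters to Archive is normal, a single-character rule name that forwards to an external address is not, and only the analyst can tell the two apart. Record the raw rule objects as well (Export-Clixml keeps the full property set) before anyone remediates.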
Graph API direct access
PowerShell modules wrap the Graph API, but some tasks are faster with direct API calls. When you need to export thousands of sign-in records or page through large result sets, direct queries with pagination give you more control.
# Direct Graph API call for sign-in logs (last 24 hours)
$uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=createdDateTime ge $((Get-Date).ToUniversalTime().AddDays(-1).ToString('yyyy-MM-ddTHH:mm:ssZ'))&`$top=100"
$response = Invoke-MgGraphRequest -Uri $uri -Method GET
$response.value | Select-Object userPrincipalName, ipAddress, location, status, createdDateTime

The timestamp in the filter must be UTC (note the ToUniversalTime call and the trailing Z); formatting local time with a Z suffix silently shifts the window by your UTC offset. The $top parameter controls page size (maximum 1,000 for sign-ins). A single call returns only the first page; when more records match, the response carries an @odata.nextLink property with the URL for the next page. Module 5 covers pagination handling in detail.
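An added example (not from the course) that turns the single call above into a complete export by following @odata.nextLink until it is absent. It assumes a Connect-MgGraph session with AuditLog.Read.All; the function name, its parameters and the output path are this example's own.

```powershell
# Added example (not from the course): page through the sign-in log until
# @odata.nextLink disappears, flatten the nested fields an analyst needs, and
# write CSV. Assumes a Connect-MgGraph session with AuditLog.Read.All.
function Export-SignInLogs {
    param(
        [int]$Days = 7,
        [string]$UserPrincipalName,                       # optional: narrow to one account
        [string]$OutputPath = 'C:\IR\Evidence\signins.csv' # placeholder path
    )

    # Filter timestamp must be UTC
    $since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $filter = "createdDateTime ge $since"
    if ($UserPrincipalName) {
        $filter += " and userPrincipalName eq '$UserPrincipalName'"
    }
    $uri = "https://graph.microsoft.com/v1.0/auditLogs/signIns?`$filter=$filter&`$top=1000"

    $all  = [System.Collections.Generic.List[object]]::new()
    $page = 0
    while ($uri) {
        $page++
        # -OutputType PSObject returns objects that Select-Object/Export-Csv handle cleanly
        $resp = Invoke-MgGraphRequest -Uri $uri -Method GET -OutputType PSObject
        foreach ($s in $resp.value) {
            $all.Add([PSCustomObject]@{
                createdDateTime   = $s.createdDateTime
                userPrincipalName = $s.userPrincipalName
                ipAddress         = $s.ipAddress
                city              = $s.location.city
                countryOrRegion   = $s.location.countryOrRegion
                appDisplayName    = $s.appDisplayName
                clientAppUsed     = $s.clientAppUsed
                errorCode         = $s.status.errorCode       # 0 = success
                failureReason     = $s.status.failureReason
                riskLevel         = $s.riskLevelDuringSignIn
                conditionalAccess = $s.conditionalAccessStatus
            })
        }
        Write-Verbose "Page $page : $($resp.value.Count) records (running total $($all.Count))"
        # Absent on the last page, which ends the loop
        $uri = $resp.'@odata.nextLink'
    }

    $all | Export-Csv -Path $OutputPath -NoTypeInformation
    Write-Host "Exported $($all.Count) sign-ins to $OutputPath"
    return $all
}

Export-SignInLogs -Days 1 -UserPrincipalName 'compromised-user@yourdomain.com' -Verbose
```

Keep the loop as a function rather than a script so it can be re-run per user with the same evidence path convention; flattening location and status into columns at export time is what makes the CSV usable in Timeline Explorer later, since the raw JSON nests them.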
KQL
KQL (Kusto Query Language) is the query language for both Sentinel and Defender XDR Advanced Hunting. You'll write KQL queries throughout this course to investigate sign-in anomalies, trace email activity, identify file access patterns, and correlate evidence across sources.
If your organization runs Sentinel, navigate to Microsoft Sentinel > Logs to access the query editor. If your organization runs Defender XDR, navigate to Microsoft Defender > Hunting > Advanced hunting. If you have both, you have the complete investigation surface.
Hawk
Hawk is an open-source PowerShell module built for M365 incident response. It automates the initial evidence collection that you'd otherwise do manually: sign-in log export, inbox rule enumeration, mail forwarding check, UAL search, and app consent review.
# Install Hawk
Install-Module Hawk -Scope CurrentUser
# Run Hawk against a specific user
Start-HawkUserInvestigation -UserPrincipalName compromised-user@yourdomain.com

Hawk creates a structured output directory with collected evidence organized by category. It collects evidence. It doesn't analyze it. The analysis is your job.
Microsoft Extractor Suite
The Microsoft Extractor Suite (developed by Invictus IR) extracts M365 forensic data with specialized functions for MailItemsAccessed, sign-in log analysis, and OAuth application investigation.
# Install Microsoft Extractor Suite
Install-Module Microsoft-Extractor-Suite -Scope CurrentUser
# Extract sign-in logs for a specific user
Get-ADSignInLogsGraph -userIds "compromised-user@yourdomain.com" -OutputDir "C:\IR\Evidence"
# Extract UAL for a specific user
Get-UALGraph -searchName "user-UAL" -userIds "compromised-user@yourdomain.com" -OutputDir "C:\IR\Evidence"

The functions with Graph in the name run over your existing Connect-MgGraph session, so connect first with the scopes each function's help lists. Output lands in the directory given by -OutputDir, which is what the timeline step below consumes.

Timeline analysis
After collecting evidence from multiple sources, you merge and analyze it. Timeline Explorer (by Eric Zimmerman) handles the large CSV datasets that Excel cannot. Any tool that can filter, sort, and search large CSV files works: Timeline Explorer, Excel with Power Query, or PowerShell.
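As an added example (not from the course) of the PowerShell route, the following merges a sign-in export and UAL records into one timeline with a shared schema and a single UTC timestamp column, which is the shape Timeline Explorer sorts and filters well. The records are constructed sample data using documentation IP ranges, and the function names are this example's own.

```powershell
# Added example (not from the course): build one timeline from two evidence
# sources by mapping each record to a shared schema and a single UTC timestamp.
# All records below are constructed sample data, not real logs.

# Constructed sample: rows as exported from Entra sign-in logs (errorCode 0 = success)
$signIns = @(
    [PSCustomObject]@{ createdDateTime = '2024-03-01T07:55:02Z'; userPrincipalName = 'compromised-user@yourdomain.com'; ipAddress = '198.51.100.9'; errorCode = 50126; appDisplayName = 'OfficeHome' },
    [PSCustomObject]@{ createdDateTime = '2024-03-01T08:02:11Z'; userPrincipalName = 'compromised-user@yourdomain.com'; ipAddress = '198.51.100.9'; errorCode = 0;     appDisplayName = 'OfficeHome' }
)

# Constructed sample: rows in the shape Search-UnifiedAuditLog returns (AuditData is JSON)
$ual = @(
    [PSCustomObject]@{ CreationDate = '2024-03-01T08:05:40Z'; Operations = 'New-InboxRule'; UserIds = 'compromised-user@yourdomain.com'; AuditData = '{"ClientIP":"198.51.100.9:443","Parameters":[{"Name":"Name","Value":"."},{"Name":"ForwardTo","Value":"attacker@example.net"}]}' },
    [PSCustomObject]@{ CreationDate = '2024-03-01T08:06:02Z'; Operations = 'Set-Mailbox';   UserIds = 'compromised-user@yourdomain.com'; AuditData = '{"ClientIP":"198.51.100.9:443","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:attacker@example.net"}]}' }
)

function ConvertTo-UtcString {
    # Accepts ISO-8601 with or without a zone designator; returns a sortable UTC string
    param([string]$Value)
    $styles = [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    [datetime]::Parse($Value, [cultureinfo]::InvariantCulture, $styles).ToString('yyyy-MM-dd HH:mm:ss')
}

function Merge-IrTimeline {
    param($SignIns, $Ual)

    $fromSignIns = @(foreach ($s in $SignIns) {
        [PSCustomObject]@{
            TimestampUtc = ConvertTo-UtcString $s.createdDateTime
            Source       = 'EntraSignIn'
            Actor        = $s.userPrincipalName
            ClientIP     = $s.ipAddress
            Action       = $(if ($s.errorCode -eq 0) { 'SignIn:Success' } else { "SignIn:Failure($($s.errorCode))" })
            Detail       = $s.appDisplayName
        }
    })

    $fromUal = @(foreach ($u in $Ual) {
        $data   = $u.AuditData | ConvertFrom-Json
        $params = ($data.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
        [PSCustomObject]@{
            TimestampUtc = ConvertTo-UtcString $u.CreationDate
            Source       = 'UAL'
            Actor        = $u.UserIds
            ClientIP     = ($data.ClientIP -split ':')[0]   # UAL appends a port; IPv4 assumed here
            Action       = $u.Operations
            Detail       = $params
        }
    })

    # One schema, one clock: this is the table the rest of the analysis pivots on
    ($fromSignIns + $fromUal) | Sort-Object TimestampUtc
}

$timeline = Merge-IrTimeline -SignIns $signIns -Ual $ual
$timeline | Format-Table -AutoSize

# Same source IP across sign-in and mailbox changes is the pivot worth checking first
$timeline | Group-Object ClientIP | Select-Object Name, Count

$timeline | Export-Csv -Path (Join-Path ([IO.Path]::GetTempPath()) 'timeline.csv') -NoTypeInformation
```

On the constructed data the merged table reads top to bottom as a failed sign-in, a successful sign-in from the same address seven minutes later, then an inbox rule and a mailbox forwarding change within the next four minutes, all from one IP. That ordering is only visible once both sources share a timestamp format; keep the normalization in one function so every source you add later (MailItemsAccessed, Graph directory audits) goes through the same path.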
Verify your setup
Before moving to Module 1, confirm you can connect to Microsoft Graph with Connect-MgGraph and the required scopes, connect to Exchange Online with Connect-ExchangeOnline, run Search-UnifiedAuditLog and get results, access the KQL query editor in Sentinel or Defender XDR, and import Hawk and the Microsoft Extractor Suite.
If any of these fail, the most common causes are insufficient permissions (the account needs a directory role of at least Security Reader, and Exchange cmdlets such as Search-UnifiedAuditLog additionally require an audit log role in Exchange Online), audit logging disabled in the tenant, or module conflicts: the old AzureAD and MSOnline modules load an older authentication library, so remove them, or at least never import them into the same session as Microsoft.Graph.
Module 1 begins the course content with the foundations of M365 incident response.