Reportly – An AzureAD User Activity Report Tool



Reportly is an AzureAD user activity report tool.

About the tool

This tool helps blue teams during a cloud incident. The researcher enters a suspicious user and a time frame as input and receives a report detailing the following:

  1. Information about the user
  2. Actions taken by the user
  3. Actions taken on the user
  4. User login and failure logs

Usage

When you run the tool, it shows an authentication link and a device code. Follow the link and enter the code to authenticate.

Enter the user principal name of the suspicious user.
Enter the start and end times in the following format: 2022-11-16
I recommend a range of no longer than a week.

After authentication, choose option “5” to create a full report.

When the report is ready, the tool prints “Your report is ready!”. The reports are created in the executable’s directory.
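
For cross-checking a report by hand, the same inputs map onto Microsoft Graph audit-log queries. The following is an added example, not Reportly's own code: the function names, the hard 7-day limit and the sample UPN are assumptions, and only the sign-in and "actions taken by the user" queries are shown.

```python
import re
from datetime import date
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0/auditLogs"
MAX_DAYS = 7  # assumption: enforce the README's "no longer than a week" advice
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")   # the tool's input format, e.g. 2022-11-16
UPN_RE = re.compile(r"[^@\s]+@[^@\s]+")      # loose shape check only

def odata_str(value):
    """Quote a string for an OData $filter; a single quote is escaped by doubling."""
    return "'" + value.replace("'", "''") + "'"

def window(start, end):
    """Return inclusive UTC bounds for the requested days, rejecting bad ranges."""
    for d in (start, end):
        if not DATE_RE.fullmatch(d):
            raise ValueError(f"date must look like 2022-11-16, got {d!r}")
    s, e = date.fromisoformat(start), date.fromisoformat(end)
    if e < s or (e - s).days > MAX_DAYS:
        raise ValueError("end must follow start by at most a week")
    return f"{s}T00:00:00Z", f"{e}T23:59:59Z"

def build_queries(upn, start, end):
    """Map the report inputs to Graph audit-log request URLs."""
    if not UPN_RE.fullmatch(upn):
        raise ValueError("not a user principal name")
    lo, hi = window(start, end)
    user = odata_str(upn)
    filters = {
        # user login and failure logs
        "signIns": f"userPrincipalName eq {user} and createdDateTime ge {lo} "
                   f"and createdDateTime le {hi}",
        # actions taken by the user
        "directoryAudits": f"initiatedBy/user/userPrincipalName eq {user} "
                           f"and activityDateTime ge {lo} and activityDateTime le {hi}",
    }
    return {name: f"{GRAPH}/{name}?$filter={quote(f, safe='')}"
            for name, f in filters.items()}

if __name__ == "__main__":
    # Constructed sample input; the apostrophe shows why escaping matters.
    for url in build_queries("o'brien@contoso.example", "2022-11-16", "2022-11-22").values():
        print(url)
```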

Installation

To use the tool you need an AzureAD application with the following delegated Microsoft Graph API permissions:

  • AuditLog.Read.All
  • GroupMember.Read.All
  • RoleManagement.Read.Directory
  • User.Read
  • User.Read.All

    Don't forget to grant admin consent.

To create an application, go to the “App registration” tab and select the “New registration” option.

Also, when creating the application, make sure you mark the following option as “yes”:

  • You can find this property under the application’s “Authentication” tab.


Add a secret to the application.

  • Go to “Certificates & secrets”
  • Add a secret
  • Immediately copy the secret to the config file (it is shown only once and then disappears)

After you have created the application, fill in the config.cfg file:
clientId = application id
clientSecret = application secret
tenantId = tenant id



