rukmandfir/Purview-Audit-Log-Parser

GitHub: rukmandfir/Purview-Audit-Log-Parser

Stars: 0 | Forks: 0

![Version](https://img.shields.io/badge/version-v1.0.0-blue) ![Python](https://img.shields.io/badge/python-3.x-blue) ![License](https://img.shields.io/badge/license-MIT-green)

# Purview Audit Log Parser

The tool automatically parses the complex JSON contained within the Purview AuditData field and transforms it into investigation-focused Excel worksheets, reducing manual data preparation and enabling analysts to spend more time investigating and less time cleaning data.

## Features

### Exchange Investigation

- Exchange investigation worksheet
- MailItemsAccessed (Bind) parsing
- MailItemsAccessed (Sync) parsing
- Multi-message subject extraction
- Multi-message Internet Message ID extraction

### Inbox Rule Analysis

- New-InboxRule
- Set-InboxRule
- Enable-InboxRule
- Disable-InboxRule
- Remove-InboxRule
- UpdateInboxRules

### SharePoint / OneDrive Investigation

- File access activity
- File download activity
- Sharing activity
- User and device information

### IP Address Analysis

- IP normalisation
- IP source identification
- Deduplicated IP analysis worksheet

### General Features

- Workload identification
- Investigation-focused worksheets
- Parser statistics
- Workload summary
- Parser error reporting

## Output Worksheets

The parser generates the following worksheets:

- Parser Statistics
- Workload Summary
- IP-Analysis
- All Events
- Parser Errors
- Exchange-Investigation
- InboxRules
- MailItemsAccessed-Bind
- MailItemsAccessed-Sync
- SPOD-Investigation
- AzureAD-Investigation
- Teams

## Example Output

### Workload Summary

![Workload Summary](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/9ab53cfc2c181558.png)

### IP Analysis

![IP Analysis](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/58b677cc86181608.png)

### Exchange Investigation

![Exchange Investigation](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/136b39ba17181615.png)

### SharePoint/OneDrive Investigation

![SharePoint](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/59002ae00c181622.png)

## Installation

Clone the repository:

```bash
git clone https://github.com/rukmandfir/Purview-Audit-Log-Parser.git
```

Install requirements:

```bash
pip install -r requirements.txt
```

## Usage

Place the Purview audit log CSV export into the input folder and run:

```bash
python main.py
```

The parsed workbook will be created in the output folder.

## Typical Use Cases

- Business Email Compromise (BEC) investigations
- Microsoft 365 incident response
- Insider threat investigations
- Microsoft Purview audit log review
- eDiscovery support
- Rapid investigation triage
- Timeline development

## Roadmap

### Planned Features

- IP geolocation enrichment
- Investigation timeline worksheet
- BEC summary worksheet
- Suspicious activity worksheet
- Teams investigation worksheet
- Additional Microsoft 365 workload support

## Disclaimer

This project is intended to assist investigators by reducing manual data preparation effort. Results should always be validated and reviewed by the investigator. Do not upload real client data to public repositories.

## License

This project is licensed under the MIT License.
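The core step the README describes, shown as an added example that is not the project's own code: each row's AuditData JSON is unpacked from the Purview CSV export, the client IP is normalised (port and IPv6 brackets stripped), the MailItemsAccessed access type (Bind/Sync) and Internet Message IDs are pulled out, inbox-rule parameters are flattened, and rows that fail to parse are collected the way a Parser Errors worksheet would. The sample rows and the function names are assumptions; the AuditData property names follow the standard Office 365 audit schema.

```python
import csv
import io
import ipaddress
import json

# Constructed sample of a Purview export (hypothetical values); AuditData is JSON inside a CSV field; row 3 is deliberately malformed.
SAMPLE_CSV = """\
CreationDate,UserIds,Operations,AuditData
2024-05-01T10:15:00,alice@example.com,MailItemsAccessed,"{""Operation"":""MailItemsAccessed"",""Workload"":""Exchange"",""UserId"":""alice@example.com"",""ClientIPAddress"":""[2001:db8::10]:443"",""OperationProperties"":[{""Name"":""MailAccessType"",""Value"":""Bind""}],""Folders"":[{""Path"":""\\\\Inbox"",""FolderItems"":[{""InternetMessageId"":""<a1@example.com>""},{""InternetMessageId"":""<a2@example.com>""}]}]}"
2024-05-01T10:16:00,alice@example.com,New-InboxRule,"{""Operation"":""New-InboxRule"",""Workload"":""Exchange"",""UserId"":""alice@example.com"",""ClientIP"":""203.0.113.5:51234"",""Parameters"":[{""Name"":""Name"",""Value"":""Invoices""},{""Name"":""DeleteMessage"",""Value"":""True""}]}"
2024-05-01T10:17:00,bob@example.com,FileDownloaded,"{not json"
"""

def normalise_ip(raw):
    """Strip the port and IPv6 brackets Purview appends to client IPs; None if unusable."""
    if not raw or raw.startswith("<"):          # e.g. "<null>"
        return None
    s = raw.strip()
    if s.startswith("["):                       # "[v6]:port"
        s = s[1:s.index("]")]
    elif s.count(":") == 1:                     # "v4:port" (a bare v6 address has more colons)
        s = s.split(":")[0]
    try:
        return str(ipaddress.ip_address(s))
    except ValueError:
        return None

def parse_export(csv_text):
    """Unpack each row's AuditData JSON into a flat record; unparseable rows go to an error list."""
    events, errors = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            data = json.loads(row["AuditData"])
        except (KeyError, ValueError) as exc:
            errors.append({"CreationDate": row.get("CreationDate"), "Error": str(exc)})
            continue
        props = {p["Name"]: p["Value"] for p in data.get("OperationProperties", [])}
        raw_ip = next((data[f] for f in ("ClientIPAddress", "ClientIP", "ActorIpAddress")
                       if data.get(f)), None)   # field name differs per workload
        events.append({
            "CreationDate": row["CreationDate"],
            "Operation": data.get("Operation"),
            "Workload": data.get("Workload"),
            "ClientIP": normalise_ip(raw_ip),
            "MailAccessType": props.get("MailAccessType"),      # Bind vs Sync
            "InternetMessageIds": [i["InternetMessageId"] for f in data.get("Folders", [])
                                   for i in f.get("FolderItems", []) if "InternetMessageId" in i],
            "RuleParameters": {p["Name"]: p["Value"] for p in data.get("Parameters", [])},
        })
    return events, errors
```

Each record in `events` maps onto one row of the All Events or Exchange-Investigation worksheets, and `errors` onto the Parser Errors worksheet.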