Incident response is a critical component of any organization’s cybersecurity strategy. With the increasing use of cloud-based services, it’s essential to have the right tools in place to quickly and effectively respond to security incidents.

In this post, I propose some of my favorite tools that can assist in investigation against Azure AD and Microsoft 365, useful to detect, investigate, and respond to security incidents.

Mandiant Azure AD Investigator


PowerShell module for detecting artifacts that may be indicators of UNC2452 and other threat actor activity.


The goal of the Hawk tool is to be a community lead tool and provides security support professionals with the tools they need to quickly and easily gather data from O365 and Azure.

Azure AD Investigator PowerShell module

The Azure Active Directory Incident Response PowerShell module provides a number of tools, developed by the Azure Active Directory Product Group in conjunction with the Microsoft Detection and Response Team (DART), to assist in compromise response.


Tooling to assist in Azure AD incident response.

AzureAD Security Assessment

Tools for assessing an Azure AD tenant state and configuration


PowerShell module containing tools for administering and hacking Azure AD and Office 365.

CISA Sparrow

Powershell tool created by CISA’s Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment. The tool is intended for use by incident responders, and focuses on the narrow scope of user and application activity endemic to identity and authentication based attacks seen recently in multiple sectors.

CrowdStrike Reporting Tool for Azure (CRT)


CRT is a free community tool that will help organizations quickly and easily review excessive permissions in their Azure AD environments to help determine configuration weaknesses and provide advice to mitigate this risk.

Azure Sentinel Detections

GitHub repository containing detections based on different types of data sources that you can leverage in order to create alerts and respond to threats in your environment. These detections are termed as Analytics Rule templates in Microsoft Sentinel.


A script, developed by PwC analysts, that makes possible to extract log data out of an Office365 environment.

Azure Hound

BloodHound data collector for Microsoft Azure