Analyzing Office365 Audit Logs For Compromise
Investigate suspected Microsoft 365 tenant compromise by querying and interpreting Unified Audit Log signals with an agent-guided workflow.
Overview
Analyzing Office365 Audit Logs For Compromise is an agent skill for the Operate phase that guides structured Microsoft 365 audit-log review to detect and scope tenant compromise.
Install
npx skills add https://github.com/mukul975/anthropic-cybersecurity-skills --skill analyzing-office365-audit-logs-for-compromiseWhat is this skill?
- Structured approach to Office 365 / Microsoft 365 Unified Audit Log review for breach indicators
- Maps common compromise TTPs to observable sign-in, mailbox, and admin-action events
- Supports incident scoping and timeline reconstruction from cloud audit exports
- Oriented to security operators and solo builders defending their own Microsoft tenant
- Pairs with broader cybersecurity skill packs from the same repository family
Adoption & trust: 1 installs on skills.sh; 14.9k GitHub stars; 3/3 security scanners passed (skills.sh audits); trending (+100% hot-view momentum).
What problem does it solve?
You suspect or confirmed activity in Microsoft 365 but the Unified Audit Log is huge and you do not know which events prove compromise versus normal admin noise.
Who is it for?
Solo founders or indie operators who administer their own Microsoft 365 tenant and need guided log interpretation after an alert or account takeover worry.
Skip if: Teams without Microsoft audit-log access, pure app-level OWASP reviews, or organizations that already run a mature SOC with standardized playbooks and do not need agent-assisted triage.
When should I use this skill?
When Microsoft 365 audit activity suggests account takeover, suspicious admin actions, or you need structured compromise analysis on Unified Audit Log data.
What do I get? / Deliverables
After the skill runs you have a prioritized timeline of suspicious audit events, likely attack paths, and concrete next checks to contain and remediate the tenant.
- Prioritized list of suspicious audit events with rationale
- Incident timeline draft and recommended containment checks
Recommended Skills
Journey fit
Post-incident and steady-state tenant defense live in Operate—where audit telemetry is reviewed, not during initial product build. Monitoring is the canonical shelf because the skill centers on continuous audit-log analysis for compromise indicators rather than one-off pen testing.
How it compares
Use for cloud identity audit triage instead of generic “debug my API” or frontend-focused agent skills.
Common Questions / FAQ
Who is analyzing-office365-audit-logs-for-compromise for?
Microsoft 365 administrators, indie SaaS operators, and security-conscious solo builders who must investigate tenant audit data without a full-time analyst.
When should I use analyzing-office365-audit-logs-for-compromise?
Use it in Operate when monitoring surfaces odd sign-ins, inbox rules, or admin changes; also after ship-phase security incidents when you pivot to production identity forensics.
Is analyzing-office365-audit-logs-for-compromise safe to install?
Treat it like any third-party security skill: review the Security Audits panel on this Prism page, confirm the repo source, and avoid pasting production secrets into the agent beyond what your investigation requires.
SKILL.md
READMESKILL.md - Analyzing Office365 Audit Logs For Compromise
Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to the Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by the Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of