
Audit log analyzer for Microsoft Purview

Project description

Purviewer

A powerful command-line tool for analyzing Microsoft Purview audit logs and Entra sign-ins. Extract insights from SharePoint, OneDrive, Exchange activity, and user authentication with comprehensive filtering, security analysis, and detailed reporting.

Features

File Operations Analysis

  • File Activity Tracking: Analyze downloads, uploads, deletions, and other file operations
  • Path Analysis: Track access patterns across SharePoint sites and OneDrive folders
  • Bulk Operations Detection: Identify suspicious mass downloads or deletions
  • File Timeline: Generate chronological timelines of file access events
  • URL Export: Export full SharePoint/OneDrive URLs for accessed files

User Activity Insights

  • User Mapping: Map user emails to display names via CSV import
  • Activity Filtering: Filter analysis by specific users or user groups
  • Top Users: Identify most active users by operation type
  • User Statistics: Detailed breakdown of user activity patterns

Security Analysis

  • IP Address Analysis: Track and analyze source IP addresses with optional geolocation lookup
  • User Agent Detection: Identify unusual or suspicious client applications
  • Suspicious Pattern Detection: Flag bulk operations, unusual access patterns, and after-hours activity
  • Network Filtering: Filter by specific IP addresses or exclude known good IPs

Exchange Activity

  • Email Operations: Track email sends, moves, deletions, and rule changes
  • Mailbox Access: Monitor folder access and email reading patterns
  • Client Application Tracking: Identify which applications accessed Exchange
  • Detailed Email Analysis: Extract subjects, senders, recipients, and attachments
  • CSV Export: Export complete Exchange activity to CSV for further analysis

Advanced Filtering

  • Date Range: Filter analysis to specific time periods
  • Action Types: Focus on specific operations (downloads, uploads, etc.)
  • File Keywords: Search for files containing specific keywords
  • IP Filtering: Include or exclude specific IP addresses with wildcard support

Sign-in Analysis (from Entra ID sign-in logs)

  • Authentication Tracking: Analyze user sign-ins from Microsoft Entra audit logs
  • Failure Detection: Identify failed sign-ins and authentication errors
  • Device Analysis: Track device types, operating systems, and client applications
  • Location Monitoring: Analyze sign-in locations and IP addresses
  • Security Insights: Detect unusual sign-in patterns and potential security issues

Usage

# Basic analysis
purviewer audit_log.csv

# Filter by specific actions
purviewer audit_log.csv --actions "FileDownloaded,FileUploaded"

# Analyze specific user
purviewer audit_log.csv --user "john.doe@company.com"

# Filter by date range
purviewer audit_log.csv --start-date "2025-01-01" --end-date "2025-01-31"

# Search for files containing keyword
purviewer audit_log.csv --file "confidential"

# Export Exchange activity to CSV
purviewer audit_log.csv --exchange-csv exchange_activity.csv

# Generate timeline view
purviewer audit_log.csv --timeline

# Export file URLs
purviewer audit_log.csv --urls

# IP analysis with geolocation lookup
purviewer audit_log.csv --with-lookups

# Filter by IP addresses
purviewer audit_log.csv --ips "192.168.1.*,10.0.0.0/8"

# Exclude specific IPs
purviewer audit_log.csv --exclude-ips "192.168.1.100"

# Use user mapping file
purviewer audit_log.csv --users-list users.csv

# Show detailed analysis
purviewer audit_log.csv --details

# Analyze sign-in data
purviewer signin_data.csv --entra

# Filter sign-ins by user or text
purviewer signin_data.csv --entra --signin-filter "admin"

# Exclude certain sign-ins and limit results
purviewer signin_data.csv --entra --signin-exclude "success" --signin-limit 10
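The Security Analysis and Advanced Filtering features above (bulk-operation detection, after-hours activity, and `--ips`/`--exclude-ips` with wildcard and CIDR patterns) can be reproduced in a few dozen lines over a Purview export. The script below is an added example written for this page, not purviewer's own code. It assumes the four-column layout of a Purview audit search export (CreationDate, UserIds, Operations, and a JSON AuditData blob with ClientIP and SourceFileName); the sample events, the 10-minute window and the threshold of five downloads are constructed assumptions.

```python
import csv
import fnmatch
import io
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, operation, client IP, file name).
# They are not real audit data; the column layout mirrors an assumed Purview
# audit search export: CreationDate, UserIds, Operations, AuditData (JSON).
_SAMPLE_EVENTS = [
    ("2025-01-15T09:00:05Z", "alice@example.com", "FileDownloaded", "203.0.113.10", "budget-q1.xlsx"),
    ("2025-01-15T09:00:40Z", "alice@example.com", "FileDownloaded", "203.0.113.10", "budget-q2.xlsx"),
    ("2025-01-15T09:01:12Z", "alice@example.com", "FileDownloaded", "203.0.113.10", "payroll.csv"),
    ("2025-01-15T09:02:30Z", "alice@example.com", "FileDownloaded", "203.0.113.10", "contracts.zip"),
    ("2025-01-15T09:03:01Z", "alice@example.com", "FileDownloaded", "203.0.113.10", "board-deck.pptx"),
    ("2025-01-15T09:04:44Z", "alice@example.com", "FileDownloaded", "203.0.113.10", "m-and-a.docx"),
    ("2025-01-15T10:15:00Z", "bob@example.com", "FileDownloaded", "10.0.0.5", "handbook.pdf"),
    ("2025-01-15T10:16:00Z", "bob@example.com", "FileUploaded", "10.0.0.5", "notes.txt"),
    ("2025-01-16T02:30:00Z", "carol@example.com", "FileDownloaded", "198.51.100.7", "customer-list.xlsx"),
]


def build_sample_csv():
    """Serialise the constructed events in the assumed export layout."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for ts, user, op, ip, name in _SAMPLE_EVENTS:
        audit = {"ClientIP": ip, "SourceFileName": name,
                 "SiteUrl": "https://contoso.sharepoint.com/sites/finance/"}
        writer.writerow([ts, user, op, json.dumps(audit)])
    return buf.getvalue()


def load_rows(csv_text):
    """Flatten each export row into a dict with a timezone-aware UTC timestamp."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        audit = json.loads(rec["AuditData"])
        rows.append({
            "time": datetime.fromisoformat(rec["CreationDate"].replace("Z", "+00:00")),
            "user": rec["UserIds"].lower(),
            "op": rec["Operations"],
            "ip": audit.get("ClientIP", ""),
            "file": audit.get("SourceFileName", ""),
        })
    return rows


def ip_matches(ip, pattern):
    """Match an IP against an exact address, a CIDR block or a '*' wildcard.
    Empty or unparseable addresses never match a CIDR pattern."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return fnmatch.fnmatchcase(ip, pattern)


def filter_by_ip(rows, include=None, exclude=None):
    """Keep rows whose ClientIP matches any include pattern and no exclude pattern."""
    kept = []
    for r in rows:
        if include and not any(ip_matches(r["ip"], p) for p in include):
            continue
        if exclude and any(ip_matches(r["ip"], p) for p in exclude):
            continue
        kept.append(r)
    return kept


def detect_bulk(rows, op="FileDownloaded", threshold=5, window=timedelta(minutes=10)):
    """Return {user: peak count} for users with >= threshold ops of one type
    inside any sliding window of the given length."""
    per_user = defaultdict(list)
    for r in rows:
        if r["op"] == op:
            per_user[r["user"]].append(r["time"])
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def after_hours(rows, open_hour=8, close_hour=18):
    """Rows outside the business window. Hours are UTC because Purview
    CreationDate values are UTC; shift them for the tenant's locale if needed."""
    return [r for r in rows if not (open_hour <= r["time"].hour < close_hour)]


if __name__ == "__main__":
    rows = load_rows(build_sample_csv())
    # Drop known-good internal ranges the way --exclude-ips would.
    external = filter_by_ip(rows, exclude=["10.0.0.0/8", "192.168.1.*"])
    print("bulk downloads:", detect_bulk(external))
    for r in after_hours(external):
        print("after-hours:", r["time"], r["user"], r["op"], r["file"], r["ip"])
```

Excluding the internal ranges first is what makes the bulk detector useful: a user syncing a library from an office address generates the same burst of `FileDownloaded` events as an external bulk pull, so the exclusion list carries most of the tuning. Some Purview records carry no ClientIP at all (service-side operations), which is why an empty address is treated as a non-match rather than an error.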

Installation

pip install purviewer

Requirements

  • Python 3.13+
  • Microsoft Purview audit log CSV export (for SharePoint/Exchange analysis)
  • Microsoft Entra sign-ins CSV export (for sign-in analysis)

Important Note: The sign-in analysis feature uses a different data source than the main Purview analysis. While most features analyze data from Microsoft Purview audit logs (SharePoint, OneDrive, Exchange), the --entra feature specifically requires a CSV export from Microsoft Entra ID's sign-in logs. These are two separate data sources with different formats and column structures.

The tool automatically detects SharePoint domains and email domains from your audit data, making it work seamlessly with any Microsoft 365 tenant.

License

Purviewer is released under the MIT License. See the LICENSE file for details.

Download files

Source Distribution

  • purviewer-0.2.0.tar.gz (31.1 kB, Source)

Built Distribution

  • purviewer-0.2.0-py3-none-any.whl (38.8 kB, Python 3)

File details

Details for the file purviewer-0.2.0.tar.gz.

File metadata

  • Download URL: purviewer-0.2.0.tar.gz
  • Size: 31.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for purviewer-0.2.0.tar.gz

  • SHA256: aad538f9e35151a7f7859410d6c3bfd72758aeb11c1c0094be2d2a091fa9baa1
  • MD5: ae1316b5a790cc27f83020ede3a04089
  • BLAKE2b-256: 838d8ad1c6e22a138b7556032d81653d9fb48cf99fd47d4b598771b52893ff38

Provenance

The following attestation bundles were made for purviewer-0.2.0.tar.gz:

Publisher: python-publish.yml on dannystewart/purviewer

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file purviewer-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: purviewer-0.2.0-py3-none-any.whl
  • Size: 38.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for purviewer-0.2.0-py3-none-any.whl

  • SHA256: 92ac51521e3a5a7cb682d4d4d03a17adbfe09cf1a246eeb547185502a694a475
  • MD5: 862ee20315c0f2fe2002d499d8435a90
  • BLAKE2b-256: 99147ea9b9f8fd8e9e06c04f86090599fc26d88ba5ccd421968687a01b9d4994

Provenance

The following attestation bundles were made for purviewer-0.2.0-py3-none-any.whl:

Publisher: python-publish.yml on dannystewart/purviewer

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
