Reportly - keep your head in the clouds. A new Azure visualization tool for analyzing user activities.

Reportly is a tool with the main goal of providing a “big picture” view for Azure user activities. Nowadays, in order to investigate Azure attacks, researchers need to collect and analyze information from various data sources. This can be done by inefficient ways, such as using PowerShell modules, exporting different logs into an XML file and scrolling each of them or manually exploring Azure logs. Reportly allows a researcher to generate a report containing the following information: 1. Activities initiated by the user in a given time range. 2. Activities targeting the user in a given time range. 3. User sign-in logs in a given time range. 4. Additional information such as: • Synchronization information (if exists) • User group memberships • User assigned roles • Seen IP address • Suspicious failed logins Reporly enables a far more efficient approach when researching Azure user information. By gathering multiple data sources into a single visualization, Reportly saves valuable time, especially in IR cases.

During the talk I will present a number of attacks that all occur in Azure AD and use the tool to show how a defender can investigate and identify these attacks.