A modern web-based analyzer for Microsoft Purview audit logs and Entra sign-ins. Upload, filter, and investigate SharePoint, OneDrive, and Exchange activity with an intuitive interface—no CLI required.
Note: purrrr is a detached fork of the original purviewer project. This version focuses exclusively on the web UI experience with Docker deployment and real-time filtering capabilities.
```bash
# Clone and start the web app
git clone <repo-url>
cd purrrr
docker compose up --build
# Access the interface at http://localhost:5000
```

Upload your CSV audit log, explore data with interactive filters, and export results—all in your browser.
- Real-Time Filtering: Filter by workload, user, operation, IP address (with wildcard support), and date range
- Pattern Detection: Automatically identify repetitive audit patterns across users, IPs, and operations
- Multiple IP Support: Filter by single or multiple IPs with wildcard patterns (e.g., `192.168.1.*`)
- CSV Import: Upload audit logs and optional user mapping files
- Session Management: Analyze multiple logs in separate sessions with persistent state
- File Operations: Track SharePoint/OneDrive file access, downloads, uploads, deletions
- User Activity: Map user emails to display names, analyze activity by user
- Exchange Activity: Monitor email operations, mailbox access, client applications
- IP Analysis: Track source IPs with optional geolocation lookup (manual trigger)
- User Agent Detection: Identify suspicious or unusual client applications
- CSV Export: Export filtered Exchange activity with all relevant fields
- JSON API: Access filtered results programmatically
- Multi-File Analysis: Combine results from multiple audit log uploads
- Batch Operations: Detect suspicious bulk deletions or downloads
- File Activity Tracking: Analyze downloads, uploads, deletions, and other file operations
- Path Analysis: Track access patterns across SharePoint sites and OneDrive folders
- Bulk Operations Detection: Identify suspicious mass downloads or deletions
- File Timeline: Generate chronological timelines of file access events
- URL Export: Export full SharePoint/OneDrive URLs for accessed files
- User Mapping: Map user emails to display names via CSV import
- Activity Filtering: Filter analysis by specific users or user groups
- Top Users: Identify most active users by operation type
- User Statistics: Detailed breakdown of user activity patterns
- IP Address Analysis: Track and analyze source IP addresses with optional geolocation lookup
- User Agent Detection: Identify unusual or suspicious client applications
- Suspicious Pattern Detection: Flag bulk operations, unusual access patterns, and after-hours activity
- Network Filtering: Filter by specific IP addresses or exclude known good IPs with wildcard support
- Email Operations: Track email sends, moves, deletions, and rule changes
- Mailbox Access: Monitor folder access and email reading patterns
- Client Application Tracking: Identify which applications accessed Exchange
- Detailed Email Analysis: Extract subjects, senders, recipients, and attachments
- CSV Export: Export complete Exchange activity to CSV for further analysis
- Date Range: Filter analysis to specific time periods
- Action Types: Focus on specific operations (downloads, uploads, etc.)
- File Keywords: Search for files containing specific keywords
- IP Filtering: Include or exclude specific IP addresses with wildcard support (e.g., `172.16.*,10.0.0.50`)
- Authentication Tracking: Analyze user sign-ins from Microsoft Entra audit logs
- Failure Detection: Identify failed sign-ins and authentication errors
- Device Analysis: Track device types, operating systems, and client applications
- Location Monitoring: Analyze sign-in locations and IP addresses
- Security Insights: Detect unusual sign-in patterns and potential security issues
- Docker and Docker Compose installed
- Microsoft Purview audit log CSV exports
```bash
cd purrrr
docker compose up --build
# Access at http://localhost:5000
```

The Docker setup includes:
- Flask Web App (Port 5000): Interactive audit log analysis interface
- Redis 7 (Alpine, Port 6379): Session and cache management
Edit `docker-compose.yml` before deployment:

```yaml
environment:
  - FLASK_ENV=production            # Set to 'development' for debug mode
  - REDIS_URL=redis://redis:6379/0  # Redis connection
  - UPLOAD_FOLDER=/tmp/purrrr       # Temporary upload directory
  - MAX_FILE_SIZE=500               # Max file size in MB
  - SECRET_KEY=your-secure-key      # CHANGE FOR PRODUCTION
```

```bash
# Install dependencies
pip install -r requirements.txt
# Run Flask app (requires Redis or uses filesystem fallback)
python run_web.py --host 0.0.0.0 --port 5000 --debug
```

- Change SECRET_KEY: Generate a random, secure key in `docker-compose.yml`
- Configure Redis: Use external Redis for scaling (set the `REDIS_URL` env var)
- Volume Mounting: Persist uploads and logs: `-v /secure/path/uploads:/tmp/purrrr -v /secure/path/logs:/app/logs`
- Reverse Proxy: Use Nginx/Traefik in front for SSL/TLS termination
- Health Checks: Endpoints checked every 30s; adjust in `docker-compose.yml` as needed
For command-line usage or automation scripts:

```bash
# Local installation
pip install purrrr
# Analyze from CLI
purrrr audit_log.csv --text
```

Note: The web UI is the primary interface. CLI mode is available for backwards compatibility.
- Python 3.13+
- Docker & Docker Compose (for web UI)
- Microsoft Purview audit log CSV export (SharePoint/OneDrive/Exchange analysis)
- Microsoft Entra sign-in CSV export (sign-in analysis, optional)
The tool automatically detects SharePoint domains and email domains from your audit data, ensuring seamless integration with any Microsoft 365 tenant.
- Upload: Select your Purview audit log CSV (and optional user mapping CSV)
- Analyze: System processes and displays all records with pattern detection
- Filter: Use dropdowns and text fields to narrow results:
  - Workload (Exchange, SharePoint, etc.)
  - User (exact or dropdown selection)
  - Operation (SendAs, FileDownloaded, etc.)
  - IP Address (exact, multiple comma-separated, or wildcard patterns)
  - Date/Time range
- Explore: View timeline, export filtered data, analyze patterns
- Export: Download Exchange activity or access results via JSON API
```
┌──────────────────────────────────────────────────────────┐
│                    Docker Environment                    │
├──────────────────────────────────────────────────────────┤
│                                                          │
│  ┌───────────────────┐         ┌────────────────────┐    │
│  │  Flask Web App    │◄───────►│  Redis Session     │    │
│  │  (Port 5000)      │         │  Cache             │    │
│  │  - File Upload    │         │  (Port 6379)       │    │
│  │  - Analysis API   │         │  - Sessions        │    │
│  │  - JSON API       │         │  - File Metadata   │    │
│  │  - HTML UI        │         │  - Filters         │    │
│  └───────────────────┘         └────────────────────┘    │
│           ▲                                              │
│           │ HTTP/WebSocket                               │
└───────────┼──────────────────────────────────────────────┘
            │
        Browser UI
     (localhost:5000)
```
- User uploads CSV file → Flask stores in Redis session
- DataFrame parsed and indexed for filtering
- Frontend applies filters in real-time (client-side)
- Pattern detection runs on filtered subset
- Results cached for multi-session access
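As an added illustration (not code from the purrrr project), the Python below sketches the filter-then-detect step of the data flow above: the comma-separated, wildcard IP include/exclude filter described under IP Filtering, followed by the bulk-download detection described under Pattern Detection. The record field names (`CreationTime`, `UserId`, `Operation`, `ClientIP`), the sliding-window approach and the sample records are assumptions constructed here, not the project's own format or algorithm.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from fnmatch import fnmatchcase


def parse_ip_patterns(spec):
    """Split a comma-separated filter such as '172.16.*,10.0.0.50'."""
    return [p.strip() for p in spec.split(",") if p.strip()]


def ip_matches(ip, include="", exclude=""):
    """Pass when ip is not excluded and (no include list or it matches one).
    '*' is a shell-style wildcard, as in the README's examples."""
    if any(fnmatchcase(ip, p) for p in parse_ip_patterns(exclude)):
        return False
    inc = parse_ip_patterns(include)
    return not inc or any(fnmatchcase(ip, p) for p in inc)


def detect_bulk_operations(records, operation, threshold, window=timedelta(minutes=10)):
    """Return {user: max count} for users performing `operation` at least
    `threshold` times within any sliding window of `window` length (assumed heuristic)."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == operation:
            by_user[r["UserId"]].append(r["CreationTime"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged


def _rec(t, user, op, ip):  # constructed record; field names are assumptions
    return {"CreationTime": datetime.fromisoformat(t), "UserId": user,
            "Operation": op, "ClientIP": ip}


# Constructed sample: one download each from alice and carol (carol from an
# excluded internal range) and a six-download burst within five minutes from bob.
SAMPLE = [_rec("2024-05-01T02:10:00", "alice@example.com", "FileDownloaded", "10.0.0.50"),
          _rec("2024-05-01T09:00:00", "carol@example.com", "FileDownloaded", "192.168.1.20")]
SAMPLE += [_rec(f"2024-05-01T02:{11 + i:02d}:00", "bob@example.com", "FileDownloaded", "172.16.4.9")
           for i in range(6)]


def analyze(records=SAMPLE, include="172.16.*,10.0.0.50", exclude="192.168.1.*", threshold=5):
    """Filter by IP first, then run bulk-operation detection on the filtered subset."""
    subset = [r for r in records if ip_matches(r["ClientIP"], include, exclude)]
    return detect_bulk_operations(subset, "FileDownloaded", threshold)
```

Exclusions win over inclusions, so a known-good range listed in `exclude` is dropped even when a broader `include` pattern would match it.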
purrrr is a detached fork of purviewer, refactored to focus exclusively on the web UI experience. Original features (CLI analysis, JSON output) are maintained for backwards compatibility, but all development prioritizes the interactive web interface.
Key improvements over purviewer:
- Modern web UI with real-time filtering
- Pattern detection and anomaly highlighting
- Wildcard IP filtering support
- Session-based multi-file analysis
- Docker-ready deployment
- Interactive pattern visualization
purrrr is released under the MIT License. See the LICENSE file for details.