In this module

IR1.6 Cloud Investigation Tools — KQL, Purview, Defender XDR

90-120 minutes · Module 1 · Free

Operational Objective

The Cloud Evidence Problem: the attacker's cloud activity — sign-ins from stolen credentials, mailbox access via replayed tokens, inbox rule creation for persistent email forwarding, SharePoint file downloads for data exfiltration, service principal manipulation for long-term persistence — is all logged by Microsoft. But the logs are scattered across multiple portals, retained for different durations, and queryable through different interfaces. If you do not know where each type of evidence lives, how to query it, and how long it is retained before it ages out, the cloud half of the investigation is invisible — even though the evidence exists and Microsoft is recording it.

Deliverable: Access configured and validated to the three primary M365 investigation interfaces: KQL in Defender XDR Advanced Hunting, Microsoft Purview Audit, and Microsoft Sentinel. M365 Developer Tenant deployed for the course lab. Investigation-ready KQL queries saved and tested. Log retention windows understood for evidence preservation planning.

⏱ Estimated completion: 25 minutes

Cloud Investigation Tools

No installation required — but you need to know which portal answers which question

Endpoint forensics requires downloading, installing, and configuring tools before you can analyze anything. Cloud investigation is different — the tools are already there. KQL queries run in the Defender XDR portal. Audit logs live in Purview. Sign-in analysis happens in Entra ID. The challenge is not installation — it is knowing which of the three investigation interfaces to use for each question, and how to write the queries that extract the evidence you need.

Unlike endpoint forensics, where you install tools on your forensic workstation and analyze collected artifacts, cloud investigation uses browser-based portals and query interfaces that are already part of your M365 environment. Nothing to install. Nothing to deploy. The tools are available right now — you just need to know which portal to open, which table to query, and how long the data is retained.

# M365 Developer Tenant Setup
# 1. Navigate to https://developer.microsoft.com/en-us/microsoft-365/dev-program
# 2. Sign in with a Microsoft account (create one if needed)
# 3. Join the Developer Program (free)
# 4. Choose "Instant sandbox" — pre-configured tenant
#    with 16 sample users and sample data
# 5. Record your credentials:
#    Admin: admin@<yourname>.onmicrosoft.com
#    Password: (set during setup)
#
# The instant sandbox includes:
#   16 users with mailboxes, OneDrive, and Teams
#   Sample emails and documents pre-populated
#   Simulated sign-in activity and audit log entries
#   E5 licensing: Defender XDR, Purview Audit (premium),
#   Entra ID P2, Defender for Endpoint, Cloud Apps, Identity
#
# Post-creation configuration:
# 1. Navigate to https://security.microsoft.com
#    Verify Advanced Hunting is accessible
# 2. Navigate to https://purview.microsoft.com → Audit
#    Verify audit log search returns data
# 3. Enable E5 audit events (may auto-enable):
Connect-ExchangeOnline -UserPrincipalName admin@yourtenant.onmicrosoft.com
Set-OrganizationConfig -AuditDisabled $false
Get-Mailbox -ResultSize Unlimited | Set-Mailbox -AuditEnabled $true
Disconnect-ExchangeOnline -Confirm:$false

// Validation: confirm your Advanced Hunting access works
// Run each query and verify it returns data

// 1. Sign-in activity
SigninLogs
| where TimeGenerated > ago(7d)
| summarize Count = count() by UserPrincipalName, ResultType
| sort by Count desc
| take 10
// ResultType 0 = success. Anything else = failure/interruption.
// If this returns data, identity investigation is operational.

// 2. Email telemetry
EmailEvents
| where Timestamp > ago(7d)
| summarize Count = count() by SenderFromAddress
| sort by Count desc
| take 10
// If this returns data, email investigation is operational.

// 3. Device telemetry (if endpoints are onboarded)
DeviceProcessEvents
| where Timestamp > ago(7d)
| summarize Count = count() by DeviceName
| sort by Count desc
| take 5
// If this returns data, endpoint investigation via KQL is operational.

// IDENTITY COMPROMISE: Sign-ins from unfamiliar locations
// Use after a phishing report to determine if credentials were used
// Adapt: change UPN and time window to match the incident
SigninLogs
| where TimeGenerated > ago(24h)
| where UserPrincipalName == "jmorrison@northgateeng.com"
| where ResultType == 0  // Successful sign-ins only
| project TimeGenerated, UserPrincipalName, IPAddress,
    Location, DeviceDetail, UserAgent,
    ConditionalAccessStatus, RiskLevelDuringSignIn,
    AuthenticationRequirement, MfaDetail
| sort by TimeGenerated desc
// INTERPRETATION:
// Look for: unfamiliar IPs, unexpected countries, new device details,
// risk level "high" or "medium", MFA not satisfied (token replay),
// UserAgent strings that don't match the user's known browser/OS

// EMAIL SCOPE: What did the compromised mailbox receive?
// Use after confirming identity compromise to determine email exposure
EmailEvents
| where Timestamp > ago(7d)
| where RecipientEmailAddress == "jmorrison@northgateeng.com"
| where DeliveryAction == "Delivered"
| project Timestamp, SenderFromAddress, Subject,
    DeliveryAction, AttachmentCount, UrlCount, ThreatTypes
| sort by Timestamp desc
// Cross-reference with Purview MailItemsAccessed to determine
// which delivered emails the attacker actually read

// SCOPE DETERMINATION: All accounts that clicked the phishing URL
// Use when you have identified the specific phishing URL
EmailUrlInfo
| where Timestamp > ago(7d)
| where Url contains "malicious-phishing-domain.com"
| join kind=inner (
    EmailEvents
    | where DeliveryAction == "Delivered"
) on NetworkMessageId
| distinct RecipientEmailAddress
// EACH RESULT = a potentially compromised account
// Run the identity compromise query for EACH of these accounts
// This is how one phishing email becomes a 12-account investigation

// INBOX RULE DETECTION: Find attacker-created forwarding rules
// Use after identity compromise to check for persistent email access
// Inbox rules survive password reset — the attacker maintains access
// via forwarding even after credentials are changed
CloudAppEvents
| where Timestamp > ago(30d)
| where ActionType == "New-InboxRule"
| where AccountObjectId == "<compromised user object ID>"
| project Timestamp, AccountDisplayName,
    RawEventData.Parameters
| sort by Timestamp desc
// Look for: rules that forward to external addresses,
// rules that delete emails matching specific criteria,
// rules with suspicious names (".", "Update", " ")

# Validate Purview Audit access
Connect-ExchangeOnline -UserPrincipalName admin@yourtenant.onmicrosoft.com

# Search for MailItemsAccessed events for the compromised user
$results = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -UserIds "jmorrison@northgateeng.com" -Operations MailItemsAccessed -ResultSize 100

# Examine the results
$results | ForEach-Object {
    $auditData = $_.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
        Timestamp    = $auditData.CreationTime
        User         = $auditData.UserId
        Operation    = $auditData.Operation
        ClientIP     = $auditData.ClientIPAddress
        MailboxOwner = $auditData.MailboxOwnerUPN
        ItemCount    = ($auditData.Folders | ForEach-Object { $_.FolderItems.Count } | Measure-Object -Sum).Sum
    }
}

Disconnect-ExchangeOnline -Confirm:$false

# Sentinel setup checklist (portal-based configuration):
#
# 1. Create a Log Analytics workspace (if not already existing)
#    Azure Portal → Create a resource → Log Analytics workspace
#    Region: same as your M365 tenant for lowest latency
#
# 2. Add Microsoft Sentinel to the workspace
#    Azure Portal → Microsoft Sentinel → Add → select your workspace
#
# 3. Enable data connectors (Sentinel → Data connectors):
#    Microsoft 365 (Exchange, SharePoint, Teams activity)
#      → Provides: OfficeActivity table
#    Microsoft Entra ID (sign-in logs, audit logs, provisioning)
#      → Provides: SigninLogs, AuditLogs tables
#    Microsoft Defender XDR (incidents, alerts, device events)
#      → Provides: SecurityIncident, SecurityAlert, Device* tables
#    Azure Activity (Azure management operations)
#      → Provides: AzureActivity table
#
# 4. Verify data flow

// Sentinel validation: check which tables have data
search *
| where TimeGenerated > ago(24h)
| distinct $table
| sort by $table asc
// Expected for a well-configured Sentinel:
// AuditLogs, AzureActivity, OfficeActivity, SecurityAlert,
// SecurityIncident, SigninLogs, and Device* tables if
// Defender XDR connector is enabled

// Verify sign-in data is flowing
SigninLogs
| where TimeGenerated > ago(24h)
| summarize Count = count()
// Any count > 0 confirms Entra ID data is reaching Sentinel

# Evidence preservation: export audit logs to case folder
# Run this IMMEDIATELY when an incident is detected

$caseId = "INC-NE-2026-0315-001"
$outputPath = "C:\IR\Cases\$caseId\Evidence\AuditLogs"
New-Item -ItemType Directory -Path $outputPath -Force

Connect-ExchangeOnline -UserPrincipalName admin@yourtenant.onmicrosoft.com

# Export all audit events for the compromised user
# Adjust date range to cover the full compromise window
$startDate = "2026-03-01"
$endDate = "2026-03-16"
$userId = "jmorrison@northgateeng.com"

$allResults = @()
$sessionId = "AuditExport_$(Get-Date -Format 'yyyyMMddHHmm')"

do {
    $batch = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -UserIds $userId -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $allResults += $batch
    Write-Host "Retrieved $($allResults.Count) records..." -ForegroundColor Cyan
} while ($batch.Count -eq 5000)

$allResults | Export-Csv "$outputPath\audit_export_$($userId.Replace('@','_')).csv" -NoTypeInformation

Write-Host "Exported $($allResults.Count) audit records to $outputPath" -ForegroundColor Green
Disconnect-ExchangeOnline -Confirm:$false

# Live Response capabilities (commands available in the session):
#
# File operations:
#   fileinfo <path>     — file metadata (size, hash, timestamps)
#   getfile <path>      — download a file from the endpoint
#   putfile <filename>  — upload a file TO the endpoint
#   findfile <name>     — search for files by name
#
# Process operations:
#   processes           — list running processes
#   connections         — list network connections
#
# Script execution:
#   run <script.ps1>    — execute a pre-uploaded PowerShell script
#   library             — list available scripts in the library
#
# Evidence collection:
#   remediate file <path> — quarantine a malicious file
#   collect <file>       — collect a file for analysis
#
# Analysis:
#   analyze file <path>  — submit file for cloud analysis
#   trace <pid>          — start/stop ETW trace on a process

// WORKED EXAMPLE: Build the complete picture of a compromised account
// This query joins identity, email, and cloud tables to show
// everything the attacker did after authentication

// Step 1: Find the suspicious sign-in
let compromisedUser = "jmorrison@northgateeng.com";
let attackStartTime = datetime(2026-03-15T14:29:00Z);
let attackEndTime = datetime(2026-03-15T16:00:00Z);
// Step 2: What emails arrived during the attack window?
EmailEvents
| where Timestamp between (attackStartTime .. attackEndTime)
| where RecipientEmailAddress == compromisedUser
| where DeliveryAction == "Delivered"
| project Timestamp, SenderFromAddress, Subject, AttachmentCount
| sort by Timestamp asc
// Step 3: What cloud app activity occurred?
// Run separately — joins across domains can be complex
CloudAppEvents
| where Timestamp between (attackStartTime .. attackEndTime)
| where AccountObjectId == "<user object ID>"
| project Timestamp, ActionType, Application, ActivityObjects
| sort by Timestamp asc
// These two queries together show: what the attacker received
// in email AND what they accessed in cloud apps. Combine with
// SigninLogs from the identity query to build the full timeline.

Expand for Deeper Context

Microsoft provides three primary interfaces for investigation, each with different data access, query capability, and retention:

Defender XDR Advanced Hunting (security.microsoft.com → Hunting → Advanced Hunting). KQL queries against 30+ normalized tables spanning email events, device events, identity events, cloud app events, and security alerts. Retention: 30 days standard, up to 180 days for some tables with E5 licensing. This is the primary investigation interface for active incidents — fast queries, rich schema, and access to cross-domain data. Used in every cloud investigation module (IR8-IR12) and every Phase 4 scenario.

Microsoft Purview Audit (purview.microsoft.com → Audit). The comprehensive M365 activity trail. Records every user and admin action across Exchange, SharePoint, OneDrive, Teams, Entra ID, Power Platform, and more. Retention: 180 days (E3) or 365 days (E5). The critical E5-only capability: MailItemsAccessed — the audit event that records exactly which email messages were accessed (read) by a user or application. Without this event, you can determine that an attacker had mailbox access; with it, you can determine exactly which emails they read, which is the difference between "possible data exposure" and "confirmed exposure of 47 invoices containing banking details" in the IR report.

Microsoft Sentinel (portal.azure.com → Sentinel workspace). The SIEM layer that aggregates data from all Microsoft sources (and third-party sources via data connectors) into a single Log Analytics workspace queryable with KQL. Retention: configurable from 90 days to 12 years. Sentinel provides long-term log retention that outlasts the other interfaces, cross-source correlation (join sign-in logs with email events with device events in a single query), custom analytics rules for detection, and automation playbooks for containment. If Purview audit logs have aged out (90 days past for E3), Sentinel may still have the data.

Figure IR1.6a: The three M365 investigation interfaces. Defender XDR Advanced Hunting is fastest for active incident queries. Purview Audit provides the deepest email forensics (MailItemsAccessed). Sentinel provides the longest retention and cross-source correlation. A complete cloud investigation may use all three.

---

Setting up the M365 Developer Tenant

If you do not have access to a production M365 environment with E5 licensing, set up a free M365 Developer Tenant for the course lab. The Developer Program provides an E5 subscription with 25 user licenses, valid for 90 days and automatically renewable as long as you are actively using it for development/testing.

If you can't get a developer tenant: Microsoft has restricted the Developer Program since early 2024. It now requires a Visual Studio Professional/Enterprise subscription or Partner Program membership. If you don't qualify: try Visual Studio Dev Essentials (free) at visualstudio.microsoft.com first, then retry. Otherwise, purchase a single M365 E5 license ($57/user/month) or start with a Business Premium trial ($22/user/month after trial). Business Premium covers Defender for Office 365 and basic investigation but not Defender for Endpoint P2 or advanced audit — some IR modules will be limited. See MSA0.6 — Alternative Lab Options for detailed instructions.

---

KQL in Defender XDR Advanced Hunting

Advanced Hunting is the primary investigation interface for active incidents. It provides KQL access to 30+ tables organized by data domain. The query editor is at security.microsoft.com → Hunting → Advanced Hunting.

The key investigation tables:

Identity tables: SigninLogs and AADNonInteractiveUserSignInLogs — every authentication to the tenant. User, IP address, device, location (city/country derived from IP), conditional access evaluation results, MFA status, risk level, user agent string. This is the first table you query when investigating a compromised identity. IdentityLogonEvents — a unified view of logon events across Entra ID and on-premises Active Directory.

Email tables: EmailEvents — every email sent, received, and acted upon. Sender, recipient, subject, delivery action, threat detection results. EmailAttachmentInfo — file name, size, SHA256 hash for every email attachment. EmailUrlInfo — every URL in every email. EmailPostDeliveryEvents — post-delivery actions (ZAP, user-reported, admin-removed). These tables power IR9 (Email Forensics).

Device tables: DeviceProcessEvents — every process execution on Defender-managed endpoints. DeviceFileEvents — file creation, modification, deletion. DeviceNetworkEvents — network connections with process attribution. DeviceRegistryEvents — registry modifications. These provide the same evidence as KAPE + EZTools but from Defender's telemetry rather than forensic artifact parsing.

Cloud tables: CloudAppEvents — cloud application activity from Defender for Cloud Apps. SharePoint file access, OneDrive operations, Teams messaging, Power Platform actions. AuditLogs (Sentinel) — Entra ID administrative changes.

---

Investigation-ready KQL queries

Save these queries in your Advanced Hunting library under a folder named "IR Toolkit." They are the starting points for the investigation patterns taught in Phase 3 and used in Phase 4 scenarios.

---

Microsoft Purview Audit

Purview provides the audit trail that Advanced Hunting does not fully cover. The critical capability is MailItemsAccessed — the E5-only audit event that records each individual email item accessed in a mailbox. This event is the evidence that transforms "the attacker had mailbox access" into "the attacker read 47 emails containing invoice data from the Finance folder between 14:29 and 14:58 UTC."

Purview Audit records operations across the entire M365 ecosystem. The key operations for IR:

Exchange operations (IR9): MailItemsAccessed (email read — E5 only), Send (email sent from the mailbox), MoveToDeletedItems (email deleted to cover tracks), New-InboxRule (attacker creates forwarding), Set-Mailbox (mailbox settings modified including forwarding address), UpdateInboxRules (existing rules modified), SearchCreated (attacker runs content search within the mailbox).

SharePoint/OneDrive operations (IR10): FileAccessed (file viewed or downloaded), FileDownloaded (file explicitly downloaded), FileMoved (file relocated — data staging for exfiltration), FileDeleted (file deleted), SharingSet (sharing permissions changed — data exfiltration via external sharing), SyncDownloadedFileFromTenant (file synced to a device — local data exfiltration).

Entra ID operations (IR11): Add member to role (privilege escalation), Add application (attacker registers malicious OAuth app), Add service principal credential (attacker adds secret for persistence), Update application (attacker modifies app permissions), Consent to application (user or admin grants permissions to malicious app).

Interpreting MailItemsAccessed. The audit record contains: the ClientIPAddress (was it the legitimate user's IP or the attacker's?), the UserAgent (was it Outlook or a script?), the Folders array (which mailbox folders were accessed — Inbox, Sent Items, specific subfolders), and within each folder, the FolderItems array (the InternetMessageId of each email accessed). The InternetMessageId is the unique identifier for the specific email — this is what proves the attacker read a particular message. Cross-reference the InternetMessageId with the EmailEvents table in Advanced Hunting to identify the sender, subject, and content of the accessed email. This cross-referencing workflow is the core of email forensics in IR9.

---

Microsoft Sentinel setup

For investigators who have Sentinel available (it requires an Azure subscription), enabling the key data connectors ensures that investigation-relevant logs flow into the SIEM for long-term retention and cross-source KQL queries.

Sentinel's value for IR is retention depth and cross-source correlation. A single KQL query in Sentinel can join sign-in events (SigninLogs) with email activity (OfficeActivity) with file access (OfficeActivity SharePoint operations) — correlating the attacker's authentication, mailbox access, and data exfiltration in one query spanning all three data sources. This is significantly more powerful than querying each source independently through separate portals.

---

Defender XDR Live Response

Live Response is the remote investigation capability built into Defender for Endpoint. It provides a command-line session on any managed endpoint through the Defender portal — no VPN, no agent deployment, no physical access required. Navigate to security.microsoft.com → Endpoints → Device inventory → select a device → Initiate Live Response session.

Available commands include: getfile (download a specific file from the endpoint to the portal for analysis), putfile (upload a file — for example, a KAPE binary — to the endpoint), run (execute a pre-uploaded script on the endpoint), processes (list running processes), connections (list network connections), scheduledtasks (list scheduled tasks), registry (query registry keys), and trace (capture a network trace). Advanced commands (enabled per-session) include remediate (remove files, stop processes, clean registry) and library manage (manage the script library for reuse).

Live Response is the enterprise alternative to Velociraptor for Defender-managed endpoints. It requires Defender for Endpoint Plan 2 licensing. The endpoint must be onboarded to Defender and connected (not isolated from the network or powered off). The capability is available for Windows, macOS, and Linux endpoints enrolled in Defender.

For environments where both Velociraptor and Defender XDR are available, Live Response provides quick evidence pulls from the portal (faster than setting up a Velociraptor collection for a single file), while Velociraptor provides deeper forensic collection and enterprise-wide hunting that Live Response cannot match.

---

Evidence export and preservation

When an incident is detected, immediately export the relevant audit logs to the case folder. This is not optional — it is evidence preservation. If the investigation extends beyond the retention window, the unexported data is permanently lost.

This export creates a local copy of the audit data that is independent of the retention window. Even if the data ages out of Purview or Sentinel, the exported CSV remains in the case folder. Hash the export file immediately after creation and record the hash in the chain of custody log. IR2 covers the complete evidence preservation methodology.

---

Splunk as enterprise SIEM alternative

If your organization uses Splunk instead of Sentinel, the investigation approach is identical — the data sources are the same, the evidence is the same, the investigation questions are the same. The query language differs: SPL (Search Processing Language) instead of KQL. The Splunk Add-on for Microsoft 365 ingests the same sign-in logs, audit logs, email events, and cloud app events.

This course teaches investigation in KQL because it is native to the Microsoft ecosystem and available in every M365 tenant without additional licensing. Where investigation queries are complex enough to warrant a Splunk equivalent, the course provides both. The investigation reasoning — what to look for, how to interpret it, what it proves — transfers directly between platforms.

---

Defender XDR Live Response

Live Response is the remote investigation capability built into Defender for Endpoint. It provides a command-line session on any managed endpoint through the Defender portal — no VPN, no Velociraptor agent, no physical access required. The session runs with SYSTEM privileges on the endpoint.

Navigate to security.microsoft.com → Endpoints → Device inventory → select a device → Initiate Live Response Session. The session provides a restricted command set designed for IR:

Live Response requires Defender for Endpoint P2 licensing, and the endpoint must be onboarded to Defender. The session has a timeout (default 30 minutes, extendable to 3 hours). Scripts must be pre-uploaded to the Live Response library before they can be executed — you cannot type arbitrary PowerShell commands in the session (this is a security control to prevent misuse).

When to use Live Response vs Velociraptor: Use Live Response when the endpoint has Defender for Endpoint but does not have the Velociraptor agent. Use Velociraptor when you need full forensic collection (KAPE-equivalent), enterprise-wide hunting, or capabilities beyond the Live Response command set. In environments where both are available, Velociraptor provides deeper forensic capability while Live Response provides quick evidence pulls without additional agent deployment.

---

Advanced Hunting schema: the complete investigation table reference

The Defender XDR Advanced Hunting schema contains 30+ tables. Knowing which table answers which investigation question prevents wasted time querying the wrong data source. This reference maps the most investigation-relevant tables to the modules where they are used.

Identity investigation (IR8): SigninLogs — interactive user sign-ins. Contains: UserPrincipalName, IPAddress, Location (city/country), DeviceDetail, UserAgent, ConditionalAccessStatus, RiskLevelDuringSignIn, AuthenticationRequirement, MfaDetail, ResultType. This is the primary table for identity compromise investigation. AADNonInteractiveUserSignInLogs — background token refreshes, service-to-service auth. Less visible to the user but critical for detecting token replay attacks where the attacker uses a stolen refresh token. AADServicePrincipalSignInLogs — service principal authentication. If the attacker compromised or created a service principal (application identity), this table shows the authentication events.

Email investigation (IR9): EmailEvents — the master email table. Every email with sender, recipient, subject, delivery action, threat detection. EmailAttachmentInfo — attachment name, size, SHA256 hash. Join with EmailEvents on NetworkMessageId. EmailUrlInfo — every URL in every email. Join with EmailEvents on NetworkMessageId to find which recipients received emails containing a specific URL. EmailPostDeliveryEvents — what happened after delivery: ZAP removal, user reporting, admin purge.

Endpoint investigation (IR3-IR7, via Defender telemetry): DeviceProcessEvents — process creation with full command line, parent process, user, timestamp. The Defender equivalent of Prefetch + Event ID 4688. DeviceFileEvents — file creation, modification, rename, delete with full path and SHA256. DeviceNetworkEvents — outbound connections with process attribution, remote IP, port. DeviceRegistryEvents — registry key creation, modification, deletion. DeviceLogonEvents — logon events on managed endpoints.

Cloud application investigation (IR10-IR11): CloudAppEvents — all cloud app activity monitored by Defender for Cloud Apps. SharePoint file access, OneDrive operations, Teams activity, Power Platform actions. IdentityDirectoryEvents — Entra ID administrative changes: role assignments, group membership, app registrations.

Alert and incident correlation: AlertInfo + AlertEvidence — Defender alerts with their associated evidence (processes, files, IPs, users). Join these with investigation tables to build the full context around each alert.

Worked investigation finding — cloud evidence discovery:

Finding: Defender XDR Advanced Hunting query against SigninLogs identified 3 successful sign-ins for jmorrison@northgateeng.com from IP 185.220.101.47 (Tor exit node, Germany) between 14:29 and 14:47 UTC on March 15. ConditionalAccessStatus: "success" (no CA policy blocked the sign-in). RiskLevelDuringSignIn: "high". AuthenticationRequirement: "singleFactorAuthentication" — MFA was not required, indicating a session token replay that bypassed MFA. The user's normal sign-in pattern shows connections exclusively from UK IP ranges.

Proves: The compromised account was accessed from an unauthorized location using a replayed session token that bypassed MFA. Three separate authentication events confirm sustained access over an 18-minute window. Does not prove: What the attacker accessed during these sessions. How the session token was obtained (phishing, AiTM proxy, malware). Whether the attacker accessed other accounts using the same method. Next step: Query Purview Audit for MailItemsAccessed events during the 14:29-14:47 window to determine which emails were read. Check for inbox rule creation (New-InboxRule events). Run the scope determination query against EmailUrlInfo to identify all recipients of the phishing URL that likely harvested this token.

Compliance Myth

"We use Splunk, so the KQL-based investigation content does not apply to us."

Production reality: The investigation methodology is platform-independent. "Find all successful sign-ins for the compromised account in the 24 hours following the phishing email delivery" is the same investigation step whether expressed in KQL (SigninLogs | where UserPrincipalName == "...") or SPL (index=azure_ad sourcetype=azure:aad:signin user="..."). The data is identical — Microsoft generates it. The query language is the delivery mechanism. If you can follow the investigation reasoning, you can translate the queries to any SIEM. IR12 includes a cross-reference table for the most common IR queries in both KQL and SPL.

Build it: Validate all three cloud investigation interfaces

Run the three validation queries in Defender XDR Advanced Hunting

Run the three validation queries in Defender XDR Advanced Hunting. Confirm SigninLogs and EmailEvents return data. Connect to Exchange Online via PowerShell and run a Purview Audit search. If Sentinel is configured, verify data flow. Save the investigation-ready KQL queries to your Advanced Hunting library. Each successful validation confirms one cloud evidence source for the investigation modules in Phase 3. If any interface fails, troubleshoot before proceeding — Phase 3 depends on these being operational.

Beyond this investigation

The techniques taught in this subsection apply beyond the specific scenario presented here. The same evidence sources, tools, and analytical methods are used across ransomware, BEC, insider threat, and APT investigations — the context changes but the methodology is consistent.

Artifact Output

Cloud tools operational at depth: You understand the three M365 investigation interfaces and their different data access, query capability, and retention windows. KQL Advanced Hunting returns data from identity, email, and device tables. Purview Audit search is accessible via both the portal and PowerShell. Sentinel (if configured) shows data flowing. Investigation-ready KQL queries are saved in the Advanced Hunting library. Log retention windows are understood for evidence preservation planning. The M365 Developer Tenant provides a lab environment for all course exercises. Cloud investigation tools are ready for IR8-IR12 and every investigation scenario in Phase 4.

Next objective → IR1.7 PowerShell for Incident Response

Decision point

The investigation reveals the attacker accessed the compromised user's email for 5 days. The user's mailbox contains emails with supplier pricing, employee salaries, and a board presentation. The CISO asks: 'What did the attacker read?' Can you answer definitively?

Only if MailItemsAccessed auditing is enabled (requires E5 + advanced auditing). If enabled: query OfficeActivity for MailItemsAccessed (Bind) events from the attacker's IP — this shows exactly which emails were opened. If NOT enabled: you can only confirm the attacker had ACCESS to the mailbox for 5 days, not which specific emails they read. The IR report must distinguish between 'accessed' (confirmed) and 'read' (confirmed only with MailItemsAccessed). Overstating the finding ('the attacker read all emails') when the evidence shows only 'the attacker had mailbox access' is a forensic accuracy failure.

← Previous Next →