Query Details

Identify Mail Items Accessed By A Specific IP Address CISA

Query

//Query is from CISA Playbook https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf
//Get sessions associated with suspicious IP address
let bad_sessions = materialize (
AADSignInEventsBeta
| where IPAddress == 'x.x.x.x' //Replace with IP of interest
| where isempty(SessionId) == false
| distinct SessionId
);
//Get any mail accessed during suspicious sessions
CloudAppEvents
| where ActionType == 'MailItemsAccessed'
| where RawEventData.SessionId has_any (bad_sessions)

Explanation

This query is designed to identify suspicious activity related to a specific IP address and any mail accessed during those sessions. Here's a simplified breakdown:

  1. Identify Suspicious Sessions:

    • The query first looks at sign-in events (AADSignInEventsBeta) to find sessions associated with a specific IP address (x.x.x.x).
    • It filters out any events where the SessionId is empty, ensuring only valid sessions are considered.
    • It then creates a list of unique session IDs (SessionId) that are associated with this suspicious IP address. This list is stored in a temporary table called bad_sessions.
  2. Find Mail Accessed in Those Sessions:

    • The query then examines cloud application events (CloudAppEvents) to find instances where mail items were accessed.
    • It specifically looks for actions labeled as 'MailItemsAccessed'.
    • It checks if the session IDs from these mail access events match any of the session IDs in the bad_sessions list.
    • The result is a list of mail access events that occurred during the suspicious sessions identified earlier.

In summary, this query helps track down any mail accessed during sessions that were initiated from a suspicious IP address, potentially indicating unauthorized or malicious activity.
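The same two-step correlation, written in Python over constructed sample rows so the logic can be run and checked offline (an added example, not code from the CISA playbook or this page). Column names and the RawEventData layout are assumptions modelled on the tables the query reads, and exact set membership stands in for the KQL has_any operator.

```python
import json

# Constructed sample rows (not real telemetry); field names follow the
# AADSignInEventsBeta and CloudAppEvents columns used in the page's query.
SIGNIN_EVENTS = [
    {"Timestamp": "2025-01-20T08:01:00Z", "AccountUpn": "alice@example.com",
     "IPAddress": "203.0.113.7", "SessionId": "sess-aaa"},
    {"Timestamp": "2025-01-20T08:05:00Z", "AccountUpn": "alice@example.com",
     "IPAddress": "198.51.100.9", "SessionId": "sess-bbb"},
    {"Timestamp": "2025-01-20T08:09:00Z", "AccountUpn": "bob@example.com",
     "IPAddress": "203.0.113.7", "SessionId": ""},          # empty: dropped
    {"Timestamp": "2025-01-20T09:30:00Z", "AccountUpn": "bob@example.com",
     "IPAddress": "203.0.113.7", "SessionId": "sess-ccc"},
]

def mail_event(ts, upn, action, session_id, message_ids):
    """Build a CloudAppEvents-like row; RawEventData is a JSON string (assumed layout)."""
    raw = {"SessionId": session_id, "OperationCount": len(message_ids),
           "Folders": [{"Path": "\\Inbox",
                        "FolderItems": [{"InternetMessageId": m} for m in message_ids]}]}
    return {"Timestamp": ts, "AccountUpn": upn, "ActionType": action,
            "RawEventData": json.dumps(raw)}

CLOUDAPP_EVENTS = [
    mail_event("2025-01-20T08:02:00Z", "alice@example.com", "MailItemsAccessed", "sess-aaa", ["<m1@example.com>", "<m2@example.com>"]),
    mail_event("2025-01-20T08:06:00Z", "alice@example.com", "MailItemsAccessed", "sess-bbb", ["<m3@example.com>"]),
    mail_event("2025-01-20T08:07:00Z", "alice@example.com", "Send", "sess-aaa", []),  # not a mail read
    mail_event("2025-01-20T09:31:00Z", "bob@example.com", "MailItemsAccessed", "sess-ccc", ["<m4@example.com>"]),
    mail_event("2025-01-20T09:40:00Z", "bob@example.com", "MailItemsAccessed", "", ["<m5@example.com>"]),  # no session
]

def suspicious_sessions(signin_events, ip):
    """Step 1 of the query: distinct, non-empty SessionIds that signed in from `ip`."""
    return {e["SessionId"] for e in signin_events if e["IPAddress"] == ip and e.get("SessionId")}

def mail_accessed_in_sessions(cloudapp_events, sessions):
    """Step 2: MailItemsAccessed rows whose RawEventData.SessionId is one of `sessions`."""
    hits = []
    for e in cloudapp_events:
        if e["ActionType"] != "MailItemsAccessed":
            continue
        raw = json.loads(e["RawEventData"])
        sid = raw.get("SessionId") or ""
        if sid not in sessions:          # empty or unrelated session: skip
            continue
        ids = [item.get("InternetMessageId") for f in raw.get("Folders", [])
               for item in f.get("FolderItems", [])]
        hits.append({"Timestamp": e["Timestamp"], "AccountUpn": e["AccountUpn"],
                     "SessionId": sid, "MessageIds": ids})
    return hits

def hunt(signin_events, cloudapp_events, ip):
    """Full query: mail accessed during sessions that signed in from `ip`."""
    return mail_accessed_in_sessions(cloudapp_events, suspicious_sessions(signin_events, ip))

if __name__ == "__main__":
    for h in hunt(SIGNIN_EVENTS, CLOUDAPP_EVENTS, "203.0.113.7"):
        print(h)
```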

Details

Jay Kerai

Released: January 20, 2025

Tables

AADSignInEventsBeta, CloudAppEvents

Keywords

AADSignInEventsBeta, IPAddress, SessionId, CloudAppEvents, ActionType, RawEventData

Operators

let, materialize, where, isempty, distinct, has_any