Docker-compose
KAPE / Zimmerman tools
Hayabusa events
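``` Hayabusa output (run from the KAPE/Zimmerman triage) ingested into Splunk. The Hayabusa column is ExtraFieldInfo; "extrafielnfo" in the original was a typo and returned an empty column. Exact case of the field names depends on how the CSV/JSON was ingested, so check one event if a column comes back empty. sort truncates to 10,000 events unless given a limit of 0 — easy to miss on a noisy host. Narrow with level IN (crit, high) when the result set is large. ```
index=* source="windows_evtx_hayabusa"
| table _time, computer, level, ruletitle, details, extrafieldinfo, eventid, recordid
| sort 0 -_time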
M365 / Azure AD
Initial Access
Login
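``` UAL sign-in events for one account. UserLoginFailed is included so password-spray / brute-force attempts show up next to the success that followed; use ResultStatus (Success / Failed) to separate them. ClientIP can be a VPN, proxy or Microsoft service egress address, so pivot on ApplicationId and DeviceProperties before treating it as the attacker's IP. User agent and request type are nested under ExtendedProperties (Name/Value pairs). ```
index=o365 Operation IN (UserLoggedIn, UserLoginFailed) "<email>"
| table _time, ClientIP, UserId, Operation, ResultStatus, Workload, ApplicationId, DeviceProperties*, ExtendedProperties*
| sort 0 -_time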
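``` Entra ID interactive sign-in log for one account. status.errorCode 0 is a success, anything else a failure (wrong password, CA block, MFA denied) — confirm the field path against your extraction. Note this is the interactive log only: refresh-token use and replay of a stolen session cookie (AiTM phishing) often surface only in the non-interactive sign-in log, which is a separate category and should be queried as well when session theft is suspected. ```
index="azure-sign-ins" "<email>"
| table _time, userPrincipalName, location.countryOrRegion, ipAddress, appDisplayName, clientAppUsed, status.errorCode, userAgent
| rename location.countryOrRegion as Region
| sort 0 -_time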
Exploitation
Activity from compromised user
``` Everything the account did, in every index. Bound the time range first — index=* is expensive. UserId is the UAL field name; the Entra logs call the account userPrincipalName, so records from those indexes will not match this filter. ```
index="*" UserId="<email>"
Activity from malicious IPs
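``` Activity from attacker IPs. index=* spans the UAL (ClientIP, and ClientIPAddress on Exchange mailbox events) and the Entra sign-in log (ipAddress), so the filter has to cover all field names or the sign-in hits are silently dropped. Add IPv6 forms of the same addresses; for whole ranges use cidrmatch() in a where clause instead of a literal list. ```
index=* (ClientIP IN ("<IP1>","<IP2>") OR ClientIPAddress IN ("<IP1>","<IP2>") OR ipAddress IN ("<IP1>","<IP2>"))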
Activity from malicious session ID / Correlation ID
``` Free-text pivot on a session ID or correlation ID across every index. The bare keyword form is deliberate: the same value appears as AppAccessContext.AADSessionId in UAL records and as correlationId in the Entra sign-in log, and a keyword matches both without knowing the field name. ```
index="*" "<ID>"
Activity from User Agent
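``` Scripted clients. A wildcard inside a quoted keyword matches on indexed tokens; the user agent is also a field — ExtendedProperties{}.Value (Name=UserAgent) on sign-in records, ClientInfoString on Exchange mailbox records — if you need an exact filter. Other user agents worth the same pivot: BAV2ROPC (legacy auth / ROPC, typically a spray tool), Go-http-client, axios, okhttp, curl. ```
index=o365 "python-requests/*"
| table _time, UserId, Operation, ClientIP, Workload, ExtendedProperties*
| sort 0 -_time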
Mails accessed by the attacker
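``` Items read in the attacker's session. MailItemsAccessed is the best "what did they read" signal, with three caveats. (1) It is only generated where the mailbox is covered by Purview Audit (Premium) or the later expanded Audit Standard logging — check your tenant before concluding nothing was read. (2) MailAccessType=Sync (visible in OperationProperties{}.Value) records the folder only, not the items, so a synced client shows no subjects. (3) If more than ~1000 MailItemsAccessed records are generated for a mailbox within 24h, logging is suppressed for that mailbox and IsThrottled=true is set — an empty result is not proof of no access. The session ID placeholder is quoted because it may contain characters Splunk treats as term breakers. ```
index=o365 "<Session ID>" Operation=MailItemsAccessed
| rename "Folders{}.FolderItems{}.Subject" as Subject
| rename "Folders{}.Path" as FolderPath
| mvexpand Subject
| eval FolderPath=mvjoin(mvmap(FolderPath, "\"" + FolderPath + "\""), " or ")
| table _time, AppAccessContext.AADSessionId, ClientIP, "OperationProperties{}.Value", FolderPath, Subject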
Phishing | Targeted emails (who the compromised account sent to)
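``` Outbound phishing sent from the compromised account, grouped by recipient. <filters> is normally Operation IN (Send, SendAs, SendOnBehalf): Send is the user's own mailbox, the other two are delegated sends. Recipients are a multivalue field, hence the mvexpand before the recipient filter. The table before stats does no work — remove the stats line to get the per-message view with subjects instead of the count. ```
index=o365 <filters> UserId="<email>"
| mvexpand Item.Recipients{}.Address
| search Item.Recipients{}.Address="*<filter>*"
| table _time, UserId, Item.Subject, Item.Recipients{}.Address
| stats count by Item.Recipients{}.Address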
Message sent from a user
``` Message trace (EOP) rows for a sender. This covers every message that transited Exchange Online from the address, including ones sent by clients that never produce a UAL Send record, so it is the authoritative list of what actually left the tenant. ```
index=* sourcetype=*messagetrace* senderAddress="<user>"
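``` Mails sent inside the attacker's session, from the UAL side. The session ID goes into the base search so the index is narrowed before spath runs — the original ran spath over the entire o365 index and filtered afterwards. The explicit field filter is kept so a keyword hit elsewhere in the record cannot produce a false match. ```
index=o365 "<Session-ID>" Operation=Send
| spath "AppAccessContext.AADSessionId"
| search "AppAccessContext.AADSessionId"="<Session-ID>"
| table _time, UserId, ClientIP, Item.Subject, "AppAccessContext.AADSessionId"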
Phishing | Internal users who received the phishing emails
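``` Every trace row for a set of phishing messages, regardless of delivery status. status=* replaces the bare keyword "status" in the original, which only required that word to appear somewhere in the raw event. messageId is the RFC 5322 Message-ID including the angle brackets — paste it exactly as it appears in the header or UAL record. Message trace retention is short (roughly 10 days for direct trace, ~90 days through historical search), so export results early. Statuses other than Delivered matter: Quarantined / FilteredAsSpam means the filter caught it, Failed / Pending means it was not (yet) delivered. ```
index="exchange" status=*
messageId IN (
    "<InternetMessageId>",
    "<InternetMessageId>",
    "<InternetMessageId>"
)
| table receivedDateTime, sender, subject, Address, recipientAddress, status, messageId
| sort 0 receivedDateTime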
Delivered only:
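``` Recipients that actually received the phishing mail — the containment list for mailbox purge and user notification. The sender address is quoted so the @ and dots are not tokenised. Delivered means the message reached the mailbox; it says nothing about whether it was opened (see the MailItemsAccessed section for the closest approximation). ```
index="exchange" status=delivered senderAddress="<email>"
messageId IN (
    "<InternetMessageId>",
    "<InternetMessageId>",
    "<InternetMessageId>"
)
| table receivedDateTime, subject, senderAddress, recipientAddress, status, messageId
| stats count by recipientAddress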
Phishing | Opened email
Opening an email happens in the client (Outlook, mobile, etc.), and:
- No server-side event is necessarily generated for “open”
- Privacy protections often block tracking
- Cached/offline reading = no trace
What you can use as approximations: 1. MailItemsAccessed (best available signal). From the unified audit log, this shows which users' mailboxes had the item accessed — closer to "opened", but not guaranteed: the record can be produced by a preview pane or a client sync rather than a person reading the mail.
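``` Users whose mailbox shows an access record for the phishing message. With Splunk's JSON extraction the message ID sits under Folders{}.FolderItems{}.InternetMessageId (same nesting as the Subject field used in the session query above), not at the top level, so a bare InternetMessageId filter may match nothing. The keyword in the base search narrows the index before the field filter. Only MailAccessType=Bind records list individual items; Sync records log the folder only, so users on synced clients (Outlook cached mode, mobile) are under-counted. ```
index=o365 Operation=MailItemsAccessed "<your_message_id>"
| rename "Folders{}.FolderItems{}.InternetMessageId" as InternetMessageId
| search InternetMessageId="<your_message_id>"
| stats values(UserId) as users, min(_time) as first_seen by InternetMessageId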
2. MessageBind (older, less reliable). Sometimes available; it indicates the message was bound (opened) in Outlook. Not always enabled, and deprecated in many tenants — it was superseded by MailItemsAccessed.
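``` Legacy equivalent of the query above. The message ID is added as a keyword in the base search so the field filter runs on a small set rather than on every MessageBind record in the index; the field filter itself is unchanged. Expect no results on tenants where MessageBind was never enabled. ```
index=o365 Operation=MessageBind "<your_message_id>"
| search InternetMessageId="<your_message_id>"
| stats values(UserId) as users by InternetMessageId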
Persistence
Registered Devices
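``` Persistence through registration. Device registration is one path; registering a new MFA method on the account (authenticator app, phone number) is the other common one in BEC and lives under UserManagement, not Device. The address is searched as a keyword because it can appear either as the initiator or as the target resource. Verify the exact activityDisplayName strings against your tenant, they vary slightly between log versions. ```
index="azure-ad" "<email>"
  ((category=Device activityDisplayName IN ("Register device","Add registered owner to device","Add registered users to device"))
   OR (category=UserManagement activityDisplayName="User registered security info"))
| table _time, category, activityDisplayName, result, initiatedBy.user.userPrincipalName, initiatedBy.user.ipAddress, targetResources{}.displayName, targetResources{}.userPrincipalName
| sort 0 -_time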
Mail forwarding (Inbox rules)
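``` Mail-forwarding persistence. Two mechanisms: inbox rules (New-InboxRule / Set-InboxRule from PowerShell or OWA, UpdateInboxRules when created from an Outlook client) and mailbox-level forwarding via Set-Mailbox (ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward). Cmdlet parameters are logged as Parameters{}.Name / Parameters{}.Value pairs, so the original top-level ForwardTo=* style filter only works if a custom extraction flattens them — filter on the Name list and read values from Parameters*. UpdateInboxRules carries its rule details under OperationProperties instead, so it is let through unfiltered. For Set-Mailbox the target mailbox is typically ObjectId and UserId is the actor, hence the keyword search on the address rather than UserId only. Rules that hide evidence are as important as forwarding: MoveToFolder (RSS Feeds, Archive), MarkAsRead, DeleteMessage, SubjectContainsWords such as password / invoice / hacked. ```
index=o365 Operation IN ("New-InboxRule","Set-InboxRule","UpdateInboxRules","Set-Mailbox") "<email>"
| search Operation="UpdateInboxRules"
    OR "Parameters{}.Name" IN ("ForwardTo","ForwardAsAttachmentTo","RedirectTo","DeleteMessage","MoveToFolder","MarkAsRead","SubjectContainsWords","ForwardingSmtpAddress","ForwardingAddress","DeliverToMailboxAndForward")
| table _time, ClientIP, UserId, ObjectId, AppAccessContext.AADSessionId, Operation, Workload, Parameters*, OperationProperties*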
Mailbox delegation
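``` Delegation persistence. On these admin cmdlets UserId is the actor; the mailbox that was delegated is typically ObjectId and the trustee is the User parameter. UserId="<email>" therefore only finds delegations the compromised user made, not ones granted on their mailbox — the address is searched as a keyword to catch both roles. AccessRights: Add-MailboxPermission grants FullAccess (among others), Add-RecipientPermission grants SendAs; SendOnBehalf is not an AccessRights value at all (it is Set-Mailbox -GrantSendOnBehalfTo), so the original filter could never match it. Add-MailboxFolderPermission covers folder-level delegation (e.g. Inbox to an external guest), a quiet variant. Parameters are Name/Value pairs — read the rights from Parameters* rather than a top-level AccessRights field, which exists only with a custom extraction. ```
index=o365 Operation IN ("Add-MailboxPermission","Add-RecipientPermission","Add-MailboxFolderPermission") "<email>"
| table _time, ClientIP, UserId, ObjectId, AppAccessContext.AADSessionId, Operation, Workload, Parameters*
| sort 0 -_time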
OAuth App
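``` OAuth application persistence. UAL AzureActiveDirectory operations carry a trailing period, hence the wildcards. The consent events were missing from the original list: "Consent to application" is the illicit-consent-grant signal itself, with "Add app role assignment grant to user" and "Add delegated permission grant" as its Graph-side companions — verify exact names in your tenant. The azure-ad index (Entra audit log) does not use Operation / UserId at all but activityDisplayName and initiatedBy.user.userPrincipalName, so the original UserId filter silently excluded it; the address is searched as a keyword and both field names are covered. The application is in Target* (Actor* is who consented). ```
index IN ("o365","azure-ad") "<email>"
  (Operation IN ("Consent to application*","Add OAuth2PermissionGrant*","Add app role assignment grant to user*","Add delegated permission grant*","Add service principal*","Add credentials*","Update application*")
   OR activityDisplayName IN ("Consent to application*","Add OAuth2PermissionGrant*","Add app role assignment grant to user*","Add delegated permission grant*","Add service principal*","Add credentials*","Update application*"))
| table _time, UserId, initiatedBy.user.userPrincipalName, Operation, activityDisplayName, Actor*, Target*, ModifiedProperties*
| sort 0 -_time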
External file sharing (OneDrive / Sharepoint)
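``` External sharing from OneDrive / SharePoint (staging or exfiltration). The original read index=o365( with no space, which makes "o365(" the index value and returns nothing. FileShared / SharingSet cover explicit shares; link-based sharing — AnonymousLinkCreated / AnonymousLinkUsed, SharingInvitationCreated, SecureLinkCreated / AddedToSecureLink — is how most data actually leaves and is added. The external marker in the UAL SharePoint schema is TargetUserOrGroupType=Guest plus the anonymous-link operations; SharingType="External" is kept from the original but confirm that field exists in your extraction. Pair with FileDownloaded / FileSyncDownloadedFull for bulk download. ```
index=o365 Operation IN (FileShared, SharingSet, SharingInvitationCreated, AnonymousLinkCreated, AnonymousLinkUsed, SecureLinkCreated, AddedToSecureLink) UserId="<email>"
| search SharingType="External" OR TargetUserOrGroupType="Guest" OR Operation IN (AnonymousLinkCreated, AnonymousLinkUsed)
| table _time, UserId, ClientIP, Operation, ObjectId, TargetUserOrGroupName, TargetUserOrGroupType, SharingType
| sort 0 -_time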
