Identify Mail Items Accessed By A Specific IP Address CISA
Query
//Query is from CISA Playbook https://www.cisa.gov/sites/default/files/2025-01/microsoft-expanded-cloud-logs-implementation-playbook-508c.pdf
//Get sessions associated with suspicious IP address
let bad_sessions = materialize (
AADSignInEventsBeta
| where IPAddress == 'x.x.x.x’ //Replace with IP of interest
| where isempty(SessionId) == false
| distinct SessionId
);
//Get any mail accessed during suspicious sessions
CloudAppEvents
| where ActionType == 'MailItemsAccessed'
| where RawEventData.SessionId has_any (bad_sessions)Explanation
This query is designed to identify suspicious activity related to a specific IP address and any mail accessed during those sessions. Here's a simplified breakdown:
-
Identify Suspicious Sessions:
- The query first looks at sign-in events (
AADSignInEventsBeta) to find sessions associated with a specific IP address (x.x.x.x). - It filters out any events where the
SessionIdis empty, ensuring only valid sessions are considered. - It then creates a list of unique session IDs (
SessionId) that are associated with this suspicious IP address. This list is stored in a temporary table calledbad_sessions.
- The query first looks at sign-in events (
-
Find Mail Accessed in Those Sessions:
- The query then examines cloud application events (
CloudAppEvents) to find instances where mail items were accessed. - It specifically looks for actions labeled as 'MailItemsAccessed'.
- It checks if the session IDs from these mail access events match any of the session IDs in the
bad_sessionslist. - The result is a list of mail access events that occurred during the suspicious sessions identified earlier.
- The query then examines cloud application events (
In summary, this query helps track down any mail accessed during sessions that were initiated from a suspicious IP address, potentially indicating unauthorized or malicious activity.
Details

Jay Kerai
Released: January 20, 2025
Tables
AADSignInEventsBetaCloudAppEvents
Keywords
AADSignInEventsBetaIPAddressSessionIdCloudAppEventsActionTypeRawEventData
Operators
letmaterializewhereisemptydistincthas_any