This script lets you view events that involve a suspicious IP address (the `ip` value set on the next line). I generally use it when investigating alerts about Password Spray Attacks, Anonymous IP Address or Atypical Travel. Changing the `ago(7d)` window in the Timestamp filter lets you view a larger time frame.
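// Pivot on a single IP address across Defender XDR advanced-hunting tables.
// Used for triage of identity alerts (password spray, anonymous IP, atypical
// travel): returns both the events this IP initiated and the events that
// targeted it, in every table that carries an IP column named below.
//
// Parameters:
//   ip       - the address under investigation, as a string. Comparison is
//              exact string equality, so an IPv6 address must be written the
//              same way the tables store it (NOTE(review): confirm normalization
//              against the source table before relying on a negative result).
//   lookback - how far back to search; widen it for a longer time frame.
//              Cross-table `search` is expensive, so keep it as tight as the
//              investigation allows.
let ip = "Insert IP ADDRESS";   // straight quotes only: KQL rejects “ ” typographic quotes
let lookback = 7d;
search in (IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents, EmailEvents, UrlClickEvents,
           DeviceNetworkEvents, DeviceFileEvents, DeviceLogonEvents, DeviceEvents, BehaviorEntities,
           CloudAppEvents, AADSpnSignInEventsBeta, AADSignInEventsBeta)
    Timestamp between (ago(lookback) .. now())
    and (
        // Events initiated by this IP
        LocalIP == ip
        or FileOriginIP == ip
        or RequestSourceIP == ip
        or SenderIPv4 == ip
        or SenderIPv6 == ip
        or IPAddress == ip
        // Events affecting this IP
        or RemoteIP == ip
        or DestinationIPAddress == ip
    )
// Order newest-first before capping, so the 100 rows kept are the most recent
// activity rather than an arbitrary sample of whatever the engine returned first.
// The `$table` column that `search` adds tells which source each row came from;
// if the cap is reached, narrow the table list or the lookback and re-run.
| sort by Timestamp desc
| take 100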
