Microsoft Cloud App Security: The Hunt in a multi-stage incident

Published 03-09-2021 12:55 AM 3,925 Views

Welcome to our first post in the “Microsoft Cloud App Security: The Hunt blog series!  
Using Microsoft 365 Defender, our integrated solution, we will address common alerts customers receive in Microsoft Cloud App Security (called “MCAS” by users and enthusiasts) to determine the full scope and impact of a threat. We will show case how Microsoft 365 Defender assists security engineers by providing critical details such as how the threat entered the environment, what it has affected and how it is currently impacting the enterprise.

 

We will do this by taking the details we are given from an alert from Cloud App Security, using Kusto Query Language or KQL to query logs from various products across the Microsoft security stack that are available in Microsoft 365 defender Advanced hunting today.
Additionally, we will use the mapping of the MITRE ATT&CK Framework tactics and techniques available in 
Cloud App Security to assist our investigation on where or how an adversary may move next.

 

Throughout this blog series, we will address the alerts and scenarios we have seen most frequently from customers and apply simple but effective queries that can be used in everyday investigations. 

To begin this exciting journey, our first use case will walk you through a possible investigation path you could follow once receiving a multi-stage incidents from Cloud App Security. 

 

Use case 

Contoso implemented Microsoft 365 and is monitoring users at risk using Microsoft’s security solutions. 
While reviewing the new incidents, our security analyst notices a new multi-staged incident for a user named Megan Bowens. 

Multi-stage incidentMulti-stage incident

 

 

By opening the incident, our analyst can immediately identify the incident alerts and the mapped MITRE tactics. Based on those, it looks like the user account might have been compromised. Let’s confirm this using M365 Defender!  

94387B51-CB01-4EC3-B750-208FBFA8CF74.png

 

Investigation

Step 1: review the alerts to understand the incident context 

By looking at the timeline, it seems that the user connected from a location she did not use in the last six months (Activity from infrequent country:( Romania.

444E74F8-1386-48A4-B22A-0A30FD07BBB8.png

 

Microsoft Cloud App Security then triggered an out-of-the-box alert regarding activities from distant locations (Impossible travel activity). Using the information from this alert, admins can review activities from anywhere in the world: Belgium, Romania but also Belarus! 

 

0A863139-45F3-4A83-940F-64CE5F4A6115.png

 

Finally, it appears that during this session, the user created an inbox rule forwarding emails to hackerz007@gmail.com, which is considered as suspicious by Microsoft Cloud App Security. 

 

B05AA8FA-3DE0-40C8-B77B-119DE7966C8A.png

 

Now that we understand the context, let’s investigate to understand the scope of the breach. 

 

 

Step 2: understand user’s specific context 

Before spending time in logs, we must understand the user’s context. The easiest way is to open her user page and review the provided information: 

B01A4548-8BE9-4212-9347-D30B4BDDF39E.png

 

 

 

On the user page, we are immediately provided information confirming that something happened with this user account: Megan’s account is considered a high risk by Azure Active Directory and her Investigation priority score suddenly increased in the last few days, plus her score is higher than 90% of the organization. We can also see from this page that she’s located in the United States. 

C76EBA09-2C33-47C4-BCD4-AD82E05BBA11.png

 

To understand her habits, let’s open the Locations details: 

 

345F053E-000C-48DF-874F-43EDBAA00D3F.png

This shows us the different locations used by the user in the last 30 days and the percentage of activities performed from those locations. 
It immediately appears that she is usually working from the US and Belgium, so activities performed from those countries are normal:

3C571F81-C246-4226-8C5E-6DD27CAE7CB6.png

 If we go further, we can also see that some activities have been performed from other locations: Romania and Belarus: 

7E3B54C1-2AAB-4820-8AC9-1CB6A8442374.pngE52CC868-FF08-4E76-B9C5-57D7887FC459.png

 

 

Now that we understand what is anomalous behavior for Megan (bases on the information above and her tracked "Locations" in her user profile), let’s hunt! 

 

Step 3: review the suspicious activities to understand the scope of the breach 

Our investigation will go through in different phases (list non-exhaustive). 

 

Action 

Why ? 

Summarize all the performed actions from the suspicious IP/location for that account 

Understand the risk based on performed activities (ex: reading an email = low risk, downloading/sharing files = medium risk, creating inbox rule/admin activities = high risk).  
If low risk activities, from mobile device for example, no further investigation might be required as this could be the user using a VPN client on her phone. 

Provide details on all accessed emails and their path in the mailbox 

Understand if access was targeted to sensitive information (finance, secrets, …). 
If the information seems sensitive and the device type seems suspicious, further investigation required. 

Also review the user agent to identify suspicious access. 

If emails were sent, review the recipients and message details. 

Identify potential phishing attempts or identify other compromised accounts. 
We will also use the user agent to identify potential tools using Graph API or SMTP. 

Review the accessed files 

Understand if access was targeted to sensitive information (finance, secrets, …). 

Review the created inbox rules 

Inbox rules can be used to exfiltrate data or hide conversations between the attacker and other recipients. 

Review other users using this IP address 

Identify potential compromised users or identify new potential corporate IP address used by a new office. 

 

  1. Obtain the user’s account object Id. 
    The Azure AD Account object ID is the unique identifier of a user account. Therefore, we will use this identifier for hunting scenarios as it is exposed in the different tables. You can get the user’s account object ID from the user entity page (screenshot below), or by querying the IdentityInfo table:

    contact.png

     Querying the table: 

    IdentityInfo | where AccountUpn =~ 'meganb@seccxp.ninja' 

    query.png

  2. Review our user’s signings to identify other potential suspicious locations or IP addresses.
    Using this query, you can get an overview of the users signing activity and identify potential anomalies. Note that if the user is using an AAD joined device and passing through a conditional access policy, the details of the managed device are exposed:

    let timeToSearch = startofday(datetime('2020-11-14')); 
    AADSignInEventsBeta  
    | where AccountObjectId == 'eababd92-9dc7-40e3-9359-6c106522db19' and Timestamp >= timeToSearch  
    | distinct Application, ResourceDisplayName, Country, City, IPAddress, DeviceName, DeviceTrustType, OSPlatform, IsManaged, IsCompliant, AuthenticationRequirement, RiskState, UserAgent, ClientAppUsed

    devices.png

     

     

  3. Summarize all the performed actions from the suspicious IP/location for that account. 
    Using this Advanced hunting query scoped to the alerts date, we can easily identify the performed actions: 

    let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; 
    let locations = pack_array('RO', 'BY'); 
    let timeToSearch = startofday(datetime('2020-11-14')); 
    CloudAppEvents 
        | where AccountObjectId == accountId and CountryCode in (locations) and Timestamp >= timeToSearch  
    | summarize by ActionType, CountryCode, AccountObjectId  
    | sort by ActionType asc 

     
    We can see that the malicious actor accessed and deleted emails, opened files, created and deleted inbox rules. 
    That’s a great start! We know now what we are looking for. 

    6E2142E0-5376-44F5-ACA5-2742AACFFEF5.png

  4. Review the accessed emails. 
    To understand what the actor was looking for, we can use the following query. It’s using events available with advanced auditing and the EmailEvents table to enrich emails details (subject, sender, recipients, …) when possible.

    let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; 
    let locations = pack_array('RO', 'BY'); 
    let timeToSearch = startofday(datetime('2020-11-14')); 
    CloudAppEvents 
        | where ActionType == 'MailItemsAccessed' and CountryCode in (locations) and AccountObjectId == accountId and Timestamp >= timeToSearch 
        | mv-expand todynamic(RawEventData.Folders)  
        | extend Path = todynamic(RawEventData_Folders.Path), SessionId = tostring(RawEventData.SessionId) 
        | mv-expand todynamic(RawEventData_Folders.FolderItems) 
        | project SessionId, Timestamp, AccountObjectId, DeviceType, CountryCode, City, IPAddress, UserAgent, Path, Message = tostring(RawEventData_Folders_FolderItems.InternetMessageId) 
        | join kind=leftouter ( 
            EmailEvents  
            | where RecipientObjectId == accountId  
            | project Subject, RecipientEmailAddress , SenderMailFromAddress , DeliveryLocation , ThreatTypes, AttachmentCount , UrlCount , InternetMessageId  
            ) on $left.Message == $right.InternetMessageId  
    | sort by Timestamp desc


    Note the clients used: a browser and REST, indicating potential script accessing the emails:
    766F6521-7063-4624-9C62-8748484FA4CB.png

     emails.png

     

  5. Review the accessed folders and files:
    let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; 
    let locations = pack_array('RO', 'BY'); 
    let timeToSearch = startofday(datetime('2020-11-14')); 
    CloudAppEvents 
        | where ActionType == 'FilePreviewed' and CountryCode in (locations) and AccountObjectId == accountId and Timestamp >= timeToSearch 
        | project Timestamp, CountryCode , IPAddress , ISP, UserAgent , Application, ActivityObjects, AccountObjectId 
        | mv-expand ActivityObjects 
        | where ActivityObjects['Type'] in ('File', 'Folder')  
        | evaluate bag_unpack(ActivityObjects) 

    7F23CA13-92CF-4EF7-BE77-C848DEE982B3.png

     

     


  6. Review the deleted emails. This might indicate that the actor tried to remove traces of discussions with other users or deletion of alerting emails: 
    let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; 
    let locations = pack_array('RO', 'BY'); 
    let timeToSearch = startofday(datetime('2020-11-14')); 
    CloudAppEvents 
        | where ActionType in~ ('MoveToDeletedItems', 'SoftDelete') and CountryCode in (locations) and AccountObjectId == accountId and Timestamp >= timeToSearch 
        | mv-expand ActivityObjects 
        | where ActivityObjects['Type'] in ('Email', 'Folder') 
        | evaluate bag_unpack(ActivityObjects) 
        | distinct Timestamp, AccountObjectId, ActionType, CountryCode, IPAddress, Type, Name, Id 
    | sort by Timestamp desc 

  7. Review the created/enabled/modified inbox rules. You can see here that the rule if looking for specific keywords, like “Credit Card” or “Password”: 
    let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; 
    let locations = pack_array('RO', 'BY'); 
    let timeToSearch = startofday(datetime('2020-11-14')); 
    CloudAppEvents 
        | where ActionType contains_cs 'InboxRule' and CountryCode in (locations) 
        | extend RuleParameters = RawEventData.Parameters 
    | project Timestamp, CountryCode , IPAddress , ISP, ActionType , ObjectName , RuleParameters  
    | sort by Timestamp desc 
    299DB357-91E0-419E-9029-63AE9B538722.png

     



  8. Now is time for our latest query that will identify scope of the breach. We hunted to get more information on Megan, our impacted user we got alerted from the incident. But there might be additional compromised users, we’ll use the IP addresses from the initial breach and search for other users having activities from those IP addresses:
    let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; 
    let locations = pack_array('RO', 'BY'); 
    let timeToSearch = startofday(datetime('2020-11-14')); 
    let ips = (CloudAppEvents 
            | where CountryCode in (locations )  
            | distinct IPAddress , AccountObjectId  
    ); 
    ips  
    | join (CloudAppEvents | project ActivityIP = IPAddress, UserId = AccountObjectId ) on $left.IPAddress == $right.ActivityIP  
    | distinct UserId  
    | join IdentityInfo on $left.UserId == $right.AccountObjectId 
    | distinct AccountDisplayName , AccountUpn , Department , Country , City, AccountObjectId  
    
      

    B318F20C-D2E2-4555-8278-3C26F1B68A8E.png

     

Step 4: time to remediate! 

Now that we have confirmed that Megan’s account had been compromised and we confirmed she was the only impacted user, it’s time to take action. 

The required actions will of course depend on your specific procedures, but a good start is confirming the user as compromised by clicking on “Take actions” or by going back to the user page and apply actions like suspending the user or requesting the user to sign-in again. 

 

take actions.png

confirm compromised.png

 

If you are syncing your accounts from Active Directory, you must perform the remediation steps on-premises. 
Also, note that integrating non-Microsoft apps to Microsoft Cloud App Security allows you to apply remediation to those apps too. 

 

124A9DE9-97CD-44A9-B758-F06C7E179562.png

 

 

A huge Thanks to @Tali Ash for the review!

 

 

 

For more information about the features discussed in this article, read: 

Learn more 

For further information on how your organization can benefit from Microsoft Cloud App Security, connect with us at the links below: 

Join the conversation on Tech Community 

Stay up to date—subscribe to our blog.  

Upload a log file from your network firewall or enable logging via Microsoft Defender for Endpoint to discover Shadow IT in your network. 

Learn more—download Top 20 use cases for CASB. 

Connect your cloud apps to detect suspicious user activity and exposed sensitive data. 

Search documentation on Microsoft Cloud App Security 

Enable out-of-the-box anomaly detection policies and start detecting cloud threats in your environment. 

Understand your licensing options​.  

Continue with more advanced use cases across information protection, compliance, and more. 

Follow the Microsoft Cloud App Security Ninja blog and learn about Ninja Training 

Go deeper these interactive guides: 

 

 

To experience the benefits of full-featured CASB, sign up for a free trial—Microsoft Cloud App Security. 

Follow us on LinkedIn as #CloudAppSecurity. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity on Twitter, and Microsoft Security on LinkedIn for the latest news and updates on cybersecurity. 

1 Comment
New Contributor

Hello @Sebastien Molendijk  in a word excellent.

%3CLINGO-SUB%20id%3D%22lingo-sub-2193484%22%20slang%3D%22en-US%22%3EMicrosoft%20Cloud%20App%20Security%3A%20The%20Hunt%20in%20a%20multi-stage%20incident%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2193484%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3EWelcome%20to%20our%20first%20post%20in%20the%20%E2%80%9C%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3EMicrosoft%20Cloud%20App%20Security%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E%3A%20The%20Hunt%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E%E2%80%9D%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3Eblog%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3Eseries!%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW225966553%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW225966553%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW225966553%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3EUsing%20M%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3Eicrosoft%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E365%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3ED%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3Eefender%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E%2C%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3Eour%20integrated%20solution%2C%20we%20will%20address%20common%20alerts%20customers%20receive%20in%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3EMicrosoft%20Cloud%20App%20Security%20(%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3Ecalled%20%E2%80%9C%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3EMCAS%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E%E2%80%9D%20by%20users%20and%20enthusiasts%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E)%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eto%20determine%20the%20full%20scope%20and%20impact%20of%20a%20threat.%20We%20will%20show%20case%20how%20M%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3Eicrosoft%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E365%20Defender%20assists%20security%20engineers%20by%20providing%20critical%20details%20such%20as%20how%20the%20threat%20entered%20the%20environment%2C%20what%20it%20has%20affected%20and%20how%20it%20is%20currently%20impacting%20the%20enterprise.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWe%20will%20do%20this%20by%20taking%20the%20details%20we%20are%20given%20from%20an%20alert%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bfrom%20Cloud%20App%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3ESecurity%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eusing%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3BKusto%20Query%20Language%20or%20KQL%20to%20query%20logs%20from%20various%20products%20across%20the%20Microsoft%20security%20stack%20that%20are%20available%20in%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EM%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eicrosoft%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E365%20defender%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EA%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Edvanced%20hunting%20today.%20%3CBR%20%2F%3EAdditionally%2C%20we%20will%20use%20the%20mapping%20of%20the%20MITRE%20ATT%26amp%3BCK%20Framework%20tactics%20and%20techniques%20available%20in%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECloud%20App%20Security%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eto%20assist%20our%20investigation%20on%20where%20or%20how%20an%20adversary%20may%20move%20next.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThroughout%20this%20blog%20series%2C%20we%20will%20address%20the%20alerts%20and%20scenarios%20we%20have%20seen%20most%20frequently%20from%20customers%20and%20apply%20simple%20but%20effective%20queries%20that%20can%20be%20used%20in%20everyday%20investigations.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ETo%20begin%20this%20exciting%20journey%2C%20our%20first%20use%20case%20will%20walk%20you%20through%20a%20possible%20investigation%20path%20you%20could%20follow%20once%20receiving%20a%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bmulti-stage%20incidents%26nbsp%3Bfrom%20Cloud%20App%20Security%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20aria-level%3D%222%22%20id%3D%22toc-hId--520498212%22%20id%3D%22toc-hId--520498920%22%20id%3D%22toc-hId--520557545%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EUse%26nbsp%3Bcase%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ECo%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Entoso%20implemented%20Microsoft%20365%20and%20is%20monitoring%20users%20at%20risk%20using%20Microsoft%E2%80%99s%20security%20solutions.%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWhile%20reviewing%20the%20new%20incidents%2C%20our%20security%20analyst%20notices%20a%20new%20multi-staged%20incident%20for%20a%20user%20named%20Megan%20Bowens.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22D06A0719-5542-48E0-9084-08B1F8DEC430.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261659i413953C77A622C64%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22D06A0719-5542-48E0-9084-08B1F8DEC430.png%22%20alt%3D%22Multi-stage%20incident%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EMulti-stage%20incident%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW115270281%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW115270281%20BCX8%22%3EBy%20opening%20the%20incident%2C%20our%20analyst%20can%20immediately%20identify%20the%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW115270281%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW115270281%20BCX8%22%3Eincident%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW115270281%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW115270281%20BCX8%22%3Ealerts%20and%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW115270281%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW115270281%20BCX8%22%3Ethe%20mapped%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW115270281%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW115270281%20BCX8%22%3EMITRE%20tactics.%20Based%20on%20those%2C%20it%20looks%20like%20the%20user%20account%20might%20have%20been%20compromised.%20Let%E2%80%99s%20confirm%20this%20using%20M365%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW115270281%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW115270281%20BCX8%22%3EDefender!%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW115270281%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW115270281%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW115270281%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-1967014621%22%20id%3D%22toc-hId-1967013913%22%20id%3D%22toc-hId-1966955288%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%2294387B51-CB01-4EC3-B750-208FBFA8CF74.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261661i463AB9B816942D87%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%2294387B51-CB01-4EC3-B750-208FBFA8CF74.png%22%20alt%3D%2294387B51-CB01-4EC3-B750-208FBFA8CF74.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-159560158%22%20id%3D%22toc-hId-159559450%22%20id%3D%22toc-hId-159500825%22%3EInvestigation%3C%2FH2%3E%0A%3CH3%20aria-level%3D%223%22%20id%3D%22toc-hId-850121632%22%20id%3D%22toc-hId-850120924%22%20id%3D%22toc-hId-850062299%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EStep%201%3A%20review%20the%20alerts%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bto%20understand%20the%20incident%26nbsp%3Bcontext%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EBy%20looking%20at%20the%20timeline%2C%20it%20seems%20that%20the%20user%20connected%20from%20a%20location%20she%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Edid%20not%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Buse%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ein%20the%20last%20six%20months%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B(%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Faka.ms%2Fmcasinvestigationguide%23activity-from-infrequent-country%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EActivity%20from%20infrequent%20country%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3A(%3C%2Fimg%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3ERomania%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22444E74F8-1386-48A4-B22A-0A30FD07BBB8.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261667iD4B20369E62A27D9%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22444E74F8-1386-48A4-B22A-0A30FD07BBB8.png%22%20alt%3D%22444E74F8-1386-48A4-B22A-0A30FD07BBB8.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22TextRun%20SCXW247222429%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW247222429%20BCX8%22%3EMicrosoft%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW247222429%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentStart%20SCXW247222429%20BCX8%22%3ECloud%20App%20Security%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW247222429%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW247222429%20BCX8%22%3Ethen%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW247222429%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW247222429%20BCX8%22%3Etriggered%20an%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW247222429%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW247222429%20BCX8%22%3Eout-of-the-box%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW247222429%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW247222429%20BCX8%22%3Ealert%20regarding%20activities%20from%20distant%20locations%20(%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20class%3D%22Hyperlink%20SCXW247222429%20BCX8%22%20href%3D%22http%3A%2F%2Faka.ms%2Fmcasinvestigationguide%23impossible-travel%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW247222429%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW247222429%20BCX8%22%20data-ccp-charstyle%3D%22Hyperlink%22%3EImpossible%20travel%20activity%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20SCXW247222429%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW247222429%20BCX8%22%3E).%20Using%20the%20information%20from%20this%20alert%2C%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW247222429%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW247222429%20BCX8%22%3Eadmins%20can%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW247222429%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW247222429%20BCX8%22%3Ereview%20activities%20from%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW247222429%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW247222429%20BCX8%22%3Eanywhere%20in%20the%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20ContextualSpellingAndGrammarErrorV2%20SCXW247222429%20BCX8%22%3Eworld%3A%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW247222429%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW247222429%20BCX8%22%3EBelgium%2C%20Romania%20but%20also%20Belarus!%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW247222429%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247222429%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%220A863139-45F3-4A83-940F-64CE5F4A6115.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261668i3493706D82F52A86%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%220A863139-45F3-4A83-940F-64CE5F4A6115.png%22%20alt%3D%220A863139-45F3-4A83-940F-64CE5F4A6115.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22TextRun%20SCXW65422398%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW65422398%20BCX8%22%3EFinally%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW65422398%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW65422398%20BCX8%22%3E%2C%20it%20appears%20that%20during%20this%20session%2C%20the%20user%20created%20an%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20class%3D%22Hyperlink%20SCXW65422398%20BCX8%22%20href%3D%22http%3A%2F%2Faka.ms%2Fmcasinvestigationguide%23suspicious-inbox-manipulation-rule%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW65422398%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW65422398%20BCX8%22%20data-ccp-charstyle%3D%22Hyperlink%22%3Einbox%20rule%20forwarding%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20SCXW65422398%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW65422398%20BCX8%22%3E%26nbsp%3Bemails%20to%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20class%3D%22Hyperlink%20SCXW65422398%20BCX8%22%20href%3D%22mailto%3Ahackerz007%40gmail.com%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%20nofollow%22%3E%3CSPAN%20class%3D%22FieldRange%20SCXW65422398%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW65422398%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentStart%20SCXW65422398%20BCX8%22%20data-ccp-charstyle%3D%22Hyperlink%22%3Ehackerz007%40gmail.com%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20SCXW65422398%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW65422398%20BCX8%22%3E%2C%20which%20is%20considered%20as%20suspicious%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW65422398%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentStart%20SCXW65422398%20BCX8%22%3Eby%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW65422398%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW65422398%20BCX8%22%3EMicrosoft%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW65422398%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW65422398%20BCX8%22%3ECloud%20App%20Security%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW65422398%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW65422398%20BCX8%22%3E.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW65422398%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247222429%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW65422398%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22B05AA8FA-3DE0-40C8-B77B-119DE7966C8A.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261669i4E51E1DB1C292857%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22B05AA8FA-3DE0-40C8-B77B-119DE7966C8A.png%22%20alt%3D%22B05AA8FA-3DE0-40C8-B77B-119DE7966C8A.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22TextRun%20SCXW51200506%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW51200506%20BCX8%22%3ENow%20that%20we%20understand%20the%20context%2C%20let%E2%80%99s%20investigate%20to%20understand%20the%20scope%20of%20the%20breach.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW51200506%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--957332831%22%20id%3D%22toc-hId--957333539%22%20id%3D%22toc-hId--957392164%22%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247222429%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW65422398%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW51200506%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW226722517%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW226722517%20BCX8%22%20data-ccp-parastyle%3D%22heading%203%22%3EStep%202%3A%20understand%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW226722517%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW226722517%20BCX8%22%20data-ccp-parastyle%3D%22heading%203%22%3Ea%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW226722517%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW226722517%20BCX8%22%20data-ccp-parastyle%3D%22heading%203%22%3Euser%E2%80%99s%20specific%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20ContextualSpellingAndGrammarErrorV2%20GrammarErrorHighlight%20SCXW226722517%20BCX8%22%20data-ccp-parastyle%3D%22heading%203%22%3Econtext%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW226722517%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247222429%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW65422398%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW51200506%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW226722517%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW247088623%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW247088623%20BCX8%22%3EBefore%20spending%20time%20in%20logs%2C%20we%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW247088623%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW247088623%20BCX8%22%3Emust%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW247088623%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW247088623%20BCX8%22%3E%26nbsp%3Bunderstand%20the%20user%E2%80%99s%20context.%20The%20easiest%20way%20is%20to%20open%20her%20user%20page%20and%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW247088623%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW247088623%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW247088623%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW247088623%20BCX8%22%3Ereview%20the%20provided%20information%3A%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW247088623%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247222429%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW65422398%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW51200506%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW226722517%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247088623%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22B01A4548-8BE9-4212-9347-D30B4BDDF39E.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261670i50CEAA588C81D932%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22B01A4548-8BE9-4212-9347-D30B4BDDF39E.png%22%20alt%3D%22B01A4548-8BE9-4212-9347-D30B4BDDF39E.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247222429%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW65422398%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW51200506%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW226722517%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247088623%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3EOn%20the%20user%20page%2C%20we%20are%20immediately%20provided%20information%20confirming%20that%20something%20happened%20with%20this%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3Euser%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3Eaccount%3A%20Megan%E2%80%99s%20account%20is%20considered%20a%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3Eh%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3Eigh%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3Er%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3Eisk%20by%20Azure%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3EActive%20Directory%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3E%26nbsp%3Band%20her%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20class%3D%22Hyperlink%20SCXW159473491%20BCX8%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Ftutorial-ueba%2522%2520%2Fl%2520%2522understand-the-investigation-priority-score%2522%2520%2F%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%22%3E%3CSPAN%20class%3D%22FieldRange%20SCXW159473491%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20SCXW159473491%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentStart%20SCXW159473491%20BCX8%22%20data-ccp-charstyle%3D%22Hyperlink%22%3EInvestigation%20priority%20score%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3E%26nbsp%3Bsuddenly%20increased%20in%20the%20last%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3Efew%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3Edays%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3E%2C%20plus%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3Eher%20score%20is%20higher%20th%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentStart%20SCXW159473491%20BCX8%22%3Ean%2090%25%20o%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3Ef%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3E%26nbsp%3Bthe%20organization%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3E.%20We%20can%20also%20see%20from%20this%20page%20that%20she%E2%80%99s%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3Elocated%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentStart%20SCXW159473491%20BCX8%22%3Ein%20the%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3EUnited%20States%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW159473491%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW159473491%20BCX8%22%3E.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW159473491%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247222429%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW65422398%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW51200506%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW226722517%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247088623%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW159473491%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22C76EBA09-2C33-47C4-BCD4-AD82E05BBA11.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261671i4713A524D426EFA5%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22C76EBA09-2C33-47C4-BCD4-AD82E05BBA11.png%22%20alt%3D%22C76EBA09-2C33-47C4-BCD4-AD82E05BBA11.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22TextRun%20SCXW148699043%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW148699043%20BCX8%22%3ETo%20understand%20her%20habits%2C%20let%E2%80%99s%20open%20the%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW148699043%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW148699043%20BCX8%22%3ELocations%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW148699043%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW148699043%20BCX8%22%3E%26nbsp%3Bdetails%3A%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW148699043%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247222429%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW65422398%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW51200506%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW226722517%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247088623%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW159473491%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW148699043%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22345F053E-000C-48DF-874F-43EDBAA00D3F.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261672iBDF87DC105781C89%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22345F053E-000C-48DF-874F-43EDBAA00D3F.png%22%20alt%3D%22345F053E-000C-48DF-874F-43EDBAA00D3F.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247222429%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW65422398%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW51200506%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW226722517%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247088623%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW159473491%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW148699043%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW267172131%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267172131%20BCX8%22%3EThis%20shows%20us%20the%20different%20locations%20used%20by%20the%20user%20in%20the%20last%2030%20days%20and%20the%20percentage%20of%20activities%20performed%20from%20those%20locations.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW267172131%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW267172131%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW267172131%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW267172131%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267172131%20BCX8%22%3EIt%20immediately%20appears%20that%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW267172131%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267172131%20BCX8%22%3Eshe%20is%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW267172131%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267172131%20BCX8%22%3E%26nbsp%3Busually%20working%20from%20the%20US%20and%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW267172131%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267172131%20BCX8%22%3EBelgium%2C%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW267172131%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW267172131%20BCX8%22%3E%26nbsp%3Bso%20activities%20performed%20from%20those%20countries%20are%20normal%3A%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247222429%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW65422398%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW51200506%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW226722517%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247088623%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW159473491%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW148699043%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW267172131%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%223C571F81-C246-4226-8C5E-6DD27CAE7CB6.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261674iC442F28410D67F39%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%223C571F81-C246-4226-8C5E-6DD27CAE7CB6.png%22%20alt%3D%223C571F81-C246-4226-8C5E-6DD27CAE7CB6.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3CSPAN%20class%3D%22TextRun%20SCXW183277500%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW183277500%20BCX8%22%3EIf%20we%20go%20further%2C%20we%20can%20also%20see%20that%20some%20activities%20have%20been%20performed%20from%20other%20locations%3A%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW183277500%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW183277500%20BCX8%22%3ERomania%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW183277500%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW183277500%20BCX8%22%3E%26nbsp%3Band%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW183277500%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW183277500%20BCX8%22%3EBelarus%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW183277500%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW183277500%20BCX8%22%3E%3A%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW183277500%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247222429%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW65422398%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW51200506%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW226722517%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW247088623%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW159473491%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22EOP%20SCXW148699043%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW267172131%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%227E3B54C1-2AAB-4820-8AC9-1CB6A8442374.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261675iB760BEF1F229BFC3%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%227E3B54C1-2AAB-4820-8AC9-1CB6A8442374.png%22%20alt%3D%227E3B54C1-2AAB-4820-8AC9-1CB6A8442374.png%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22E52CC868-FF08-4E76-B9C5-57D7887FC459.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261677iF38F827A0EA2758D%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22E52CC868-FF08-4E76-B9C5-57D7887FC459.png%22%20alt%3D%22E52CC868-FF08-4E76-B9C5-57D7887FC459.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22TrackedChange%20SCXW114597466%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW114597466%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentStart%20SCXW114597466%20BCX8%22%3ENow%20that%20we%20understand%20what%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20ContextualSpellingAndGrammarErrorV2%20SCXW114597466%20BCX8%22%3Eis%20anomalous%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TrackChangeTextInsertion%20TrackedChange%20SCXW114597466%20BCX8%22%3E%3CSPAN%20class%3D%22TrackedChange%20SCXW114597466%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW114597466%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20ContextualSpellingAndGrammarErrorV2%20SCXW114597466%20BCX8%22%3Ebehavior%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TrackedChange%20SCXW114597466%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW114597466%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20ContextualSpellingAndGrammarErrorV2%20SCXW114597466%20BCX8%22%3Efor%20Megan%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TrackChangeTextInsertion%20TrackedChange%20SCXW114597466%20BCX8%22%3E%3CSPAN%20class%3D%22TrackedChange%20SCXW114597466%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW114597466%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW114597466%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E(bases%20on%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TrackChangeTextInsertion%20TrackedChange%20SCXW114597466%20BCX8%22%3E%3CSPAN%20class%3D%22TrackedChange%20SCXW114597466%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW114597466%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW114597466%20BCX8%22%3Ethe%20information%20above%20and%20her%20tracked%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TrackChangeTextInsertion%20TrackedChange%20SCXW114597466%20BCX8%22%3E%3CSPAN%20class%3D%22TrackedChange%20SCXW114597466%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW114597466%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW114597466%20BCX8%22%3E%22Locations%22%20in%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TrackChangeTextInsertion%20TrackedChange%20SCXW114597466%20BCX8%22%3E%3CSPAN%20class%3D%22TrackedChange%20SCXW114597466%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW114597466%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW114597466%20BCX8%22%3Eher%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TrackChangeTextInsertion%20TrackedChange%20SCXW114597466%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW114597466%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW114597466%20BCX8%22%3Euser%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TrackChangeTextInsertion%20TrackedChange%20SCXW114597466%20BCX8%22%3E%3CSPAN%20class%3D%22TrackedChange%20SCXW114597466%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW114597466%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW114597466%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eprofile)%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TrackedChange%20SCXW114597466%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW114597466%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW114597466%20BCX8%22%3E%2C%20let%E2%80%99s%20hunt!%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20TrackedChange%20SCXW114597466%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1530180002%22%20id%3D%22toc-hId-1530179294%22%20id%3D%22toc-hId-1530120669%22%3E%3CSPAN%20class%3D%22EOP%20TrackedChange%20SCXW114597466%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW71788708%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW71788708%20BCX8%22%20data-ccp-parastyle%3D%22heading%203%22%3EStep%203%3A%20review%20the%20suspicious%20activities%20to%20understand%20the%20scope%20of%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22NormalTextRun%20ContextualSpellingAndGrammarErrorV2%20SCXW71788708%20BCX8%22%20data-ccp-parastyle%3D%22heading%203%22%3Ebreach%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW71788708%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20class%3D%22TextRun%20SCXW143383638%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW143383638%20BCX8%22%3EOur%20investigation%20will%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW143383638%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW143383638%20BCX8%22%3Ego%20through%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW143383638%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW143383638%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Ein%20different%20phases%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW143383638%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW143383638%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E(list%20non-exhaustive)%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW143383638%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW143383638%20BCX8%22%3E.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW143383638%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CTABLE%20data-tablestyle%3D%22MsoTableGrid%22%20data-tablelook%3D%221184%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAction%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWhy%20%3F%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ESummarize%20all%20the%20performed%20actions%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Efrom%20th%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ee%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bsuspicious%20IP%2Flocation%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Efo%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Er%20that%26nbsp%3Baccount%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EUnderstand%20the%20risk%20ba%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Esed%20on%20performed%20activities%20(ex%3A%20reading%20an%20email%20%3D%20low%20risk%2C%20downloading%2Fsharing%20files%20%3D%20medium%20risk%2C%20creating%20inbox%20rule%2Fadmin%20activities%20%3D%20high%20risk)%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIf%20low%20risk%20activities%2C%20from%20mobile%20device%20for%20example%2C%20no%20further%20investigation%20might%20be%20required%20as%20this%20could%20be%20the%20user%20using%20a%20VPN%20client%20on%20her%20phone.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EProvide%20details%20on%20all%20a%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eccessed%20emails%20and%20their%20path%20in%20the%26nbsp%3Bmailbox%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EUnderstand%20if%20access%20was%20t%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eargeted%20to%20sensitive%20information%20(finance%2C%20secrets%2C%20%E2%80%A6).%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIf%20the%20information%20seems%20sensitive%20and%20the%20device%20type%20seems%20suspicious%2C%20further%20investigation%20required.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EAlso%20review%20the%20user%20agent%20to%20identify%20suspicious%20access.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIf%20emails%20were%20sent%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%2C%20review%20the%20recipients%20and%20message%20details.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIdentify%20potential%20phishing%20attempts%20or%20identify%20other%20compromised%20accounts.%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EWe%20will%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Balso%20use%20the%20user%20agent%20to%20identify%20potential%20tools%20using%20Graph%20API%20or%20SMTP.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EReview%20the%20accessed%26nbsp%3Bfiles%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EUnderstand%20if%20access%20was%20t%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eargeted%20to%20sensitive%20information%20(finance%2C%20secrets%2C%20%E2%80%A6).%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EReview%20the%20created%20inbox%26nbsp%3Brules%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EInbox%20rules%20can%20be%20used%20to%20exfiltrate%20data%20or%20hide%20conversations%20between%20the%20attacker%20and%20other%20recipients.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EReview%20other%20users%20using%20t%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ehis%20IP%26nbsp%3Baddress%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%220%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIdentify%20potential%20compromised%20users%20or%20identify%20new%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Epotential%20corporate%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIP%20address%20used%20by%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ea%20new%20office.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%2C%20Calibri_MSFontService%2C%20sans-serif%22%20data-listid%3D%222%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EObtain%20the%20user%E2%80%99s%20account%20object%20Id.%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3EThe%20Azure%20AD%20Account%20object%20ID%20is%20the%26nbsp%3B%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-contrast%3D%22auto%22%3Eunique%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-contrast%3D%22auto%22%3Eidentifier%20of%20a%20user%20account.%20Therefore%2C%20we%20will%20use%20this%20identifier%20for%20hunting%20scenarios%20as%20it%20is%20exposed%20in%20the%20different%20tables.%20You%20can%20get%20the%20user%E2%80%99s%20account%20object%20ID%20from%20the%20user%20entity%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-contrast%3D%22auto%22%3Epage%20(%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-contrast%3D%22auto%22%3Escreenshot%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-contrast%3D%22auto%22%3E%26nbsp%3Bbelow%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-contrast%3D%22auto%22%3E)%2C%20or%20by%20querying%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-contrast%3D%22auto%22%3E%26nbsp%3Bthe%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%20style%3D%22font-family%3A%20inherit%3B%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3EIdentityInfo%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%20data-contrast%3D%22auto%22%3Etable%3A%3CBR%20%2F%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22contact.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261725i46D61C42C5C3F388%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22contact.png%22%20alt%3D%22contact.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CP%3E%26nbsp%3B%3CSPAN%20class%3D%22TextRun%20SCXW243774692%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW243774692%20BCX8%22%3EQuerying%20the%20table%3A%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW243774692%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-yaml%22%3E%3CCODE%3EIdentityInfo%20%7C%20where%20AccountUpn%20%3D~%20'meganb%40seccxp.ninja'%20%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22query.png%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261728i716B1CC352753E44%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22query.png%22%20alt%3D%22query.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%2C%20Calibri_MSFontService%2C%20sans-serif%22%20data-listid%3D%222%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EReview%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eour%20user%E2%80%99s%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Esignings%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bto%20identify%20other%20potential%20suspicious%20locations%20or%20IP%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eaddresses.%3CBR%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3EUsing%20this%20query%2C%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eyou%20can%20get%20an%20overview%20of%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Ethe%20users%20signin%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eg%20activity%20and%20identify%20potential%20anomalies.%20Note%20that%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eif%20the%20user%20is%20using%20an%20AAD%20joined%20device%20and%20passing%20through%20a%20conditional%20access%20policy%2C%20the%20details%20of%20the%20managed%20device%20are%20exposed%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3A%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-yaml%22%3E%3CCODE%3Elet%E2%80%AFtimeToSearch%E2%80%AF%3D%E2%80%AFstartofday(datetime('2020-11-14'))%3B%20%0AAADSignInEventsBeta%E2%80%AF%20%0A%7C%E2%80%AFwhere%E2%80%AFAccountObjectId%E2%80%AF%3D%3D%E2%80%AF'eababd92-9dc7-40e3-9359-6c106522db19'%E2%80%AFand%E2%80%AFTimestamp%E2%80%AF%26gt%3B%3D%E2%80%AFtimeToSearch%E2%80%AF%20%0A%7C%20distinct%E2%80%AFApplication%2C%E2%80%AFResourceDisplayName%2C%E2%80%AFCountry%2C%E2%80%AFCity%2C%E2%80%AFIPAddress%2C%E2%80%AFDeviceName%2C%E2%80%AFDeviceTrustType%2C%E2%80%AFOSPlatform%2C%E2%80%AFIsManaged%2C%E2%80%AFIsCompliant%2C%E2%80%AFAuthenticationRequirement%2C%E2%80%AFRiskState%2C%E2%80%AFUserAgent%2C%E2%80%AFClientAppUsed%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22devices.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261931i6A1CAB3EFBEC3440%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%22devices.png%22%20alt%3D%22devices.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%2C%20Calibri_MSFontService%2C%20sans-serif%22%20data-listid%3D%222%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW65410550%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentStart%20SCXW65410550%20BCX8%22%3ESummarize%20all%20the%20performed%20actions%20from%20the%20suspicious%20IP%2Flocation%20for%20that%20account%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW65410550%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW65410550%20BCX8%22%3E.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW65410550%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW65410550%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW65410550%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW65410550%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW65410550%20BCX8%22%3EUsing%20this%20Advanced%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW65410550%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW65410550%20BCX8%22%3Eh%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW65410550%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW65410550%20BCX8%22%3Eunting%20query%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW65410550%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW65410550%20BCX8%22%3E%26nbsp%3Bscoped%20to%20the%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW65410550%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW65410550%20BCX8%22%3Ealerts%20date%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW65410550%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW65410550%20BCX8%22%3E%2C%20we%20can%20easily%20identify%20the%20performed%20actions%3A%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW65410550%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-yaml%22%3E%3CCODE%3Elet%20accountId%20%3D%20'eababd92-9dc7-40e3-9359-6c106522db19'%3B%20%0Alet%20locations%20%3D%20pack_array('RO'%2C%20'BY')%3B%20%0Alet%20timeToSearch%20%3D%20startofday(datetime('2020-11-14'))%3B%20%0ACloudAppEvents%20%0A%20%20%20%20%7C%20where%20AccountObjectId%20%3D%3D%20accountId%20and%20CountryCode%20in%20(locations)%20and%20Timestamp%20%26gt%3B%3D%20timeToSearch%20%20%0A%7C%20summarize%20by%20ActionType%2C%20CountryCode%2C%20AccountObjectId%20%20%0A%7C%20sort%20by%20ActionType%20asc%20%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22TextRun%20SCXW91936820%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW91936820%20BCX8%22%3EWe%20can%20see%20that%20the%20malicious%20actor%20accessed%20and%20deleted%20emails%2C%20opened%20files%2C%20created%20and%20deleted%20inbox%20rules.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW91936820%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW91936820%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW91936820%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW91936820%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW91936820%20BCX8%22%3EThat%E2%80%99s%20a%20great%20start!%20We%20know%20now%20what%20we%20are%20looking%20for.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW91936820%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%226E2142E0-5376-44F5-ACA5-2742AACFFEF5.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261754i4112D8464F658607%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%226E2142E0-5376-44F5-ACA5-2742AACFFEF5.png%22%20alt%3D%226E2142E0-5376-44F5-ACA5-2742AACFFEF5.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%2C%20Calibri_MSFontService%2C%20sans-serif%22%20data-listid%3D%222%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%3CSPAN%20style%3D%22font-family%3A%20inherit%3B%22%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW207540222%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW207540222%22%3EReview%20the%20accessed%20emails%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW207540222%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW207540222%22%3E.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20%20BCX8%20SCXW207540222%22%3E%3CSPAN%20class%3D%22BCX8%20SCXW207540222%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22BCX8%20SCXW207540222%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW207540222%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW207540222%22%3ETo%20understand%20what%20the%20actor%20was%20looking%20for%2C%20we%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW207540222%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW207540222%22%3Ecan%20use%20the%20following%20query.%20It%E2%80%99s%20using%20events%20available%20with%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CA%20class%3D%22Hyperlink%20%20BCX8%20SCXW207540222%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fadvanced-audit%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noreferrer%20noopener%22%3E%3CSPAN%20class%3D%22TextRun%20Underlined%20%20BCX8%20SCXW207540222%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW207540222%22%20data-ccp-charstyle%3D%22Hyperlink%22%3Eadvanced%20auditing%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW207540222%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW207540222%22%3E%26nbsp%3Band%20the%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW207540222%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SpellingErrorV2%20%20BCX8%20SCXW207540222%22%3EEmailEvents%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW207540222%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW207540222%22%3E%26nbsp%3Btable%20to%20enrich%20emails%20details%20(subject%2C%20sender%2C%20recipients%2C%20%E2%80%A6)%20when%20possible.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CPRE%20class%3D%22lia-code-sample%20language-yaml%22%3E%3CCODE%3Elet%20accountId%20%3D%20'eababd92-9dc7-40e3-9359-6c106522db19'%3B%20%0Alet%20locations%20%3D%20pack_array('RO'%2C%20'BY')%3B%20%0Alet%20timeToSearch%20%3D%20startofday(datetime('2020-11-14'))%3B%20%0ACloudAppEvents%20%0A%20%20%20%20%7C%20where%20ActionType%20%3D%3D%20'MailItemsAccessed'%20and%20CountryCode%20in%20(locations)%20and%20AccountObjectId%20%3D%3D%20accountId%20and%20Timestamp%20%26gt%3B%3D%20timeToSearch%20%0A%20%20%20%20%7C%20mv-expand%20todynamic(RawEventData.Folders)%20%20%0A%20%20%20%20%7C%20extend%20Path%20%3D%20todynamic(RawEventData_Folders.Path)%2C%20SessionId%20%3D%20tostring(RawEventData.SessionId)%20%0A%20%20%20%20%7C%20mv-expand%20todynamic(RawEventData_Folders.FolderItems)%20%0A%20%20%20%20%7C%20project%20SessionId%2C%20Timestamp%2C%20AccountObjectId%2C%20DeviceType%2C%20CountryCode%2C%20City%2C%20IPAddress%2C%20UserAgent%2C%20Path%2C%20Message%20%3D%20tostring(RawEventData_Folders_FolderItems.InternetMessageId)%20%0A%20%20%20%20%7C%20join%20kind%3Dleftouter%20(%20%0A%20%20%20%20%20%20%20%20EmailEvents%20%20%0A%20%20%20%20%20%20%20%20%7C%20where%20RecipientObjectId%20%3D%3D%20accountId%20%20%0A%20%20%20%20%20%20%20%20%7C%20project%20Subject%2C%20RecipientEmailAddress%20%2C%20SenderMailFromAddress%20%2C%20DeliveryLocation%20%2C%20ThreatTypes%2C%20AttachmentCount%20%2C%20UrlCount%20%2C%20InternetMessageId%20%20%0A%20%20%20%20%20%20%20%20)%20on%20%24left.Message%20%3D%3D%20%24right.InternetMessageId%20%20%0A%7C%20sort%20by%20Timestamp%20desc%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22TextRun%20%20BCX8%20SCXW104214897%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20%20BCX8%20SCXW104214897%22%3ENote%20the%20clients%20used%3A%20a%20browser%20and%20REST%2C%20indicating%20potential%20script%20accessing%20the%20emails%3A%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22766F6521-7063-4624-9C62-8748484FA4CB.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261755iCB55803B7C5623C1%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22766F6521-7063-4624-9C62-8748484FA4CB.png%22%20alt%3D%22766F6521-7063-4624-9C62-8748484FA4CB.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22emails.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261758iFCC6F410F47EE05A%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22emails.png%22%20alt%3D%22emails.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%2C%20Calibri_MSFontService%2C%20sans-serif%22%20data-listid%3D%222%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentStart%20SCXW202953813%20BCX8%22%3EReview%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW202953813%20BCX8%22%3Ethe%20accessed%20folders%20and%20files%3A%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CPRE%20class%3D%22lia-code-sample%20language-yaml%22%3E%3CCODE%3Elet%20accountId%20%3D%20'eababd92-9dc7-40e3-9359-6c106522db19'%3B%20%0Alet%20locations%20%3D%20pack_array('RO'%2C%20'BY')%3B%20%0Alet%20timeToSearch%20%3D%20startofday(datetime('2020-11-14'))%3B%20%0ACloudAppEvents%20%0A%20%20%20%20%7C%20where%20ActionType%20%3D%3D%20'FilePreviewed'%20and%20CountryCode%20in%20(locations)%20and%20AccountObjectId%20%3D%3D%20accountId%20and%20Timestamp%20%26gt%3B%3D%20timeToSearch%20%0A%20%20%20%20%7C%20project%20Timestamp%2C%20CountryCode%20%2C%20IPAddress%20%2C%20ISP%2C%20UserAgent%20%2C%20Application%2C%20ActivityObjects%2C%20AccountObjectId%20%0A%20%20%20%20%7C%20mv-expand%20ActivityObjects%20%0A%20%20%20%20%7C%20where%20ActivityObjects%5B'Type'%5D%20in%20('File'%2C%20'Folder')%20%20%0A%20%20%20%20%7C%20evaluate%20bag_unpack(ActivityObjects)%20%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%227F23CA13-92CF-4EF7-BE77-C848DEE982B3.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261765i95BD238CBBCC59C4%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%227F23CA13-92CF-4EF7-BE77-C848DEE982B3.png%22%20alt%3D%227F23CA13-92CF-4EF7-BE77-C848DEE982B3.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW202953813%20BCX8%22%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%2C%20Calibri_MSFontService%2C%20sans-serif%22%20data-listid%3D%222%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW202953813%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW147789973%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW147789973%20BCX8%22%3EReview%20the%20deleted%20emails.%20This%20might%20indicate%20that%20the%20actor%20tried%20to%20remove%20traces%20of%20discussions%20with%20other%20users%20or%20deletion%20of%20alerting%20emails%3A%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW147789973%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CPRE%20class%3D%22lia-code-sample%20language-yaml%22%3E%3CCODE%3Elet%20accountId%20%3D%20'eababd92-9dc7-40e3-9359-6c106522db19'%3B%20%0Alet%20locations%20%3D%20pack_array('RO'%2C%20'BY')%3B%20%0Alet%20timeToSearch%20%3D%20startofday(datetime('2020-11-14'))%3B%20%0ACloudAppEvents%20%0A%20%20%20%20%7C%20where%20ActionType%20in~%20('MoveToDeletedItems'%2C%20'SoftDelete')%20and%20CountryCode%20in%20(locations)%20and%20AccountObjectId%20%3D%3D%20accountId%20and%20Timestamp%20%26gt%3B%3D%20timeToSearch%20%0A%20%20%20%20%7C%20mv-expand%20ActivityObjects%20%0A%20%20%20%20%7C%20where%20ActivityObjects%5B'Type'%5D%20in%20('Email'%2C%20'Folder')%20%0A%20%20%20%20%7C%20evaluate%20bag_unpack(ActivityObjects)%20%0A%20%20%20%20%7C%20distinct%20Timestamp%2C%20AccountObjectId%2C%20ActionType%2C%20CountryCode%2C%20IPAddress%2C%20Type%2C%20Name%2C%20Id%20%0A%7C%20sort%20by%20Timestamp%20desc%20%3C%2FCODE%3E%3C%2FPRE%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW202953813%20BCX8%22%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%2C%20Calibri_MSFontService%2C%20sans-serif%22%20data-listid%3D%222%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW202953813%20BCX8%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW130092342%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW130092342%20BCX8%22%3EReview%20the%20created%2Fenabled%2Fmodified%20inbox%20rules%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW130092342%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW130092342%20BCX8%22%3E.%20You%20can%20see%20here%20that%20the%20rule%20if%20looking%20for%20specific%20keywords%2C%20like%20%E2%80%9C%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20class%3D%22TextRun%20SCXW130092342%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW130092342%20BCX8%22%3ECredit%20Card%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20class%3D%22TextRun%20SCXW130092342%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW130092342%20BCX8%22%3E%E2%80%9D%20or%20%E2%80%9C%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20class%3D%22TextRun%20SCXW130092342%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW130092342%20BCX8%22%3EPassword%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20class%3D%22TextRun%20SCXW130092342%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW130092342%20BCX8%22%3E%E2%80%9D%3A%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW130092342%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%26nbsp%3B%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CPRE%20class%3D%22lia-code-sample%20language-yaml%22%3E%3CCODE%3Elet%20accountId%20%3D%20'eababd92-9dc7-40e3-9359-6c106522db19'%3B%20%0Alet%20locations%20%3D%20pack_array('RO'%2C%20'BY')%3B%20%0Alet%20timeToSearch%20%3D%20startofday(datetime('2020-11-14'))%3B%20%0ACloudAppEvents%20%0A%20%20%20%20%7C%20where%20ActionType%20contains_cs%20'InboxRule'%20and%20CountryCode%20in%20(locations)%20%0A%20%20%20%20%7C%20extend%20RuleParameters%20%3D%20RawEventData.Parameters%20%0A%7C%20project%20Timestamp%2C%20CountryCode%20%2C%20IPAddress%20%2C%20ISP%2C%20ActionType%20%2C%20ObjectName%20%2C%20RuleParameters%20%20%0A%7C%20sort%20by%20Timestamp%20desc%20%3C%2FCODE%3E%3C%2FPRE%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW202953813%20BCX8%22%3E%3CSPAN%20class%3D%22EOP%20SCXW130092342%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22299DB357-91E0-419E-9029-63AE9B538722.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261766iCE1B51D723CDCE73%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22299DB357-91E0-419E-9029-63AE9B538722.png%22%20alt%3D%22299DB357-91E0-419E-9029-63AE9B538722.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW202953813%20BCX8%22%3E%3CSPAN%20class%3D%22EOP%20SCXW130092342%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%251.%22%20data-font%3D%22Calibri%2C%20Calibri_MSFontService%2C%20sans-serif%22%20data-listid%3D%222%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW202953813%20BCX8%22%3E%3CSPAN%20class%3D%22EOP%20SCXW130092342%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW184123750%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW184123750%20BCX8%22%3ENow%20is%20time%20for%20our%20latest%20query%20that%20will%20identify%20scope%20of%20the%20breach.%20We%20hunted%20to%20get%20more%20information%20on%20Megan%2C%20our%20impacted%20user%20we%20got%20alerted%20from%20the%20incident.%20But%20there%20might%20be%20additional%20compromised%20users%2C%20we%E2%80%99ll%20use%20the%20IP%20addresses%20from%20the%20initial%20breach%20and%20search%20for%20other%20users%20having%20activities%20from%20those%20IP%20addresses%3A%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CPRE%20class%3D%22lia-code-sample%20language-yaml%22%3E%3CCODE%3Elet%20accountId%20%3D%20'eababd92-9dc7-40e3-9359-6c106522db19'%3B%20%0Alet%20locations%20%3D%20pack_array('RO'%2C%20'BY')%3B%20%0Alet%20timeToSearch%20%3D%20startofday(datetime('2020-11-14'))%3B%20%0Alet%20ips%20%3D%20(CloudAppEvents%20%0A%20%20%20%20%20%20%20%20%7C%20where%20CountryCode%20in%20(locations%20)%20%20%0A%20%20%20%20%20%20%20%20%7C%20distinct%20IPAddress%20%2C%20AccountObjectId%20%20%0A)%3B%20%0Aips%20%20%0A%7C%20join%20(CloudAppEvents%20%7C%20project%20ActivityIP%20%3D%20IPAddress%2C%20UserId%20%3D%20AccountObjectId%20)%20on%20%24left.IPAddress%20%3D%3D%20%24right.ActivityIP%20%20%0A%7C%20distinct%20UserId%20%20%0A%7C%20join%20IdentityInfo%20on%20%24left.UserId%20%3D%3D%20%24right.AccountObjectId%20%0A%7C%20distinct%20AccountDisplayName%20%2C%20AccountUpn%20%2C%20Department%20%2C%20Country%20%2C%20City%2C%20AccountObjectId%20%20%0A%0A%20%20%3C%2FCODE%3E%3C%2FPRE%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW202953813%20BCX8%22%3E%3CSPAN%20class%3D%22EOP%20SCXW130092342%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22B318F20C-D2E2-4555-8278-3C26F1B68A8E.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261769i9CA719F00EE2AE96%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22B318F20C-D2E2-4555-8278-3C26F1B68A8E.png%22%20alt%3D%22B318F20C-D2E2-4555-8278-3C26F1B68A8E.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH3%20id%3D%22toc-hId--277274461%22%20id%3D%22toc-hId--277275169%22%20id%3D%22toc-hId--277333794%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW202953813%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW202953813%20BCX8%22%3E%3CSPAN%20class%3D%22EOP%20SCXW130092342%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A285%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW244648245%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW244648245%20BCX8%22%20data-ccp-parastyle%3D%22heading%203%22%3EStep%204%3A%20time%20to%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW244648245%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW244648245%20BCX8%22%20data-ccp-parastyle%3D%22heading%203%22%3Eremediate%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW244648245%20BCX8%22%20data-contrast%3D%22none%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW244648245%20BCX8%22%20data-ccp-parastyle%3D%22heading%203%22%3E!%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW244648245%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FH3%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3ENow%20that%20we%20have%20confirmed%20that%20Megan%E2%80%99s%20account%20had%20been%20compromised%20and%20we%20confirmed%20she%20was%20the%20only%20impacted%20user%2C%20it%E2%80%99s%20time%20to%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Etake%20action%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22auto%22%3EThe%20required%20actions%20will%20of%20course%20depend%20o%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3En%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Byour%20specific%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eprocedures%2C%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bbut%20a%20good%20start%20is%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Econfirming%20the%20user%20as%20compromised%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eby%20clicking%20on%20%E2%80%9CTake%20act%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eions%E2%80%9D%20or%20by%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Egoing%20back%20to%20the%20user%20page%20and%20apply%20actions%20like%20suspending%20the%20user%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Bor%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3E%26nbsp%3Brequesting%20the%20user%20to%20sign-in%20again.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22take%20actions.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261773i593F11F8F531011A%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22take%20actions.png%22%20alt%3D%22take%20actions.png%22%20%2F%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22confirm%20compromised.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261789iD8F09A6747B8A31B%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22confirm%20compromised.png%22%20alt%3D%22confirm%20compromised.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%3CSPAN%20class%3D%22TextRun%20SCXW207138028%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207138028%20BCX8%22%3EIf%20you%20are%20syncing%20your%20accounts%20from%20Active%20Directory%2C%20you%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW207138028%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207138028%20BCX8%22%3E%26nbsp%3Bmust%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW207138028%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207138028%20BCX8%22%3Eperform%20the%20remediation%20steps%20on-premises.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW207138028%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW207138028%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW207138028%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW207138028%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20CommentStart%20SCXW207138028%20BCX8%22%3EAlso%2C%20note%20that%20integrating%20non-Microsoft%20apps%20to%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW207138028%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207138028%20BCX8%22%3EMicrosoft%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW207138028%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW207138028%20BCX8%22%3ECloud%20App%20Security%20allows%20you%20to%20apply%20remediation%20to%20those%20apps%20too.%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22EOP%20SCXW207138028%20BCX8%22%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22124A9DE9-97CD-44A9-B758-F06C7E179562.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261786iD1493CB8DF72B2AA%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22124A9DE9-97CD-44A9-B758-F06C7E179562.png%22%20alt%3D%22124A9DE9-97CD-44A9-B758-F06C7E179562.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EA%20huge%20Thanks%20to%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F104809%22%20target%3D%22_blank%22%3E%40Tali%20Ash%3C%2FA%3E%26nbsp%3Bfor%20the%20review!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EFor%20more%20information%20about%20the%20features%20discussed%20in%20this%20article%2C%20read%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%C2%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%223%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fadvanced-hunting-overview%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAdvanced%20hunting%20overview%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%C2%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%223%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Fadvanced-hunting-best-practices%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EAdvanced%20hunting%20best%20practices%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%C2%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%223%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%223%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Finvestigate-anomaly-alerts%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ECloud%20App%20Security%20anomaly%20detection%20alerts%20investigation%20guide%26nbsp%3B%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%C2%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%223%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%224%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fsecurity%2Fmtp%2Finvestigate-incidents%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EInvestigate%20incidents%20in%20Microsoft%20365%20Defender%26nbsp%3B%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%20aria-level%3D%223%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ELearn%26nbsp%3Bmore%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559738%26quot%3B%3A40%2C%26quot%3B335559739%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EFor%20further%20information%20on%20how%20your%20organization%20can%20benefit%20from%20Microsoft%20Cloud%20App%20Security%2C%20connect%20with%20us%20at%20the%20links%20below%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CTABLE%20data-tablestyle%3D%22MsoTableGrid%22%20data-tablelook%3D%221184%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%20data-celllook%3D%224369%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EJoin%20the%20conversation%20on%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-cloud-app-security%2Fbd-p%2FMicrosoftCloudAppSecurity%22%20target%3D%22_blank%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ETech%20Community%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EStay%20up%20to%20date%E2%80%94subscribe%20to%26nbsp%3Bour%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fmicrosoft.sharepoint.com%2Fteams%2FSecurityBlogTeam%2FShared%2520Documents%2FGeneral%2FNeed%2520to%2520review%2Faka.ms%2Fmcasblog%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Eblog%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%E2%80%AF%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%224369%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EUpload%20a%20log%20file%20from%20your%20network%20firewall%20or%20enable%20logging%20via%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fnam11.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fcloud-app-security%252Fwdatp-integration%26amp%3Bdata%3D04%257C01%257Ctconnolly%2540bridge.partners%257Cc8a60aa2376c4e8d739908d8b65ee5c3%257C93872b6253c2442f81f442f369142f76%257C0%257C0%257C637459866029392922%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3DTWaYUts36kog8GmRQZUI8ctEc2gUTpdKsLr1SV1YQoY%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EMicrosoft%20Defender%20for%20Endpoint%E2%80%AF%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3Eto%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fnam11.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fcloud-app-security%252Fset-up-cloud-discovery%26amp%3Bdata%3D04%257C01%257Ctconnolly%2540bridge.partners%257Cc8a60aa2376c4e8d739908d8b65ee5c3%257C93872b6253c2442f81f442f369142f76%257C0%257C0%257C637459866029392922%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3Dz49U5O1byXhbTFrlIvd7D5gKdUDC9tSAfhQeqUw%252FVYQ%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ediscover%20Shadow%20IT%E2%80%AF%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3Ein%20your%20network.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20data-celllook%3D%224369%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EL%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22auto%22%3Eearn%20more%E2%80%94download%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fquery.prod.cms.rt.microsoft.com%2Fcms%2Fapi%2Fam%2Fbinary%2FRE3nibJ%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ETop%2020%20use%20cases%20for%20CASB%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%224369%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fnam11.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fcloud-app-security%252Fenable-instant-visibility-protection-and-governance-actions-for-your-apps%26amp%3Bdata%3D04%257C01%257Ctconnolly%2540bridge.partners%257Cc8a60aa2376c4e8d739908d8b65ee5c3%257C93872b6253c2442f81f442f369142f76%257C0%257C0%257C637459866029402923%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3D15VqoYljYhpBAjOd4OasdfZBUQhH7onA4XNDOhk96Fw%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EConnect%20your%20cloud%20apps%E2%80%AF%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3Eto%20detect%20suspicious%20user%20activity%20and%20exposed%20sensitive%20data.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20data-celllook%3D%224369%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3ESearch%20documentation%20on%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fwhat-is-cloud-app-security%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EMicrosoft%20Cloud%20App%20Security%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%224369%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EEnable%20out-of-the-box%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fnam11.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fcloud-app-security%252Fanomaly-detection-policy%26amp%3Bdata%3D04%257C01%257Ctconnolly%2540bridge.partners%257Cc8a60aa2376c4e8d739908d8b65ee5c3%257C93872b6253c2442f81f442f369142f76%257C0%257C0%257C637459866029402923%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3D3D4MdeEGKR%252F8nAqZbAhani46Bg3j32PudkIkeKLecu4%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Eanomaly%20detection%20policies%E2%80%AF%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3Eand%20start%20detecting%20cloud%20threats%20in%20your%20environment.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20data-celllook%3D%224369%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EUnderstand%20your%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fquery.prod.cms.rt.microsoft.com%2Fcms%2Fapi%2Fam%2Fbinary%2FRE2NXYO%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Elicensing%20options%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%20.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3CTD%20data-celllook%3D%224369%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EContinue%20with%20more%20advanced%20use%20cases%20across%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fnam11.safelinks.protection.outlook.com%2F%3Furl%3Dhttps%253A%252F%252Fdocs.microsoft.com%252Fen-us%252Fcloud-app-security%252Fsession-policy-aad%26amp%3Bdata%3D04%257C01%257Ctconnolly%2540bridge.partners%257Cc8a60aa2376c4e8d739908d8b65ee5c3%257C93872b6253c2442f81f442f369142f76%257C0%257C0%257C637459866029412910%257CUnknown%257CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%253D%257C1000%26amp%3Bsdata%3D9bxtVv4GCAJ6b7jHgvVO8UdtTQF%252FyX4lyXpkU432Y78%253D%26amp%3Breserved%3D0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Einformation%20protection%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%2C%20compliance%2C%20and%20more.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3CTR%3E%0A%3CTD%20colspan%3D%222%22%20data-celllook%3D%224369%22%3E%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EFollow%20the%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-security-and%2Fwelcome-to-the-mcas-ninja-blog-series%2Fba-p%2F1775379%22%20target%3D%22_blank%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EMicrosoft%20Cloud%20App%20Security%20Ninja%20blog%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Band%20learn%20about%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-security-and%2Fthe-microsoft-cloud-app-security-mcas-ninja-training-is-here%2Fba-p%2F1877343%22%20target%3D%22_blank%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ENinja%20Training%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EGo%20deeper%20these%20interactive%20guides%3A%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%224%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%221%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fmslearn.cloudguides.com%2Fen-us%2Fguides%2FDiscover%2C%2520protect%2C%2520and%2520control%2520your%2520apps%2520with%2520Microsoft%2520Cloud%2520App%2520Security%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EDiscover%2C%20protect%2C%20and%20control%20your%20apps%20with%20Microsoft%20Cloud%20App%20Security%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A120%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%20data-leveltext%3D%22%EF%82%B7%22%20data-font%3D%22Symbol%22%20data-listid%3D%224%22%20aria-setsize%3D%22-1%22%20data-aria-posinset%3D%222%22%20data-aria-level%3D%221%22%3E%3CA%20href%3D%22https%3A%2F%2Fmslearn.cloudguides.com%2Fen-us%2Fguides%2FDetect%2520threats%2520and%2520manage%2520alerts%2520with%2520Microsoft%2520Cloud%2520App%2520Security%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EDetect%20threats%20and%20manage%20alerts%20with%20Microsoft%20Cloud%20App%20Security%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A120%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3ETo%20experience%20the%20benefits%20of%20full-featured%20CASB%2C%20sign%20up%20for%20a%26nbsp%3B%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fenterprise-mobility-security%2Fcloud-app-security%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3Efree%20trial%E2%80%94%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3EMicrosoft%20Cloud%20App%20Security%3C%2FSPAN%3E%3C%2FSTRONG%3E%3C%2FA%3E%3CSTRONG%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3EFollow%20us%20on%20LinkedIn%20as%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.linkedin.com%2Ffeed%2Fupdate%2Furn%3Ali%3Aactivity%3A6757823818808594432%2F%3FupdateEntityUrn%3Durn%253Ali%253Afs_feedUpdate%253A%2528V2%252Curn%253Ali%253Aactivity%253A6757823818808594432%2529%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E%23CloudAppSecurity%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E.%20To%20learn%20more%20about%20Microsoft%20Security%20solutions%20visit%26nbsp%3Bour%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fen-us%2Fsecurity%2Fbusiness%2Fsolutions%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Ewebsite.%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%E2%80%AFBookmark%20the%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fsecurity%2Fblog%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3ESecurity%20blog%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%E2%80%AFto%20keep%20up%20with%20our%20expert%20coverage%20on%20security%20matters.%20Also%2C%20follow%20us%20at%E2%80%AF%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Ftwitter.com%2F%40MSFTSecurity%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E%40MSFTSecurity%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bon%20Twitter%2C%20and%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fwww.linkedin.com%2Fshowcase%2Fmicrosoft-security%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3E%3CSPAN%20data-contrast%3D%22none%22%3EMicrosoft%20Security%3C%2FSPAN%3E%3C%2FA%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3Bon%20LinkedIn%20for%20the%20latest%20news%20and%20updates%20on%20cybersecurity.%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2193484%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22home.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F261929i1E35C3B79B9B7AFD%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22home.png%22%20alt%3D%22home.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3EWelcome%20to%20our%20first%20post%20in%20the%20%E2%80%9C%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSTRONG%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3EMicrosoft%20Cloud%20App%20Security%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E%3A%20The%20Hunt%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSTRONG%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E%E2%80%9D%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3Eblog%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3Eseries!%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22LineBreakBlob%20BlobObject%20DragDrop%20SCXW225966553%20BCX8%22%3E%3CSPAN%20class%3D%22SCXW225966553%20BCX8%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CBR%20class%3D%22SCXW225966553%20BCX8%22%20%2F%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3EUsing%20M%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3Eicrosoft%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E365%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3ED%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3Eefender%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E%2C%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3Eour%20integrated%20solution%2C%20we%20will%20address%20common%20alerts%20customers%20receive%20in%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3EMicrosoft%20Cloud%20App%20Security%20(%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3Ecalled%20%E2%80%9C%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3EMCAS%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E%E2%80%9D%20by%20users%20and%20enthusiasts%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E)%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eto%20determine%20the%20full%20scope%20and%20impact%20of%20a%20threat.%20We%20will%20show%20case%20how%20M%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3Eicrosoft%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22TextRun%20SCXW225966553%20BCX8%22%20data-contrast%3D%22auto%22%3E%3CSPAN%20class%3D%22NormalTextRun%20SCXW225966553%20BCX8%22%3E365%20Defender%20assists%20security%20engineers%20by%20providing%20critical%20details%20such%20as%20how%20the%20threat%20entered%20the%20environment%2C%20what%20it%20has%20affected%20and%20how%20it%20is%20currently%20impacting%20the%20enterprise.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2196662%22%20slang%3D%22en-US%22%3ERe%3A%20Microsoft%20Cloud%20App%20Security%3A%20The%20Hunt%20in%20a%20multi-stage%20incident%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2196662%22%20slang%3D%22en-US%22%3E%3CP%3EHello%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F143984%22%20target%3D%22_blank%22%3E%40Sebastien%20Molendijk%3C%2FA%3E%26nbsp%3B%20in%20a%20word%20excellent.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Version history
Last update:
‎Mar 09 2021 01:11 AM
Updated by: