Querying MailItemsAccessed with Sentinel

This is a quick one today, but wanted to get the information out there.

When investigating compromised user accounts, it is important to understand what items were accessed by the attacker. This capability can also be useful when a phishing email comes in and you need to identify whether the user accessed the email or not.

Luckily, thanks to some new changes to the unified audit log for M365 E5, G5, and A5 customers, we now have greater ability to audit compromised accounts. Here is the information on auditing activity, but it is based around using Powershell.

If you are auditing and are able to query these events (this blog isn't about enabling this auditing), then that information is stored in the O365 audit log.

To get this data into Sentinel, set up the O365 connector. This is very easy, assuming you have the correct permissions in your tenant.

Once the O365 connector is set up, you are able to query the OfficeActivity table. To query a sampling of MailItemsAccessed run this query:

OfficeActivity
| where OfficeWorkload == "Exchange"
| where Operation == "MailItemsAccessed"
| take 10

This shows a sampling of Exchange events with the MailItemsAccessed.

There is a lot more of this we can get into but I'm going to leave this here for now.

Thanks for reading, I'll update this post as I have time to develop these capabilities more.