Investigating CloudAppEvents: The User Passed MFA. The Attacker Still Got In.
The sign-in looked legitimate.
The user passed MFA.
No malware was detected. No suspicious PowerShell executed. No endpoint alert triggered.
Yet within minutes, mailbox access changed, files were downloaded and an OAuth application appeared inside the tenant.
The evidence was not hiding in endpoint telemetry.
It was hiding inside CloudAppEvents.
Lesson overview
Learn how CloudAppEvents helps defenders investigate what happened after access was granted inside Microsoft 365 and connected cloud applications.
Why CloudAppEvents matters
Investigation scenario
Step 1 — Review recent cloud activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
CloudAppEvents | where Timestamp > ago(7d) | project Timestamp, AccountDisplayName, AccountId, Application, ActionType, IPAddress, CountryCode, UserAgent | order by Timestamp desc
Step 2 — Investigate one user
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
let User = "user@company.com"; CloudAppEvents | where AccountDisplayName == User or AccountId == User | project Timestamp, Application, ActionType, IPAddress, CountryCode, ObjectName, ObjectType, UserAgent | order by Timestamp asc
Step 3 — Hunt OAuth consent activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
CloudAppEvents | where Timestamp > ago(30d) | where ActionType has_any ("Consent", "Grant consent", "Add service principal", "Add app role assignment") | project Timestamp, AccountDisplayName, Application, ActionType, IPAddress, ObjectName, ObjectType, RawEventData | order by Timestamp desc
Step 4 — Investigate SharePoint activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
CloudAppEvents | where Timestamp > ago(14d) | where Application contains "SharePoint" | project Timestamp, AccountDisplayName, ActionType, IPAddress, CountryCode, ObjectName, ObjectType, UserAgent | order by Timestamp desc
Step 5 — Investigate OneDrive activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
CloudAppEvents | where Timestamp > ago(14d) | where Application contains "OneDrive" | project Timestamp, AccountDisplayName, ActionType, IPAddress, CountryCode, ObjectName, ObjectType, UserAgent | order by Timestamp desc
Step 6 — Build the cloud attack timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
let User = "user@company.com"; CloudAppEvents | where Timestamp between (ago(24h) .. now()) | where AccountDisplayName == User or AccountId == User | project Timestamp, Application, ActionType, IPAddress, ObjectName, ObjectType, CountryCode | order by Timestamp asc
