diff --git a/log-analytics/office-activity-by-ip.md b/log-analytics/office-activity-by-ip.md
new file mode 100644
index 0000000..a041bf5
--- /dev/null
+++ b/log-analytics/office-activity-by-ip.md
@@ -0,0 +1,24 @@
+# Office 365 activity by ip
+#### #office365 #unified-audit-log #audit
+
+Return activity from the Office365 unified audit log by one or more ip addresses.
+
+```OQL
+OfficeActivity
+| where TimeGenerated >= ago(256d)
+| extend dtUTC = format_datetime(TimeGenerated,'yyyy-MM-dd HH:mm')
+| extend dtAU = format_datetime(TimeGenerated +11h,'yyyy-MM-dd HH:mm')
+| extend UserAgent = parse_json(ExtendedProperties)[0].Value
+| extend Cip = strcat(ClientIP,Client_IPAddress)
+| where Cip in ('0.0.0.0','0.0.0.1')
+| extend UAgent = strcat(UserAgent, ClientInfoString)
+| extend CreateItemSubject = parse_json(Item).Subject
+| extend CreateItemPath = parse_json(Item).ParentFolder.Path
+| extend InternetMessageID = parse_json(Item).InternetMessageId
+| extend DeleteItemSubject = parse_json(AffectedItems)[0].Subject
+| extend DeleteItemPath = parse_json(AffectedItems)[0].ParentFolder.Path
+| extend DestinationFolderPath = parse_json(DestFolder).Path
+| extend MTDMessageID = parse_json(AffectedItems)[0].InternetMessageId
+| project TimeGenerated,dtUTC,dtAU,UserId,Operation,ResultStatus,Cip,UAgent,CreateItemSubject,CreateItemPath,InternetMessageID,DeleteItemSubject,DeleteItemPath,MTDMessageID,DestinationFolderPath,OfficeObjectId
+| sort by dtUTC desc
+```
\ No newline at end of file
diff --git a/log-analytics/office-activity-by-username.md b/log-analytics/office-activity-by-username.md
new file mode 100644
index 0000000..8f2ff95
--- /dev/null
+++ b/log-analytics/office-activity-by-username.md
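Review bot: The filter `| where Cip in ('0.0.0.0','0.0.0.1')` is an exact match against `strcat(ClientIP,Client_IPAddress)`, so any event where both columns are populated, or where the stored value carries a port suffix or IPv6 brackets, fails the comparison and the address's activity is silently missing from the result rather than flagged. Building the pivot column with `| extend Cip = coalesce(ClientIP, Client_IPAddress)` avoids the concatenation problem, and if values in this workspace turn out to include a `:port` suffix they should be normalised before the exact compare. The sentinel addresses are not marked as placeholders; `| where Cip in ('0.0.0.0','0.0.0.1') // replace with the addresses under investigation` makes that explicit. The `dtAU` column also hard-codes `+11h`, which is a daylight-time offset and will be an hour off for part of the year; the same construction appears in `office-activity-by-username.md`, `recent-security-alerts.md` and `signins-by-ip.md` in this commit.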
@@ -0,0 +1,24 @@
+# Office 365 activity by username
+#### #office365 #unified-audit-log #audit
+
+Return activity from the Office365 unified audit log by username.
+
+```OQL
+OfficeActivity
+| where UserId == ""
+| where TimeGenerated >= ago(256d)
+| extend dtUTC = format_datetime(TimeGenerated,'yyyy-MM-dd HH:mm')
+| extend dtAU = format_datetime(TimeGenerated +11h,'yyyy-MM-dd HH:mm')
+| extend UserAgent = parse_json(ExtendedProperties)[0].Value
+| extend Cip = strcat(ClientIP,Client_IPAddress)
+| extend UAgent = strcat(UserAgent, ClientInfoString)
+| extend CreateItemSubject = parse_json(Item).Subject
+| extend CreateItemPath = parse_json(Item).ParentFolder.Path
+| extend InternetMessageID = parse_json(Item).InternetMessageId
+| extend DeleteItemSubject = parse_json(AffectedItems)[0].Subject
+| extend DeleteItemPath = parse_json(AffectedItems)[0].ParentFolder.Path
+| extend DestinationFolderPath = parse_json(DestFolder).Path
+| extend MTDMessageID = parse_json(AffectedItems)[0].InternetMessageId
+| project TimeGenerated,dtUTC,dtAU,UserId,Operation,ResultStatus,Cip,UAgent,CreateItemSubject,CreateItemPath,InternetMessageID,DeleteItemSubject,DeleteItemPath,MTDMessageID,DestinationFolderPath,OfficeObjectId
+| sort by dtUTC desc
+```
\ No newline at end of file
diff --git a/log-analytics/recent-security-alerts.md b/log-analytics/recent-security-alerts.md
new file mode 100644
index 0000000..cefe1a5
--- /dev/null
+++ b/log-analytics/recent-security-alerts.md
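Review bot: `| where UserId == ""` on the second pipeline line is a placeholder that, as committed, returns only rows whose UserId is the empty string, and nothing marks it as a value the analyst must supply; `signins-by-username.md` in the same commit at least carries a `// provide userprincipal name` comment, so `| where UserId == "" // provide the UPN to search` keeps the two files consistent. Independently, `==` is case-sensitive in KQL and UserId values in the unified audit log are not guaranteed to be cased uniformly across workloads, so `| where UserId =~ "" // provide the UPN to search` avoids silently dropping part of the user's activity; the same applies to `UserPrincipalName == ""` in `signins-by-username.md`. Sorting on `dtUTC`, a minute-resolution string, loses sub-minute ordering that `| sort by TimeGenerated desc` would keep.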
@@ -0,0 +1,14 @@
+# Recent security alerts
+#### #security #alert $user #location
+
+Return triggered security alerts in the last 24 hours.
+
+```OQL
+SecurityAlert
+| extend dtUTC = format_datetime(TimeGenerated,'yyyy-MM-dd HH:mm')
+| extend dtAU = format_datetime(TimeGenerated +11h,'yyyy-MM-dd HH:mm')
+| extend IP = parse_json(ExtendedProperties)['Client IP Address']
+| extend Username = parse_json(ExtendedProperties)['User Name']
+| extend Location = parse_json(ExtendedProperties)['Client Location']
+| project TimeGenerated, dtUTC, dtAU, AlertType, AlertName, AlertSeverity , Description , Username , IP , Location
+```
\ No newline at end of file
diff --git a/log-analytics/signins-by-ip.md b/log-analytics/signins-by-ip.md
new file mode 100644
index 0000000..3e65976
--- /dev/null
+++ b/log-analytics/signins-by-ip.md
@@ -0,0 +1,16 @@
+# Signins by ip
+#### #signinlogs #ip
+
+Return signin activity by one or more ip address from the Azure SigninLogs table/log.
+
+```OQL
+SigninLogs
+| where TimeGenerated >= ago(256d)
+| where IPAddress in ('0.0.0.0','0.0.0.1')
+| extend dtUTC = format_datetime(TimeGenerated,'yyyy-MM-dd hh:mm')
+| extend dtAU = format_datetime(TimeGenerated +11h,'yyyy-MM-dd hh:mm')
+| extend City = parse_json(LocationDetails).city
+| project TimeGenerated , dtUTC , dtAU , UserPrincipalName , Type, Status, IPAddress , Location , City , ResultType , ResultDescription, ClientAppUsed , DeviceDetail , AppDisplayName
+| sort by TimeGenerated desc
+//| summarize by IPAddress
+```
\ No newline at end of file
diff --git a/log-analytics/signins-by-username.md b/log-analytics/signins-by-username.md
new file mode 100644
index 0000000..a3bf8d8
--- /dev/null
+++ b/log-analytics/signins-by-username.md
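Review bot: The description promises alerts "in the last 24 hours", but the `SecurityAlert` pipeline has no time predicate at all, so the window is whatever range the caller's portal or API request happens to apply; add `| where TimeGenerated >= ago(24h)` directly after `SecurityAlert` so the file does what it says. The tag line `#### #security #alert $user #location` reads like a typo for `#user`. The `ExtendedProperties` keys `'Client IP Address'`, `'User Name'` and `'Client Location'` are set by the alert provider, so for alert types that do not populate them the `IP`, `Username` and `Location` columns will be empty rather than raising an error — a one-line comment stating which providers the query was checked against would save the next analyst that discovery.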
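Review bot: Both `format_datetime` calls in `signins-by-ip.md` use `'yyyy-MM-dd hh:mm'`; lowercase `hh` is the 12-hour clock in KQL, so 13:05 and 01:05 both render as `01:05` with no AM/PM marker in `dtUTC` and `dtAU`, which is a real hazard when those columns are pasted into an incident timeline. The two Office queries in this commit use `HH`, which is what is wanted here too: `| extend dtUTC = format_datetime(TimeGenerated,'yyyy-MM-dd HH:mm')` and `| extend dtAU = format_datetime(TimeGenerated +11h,'yyyy-MM-dd HH:mm')`; the same `hh` specifier appears in `signins-by-username.md`. The trailing `//| summarize by IPAddress` is left commented out with no explanation; either remove it or say when it is meant to replace the `project`. As in the Office files, the `in ('0.0.0.0','0.0.0.1')` sentinels would benefit from a `// replace with the addresses under investigation` comment.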
@@ -0,0 +1,15 @@
+# Signins by username
+#### #signinlogs #username
+
+Return signin activity by username from the Azure SigninLogs table/log.
+
+```OQL
+SigninLogs
+| where TimeGenerated >= ago(256d)
+| where UserPrincipalName == "" // provide userprincipal name
+| extend dtUTC = format_datetime(TimeGenerated,'yyyy-MM-dd hh:mm')
+| extend dtAU = format_datetime(TimeGenerated +10h,'yyyy-MM-dd hh:mm')
+| extend City = parse_json(LocationDetails).city
+| project TimeGenerated , dtUTC , dtAU , UserPrincipalName , Type, Status, IPAddress , Location , City , ResultType , ResultDescription, ClientAppUsed , DeviceDetail , AppDisplayName
+| sort by TimeGenerated desc
+```
\ No newline at end of file
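Review bot: `dtAU` here is built from `TimeGenerated +10h` while the other four files in this commit use `+11h`, so pivoting from a sign-in time in this file to the matching Office activity gives two values one hour apart under the same column name, with nothing in the output to show which is right. Pick a single offset for the whole collection, or better a zone-aware conversion such as `| extend dtAU = format_datetime(datetime_utc_to_local(TimeGenerated, 'Australia/Sydney'),'yyyy-MM-dd HH:mm')` if the workspace supports it, which also removes the daylight-time error inherent in any fixed offset. The `UserPrincipalName == ""` case-sensitivity and the `hh` 12-hour format specifier are covered in the notes on `office-activity-by-username.md` and `signins-by-ip.md` and apply to this file as well.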