## Core MSTICPy initialization for Notebooks

In [2]:
# Bootstrap MSTICPy for this notebook. globals() is handed to init_notebook so it
# can add names to the notebook's own namespace.
# NOTE(review): QueryProvider, WorkspaceConfig, nbwidgets and pd are used in this
# notebook without an explicit import - presumably init_notebook injects them; confirm.
from msticpy.nbtools import nbinit
nbinit.init_notebook(namespace=globals())
# Query provider for the "AzureSentinel" data environment. It is only created here;
# the connection is made by a later connect() call.
qry_prov = QueryProvider("AzureSentinel")

Please wait. Loading Kqlmagic extension...


<IPython.core.display.Javascript object>

<IPython.core.display.Javascript object>

In [3]:
# Connect the provider to the workspace described by WorkspaceConfig().
# NOTE(review): WorkspaceConfig() takes no arguments here, so the workspace and
# tenant identifiers presumably come from local MSTICPy configuration rather than
# from this notebook - confirm, and keep them out of the notebook itself.
qry_prov.connect(WorkspaceConfig())
# Table names reported by the connected workspace; they populate the table picker.
tables = qry_prov.schema_tables

<IPython.core.display.Javascript object>

<IPython.core.display.Javascript object>

## Choose A Table To Analyze

In [4]:
import ipywidgets as widgets
from IPython.display import display

# Offer every table in the workspace schema, alphabetically, with the first one
# pre-selected. The picker only allows names that came from the schema, which
# matters because the chosen value is later placed directly into query text.
print('\nPlease select a table to analyze.\n')
table_names = sorted(tables)
tableDropdown = widgets.Dropdown(
    description='Table:',
    options=table_names,
    value=table_names[0],
)
display(tableDropdown)


Please select a table to analyze.



Dropdown(description='Table:', options=('AACAudit', 'AACHttpRequest', 'AADDomainServicesAccountLogon', 'AADDom…

## Choose Feature(s) and a Timeframe to Analyze

In [8]:
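# Fetch a single row only to discover which columns the chosen table has.
# The table name is interpolated into the query text; it comes from the dropdown,
# whose options are the workspace's own schema tables, not free-form input.
df = qry_prov.exec_query(f'{tableDropdown.value} | take 1')
timestamp_col = 'TimeGenerated'

# selected_features and timeFrame are only created in the else branch, so the
# cells that follow need a non-empty table to have been selected here.
if df.empty:
    print("Table is empty, please select another table.")
else:
    print ("\nWhat kind of features/columns would you like to see be analyzed?\n")
    # Candidate features are all columns except the time axis and the 'Type' column.
    options = sorted(list(df))
    options.remove(timestamp_col)
    try:
        options.remove('Type')
    except ValueError:
        # list.remove raises ValueError (not TypeError) when the item is missing,
        # so this is the exception that has to be caught for the message to print.
        print('Type does not exist')
    selected_features = nbwidgets.SelectSubset(source_items=options)
    print('\n\nWhat time frame do you want to analyze?\n')
    # Day-granularity picker: defaults to 5 days back, at most 20 back / 1 forward.
    timeFrame = nbwidgets.QueryTime(units='day', max_before=20, before=5, max_after=1)
    timeFrame.display()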

<IPython.core.display.Javascript object>


What kind of features/columns would you like to see be analyzed?



VBox(children=(Text(value='', description='Filter:', style=DescriptionStyle(description_width='initial')), HBo…



What time frame do you want to analyze?



VBox(children=(HTML(value='<h4>Set query time boundaries</h4>'), HBox(children=(DatePicker(value=datetime.date…

## Generate Timeseries Anomalies

In [9]:
def mapAnomalousColors(cells):
    """Return one CSS background declaration per entry in ``cells``.

    Every entry gets light red (#ffcccb) when ``cells.name`` is listed in the
    module-level ``anomalousFeatures``, and light green (#90EE90) otherwise.

    ``anomalousFeatures`` is not a parameter: it is looked up each time the
    function is called, so the result reflects whatever that global holds at
    that moment.
    """
    css = 'background-color: #ffcccb' if cells.name in anomalousFeatures else 'background-color: #90EE90'
    return [css] * len(cells)

In [10]:
from time_series_utils import check_kwargs, ts_anomalies_stl
from datetime import timedelta

# Inputs chosen in the widgets above.
start = timeFrame.start
end = timeFrame.end
features = selected_features.selected_values

# Results shared with later cells:
#   featureDict   - feature name -> anomaly-scored time series
#   anomalyDict   - anomalous timestamp -> names of the features flagged at it
#   timeframeDict - anomalous timestamp -> styled raw events around it
featureDict = {}
anomalyDict = {}
timeframeDict = {}

if start == end:
    print("\nPlease make sure the start and end date are distinct\n")
elif not features:
    print("\nPlease choose at least one feature\n")
else:
    for feature in features:
        column = f'{feature}'
        # Table and column names are interpolated into the query; both come from
        # widgets that were populated from the workspace schema / a query result.
        raw_times_series_data = qry_prov.MultiDataSource.get_timeseries_data(
            start=start,
            end=end,
            table=f"{tableDropdown.value}",
            timestampcolumn=timestamp_col,
            aggregatecolumn=column,
            aggregatefunction=f"dcount(tostring({feature}))",
            add_query_items=f'|mv-expand {timestamp_col} to typeof(datetime), {feature} to typeof(long)',
        )
        df_time_series = raw_times_series_data[[timestamp_col, column]].set_index(timestamp_col)
        anomalies = ts_anomalies_stl(df_time_series)
        featureDict[column] = anomalies
        # Rows marked anomalies == 1 are the flagged points for this feature.
        anomalous_timestamps = list(anomalies.loc[anomalies['anomalies'] == 1, timestamp_col])
        for timestamp in anomalous_timestamps:
            anomalyDict.setdefault(timestamp, []).append(column)
        print(f'Timeseries for {feature} generated')
    print('\nQuerying Raw Data For ')
    print('\nTimestamp for Anomalous Features\n')
    anomalyDf = (
        pd.DataFrame(anomalyDict.items(), columns=[timestamp_col, 'Anomalous Features'])
        .sort_values(by=[timestamp_col])
        .reset_index(drop=True)
    )
    anomalyTimeStamps = list(anomalyDf[timestamp_col])
    # Raw events are pulled from 1 hour before to 2 hours after each anomaly.
    # The query has no row limit, so a busy table can return a large result set.
    lookback = timedelta(hours=1)
    lookahead = timedelta(hours=2)
    for timestamp in anomalyTimeStamps:
        startRange = timestamp - lookback
        endRange = timestamp + lookahead
        anomalousFeatures = anomalyDf.loc[anomalyDf[timestamp_col] == timestamp, 'Anomalous Features'].iloc[0]
        queryString = f"{tableDropdown.value} | where TimeGenerated between(datetime({startRange})..datetime({endRange}))"
        # NOTE(review): Styler.apply defers the call until the table is rendered, so
        # mapAnomalousColors sees whatever anomalousFeatures holds at display time,
        # not the value assigned in this iteration - confirm the highlighting
        # matches the timestamp being shown.
        result = qry_prov.exec_query(queryString).style.apply(mapAnomalousColors)
        timeframeDict[timestamp] = result
    display(anomalyDf)

<IPython.core.display.Javascript object>

Timeseries for AADGroupId generated


<IPython.core.display.Javascript object>

Timeseries for AADTarget generated


<IPython.core.display.Javascript object>

Timeseries for Actor generated


<IPython.core.display.Javascript object>

Timeseries for ActorContextId generated


<IPython.core.display.Javascript object>

Timeseries for ActorIpAddress generated


<IPython.core.display.Javascript object>

Timeseries for AddOnGuid generated


<IPython.core.display.Javascript object>

Timeseries for AddOnType generated


<IPython.core.display.Javascript object>

Timeseries for AddonName generated


<IPython.core.display.Javascript object>

Timeseries for AffectedItems generated


<IPython.core.display.Javascript object>

Timeseries for AppDistributionMode generated


<IPython.core.display.Javascript object>

Timeseries for AppId generated


<IPython.core.display.Javascript object>

Timeseries for Application generated


<IPython.core.display.Javascript object>

Timeseries for AzureADAppId generated


<IPython.core.display.Javascript object>

Timeseries for AzureActiveDirectory_EventType generated


<IPython.core.display.Javascript object>

Timeseries for ChannelGuid generated


<IPython.core.display.Javascript object>

Timeseries for ChannelName generated


<IPython.core.display.Javascript object>

Timeseries for ChannelType generated


<IPython.core.display.Javascript object>

Timeseries for ChatName generated


<IPython.core.display.Javascript object>

Timeseries for ChatThreadId generated


<IPython.core.display.Javascript object>

Timeseries for Client generated


<IPython.core.display.Javascript object>

Timeseries for ClientAppId generated


<IPython.core.display.Javascript object>

Timeseries for ClientIP generated


<IPython.core.display.Javascript object>

Timeseries for ClientIP_ generated


<IPython.core.display.Javascript object>

Timeseries for ClientInfoString generated


<IPython.core.display.Javascript object>

Timeseries for ClientMachineName generated


<IPython.core.display.Javascript object>

Timeseries for ClientProcessName generated


<IPython.core.display.Javascript object>

Timeseries for ClientVersion generated


<IPython.core.display.Javascript object>

Timeseries for Client_IPAddress generated


<IPython.core.display.Javascript object>

Timeseries for CommunicationType generated


<IPython.core.display.Javascript object>

Timeseries for CrossMailboxOperations generated


<IPython.core.display.Javascript object>

Timeseries for CustomEvent generated


<IPython.core.display.Javascript object>

Timeseries for DataCenterSecurityEventType generated


<IPython.core.display.Javascript object>

Timeseries for DestFolder generated


<IPython.core.display.Javascript object>

Timeseries for DestMailboxId generated


<IPython.core.display.Javascript object>

Timeseries for DestMailboxOwnerMasterAccountSid generated


<IPython.core.display.Javascript object>

Timeseries for DestMailboxOwnerSid generated


<IPython.core.display.Javascript object>

Timeseries for DestMailboxOwnerUPN generated


<IPython.core.display.Javascript object>

Timeseries for DestinationFileExtension generated


<IPython.core.display.Javascript object>

Timeseries for DestinationFileName generated


<IPython.core.display.Javascript object>

Timeseries for DestinationRelativeUrl generated


<IPython.core.display.Javascript object>

Timeseries for EffectiveOrganization generated


<IPython.core.display.Javascript object>

Timeseries for ElevationApprovedTime generated


<IPython.core.display.Javascript object>

Timeseries for ElevationApprover generated


<IPython.core.display.Javascript object>

Timeseries for ElevationDuration generated


<IPython.core.display.Javascript object>

Timeseries for ElevationRequestId generated


<IPython.core.display.Javascript object>

Timeseries for ElevationRole generated


<IPython.core.display.Javascript object>

Timeseries for ElevationTime generated


<IPython.core.display.Javascript object>

Timeseries for EventSource generated


<IPython.core.display.Javascript object>

Timeseries for Event_Data generated


<IPython.core.display.Javascript object>

Timeseries for ExtendedProperties generated


<IPython.core.display.Javascript object>

Timeseries for ExternalAccess generated


<IPython.core.display.Javascript object>

Timeseries for ExtraProperties generated


<IPython.core.display.Javascript object>

Timeseries for Folder generated


<IPython.core.display.Javascript object>

Timeseries for Folders generated


<IPython.core.display.Javascript object>

Timeseries for GenericInfo generated


<IPython.core.display.Javascript object>

Timeseries for InterSystemsId generated


<IPython.core.display.Javascript object>

Timeseries for InternalLogonType generated


<IPython.core.display.Javascript object>

Timeseries for IntraSystemId generated


<IPython.core.display.Javascript object>

Timeseries for Item generated


<IPython.core.display.Javascript object>

Timeseries for ItemName generated


<IPython.core.display.Javascript object>

Timeseries for ItemType generated


<IPython.core.display.Javascript object>

Timeseries for LoginStatus generated


<IPython.core.display.Javascript object>

Timeseries for LogonUserDisplayName generated


<IPython.core.display.Javascript object>

Timeseries for LogonUserSid generated


<IPython.core.display.Javascript object>

Timeseries for Logon_Type generated


<IPython.core.display.Javascript object>

Timeseries for MachineDomainInfo generated


<IPython.core.display.Javascript object>

Timeseries for MachineId generated


<IPython.core.display.Javascript object>

Timeseries for MailboxGuid generated


<IPython.core.display.Javascript object>

Timeseries for MailboxOwnerMasterAccountSid generated


<IPython.core.display.Javascript object>

Timeseries for MailboxOwnerSid generated


<IPython.core.display.Javascript object>

Timeseries for MailboxOwnerUPN generated


<IPython.core.display.Javascript object>

Timeseries for Members generated


<IPython.core.display.Javascript object>

Timeseries for MessageId generated


<IPython.core.display.Javascript object>

Timeseries for ModifiedObjectResolvedName generated


<IPython.core.display.Javascript object>

Timeseries for ModifiedProperties generated


<IPython.core.display.Javascript object>

Timeseries for Name generated


<IPython.core.display.Javascript object>

Timeseries for NewValue generated


<IPython.core.display.Javascript object>

Timeseries for OfficeId generated


<IPython.core.display.Javascript object>

Timeseries for OfficeObjectId generated


<IPython.core.display.Javascript object>

Timeseries for OfficeTenantId generated


<IPython.core.display.Javascript object>

Timeseries for OfficeTenantId_ generated


<IPython.core.display.Javascript object>

Timeseries for OfficeWorkload generated


<IPython.core.display.Javascript object>

Timeseries for OldValue generated


<IPython.core.display.Javascript object>

Timeseries for Operation generated


<IPython.core.display.Javascript object>

Timeseries for OperationProperties generated


<IPython.core.display.Javascript object>

Timeseries for OperationScope generated


<IPython.core.display.Javascript object>

Timeseries for OrganizationId generated


<IPython.core.display.Javascript object>

Timeseries for OrganizationId_ generated


<IPython.core.display.Javascript object>

Timeseries for OrganizationName generated


<IPython.core.display.Javascript object>

Timeseries for OriginatingServer generated


<IPython.core.display.Javascript object>

Timeseries for Parameters generated


<IPython.core.display.Javascript object>

Timeseries for RecordType generated


<IPython.core.display.Javascript object>

Timeseries for ResultReasonType generated


<IPython.core.display.Javascript object>

Timeseries for ResultStatus generated


<IPython.core.display.Javascript object>

Timeseries for Scope generated


<IPython.core.display.Javascript object>

Timeseries for SendAsUserMailboxGuid generated


<IPython.core.display.Javascript object>

Timeseries for SendAsUserSmtp generated


<IPython.core.display.Javascript object>

Timeseries for SendOnBehalfOfUserSmtp generated


<IPython.core.display.Javascript object>

Timeseries for SendonBehalfOfUserMailboxGuid generated


<IPython.core.display.Javascript object>

Timeseries for SharingType generated


<IPython.core.display.Javascript object>

Timeseries for Site_ generated


<IPython.core.display.Javascript object>

Timeseries for Site_Url generated


<IPython.core.display.Javascript object>

Timeseries for Site_Url_ generated


<IPython.core.display.Javascript object>

Timeseries for SourceFileExtension generated


<IPython.core.display.Javascript object>

Timeseries for SourceFileName generated


<IPython.core.display.Javascript object>

Timeseries for SourceFileName_ generated


<IPython.core.display.Javascript object>

Timeseries for SourceRecordId generated


<IPython.core.display.Javascript object>

Timeseries for SourceRelativeUrl generated


<IPython.core.display.Javascript object>

Timeseries for SourceRelativeUrl_ generated


<IPython.core.display.Javascript object>

Timeseries for SourceSystem generated


<IPython.core.display.Javascript object>

Timeseries for Source_Name generated


<IPython.core.display.Javascript object>

Timeseries for Start_Time generated


<IPython.core.display.Javascript object>

Timeseries for SupportTicketId generated


<IPython.core.display.Javascript object>

Timeseries for TabType generated


<IPython.core.display.Javascript object>

Timeseries for TargetContextId generated


<IPython.core.display.Javascript object>

Timeseries for TargetUserId generated


<IPython.core.display.Javascript object>

Timeseries for TargetUserOrGroupName generated


<IPython.core.display.Javascript object>

Timeseries for TargetUserOrGroupType generated


<IPython.core.display.Javascript object>

Timeseries for TeamGuid generated


<IPython.core.display.Javascript object>

Timeseries for TeamName generated


<IPython.core.display.Javascript object>

Timeseries for TenantId generated


<IPython.core.display.Javascript object>

Timeseries for UserAgent generated


<IPython.core.display.Javascript object>

Timeseries for UserDomain generated


<IPython.core.display.Javascript object>

Timeseries for UserId generated


<IPython.core.display.Javascript object>

Timeseries for UserId_ generated


<IPython.core.display.Javascript object>

Timeseries for UserKey generated


<IPython.core.display.Javascript object>

Timeseries for UserSharedWith generated


<IPython.core.display.Javascript object>

Timeseries for UserType generated


<IPython.core.display.Javascript object>

Timeseries for _ResourceId generated

Querying Raw Data For 

Timestamp for Anomalous Features



<IPython.core.display.Javascript object>

<IPython.core.display.Javascript object>

<IPython.core.display.Javascript object>

<IPython.core.display.Javascript object>

<IPython.core.display.Javascript object>

<IPython.core.display.Javascript object>

<IPython.core.display.Javascript object>

<IPython.core.display.Javascript object>

<IPython.core.display.Javascript object>

<IPython.core.display.Javascript object>

Unnamed: 0,TimeGenerated,Anomalous Features
0,2021-08-29 05:52:33.676366+00:00,"[OfficeId, Operation, Parameters, SourceRecordId]"
1,2021-08-30 05:52:33.676366+00:00,[ClientAppId]
2,2021-08-31 11:52:33.676366+00:00,"[ClientIP, ClientIP_, Site_]"
3,2021-08-31 15:52:33.676366+00:00,"[ItemType, Operation, SourceRelativeUrl, SourceRelativeUrl_]"
4,2021-08-31 18:52:33.676366+00:00,"[OfficeId, OfficeObjectId, RecordType, SourceFileExtension, SourceFileName, SourceFileName_, Sou..."
5,2021-09-01 03:52:33.676366+00:00,"[OfficeId, OfficeObjectId, Operation, Parameters, SourceRecordId]"
6,2021-09-01 07:52:33.676366+00:00,[Client_IPAddress]
7,2021-09-02 04:52:33.676366+00:00,"[LogonUserSid, MailboxGuid, MailboxOwnerSid, MailboxOwnerUPN]"
8,2021-09-03 00:52:33.676366+00:00,"[LogonUserSid, MailboxGuid, MailboxOwnerSid, MailboxOwnerUPN]"
9,2021-09-03 03:52:33.676366+00:00,"[OfficeId, OfficeObjectId, Operation, Parameters, SourceRecordId]"


## Select A Timestamp To Visualize

In [11]:
# Let the analyst pick one of the anomalous timestamps found above.
# A NameError here means the anomaly-generation cell has not produced anomalyDf.
try:
    anomaly_times = sorted(anomalyDf[timestamp_col])
    timestamp_dropdown = widgets.Dropdown(
        description='TimeStamp:',
        options=anomaly_times,
        disabled=False,
    )
    print('\nSelect a timestamp to visualize anomalous features ')
    display(timestamp_dropdown)
except NameError:
    print("Anomaly Dataframe not instantiated yet.")


Select a timestamp to visualize anomalous features 


Dropdown(description='TimeStamp:', options=(Timestamp('2021-08-29 05:52:33.676366+0000', tz='UTC'), Timestamp(…

## Visualize Anomalies

In [12]:
from msticpy.nbtools.timeseries import display_timeseries_anomolies
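# Remove pandas' display limits on rows and columns for the rest of the session.
pd.set_option("display.max_rows", None, "display.max_columns", None)

# Plot the series for every feature flagged at the selected timestamp, then show
# the raw events around it. A NameError means an earlier cell has not run yet.
try:
    selected_rows = anomalyDf.loc[anomalyDf[timestamp_col] == timestamp_dropdown.value, 'Anomalous Features']
    if selected_rows.empty:
        # Nothing to index into, e.g. no anomalies were found so nothing is selected.
        print("No anomalies recorded for the selected timestamp.")
    else:
        anomalous_features = tuple(selected_rows)[0]
        for feature in anomalous_features:
            print(f"\nTime Series for {feature}\n")
            display_timeseries_anomolies(data=featureDict[feature], y=feature)
        # The stored Styler runs mapAnomalousColors only when it is rendered, and
        # that function reads the global anomalousFeatures. Without this line the
        # global still holds the features of the last timestamp processed, so the
        # wrong columns would be highlighted for every other timestamp.
        anomalousFeatures = anomalous_features
        # This renders raw log rows (user identifiers, client IPs, mailbox details).
        # Clear the cell output before sharing or committing the notebook.
        display(timeframeDict[timestamp_dropdown.value])
except NameError:
    print("Anomaly Dataframe not instantiated yet.")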


Time Series for OfficeId




Time Series for Operation




Time Series for Parameters




Time Series for SourceRecordId



Unnamed: 0,TenantId,Application,UserDomain,UserAgent,RecordType,TimeGenerated,Operation,OrganizationId,OrganizationId_,UserType,UserKey,OfficeWorkload,ResultStatus,ResultReasonType,OfficeObjectId,UserId,UserId_,ClientIP,ClientIP_,Scope,Site_,ItemType,EventSource,Source_Name,MachineDomainInfo,MachineId,Site_Url,Site_Url_,SourceRelativeUrl,SourceRelativeUrl_,SourceFileName,SourceFileName_,SourceFileExtension,DestinationRelativeUrl,DestinationFileName,DestinationFileExtension,UserSharedWith,SharingType,CustomEvent,Event_Data,ModifiedObjectResolvedName,Parameters,ExternalAccess,OriginatingServer,OrganizationName,Logon_Type,InternalLogonType,MailboxGuid,MailboxOwnerUPN,MailboxOwnerSid,MailboxOwnerMasterAccountSid,LogonUserSid,LogonUserDisplayName,ClientInfoString,Client_IPAddress,ClientMachineName,ClientProcessName,ClientVersion,Folder,CrossMailboxOperations,DestMailboxId,DestMailboxOwnerUPN,DestMailboxOwnerSid,DestMailboxOwnerMasterAccountSid,DestFolder,Folders,AffectedItems,Item,ModifiedProperties,SendAsUserSmtp,SendAsUserMailboxGuid,SendOnBehalfOfUserSmtp,SendonBehalfOfUserMailboxGuid,ExtendedProperties,Client,LoginStatus,Actor,ActorContextId,ActorIpAddress,InterSystemsId,IntraSystemId,SupportTicketId,TargetContextId,DataCenterSecurityEventType,EffectiveOrganization,ElevationTime,ElevationApprover,ElevationApprovedTime,ElevationRequestId,ElevationRole,ElevationDuration,GenericInfo,SourceSystem,OfficeId,SourceRecordId,AzureActiveDirectory_EventType,AADTarget,Start_Time,OfficeTenantId,OfficeTenantId_,TargetUserOrGroupName,TargetUserOrGroupType,MessageId,Members,TeamName,TeamGuid,ChannelType,ChannelName,ChannelGuid,ExtraProperties,AddOnType,AddonName,TabType,Name,OldValue,NewValue,ItemName,ChatThreadId,ChatName,CommunicationType,AADGroupId,AddOnGuid,AppDistributionMode,TargetUserId,OperationScope,AzureADAppId,OperationProperties,AppId,ClientAppId,Type,_ResourceId
0,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-08-29 06:09:21+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,1003200152C92446,Exchange,Succeeded,Succeeded,,jbritt@contosohotels.com,jbritt@contosohotels.com,,,,,,,,,,,,,,,,,,,,,,,,,,False,CH0P221MB0533 (15.20.4200.000),seccxpninja.onmicrosoft.com,Owner,0.0,fbd7a785-0cd3-43f2-be90-ee67a1bc6067,jbritt@contosohotels.com,S-1-5-21-1215315387-180893480-700816437-25652769,,S-1-5-21-1215315387-180893480-700816437-25652769,,Client=REST;Client=RESTSystem;;,2603:10b6:610:119:cafe::b9,,,,,,,,,,,"[{""FolderItems"":[{""InternetMessageId"":""<3846f57e-1392-40c4-8aab-ec846bcccd0d@az.northeurope.production.microsoft.com>""},{""InternetMessageId"":""<261eb14b-d039-4a75-b81d-18df9d0db2ef@az.northeurope.production.microsoft.com>""},{""InternetMessageId"":""""},{""InternetMessageId"":""<1b9712d1-265b-4c46-8e13-6baf0acb37f7@az.westeurope.production.microsoft.com>""}],""Id"":""LgAAAABRpoWaAjhRT43PPt/uu+I7AQBebxPskdBOT7hol9Y4y40PAAAAAAEMAAAB"",""Path"":""\\Inbox""}]",,,,,,,,,,,,,,,,,,,,2021-08-29 06:15:29+00:00,,NaT,,,,,OfficeActivityManager,6c6c7f51-920e-4230-9ff3-ab0e568301ab,6c6c7f51-920e-4230-9ff3-ab0e568301ab,,,2021-08-29 06:15:29+00:00,$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",7a5fbd1c-3e6d-461a-9075-83049393b3a7,7a5fbd1c-3e6d-461a-9075-83049393b3a7,OfficeActivity,
1,8ecf8077-cf51-4820-aadd-14040956f35d,,,,ExchangeAdmin,2021-08-29 05:02:14+00:00,Set-User,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,DcAdmin,NT AUTHORITY\SYSTEM (Microsoft.Exchange.Management.ForwardSync),Exchange,True,True,NAMPR06A007.PROD.OUTLOOK.COM/Microsoft Exchange Hosted Organizations/seccxpninja.onmicrosoft.com/sewasong,NT AUTHORITY\SYSTEM (Microsoft.Exchange.Management.ForwardSync),NT AUTHORITY\SYSTEM (Microsoft.Exchange.Management.ForwardSync),,,,,,,,,,,,,,,,,,,,,,,,,"[{""Name"":""Identity"",""Value"":""4b2462a4-bbee-495a-a0e1-f23ae524cc9c\\25c40e13-1eb5-4849-9146-282c7427858d""},{""Name"":""SyncMailboxLocationGuids"",""Value"":""True""},{""Name"":""ErrorAction"",""Value"":""Stop""},{""Name"":""WarningAction"",""Value"":""SilentlyContinue""}]",True,CO6P221MB0742 (15.20.4457.024),seccxpninja.onmicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,2021-08-29 05:10:24+00:00,,NaT,,,,,OfficeActivityManager,c98c3bff-7fcb-4e4a-cbe3-08d96aaa2b13,c98c3bff-7fcb-4e4a-cbe3-08d96aaa2b13,,,2021-08-29 05:10:24+00:00,$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,OfficeActivity,
2,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-08-29 05:40:12+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,100320003F8A6FC7,Exchange,Succeeded,Succeeded,,MeganB@seccxp.ninja,MeganB@seccxp.ninja,,,,,,,,,,,,,,,,,,,,,,,,,,False,BL3P221MB0436 (15.20.4200.000),seccxpninja.onmicrosoft.com,Owner,0.0,2e8a8fda-0dfb-41a0-be85-8f3a8d1e18c5,MeganB@seccxp.ninja,S-1-5-21-1215315387-180893480-700816437-7820452,,S-1-5-21-1215315387-180893480-700816437-7820452,,Client=REST;;,3.90.106.17,,,,,,,,,,,"[{""FolderItems"":[{""InternetMessageId"":""<20210103080808.1.A26A06ED79BD546E@zapier.com>""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""}],""Id"":""LgAAAADO0fgRi7/cTqb2uxqz9Le/AQD9YCJ77WqGQ6RvZR8Wg/NtAAAAAAEMAAAB"",""Path"":""\\Inbox""}]",,,,,,,,,,,,,,,,,,,,2021-08-29 05:45:24+00:00,,NaT,,,,,OfficeActivityManager,2499271b-9eb3-4fd2-acb4-b7efc3378bd9,2499271b-9eb3-4fd2-acb4-b7efc3378bd9,,,2021-08-29 05:45:24+00:00,$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",414a677a-e50f-46ea-b89c-aebb8a9efbe2,,OfficeActivity,
3,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-08-29 05:40:12+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,100320003F8A6FC7,Exchange,Succeeded,Succeeded,,MeganB@seccxp.ninja,MeganB@seccxp.ninja,,,,,,,,,,,,,,,,,,,,,,,,,,False,BL3P221MB0436 (15.20.4200.000),seccxpninja.onmicrosoft.com,Owner,0.0,2e8a8fda-0dfb-41a0-be85-8f3a8d1e18c5,MeganB@seccxp.ninja,S-1-5-21-1215315387-180893480-700816437-7820452,,S-1-5-21-1215315387-180893480-700816437-7820452,,Client=REST;;,3.90.106.17,,,,,,,,,,,"[{""FolderItems"":[{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""<20210117091331.1.DF33753A7CC26F76@zapier.com>""},{""InternetMessageId"":""<20210110090728.1.1406661D1B51F713@zapier.com>""}],""Id"":""LgAAAADO0fgRi7/cTqb2uxqz9Le/AQD9YCJ77WqGQ6RvZR8Wg/NtAAAAAAEMAAAB"",""Path"":""\\Inbox""}]",,,,,,,,,,,,,,,,,,,,2021-08-29 05:45:24+00:00,,NaT,,,,,OfficeActivityManager,3cacba0f-ac96-4c93-8d60-eaa3d0c877e0,3cacba0f-ac96-4c93-8d60-eaa3d0c877e0,,,2021-08-29 05:45:24+00:00,$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",414a677a-e50f-46ea-b89c-aebb8a9efbe2,,OfficeActivity,
4,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-08-29 05:40:12+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,100320003F8A6FC7,Exchange,Succeeded,Succeeded,,MeganB@seccxp.ninja,MeganB@seccxp.ninja,,,,,,,,,,,,,,,,,,,,,,,,,,False,BL3P221MB0436 (15.20.4200.000),seccxpninja.onmicrosoft.com,Owner,0.0,2e8a8fda-0dfb-41a0-be85-8f3a8d1e18c5,MeganB@seccxp.ninja,S-1-5-21-1215315387-180893480-700816437-7820452,,S-1-5-21-1215315387-180893480-700816437-7820452,,Client=REST;;,3.90.106.17,,,,,,,,,,,"[{""FolderItems"":[{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""<8033172d34da68de70c89f3743e1b76a@oatp.me>""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""<6ac3b6385d9be0201735984f7d01f0d5@oatp.me>""},{""InternetMessageId"":""""}],""Id"":""LgAAAADO0fgRi7/cTqb2uxqz9Le/AQD9YCJ77WqGQ6RvZR8Wg/NtAAAAAAEMAAAB"",""Path"":""\\Inbox""}]",,,,,,,,,,,,,,,,,,,,2021-08-29 05:45:24+00:00,,NaT,,,,,OfficeActivityManager,f3ae8688-9e95-49ee-8c3a-a72d01add556,f3ae8688-9e95-49ee-8c3a-a72d01add556,,,2021-08-29 05:45:24+00:00,$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",414a677a-e50f-46ea-b89c-aebb8a9efbe2,,OfficeActivity,
5,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-08-29 05:40:12+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,100320003F8A6FC7,Exchange,Succeeded,Succeeded,,MeganB@seccxp.ninja,MeganB@seccxp.ninja,,,,,,,,,,,,,,,,,,,,,,,,,,False,BL3P221MB0436 (15.20.4200.000),seccxpninja.onmicrosoft.com,Owner,0.0,2e8a8fda-0dfb-41a0-be85-8f3a8d1e18c5,MeganB@seccxp.ninja,S-1-5-21-1215315387-180893480-700816437-7820452,,S-1-5-21-1215315387-180893480-700816437-7820452,,Client=REST;;,3.90.106.17,,,,,,,,,,,"[{""FolderItems"":[{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""}],""Id"":""LgAAAADO0fgRi7/cTqb2uxqz9Le/AQD9YCJ77WqGQ6RvZR8Wg/NtAAAAAAEMAAAB"",""Path"":""\\Inbox""}]",,,,,,,,,,,,,,,,,,,,2021-08-29 05:45:24+00:00,,NaT,,,,,OfficeActivityManager,1997393e-d65e-40b4-99c5-ea792cc73d59,1997393e-d65e-40b4-99c5-ea792cc73d59,,,2021-08-29 05:45:24+00:00,$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",414a677a-e50f-46ea-b89c-aebb8a9efbe2,,OfficeActivity,
6,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-08-29 06:10:45+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,100320004C794C4C,Exchange,Succeeded,Succeeded,,gershon@seccxpninja.onmicrosoft.com,gershon@seccxpninja.onmicrosoft.com,,,,,,,,,,,,,,,,,,,,,,,,,,False,CH0P221MB0535 (15.20.4200.000),seccxpninja.onmicrosoft.com,Owner,0.0,b8d4e5b8-7475-4afc-9caf-7c65e97b8519,gershon@seccxpninja.onmicrosoft.com,S-1-5-21-1215315387-180893480-700816437-9821937,,S-1-5-21-1215315387-180893480-700816437-9821937,,Client=REST;Client=RESTSystem;;,52.225.101.227,,,,,,,,,,,"[{""FolderItems"":[{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""<5d8a9684-853d-41c8-8d0e-631bd592ba1a@az.westus2.production.microsoft.com>""}],""Id"":""LgAAAABN4HBJaip3S4guP91IMXosAQAH7J63JRigTZqB23umoIY8AAAAAAEMAAAB"",""Path"":""\\Inbox""}]",,,,,,,,,,,,,,,,,,,,2021-08-29 06:20:25+00:00,,NaT,,,,,OfficeActivityManager,065e142a-bbc7-4f56-a695-103ee395af27,065e142a-bbc7-4f56-a695-103ee395af27,,,2021-08-29 06:20:25+00:00,$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",5a2ee4c5-13b8-465b-88d7-75ecf16830ad,3c8e478f-21ca-493a-b87c-c7366d664d54,OfficeActivity,
7,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-08-29 06:40:56+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,100320003F8A6FC7,Exchange,Succeeded,Succeeded,,MeganB@seccxp.ninja,MeganB@seccxp.ninja,,,,,,,,,,,,,,,,,,,,,,,,,,False,BL3P221MB0436 (15.20.4200.000),seccxpninja.onmicrosoft.com,Owner,0.0,2e8a8fda-0dfb-41a0-be85-8f3a8d1e18c5,MeganB@seccxp.ninja,S-1-5-21-1215315387-180893480-700816437-7820452,,S-1-5-21-1215315387-180893480-700816437-7820452,,Client=REST;;,54.88.190.16,,,,,,,,,,,"[{""FolderItems"":[{""InternetMessageId"":""<20210103080808.1.A26A06ED79BD546E@zapier.com>""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""}],""Id"":""LgAAAADO0fgRi7/cTqb2uxqz9Le/AQD9YCJ77WqGQ6RvZR8Wg/NtAAAAAAEMAAAB"",""Path"":""\\Inbox""}]",,,,,,,,,,,,,,,,,,,,2021-08-29 06:50:37+00:00,,NaT,,,,,OfficeActivityManager,c34146c6-b3ec-48bd-82aa-62e0002a14e4,c34146c6-b3ec-48bd-82aa-62e0002a14e4,,,2021-08-29 06:50:37+00:00,$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",414a677a-e50f-46ea-b89c-aebb8a9efbe2,,OfficeActivity,
8,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-08-29 06:40:56+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,100320003F8A6FC7,Exchange,Succeeded,Succeeded,,MeganB@seccxp.ninja,MeganB@seccxp.ninja,,,,,,,,,,,,,,,,,,,,,,,,,,False,BL3P221MB0436 (15.20.4200.000),seccxpninja.onmicrosoft.com,Owner,0.0,2e8a8fda-0dfb-41a0-be85-8f3a8d1e18c5,MeganB@seccxp.ninja,S-1-5-21-1215315387-180893480-700816437-7820452,,S-1-5-21-1215315387-180893480-700816437-7820452,,Client=REST;;,54.88.190.16,,,,,,,,,,,"[{""FolderItems"":[{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""<20210117091331.1.DF33753A7CC26F76@zapier.com>""},{""InternetMessageId"":""<20210110090728.1.1406661D1B51F713@zapier.com>""}],""Id"":""LgAAAADO0fgRi7/cTqb2uxqz9Le/AQD9YCJ77WqGQ6RvZR8Wg/NtAAAAAAEMAAAB"",""Path"":""\\Inbox""}]",,,,,,,,,,,,,,,,,,,,2021-08-29 06:50:37+00:00,,NaT,,,,,OfficeActivityManager,673a56e8-7c10-4cf6-b92c-08e3e4d23a3c,673a56e8-7c10-4cf6-b92c-08e3e4d23a3c,,,2021-08-29 06:50:37+00:00,$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",414a677a-e50f-46ea-b89c-aebb8a9efbe2,,OfficeActivity,
9,8ecf8077-cf51-4820-aadd-14040956f35d,,,,50,2021-08-29 06:40:56+00:00,MailItemsAccessed,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,4b2462a4-bbee-495a-a0e1-f23ae524cc9c,Regular,100320003F8A6FC7,Exchange,Succeeded,Succeeded,,MeganB@seccxp.ninja,MeganB@seccxp.ninja,,,,,,,,,,,,,,,,,,,,,,,,,,False,BL3P221MB0436 (15.20.4200.000),seccxpninja.onmicrosoft.com,Owner,0.0,2e8a8fda-0dfb-41a0-be85-8f3a8d1e18c5,MeganB@seccxp.ninja,S-1-5-21-1215315387-180893480-700816437-7820452,,S-1-5-21-1215315387-180893480-700816437-7820452,,Client=REST;;,54.88.190.16,,,,,,,,,,,"[{""FolderItems"":[{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""<8033172d34da68de70c89f3743e1b76a@oatp.me>""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""""},{""InternetMessageId"":""<6ac3b6385d9be0201735984f7d01f0d5@oatp.me>""},{""InternetMessageId"":""""}],""Id"":""LgAAAADO0fgRi7/cTqb2uxqz9Le/AQD9YCJ77WqGQ6RvZR8Wg/NtAAAAAAEMAAAB"",""Path"":""\\Inbox""}]",,,,,,,,,,,,,,,,,,,,2021-08-29 06:50:37+00:00,,NaT,,,,,OfficeActivityManager,caded274-12fb-4dec-bd57-90d1c919fb23,caded274-12fb-4dec-bd57-90d1c919fb23,,,2021-08-29 06:50:37+00:00,$RestApiTenantId$,$RestApiTenantId$,,,,,,,,,,,,,,,,,,,,,,,,,,,"[{'Value': 'Bind', 'Name': 'MailAccessType'}, {'Value': 'False', 'Name': 'IsThrottled'}]",414a677a-e50f-46ea-b89c-aebb8a9efbe2,,OfficeActivity,
