Title: Office 365 Explorer

Notebook Version: 1.0
Python Version: Python 3.6 (including Python 3.6 - AzureML)
Required Packages: kqlmagic, msticpy, pandas, numpy, matplotlib, seaborn, networkx, ipywidgets, ipython, scikit_learn, folium, maxminddb_geolite2, holoviews
Platforms Supported:

  • Azure Notebooks Free Compute
  • Azure Notebooks DSVM
  • OS Independent

Data Sources Required:

  • Log Analytics - OfficeActivity, IPLocation, Azure Network Analytics

Description:

Brings together a series of queries and visualizations to help you investigate the security status of an Office 365 subscription and individual user activities.

  • The first section focuses on Tenant-Wide data queries and analysis
  • The second section allows you to focus on individual accounts and examine them for any suspicious activity.

This notebook is intended to be illustrative of the types of data available in Office 365 Activity data and how to query and use them. It is not meant to be used as a prescriptive guide to how to navigate through the data. Feel free to experiment and submit anything interesting you find to the community.

Warning: Example Notebook - Not for production use!

 This notebook is meant to be illustrative of specific scenarios and is not actively maintained. 
 It is unlikely to be runnable directly in your environment. Instead, please use the notebooks in the root of this repo. 

Contents

Setup

Make sure that you have installed the packages specified in the setup (uncomment the lines to execute).

Install Packages

The first time this cell runs for a new Azure Notebooks project or local Python environment it will take several minutes to download and install the packages. In subsequent runs it should run quickly and confirm that package dependencies are already installed. Unless you want to upgrade the packages you can feel free to skip execution of the next cell.

If you see any import failures (ImportError) in the notebook, please re-run this cell and answer 'y', then re-run the cell where the failure occurred.

Note you may see some warnings about package incompatibility with certain packages. This does not affect the functionality of this notebook but you may need to upgrade the packages producing the warnings to a more recent version.

In [ ]:
import sys
import warnings

warnings.filterwarnings("ignore",category=DeprecationWarning)

MIN_REQ_PYTHON = (3,6)
if sys.version_info < MIN_REQ_PYTHON:
    print('Check the Kernel->Change Kernel menu and ensure that Python 3.6')
    print('or later is selected as the active kernel.')
    sys.exit("Python %s.%s or later is required.\n" % MIN_REQ_PYTHON)

# Package Installs - try to avoid if they are already installed
try:
    import msticpy.sectools as sectools
    import Kqlmagic
    from dns import reversename, resolver
    from ipwhois import IPWhois
    import folium
    
    print('If you answer "n" this cell will exit with an error in order to avoid the pip install calls,')
    print('This error can safely be ignored.')
    resp = input('msticpy and Kqlmagic packages are already loaded. Do you want to re-install? (y/n)')
    if resp.strip().lower() != 'y':
        sys.exit('pip install aborted - you may skip this error and continue.')
    else:
        print('After installation has completed, restart the current kernel and run '
              'the notebook again skipping this cell.')
except ImportError:
    pass

print('\nPlease wait. Installing required packages. This may take a few minutes...')
!pip install git+https://github.com/microsoft/msticpy --upgrade --user
!pip install Kqlmagic --no-cache-dir --upgrade --user
!pip install holoviews
!pip install dnspython --upgrade 
!pip install ipwhois --upgrade 
!pip install folium --upgrade

# Uncomment to refresh the maxminddb database
# !pip install maxminddb-geolite2 --upgrade 

print('To ensure that the latest versions of the installed libraries '
      'are used, please restart the current kernel and run '
      'the notebook again skipping this cell.')
In [2]:
# Imports
import sys
import warnings

MIN_REQ_PYTHON = (3,6)
if sys.version_info < MIN_REQ_PYTHON:
    print('Check the Kernel->Change Kernel menu and ensure that Python 3.6')
    print('or later is selected as the active kernel.')
    sys.exit("Python %s.%s or later is required.\n" % MIN_REQ_PYTHON)

import numpy as np
from IPython import get_ipython
from IPython.display import display, HTML, Markdown
import ipywidgets as widgets

import matplotlib.pyplot as plt
import seaborn as sns
sns.set()
import networkx as nx

import pandas as pd
pd.set_option('display.max_rows', 100)
pd.set_option('display.max_columns', 50)
pd.set_option('display.max_colwidth', 100)

import msticpy.sectools as sectools
import msticpy.nbtools as mas
import msticpy.nbtools.kql as qry
import msticpy.nbtools.nbdisplay as nbdisp

# Some of our dependencies (networkx) still use deprecated Matplotlib
# APIs - we can't do anything about it so suppress them from view
from matplotlib import MatplotlibDeprecationWarning
warnings.simplefilter("ignore", category=MatplotlibDeprecationWarning)

WIDGET_DEFAULTS = {'layout': widgets.Layout(width='95%'),
                   'style': {'description_width': 'initial'}}
display(HTML(mas.util._TOGGLE_CODE_PREPARE_STR))
HTML('''
    <script type="text/javascript">
        IPython.notebook.kernel.execute("nb_query_string='".concat(window.location.search).concat("'"));
    </script>
    ''');

Get WorkspaceId

To find your Workspace Id go to Log Analytics. Look at the workspace properties to find the ID.

In [3]:
import os
from msticpy.nbtools.wsconfig import WorkspaceConfig
ws_config_file = 'config.json'

WORKSPACE_ID = None
TENANT_ID = None
try:
    ws_config = WorkspaceConfig(ws_config_file)
    display(Markdown(f'Read Workspace configuration from local config.json for workspace **{ws_config["workspace_name"]}**'))
    for cf_item in ['tenant_id', 'subscription_id', 'resource_group', 'workspace_id', 'workspace_name']:
        display(Markdown(f'**{cf_item.upper()}**: {ws_config[cf_item]}'))
                     
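    # Only accept the config values if neither is still a cookiecutter template placeholder
    if ('cookiecutter' not in ws_config['workspace_id'] and
            'cookiecutter' not in ws_config['tenant_id']):
        WORKSPACE_ID = ws_config['workspace_id']
        TENANT_ID = ws_config['tenant_id']
except Exception:
    # Missing or unreadable config.json: fall through to the manual prompts below
    pass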

if not WORKSPACE_ID or not TENANT_ID:
    display(Markdown('**Workspace configuration not found.**\n\n'
                     'Please go to your Log Analytics workspace, copy the workspace ID'
                     ' and/or tenant Id and paste here.<br> '
                     'Or read the workspace_id from the config.json in your Azure Notebooks project.'))
    ws_config = None
    ws_id = mas.GetEnvironmentKey(env_var='WORKSPACE_ID',
                              prompt='Please enter your Log Analytics Workspace Id:', auto_display=True)
    ten_id = mas.GetEnvironmentKey(env_var='TENANT_ID',
                              prompt='Please enter your Log Analytics Tenant Id:', auto_display=True)

Read Workspace configuration from local config.json for workspace ASIHuntOMSWorkspaceV4

TENANT_ID: 72f988bf-86f1-41af-91ab-2d7cd011db47

SUBSCRIPTION_ID: 40dcc8bf-0478-4f3b-b275-ed0a94f2c013

RESOURCE_GROUP: ASIHuntOMSWorkspaceRG

WORKSPACE_ID: 52b1ab41-869e-4138-9e40-2a4457f09bf0

WORKSPACE_NAME: ASIHuntOMSWorkspaceV4

Authenticate to Log Analytics

If you are using user/device authentication, run the following cell.

  • Click the 'Copy code to clipboard and authenticate' button.
  • This will pop up an Azure Active Directory authentication dialog (in a new tab or browser window). The device code will have been copied to the clipboard.
  • Select the text box and paste (Ctrl-V/Cmd-V) the copied value.
  • You should then be redirected to a user authentication page where you should authenticate with a user account that has permission to query your Log Analytics workspace.

Use the following syntax if you are authenticating using an Azure Active Directory AppId and Secret:

%kql loganalytics://tenant(aad_tenant).workspace(WORKSPACE_ID).clientid(client_id).clientsecret(client_secret)

instead of

%kql loganalytics://code().workspace(WORKSPACE_ID)

Note: you may occasionally see a JavaScript error displayed at the end of the authentication - you can safely ignore this.
On successful authentication you should see a popup schema button.

In [4]:
if not WORKSPACE_ID or not TENANT_ID:
    try:
        WORKSPACE_ID = ws_id.value
        TENANT_ID = ten_id.value
    except NameError:
        raise ValueError('No workspace or Tenant Id.')

mas.kql.load_kql_magic()
%kql loganalytics://code().tenant(TENANT_ID).workspace(WORKSPACE_ID)
In [5]:
%kql search * | summarize RowCount=count() by Type | project-rename Table=Type
la_table_set = _kql_raw_result_.to_dataframe()
table_index = la_table_set.set_index('Table')['RowCount'].to_dict()
display(Markdown('Current data in workspace'))
display(la_table_set.T)

Current data in workspace

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34
Table HuntingBookmark SecurityBaselineSummary ProtectionStatus UpdateSummary Heartbeat SecurityBaseline Update Operation ProcessCreationSqlV2_CL AzureNetworkAnalytics_CL ConfigurationData SecurityDetection ConfigurationChange Syslog_CL AwsEventsSample_CL Syslog SSHAlertDataV1_CL SecurityEvent BYOThreatIntelv1_CL SSHAlertDataV2cls_CL SqlLogArtifacts_CL SSHAlertDataV2_CL ProcessCreationSqlV1_CL ThreatIntelSample_CL OfficeActivity ScratchData_CL Usage SecurityAlert AzureActivity AzureMetrics AzureDiagnostics AuditLog_CL AutorunsArtifacts_CL MruArtifacts_CL AmcacheArtifacts_CL
RowCount 18 343 9613 1071 692777 52484 217969 7164 75323 9954701 241901 6514 21345 3451 510 1332914 1 1399240 6 1 141584 15 75323 27 1994 70792 37688 6726 116620 7551436 174322 53339593 76846402 6714992 362040170

Office 365 Activity

Log Analytics Queries

In [11]:
if ('OfficeActivity' not in table_index or
        table_index['OfficeActivity'] == 0):
    display(Markdown('<font color="red"><h2>Warning. Office Data not available.</h2></font><br>'
                     'Either Office 365 data has not been imported into the workspace or'
                     ' the OfficeActivity table is empty.<br>'
                     'This workbook is not useable with the current workspace.'))
In [6]:
from msticpy.sectools.geoip import GeoLiteLookup
iplocation = GeoLiteLookup()

# Queries
ad_changes_query = '''
OfficeActivity
| where TimeGenerated >= datetime({start})
| where TimeGenerated <= datetime({end})
| where RecordType == 'AzureActiveDirectory'
| where Operation in ('Add service principal.',
                      'Change user password.', 
                      'Add user.', 
                      'Add member to role.')
| where UserType == 'Regular' 
| project OfficeId, TimeGenerated, Operation, OrganizationId, 
          OfficeWorkload, ResultStatus, OfficeObjectId, 
          UserId = tolower(UserId), ClientIP, ExtendedProperties
'''


office_ops_query = '''
OfficeActivity
| where TimeGenerated >= datetime({start})
| where TimeGenerated <= datetime({end})
| where RecordType in ("AzureActiveDirectoryAccountLogon", "AzureActiveDirectoryStsLogon")
| extend UserAgent = extractjson("$[0].Value", ExtendedProperties, typeof(string))
| union (
    OfficeActivity 
    | where TimeGenerated >= datetime({start})
    | where TimeGenerated <= datetime({end})
    | where RecordType !in ("AzureActiveDirectoryAccountLogon", "AzureActiveDirectoryStsLogon")
)
| where UserType == 'Regular'
'''


office_ops_summary_query = '''
let timeRange=ago(30d);
let officeAuthentications = OfficeActivity
| where TimeGenerated >= timeRange
| where RecordType in ("AzureActiveDirectoryAccountLogon", "AzureActiveDirectoryStsLogon")
| extend UserAgent = extractjson("$[0].Value", ExtendedProperties, typeof(string))
| where Operation == "UserLoggedIn";
officeAuthentications
| union (
    OfficeActivity 
    | where TimeGenerated >= timeRange
    | where RecordType !in ("AzureActiveDirectoryAccountLogon", "AzureActiveDirectoryStsLogon")
)
| where UserType == 'Regular'
| extend RecordOp = strcat(RecordType, '-', Operation)
| summarize OperationCount=count() by RecordType, Operation, UserId, UserAgent, ClientIP, bin(TimeGenerated, 1h)
// render timeline
'''


office_logons_byua_query = '''
let end = datetime({end});
let threshold={threshold};
let start = end - 1d;
let hist_start = start - 30d;
let hist_end = end;
let officeAuthentications = OfficeActivity
| where TimeGenerated >= hist_start
| where TimeGenerated <= hist_end
| where RecordType in ("AzureActiveDirectoryAccountLogon", "AzureActiveDirectoryStsLogon")
| extend UserAgent = extractjson("$[0].Value", ExtendedProperties, typeof(string))
| where Operation == "UserLoggedIn";
let lookupWindow = end - start;
let lookupBin = lookupWindow / 2.0; 
officeAuthentications 
| project-rename Start = TimeGenerated
| extend TimeKey = bin(Start, lookupBin)
| join kind = inner (
    officeAuthentications
    | project-rename End = TimeGenerated
    | extend TimeKey = range(bin(End - lookupWindow, lookupBin), bin(End, lookupBin), lookupBin)
    | mvexpand TimeKey to typeof(datetime)
) on UserAgent, TimeKey
| project timeSpan = End - Start, UserId, ClientIP , UserAgent , Start, End
| summarize Count_ClientIP = dcount(ClientIP) by UserAgent
| where Count_ClientIP > threshold
| join kind=inner (  
    officeAuthentications
    | summarize minTime=min(TimeGenerated), maxTime=max(TimeGenerated) by UserId, UserAgent, ClientIP
) on UserAgent
'''

office_logons_byuser_query = '''
let end = datetime({end});
let start = datetime({start});
let threshold={threshold};
let officeAuthentications = OfficeActivity
| where TimeGenerated >= start
| where TimeGenerated <= end
| where RecordType in ("AzureActiveDirectoryAccountLogon", "AzureActiveDirectoryStsLogon")
| extend UserAgent = extractjson("$[0].Value", ExtendedProperties, typeof(string))
| where Operation == "UserLoggedIn";
let lookupWindow = 1d;
let lookupBin = lookupWindow / 2.0; 
officeAuthentications 
| project-rename Start = TimeGenerated
| extend TimeKey = bin(Start, lookupBin)
| join kind = inner (
    officeAuthentications
    | project-rename End = TimeGenerated
    | extend TimeKey = range(bin(End - lookupWindow, lookupBin), bin(End, lookupBin), lookupBin)
    | mvexpand TimeKey to typeof(datetime)
) on UserId, TimeKey
| project timeSpan = End - Start, UserId, ClientIP , UserAgent, Start, End
| summarize Count_ClientIP = dcount(ClientIP) by UserId
| where Count_ClientIP > threshold
| join kind=inner (  
    officeAuthentications
    | summarize minTime=min(TimeGenerated), maxTime=max(TimeGenerated) by UserId, UserAgent, ClientIP
) on UserId
'''

# %kql -query office_logons_query
# office_logons_df = _kql_raw_result_.to_dataframe()

#
# Description: New user agents associated with a clientIP for sharepoint file uploads/downloads. 
#
# DataSource: #OfficeActivity
#
# Techniques: #Exfiltration
#
new_user_agents = '''
let end = datetime({end});
let start = datetime({start});
let hist_start = start - 30d;
let hist_end = start;
let historicalUA =
OfficeActivity
| where TimeGenerated >= hist_start
| where TimeGenerated <= hist_end
| where UserType == 'Regular'
| summarize op_count = count() by UserId, UserAgent, RecordType, Operation;
let recentUA = OfficeActivity
| where TimeGenerated >= start
| where TimeGenerated <= end
| where UserType == 'Regular'
| summarize op_count = count() by UserId, UserAgent, RecordType, Operation;
recentUA | join kind=leftanti (
   historicalUA 
) on UserId, UserAgent
| where not(isempty(UserId))
'''

user_logon_anom_query = '''
let LogonEvents=() {{
let logonFail=OfficeActivity
| where TimeGenerated >= datetime({start})
| where TimeGenerated <= datetime({end})
| where RecordType in ("AzureActiveDirectoryAccountLogon", "AzureActiveDirectoryStsLogon") and ResultStatus =~ "Failed"
| project  TimeGenerated, AccountName=split(UserId, "@").[0], AccountDomain = iff(RecordType == "AzureActiveDirectoryAccountLogon",UserDomain,split(UserId, "@").[1]), UserId, IpAddress=ClientIP, OrganizationId, 
ActionType="LogonFailure";
let logonSuccess=OfficeActivity
| where TimeGenerated >= datetime({start})
| where TimeGenerated <= datetime({end})
| where RecordType in ("AzureActiveDirectoryAccountLogon", "AzureActiveDirectoryStsLogon") and ResultStatus =~ "Succeeded"
| project  TimeGenerated, AccountName=split(UserId, "@").[0], AccountDomain = iff(RecordType == "AzureActiveDirectoryAccountLogon",UserDomain,split(UserId, "@").[1]), UserId, IpAddress=ClientIP, OrganizationId, 
ActionType="Logon";
 logonFail | union logonSuccess}}; 
let logonSummary =
 LogonEvents 
| summarize count() by ActionType, IpAddress, tostring(AccountName), tostring(AccountDomain), UserId, OrganizationId, bin(TimeGenerated, 1m); 
let logon_success = logonSummary | where ActionType == "Logon";
let logon_fail = logonSummary | where ActionType == "LogonFailure";
logon_fail | join kind = leftouter (logon_success) on  IpAddress
| project TimeGenerated, IpAddress, failCount=count_, AccountName, OrganizationId, UserId, successCount=count_1 
| extend successRate = 1.0*successCount/(successCount+failCount)
| project TimeGenerated, IpAddress, AccountName, successRate, failCount, successCount, UserId, OrganizationId
'''
This product includes GeoLite2 data created by MaxMind, available from https://www.maxmind.com.
This library uses services provided by ipstack. https://ipstack.com
In [7]:
# set the origin time to the time of our alert
o365_query_times = mas.QueryTime(units='days',
                           before=3, after=1, max_before=60, max_after=20)
o365_query_times.display()

Tenant-wide Information

AAD Operations - Changes to users and groups

In [13]:
print('Getting data...', end=' ')
o365_query = ad_changes_query.format(start = o365_query_times.start, 
                                     end=o365_query_times.end)
%kql -query o365_query
ad_changes_df = _kql_raw_result_.to_dataframe()
print('done.')
ad_changes_df[['TimeGenerated', 'Operation', 
       'OfficeWorkload', 'ResultStatus', 'OfficeObjectId', 'UserId',
       'ClientIP']]
Getting data... done.
Out[13]:
TimeGenerated Operation OfficeWorkload ResultStatus OfficeObjectId UserId ClientIP
0 2019-02-08 21:34:02 Change user password. AzureActiveDirectory Success [email protected] [email protected] <null>
1 2019-02-08 21:29:05 Add user. AzureActiveDirectory Success [email protected] [email protected] <null>
2 2019-02-08 21:29:06 Add member to role. AzureActiveDirectory Success [email protected] [email protected] <null>

Logon Anomalies

Logon failures from an IP address that then succeed.

In [14]:
print('Getting data...', end=' ')
o365_query = user_logon_anom_query.format(start = o365_query_times.start, 
                                          end=o365_query_times.end)
%kql -query o365_query
user_logon_anom_df = _kql_raw_result_.to_dataframe()
print('done.')
user_logon_anom_df.sort_values('failCount')
Getting data... done.
Out[14]:
TimeGenerated IpAddress AccountName successRate failCount successCount UserId OrganizationId
0 2019-02-12 04:33:00 131.107.174.209 ianh 0.888889 2 16 [email protected] aa46238d-13fc-4314-8f0c-94044435adb1
1 2019-02-12 04:33:00 131.107.174.209 ianh 0.333333 2 1 [email protected] aa46238d-13fc-4314-8f0c-94044435adb1
2 2019-02-16 03:43:00 23.97.60.214 ianh 0.727273 3 8 [email protected] aa46238d-13fc-4314-8f0c-94044435adb1
3 2019-02-16 03:43:00 23.97.60.214 ianh 0.750000 3 9 [email protected] aa46238d-13fc-4314-8f0c-94044435adb1
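
The query above joins failure and success bins on IpAddress only, so it pairs them whichever came first. The following added example (not part of the original notebook) applies the same idea in plain Python with the order enforced: a success counts only if enough failures from the same IP precede it within a time window. The function names, the 30-minute window, the two-failure threshold and the sample records are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records using the OfficeActivity columns that the
# notebook's query reads: TimeGenerated, UserId, ClientIP, ResultStatus.
# Addresses come from documentation ranges; accounts are made up.
SAMPLE_EVENTS = [
    # Failures against two accounts, then a success: should be flagged.
    ("2019-02-12 04:31:10", "alice@example.test", "198.51.100.7", "Failed"),
    ("2019-02-12 04:31:40", "bob@example.test", "198.51.100.7", "Failed"),
    ("2019-02-12 04:32:05", "alice@example.test", "198.51.100.7", "Failed"),
    ("2019-02-12 04:33:20", "alice@example.test", "198.51.100.7", "Succeeded"),
    ("2019-02-12 04:40:00", "alice@example.test", "198.51.100.7", "Succeeded"),
    # Success first, failures afterwards: wrong order, not flagged.
    ("2019-02-12 09:00:00", "carol@example.test", "203.0.113.20", "Succeeded"),
    ("2019-02-12 09:05:00", "carol@example.test", "203.0.113.20", "Failed"),
    ("2019-02-12 09:06:00", "carol@example.test", "203.0.113.20", "Failed"),
    # Failures two hours before the success: outside the window, not flagged.
    ("2019-02-12 01:00:00", "dave@example.test", "192.0.2.44", "Failed"),
    ("2019-02-12 01:01:00", "dave@example.test", "192.0.2.44", "Failed"),
    ("2019-02-12 03:00:00", "dave@example.test", "192.0.2.44", "Succeeded"),
    # One mistyped password: below the failure threshold, not flagged.
    ("2019-02-12 10:00:00", "erin@example.test", "192.0.2.90", "Failed"),
    ("2019-02-12 10:00:30", "erin@example.test", "192.0.2.90", "Succeeded"),
]


def parse_events(rows):
    """Turn raw tuples into dicts with a parsed timestamp and normalised fields."""
    return [
        {
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user.lower(),
            "ip": ip,
            # The notebook compares ResultStatus case-insensitively (=~).
            "status": status.lower(),
        }
        for ts, user, ip, status in rows
    ]


def unordered_ip_matches(events):
    """IPs with at least one failure and one success, in any order."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["ip"]].add(ev["status"])
    return {ip for ip, st in seen.items() if {"failed", "succeeded"} <= st}


def failures_then_success(events, window=timedelta(minutes=30), min_failures=2):
    """Flag a success preceded by >= min_failures failures from the same IP
    inside `window`. Failures may target any account, which also covers one
    address trying several users before getting in."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_ip[ev["ip"]].append(ev)

    findings = []
    for ip, ip_events in by_ip.items():
        pending = []  # failures not yet attributed to a flagged success
        for ev in ip_events:
            # Forget failures that are too old to relate to this event.
            pending = [f for f in pending if ev["time"] - f["time"] <= window]
            if ev["status"] == "failed":
                pending.append(ev)
            elif ev["status"] == "succeeded" and len(pending) >= min_failures:
                findings.append({
                    "ip": ip,
                    "success_user": ev["user"],
                    "success_time": ev["time"],
                    "first_failure": pending[0]["time"],
                    "failures": len(pending),
                    "accounts_targeted": sorted({f["user"] for f in pending}),
                })
                pending = []  # report each failure run once
    return findings


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("IPs with both outcomes (any order):", sorted(unordered_ip_matches(events)))
    for finding in failures_then_success(events):
        print(finding)
```

On the constructed data all four addresses have both outcomes, but only 198.51.100.7 shows failures followed by a success inside the window.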

Summary of O365 Activity Types

Warning: this query can be time-consuming for large O365 subscriptions.

In [15]:
print('Getting data...', end=' ')
o365_query = office_ops_summary_query.format(start = o365_query_times.start, 
                                             end=o365_query_times.end)
%kql -query o365_query
office_ops_summary_df = _kql_raw_result_.to_dataframe()
print('done.')
(office_ops_summary_df
 .assign(UserId = lambda x: x.UserId.str.lower())
 .groupby(['RecordType', 'Operation'])
 .aggregate({'ClientIP': 'nunique',
             'UserId': 'nunique',
             'OperationCount': 'sum'}))
Getting data... done.
Out[15]:
                                                                          ClientIP  UserId  OperationCount
RecordType                    Operation
36                            ListUpdated                                 1         1       1
AzureActiveDirectory          Add member to role.                         1         1       1
                              Add user.                                   1         1       1
                              Change user password.                       1         1       1
                              Update StsRefreshTokenValidFrom Timestamp.  1         1       1
                              Update user.                                1         1       2
AzureActiveDirectoryStsLogon  UserLoggedIn                                8         2       100
SharePoint                    PageViewed                                  3         2       9
                              SearchQueryPerformed                        6         2       82
                              SiteCollectionCreated                       1         1       1
SharePointFileOperation       FileAccessed                                3         2       64
                              FileDownloaded                              3         1       90
                              FileModified                                4         1       31
                              FileModifiedExtended                        3         1       12
                              FilePreviewed                               3         1       16
                              FileUploaded                                7         1       40
                              FolderCreated                               1         1       6
                              FolderModified                              2         2       10

Variability of IP Address for users

In [16]:
unique_ip_op_ua = (office_ops_summary_df.assign(UserId = lambda x: x.UserId.str.lower())
                   .groupby(['UserId', 'Operation'])
                   .aggregate({'ClientIP': 'nunique', 'OperationCount': 'sum'})).reset_index()

user_ip_op = sns.catplot(x="ClientIP", y="UserId", hue='Operation', data=unique_ip_op_ua, height=5, aspect=2)
user_ip_op.fig.suptitle('Variability of IP Address Usage by user');
In [17]:
office_ops_summary_df
Out[17]:
RecordType Operation UserId UserAgent ClientIP TimeGenerated OperationCount
0 SharePoint SearchQueryPerformed [email protected] 40.108.218.165 2019-02-21 04:00:00 13
1 SharePoint SearchQueryPerformed [email protected] 40.108.218.172 2019-02-26 04:00:00 13
2 SharePoint SearchQueryPerformed [email protected] 40.108.218.174 2019-02-05 04:00:00 13
3 SharePointFileOperation FileDownloaded [email protected] OneDriveMpc/1.0 131.107.147.209 2019-02-12 04:00:00 41
4 SharePointFileOperation FileAccessed [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.357... 131.107.147.209 2019-02-12 04:00:00 4
5 SharePoint PageViewed [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.357... 131.107.147.209 2019-02-12 04:00:00 1
6 SharePoint SearchQueryPerformed [email protected] 40.108.218.172 2019-02-10 04:00:00 13
7 SharePointFileOperation FilePreviewed [email protected] OneDriveMpc/1.0 174.21.171.55 2019-02-10 04:00:00 10
8 SharePointFileOperation FileAccessed [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 174.21.171.55 2019-02-10 04:00:00 36
9 SharePointFileOperation FileUploaded [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 174.21.171.55 2019-02-10 04:00:00 34
10 SharePointFileOperation FileModified [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 174.21.171.55 2019-02-10 04:00:00 27
11 SharePointFileOperation FolderCreated [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 174.21.171.55 2019-02-10 04:00:00 6
12 SharePointFileOperation FolderModified [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 174.21.171.55 2019-02-10 04:00:00 5
13 SharePoint PageViewed [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 174.21.171.55 2019-02-10 04:00:00 2
14 SharePointFileOperation FileModifiedExtended [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 174.21.171.55 2019-02-10 04:00:00 10
15 AzureActiveDirectory Update user. [email protected]rosoft.com <null> 2019-02-10 20:00:00 2
16 SharePointFileOperation FolderModified [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.357... 131.107.147.209 2019-02-08 21:00:00 4
17 SharePoint PageViewed [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.357... 131.107.147.209 2019-02-08 21:00:00 2
18 SharePoint SearchQueryPerformed [email protected] 51.140.143.190 2019-02-08 21:00:00 3
19 SharePointFileOperation FileAccessed [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.357... 131.107.147.209 2019-02-08 21:00:00 7
20 SharePoint PageViewed [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.357... 131.107.147.209 2019-02-08 21:00:00 2
21 SharePointFileOperation FolderModified [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.357... 131.107.147.209 2019-02-08 21:00:00 1
22 SharePointFileOperation FileAccessed [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.357... 131.107.147.209 2019-02-08 21:00:00 3
23 SharePoint SiteCollectionCreated [email protected] 2019-02-08 21:00:00 1
24 AzureActiveDirectory Update StsRefreshTokenValidFrom Timestamp. [email protected] <null> 2019-02-08 21:00:00 1
25 AzureActiveDirectory Change user password. [email protected] <null> 2019-02-08 21:00:00 1
26 AzureActiveDirectory Add user. [email protected] <null> 2019-02-08 21:00:00 1
27 AzureActiveDirectory Add member to role. [email protected] <null> 2019-02-08 21:00:00 1
28 SharePointFileOperation FileDownloaded [email protected] OneDriveMpc/1.0 23.97.60.214 2019-02-16 03:00:00 47
29 SharePointFileOperation FileAccessed [email protected]soft.com Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.316... 23.97.60.214 2019-02-16 03:00:00 4
30 SharePoint PageViewed [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.316... 23.97.60.214 2019-02-16 03:00:00 1
31 SharePointFileOperation FilePreviewed [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.316... 20.190.140.50 2019-02-16 03:00:00 3
32 SharePointFileOperation FilePreviewed [email protected] OneDriveMpc/1.0 23.97.60.214 2019-02-16 03:00:00 3
33 SharePoint SearchQueryPerformed [email protected] 40.108.218.172 2019-02-16 04:00:00 13
34 SharePoint PageViewed [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 131.107.147.209 2019-02-16 02:00:00 1
35 SharePointFileOperation FileAccessed [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 131.107.147.209 2019-02-16 02:00:00 6
36 SharePointFileOperation FileModified [email protected] MSWAC 40.81.159.43 2019-02-16 02:00:00 1
37 SharePointFileOperation FileDownloaded [email protected] MSWAC 40.81.159.203 2019-02-16 02:00:00 1
38 SharePointFileOperation FileUploaded [email protected] MSWAC 40.81.159.203 2019-02-16 02:00:00 1
39 36 ListUpdated [email protected] ODMTADocCache/1.0 51.140.84.119 2019-02-16 02:00:00 1
40 SharePointFileOperation FileUploaded [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 20.190.133.114 2019-02-16 02:00:00 1
41 SharePointFileOperation FileModified [email protected] MSWAC 40.81.158.170 2019-02-16 02:00:00 1
42 SharePointFileOperation FileModifiedExtended [email protected] MSWAC 40.81.126.127 2019-02-16 03:00:00 1
43 SharePointFileOperation FileUploaded [email protected] MSWAC 40.81.126.127 2019-02-16 03:00:00 1
44 SharePointFileOperation FileModified [email protected] MSWAC 40.81.126.127 2019-02-16 03:00:00 1
45 SharePointFileOperation FileDownloaded [email protected] MSWAC 40.81.159.203 2019-02-16 03:00:00 1
46 SharePointFileOperation FileAccessed [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 131.107.147.209 2019-02-16 03:00:00 4
47 SharePointFileOperation FileModifiedExtended [email protected] MSWAC 40.81.159.43 2019-02-16 03:00:00 1
48 SharePointFileOperation FileUploaded [email protected] MSWAC 40.81.159.166 2019-02-16 03:00:00 1
49 SharePointFileOperation FileUploaded [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 20.190.133.115 2019-02-16 03:00:00 1
50 SharePointFileOperation FileModified [email protected] MSWAC 40.81.158.170 2019-02-16 03:00:00 1
51 SharePointFileOperation FileUploaded [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 131.107.147.209 2019-02-16 03:00:00 1
52 SharePoint SearchQueryPerformed [email protected] 51.140.110.25 2019-01-28 16:00:00 1
53 SharePoint SearchQueryPerformed [email protected] 40.108.218.163 2019-01-30 04:00:00 13
54 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.357... 131.107.174.209 2019-02-12 04:00:00 17
55 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 167.220.2.149 2019-02-11 20:00:00 10
56 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 174.21.171.55 2019-02-11 03:00:00 1
57 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 167.220.2.149 2019-02-11 02:00:00 1
58 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 167.220.2.149 2019-02-11 01:00:00 1
59 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 167.220.2.149 2019-02-11 00:00:00 1
60 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 167.220.2.149 2019-02-10 22:00:00 1
61 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 167.220.2.149 2019-02-10 21:00:00 1
62 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.357... 167.220.2.209 2019-02-08 21:00:00 1
63 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 174.21.171.55 2019-02-10 04:00:00 9
64 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 167.220.2.149 2019-02-10 20:00:00 18
65 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 167.220.2.149 2019-02-11 04:00:00 3
66 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) ... 194.69.103.9 2019-01-31 16:00:00 3
67 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.316... 23.97.60.214 2019-02-16 03:00:00 17
68 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 167.220.2.81 2019-02-16 02:00:00 1
69 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.357... 167.220.2.209 2019-02-08 21:00:00 5
70 AzureActiveDirectoryStsLogon UserLoggedIn [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.357... 131.107.174.81 2019-02-08 21:00:00 10

Accounts with multiple IPs and Geolocations

In [18]:
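restrict_cols = ['RecordType', 'TimeGenerated', 'Operation',
                 'UserId', 'ClientIP', 'UserAgent']
# Lower-case UserId so the merge below is not split by case differences
office_ops_summary = office_ops_summary_df[restrict_cols].assign(UserId = lambda x: x.UserId.str.lower())
# The query below treats unique_ip_op_ua['ClientIP'] as a count of IPs per UserId/Operation.
# Keep that count as 'ClientIPCount' and drop 'ClientIP' so the merge supplies the actual addresses.
unique_ip_op_ua['ClientIPCount'] = unique_ip_op_ua['ClientIP']
office_ops_merged = pd.merge(unique_ip_op_ua.query('ClientIP > 1').drop(columns='ClientIP'), 
                             office_ops_summary,
                             on=['UserId', 'Operation'])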

client_ips = office_ops_merged.query('ClientIP != "<null>" & ClientIP != ""')['ClientIP'].drop_duplicates().tolist()
ip_entities = []
for ip in client_ips:
    ip_entity = mas.IpAddress(Address=ip)
    iplocation.lookup_ip(ip_entity=ip_entity)
    ip_dict = {'Address': ip_entity.Address}
    ip_dict.update(ip_entity.Location.properties)
    ip_entities.append(pd.Series(ip_dict))

ip_locs_df = pd.DataFrame(data=ip_entities)
ip_locs_df

office_ops_summary_ip_loc = pd.merge(office_ops_merged, 
                                     ip_locs_df, left_on='ClientIP', 
                                     right_on='Address', how='left')

(office_ops_summary_ip_loc.groupby(['UserId', 'CountryCode', 'City'])
                   .aggregate({'ClientIP': 'nunique', 'OperationCount': 'sum'})).reset_index()
Out[18]:
UserId CountryCode City ClientIP OperationCount
0 [email protected] GB Hornsey 1 13
1 [email protected] GB London 2 8
2 [email protected] US Redmond 1 13
3 [email protected] GB London 4 468
4 [email protected] GB Cardiff 1 83
5 [email protected] GB London 4 365
6 [email protected] SG Singapore 2 273
7 [email protected] US Redmond 2 472
8 [email protected] US Seattle 1 343

User Logons where User has logged on from > N IP Addresses in period

In [19]:
th_wgt = widgets.IntSlider(value=1, min=1, max=50, step=1, description='Set IP Count Threshold', **WIDGET_DEFAULTS)
th_wgt
In [22]:
print('Getting data...', end=' ')
o365_query = office_logons_byuser_query.format(start = o365_query_times.start, 
                                               end=o365_query_times.end,
                                               threshold=th_wgt.value)
%kql -query o365_query
office_logons_byuser_df = _kql_raw_result_.to_dataframe()
print('done.')
office_logons_byuser_df
Getting data... done.
Out[22]:
UserId Count_ClientIP UserId1 UserAgent ClientIP minTime maxTime
0 [email protected] 6 [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.357... 131.107.174.209 2019-02-12 04:33:55 2019-02-12 04:34:56
1 [email protected] 6 [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 167.220.2.149 2019-02-10 20:19:30 2019-02-11 20:24:55
2 [email protected] 6 [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... 174.21.171.55 2019-02-10 04:29:45 2019-02-11 03:22:08
3 [email protected] 6 [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.316... 23.97.60.214 2019-02-16 03:44:15 2019-02-16 03:45:53
4 [email protected] 6 [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 167.220.2.81 2019-02-16 02:53:15 2019-02-16 02:53:15
5 [email protected] 6 [email protected] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.357... 167.220.2.209 2019-02-08 21:32:57 2019-02-08 21:34:19
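
The distinct-IP threshold check behind the result above, as an added example that is not code from this notebook (the KQL query it runs is defined in an earlier cell). It uses plain Python so it runs without a workspace; the function name, the sample rows and their documentation-range addresses are constructed for illustration. It also applies the two clean-up steps the notebook uses elsewhere: lower-casing UserId and skipping empty or "<null>" ClientIP values.

```python
from collections import defaultdict
from datetime import datetime

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows shaped like OfficeActivity logon records:
# (UserId, ClientIP, UserAgent, TimeGenerated). Not data from the notebook.
SAMPLE_LOGONS = [
    ("Alice@contoso.example", "192.0.2.10", "Chrome/72", "2019-02-10 20:19:30"),
    ("alice@contoso.example", "192.0.2.10", "Chrome/72", "2019-02-11 20:24:55"),
    ("alice@contoso.example", "198.51.100.7", "Chrome/61", "2019-02-16 03:44:15"),
    ("alice@contoso.example", "198.51.100.7", "Chrome/61", "2019-02-16 03:45:53"),
    ("alice@contoso.example", "203.0.113.5", "Chrome/64", "2019-02-16 02:53:15"),
    ("alice@contoso.example", "<null>", "", "2019-02-16 02:55:00"),
    ("bob@contoso.example", "192.0.2.44", "Chrome/71", "2019-02-08 21:32:57"),
    ("bob@contoso.example", "", "Chrome/71", "2019-02-08 21:34:19"),
]


def logons_over_ip_threshold(rows, threshold):
    """Return first/last-seen rows per (user, agent, IP) for users whose
    distinct ClientIP count is greater than `threshold`."""
    ips_by_user = defaultdict(set)   # user -> set of distinct client IPs
    windows = {}                     # (user, agent, ip) -> [first_seen, last_seen]

    for user_id, client_ip, user_agent, time_generated in rows:
        # Records without a usable address cannot contribute to an IP count
        if client_ip in ("", "<null>"):
            continue
        user = user_id.lower()       # same normalisation as the notebook's merge
        when = datetime.strptime(time_generated, TIME_FORMAT)
        ips_by_user[user].add(client_ip)

        key = (user, user_agent, client_ip)
        if key in windows:
            window = windows[key]
            window[0] = min(window[0], when)
            window[1] = max(window[1], when)
        else:
            windows[key] = [when, when]

    results = []
    for (user, agent, ip), (first_seen, last_seen) in windows.items():
        ip_count = len(ips_by_user[user])
        if ip_count > threshold:
            results.append({
                "UserId": user,
                "Count_ClientIP": ip_count,
                "UserAgent": agent,
                "ClientIP": ip,
                "minTime": first_seen,
                "maxTime": last_seen,
            })
    # Oldest activity first within each user, so the IP sequence reads as a timeline
    results.sort(key=lambda r: (r["UserId"], r["minTime"]))
    return results


if __name__ == "__main__":
    for row in logons_over_ip_threshold(SAMPLE_LOGONS, threshold=1):
        print(row["UserId"], row["Count_ClientIP"], row["ClientIP"],
              row["minTime"], row["maxTime"])
```
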

Matrix of Selected Operation Types by Location and IP

In [23]:
print('Getting data...', end=' ')
o365_query = office_ops_query.format(start=o365_query_times.start, 
                                     end=o365_query_times.end)
%kql -query o365_query
office_ops_df = _kql_raw_result_.to_dataframe()
print('done.') 

# Get Locations for distinct IPs
client_ips = office_ops_df.query('ClientIP != "<null>" & ClientIP != ""')['ClientIP'].drop_duplicates().tolist()
ip_entities = []
for ip in client_ips:
    ip_entity = mas.IpAddress(Address=ip)
    iplocation.lookup_ip(ip_entity=ip_entity)
    ip_dict = {'Address': ip_entity.Address}
    ip_dict.update(ip_entity.Location.properties)
    ip_entities.append(pd.Series(ip_dict))

ip_locs_df = pd.DataFrame(data=ip_entities)

# Get rid of unneeded columns
restrict_cols = ['OfficeId', 'RecordType', 'TimeGenerated', 'Operation',
                 'OrganizationId', 'UserType', 'UserKey', 'OfficeWorkload',
                 'ResultStatus', 'OfficeObjectId', 'UserId', 'ClientIP','UserAgent']
office_ops_restr = office_ops_df[restrict_cols]

# Merge main DF with IP location data
office_ops_locs = pd.merge(office_ops_restr, ip_locs_df, how='right', left_on='ClientIP', right_on='Address',
         indicator=True)

limit_op_types = ['FileDownloaded', 'FileModified','FileUploaded',
                  'UserLoggedIn','UserLoginFailed','Add member to role.',
                 'Add user.','Change user password.', 'Update user.']

office_ops_locs = office_ops_locs[office_ops_locs.Operation.isin(limit_op_types)]

# Calculate operations grouped by location and operation type
cm = sns.light_palette("yellow", as_cmap=True)
country_by_op_count = (office_ops_locs[['Operation', 'RecordType', 'CountryCode', 'City']]
                        .groupby(['CountryCode', 'City', 'Operation'])
                        .count())
display(country_by_op_count.unstack().fillna(0).rename(columns={'RecordType':'OperationCount'})
        .style.background_gradient(cmap=cm))

# Group by Client IP, Country, Operation
clientip_by_op_count = (office_ops_locs[['ClientIP', 'Operation', 'RecordType', 'CountryCode']]
                        .groupby(['ClientIP', 'CountryCode', 'Operation'])
                        .count())

(clientip_by_op_count.unstack().fillna(0).rename(columns={'RecordType':'OperationCount'})
 .style.background_gradient(cmap=cm))
Getting data... done.
OperationCount
CountryCode  City       FileDownloaded  FileModified  FileUploaded  UserLoggedIn  UserLoginFailed
GB           Cardiff    0               1             1             0             0
GB           Hornsey    0               0             0             3             0
GB           London     2               3             2             0             0
SG           Singapore  47              0             0             17            3
US           Redmond    41              0             1             27            2
US           Seattle    0               27            34            10            0
Out[23]:
OperationCount
ClientIP         CountryCode  FileDownloaded  FileModified  FileUploaded  UserLoggedIn  UserLoginFailed
131.107.147.209  US           41              0             1             0             0
131.107.174.209  US           0               0             0             17            2
131.107.174.81   US           0               0             0             10            0
167.220.2.149    US           0               0             0             36            0
167.220.2.209    US           0               0             0             6             0
167.220.2.81     US           0               0             0             1             0
174.21.171.55    US           0               27            34            10            0
194.69.103.9     GB           0               0             0             3             0
20.190.133.114   US           0               0             1             0             0
20.190.133.115   US           0               0             1             0             0
23.97.60.214     SG           47              0             0             17            3
40.81.126.127    GB           0               1             1             0             0
40.81.158.170    GB           0               2             0             0             0
40.81.159.166    GB           0               0             1             0             0
40.81.159.203    GB           2               0             1             0             0
40.81.159.43     GB           0               1             0             0             0

Geolocation Map of Client IPs

In [24]:
from msticpy.nbtools.foliummap import FoliumMap
folium_map = FoliumMap()

def get_row_ip_loc(row):
    try:
        _, ip_entity = iplocation.lookup_ip(ip_address=row.ClientIP)
        return ip_entity
    except ValueError:
        return None
    
off_ip_locs = (office_ops_df[['ClientIP']]
                   .drop_duplicates()
                   .apply(get_row_ip_loc, axis=1)
                   .tolist())
ip_locs = [ip_list[0] for ip_list in off_ip_locs if ip_list]
    
display(HTML('<h3>External IP Addresses seen in Office Activity</h3>'))
display(HTML('Numbered circles indicate multiple items - click to expand.'))


icon_props = {'color': 'purple'}
folium_map.add_ip_cluster(ip_entities=ip_locs,
                          **icon_props)
display(folium_map.folium_map)

External IP Addresses seen in Office Activity

Numbered circles indicate multiple items - click to expand.

Distinct User Agent Strings in Use

In [25]:
display(Markdown('### IPs and User Agents - frequency of use'))
display(Markdown('Distinct UserAgents by num of operations'))
office_ops_df[['UserAgent', 'Operation']].groupby(['UserAgent']).count().rename(columns={'Operation':'OpCount'})

IPs and User Agents - frequency of use

Distinct UserAgents by num of operations

Out[25]:
UserAgent OpCount
(blank) 102
MSWAC 11
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 OPR/48.0.2685.52 28
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763 15
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 59
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.96 Safari/537.36 166
Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/71.0.3578.89 Mobile/15E148 Safari/605.1 3
ODMTADocCache/1.0 1
OneDriveMpc/1.0 101

Graphical Activity Timeline

In [26]:
with warnings.catch_warnings():
    warnings.simplefilter("ignore")
    display(Markdown('### Change in rate of Activity Class (RecordType) and Operation'))
    sns.relplot(data=office_ops_summary_df, x='TimeGenerated', y='OperationCount', kind='line', aspect=2, 
                hue='RecordType')
    sns.relplot(data=office_ops_summary_df.query('RecordType == "SharePointFileOperation"'), 
                x='TimeGenerated', y='OperationCount', hue='Operation', kind='line', aspect=2)

Change in rate of Activity Class (RecordType) and Operation

Users With largest Activity Type Count

In [27]:
with warnings.catch_warnings():
    warnings.simplefilter("ignore")
    display(Markdown('### Identify Users/IPs with largest operation count'))
    office_ops = office_ops_summary_df.assign(Account=lambda x: 
                                              (x.UserId.str.extract('([^@]+)@.*', expand=False)).str.lower())

    limit_op_types = ['FileDownloaded', 'FileModified','FileUploaded',
                      'UserLoggedIn','UserLoginFailed','Add member to role.',
                     'Add user.','Change user password.', 'Update user.']
    office_ops = office_ops[office_ops.Operation.isin(limit_op_types)]
    
    sns.catplot(data=office_ops, y='Account', x='OperationCount', 
                hue='Operation', aspect=2)
    display(office_ops.pivot_table('OperationCount', index=['Account'], 
                                   columns='Operation').style.bar(color='orange', align='mid'))

Identify Users/IPs with largest operation count

Account  Add member to role.  Add user.  Change user password.  FileDownloaded  FileModified  FileUploaded  Update user.  UserLoggedIn
admin    1                    1          nan                    nan             nan           nan           nan           6.5
ianh     nan                  nan        1                      22.5            6.2           5.71429       2             5.8
In [28]:
new_df = office_ops_df[['OfficeId', 'RecordType', 'TimeGenerated', 'Operation',
       'OrganizationId', 'UserType', 'UserKey', 'OfficeWorkload',
       'ResultStatus', 'OfficeObjectId', 'UserId', 'ClientIP','UserAgent']]
pd.merge(new_df, ip_locs_df, how='left', left_on='ClientIP', right_on='Address')
Out[28]:
OfficeId RecordType TimeGenerated Operation OrganizationId UserType UserKey OfficeWorkload ResultStatus OfficeObjectId UserId ClientIP UserAgent Address AdditionalData CountryCode CountryName State City Longitude Latitude
448 725e3360-c92e-474a-eafd-08d693c45375 SharePoint 2019-02-16 04:07:54 SearchQueryPerformed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0i.t|00000003-0000-0ff1-ce00-000000000000|[email protected] SharePoint 6c6ac09e-006e-0000-4ad6-bb8b6e897763 [email protected] 40.108.218.172 40.108.218.172 {} GB United Kingdom England London -0.0931 51.5142
449 36e891b6-7414-46dc-e76f-08d693ba639f SharePoint 2019-02-16 02:56:46 PageViewed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/_layouts/15/oned... [email protected] 131.107.147.209 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 131.107.147.209 {} US United States Washington Redmond -122.1215 47.6740
450 72db453b-1b99-4d37-3292-08d693ba6699 SharePointFileOperation 2019-02-16 02:56:51 FileAccessed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Forms/... [email protected] 131.107.147.209 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 131.107.147.209 {} US United States Washington Redmond -122.1215 47.6740
451 24133802-d613-4792-d05b-08d693ba6696 SharePointFileOperation 2019-02-16 02:56:51 FileAccessed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Forms/... [email protected] 131.107.147.209 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 131.107.147.209 {} US United States Washington Redmond -122.1215 47.6740
452 18c68639-c938-46de-6e0d-08d693ba6694 SharePointFileOperation 2019-02-16 02:56:51 FileAccessed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Forms/... [email protected] 131.107.147.209 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 131.107.147.209 {} US United States Washington Redmond -122.1215 47.6740
453 5a043c42-2b3d-45ac-f185-08d693ba204e SharePointFileOperation 2019-02-16 02:54:53 FileModified aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 40.81.159.43 MSWAC 40.81.159.43 {} GB United Kingdom England London -0.0931 51.5142
454 ae7d7ace-8fe1-4312-b264-08d693ba247e SharePointFileOperation 2019-02-16 02:55:00 FileAccessed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Terms ... [email protected] 131.107.147.209 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 131.107.147.209 {} US United States Washington Redmond -122.1215 47.6740
455 c82f7b30-c6dc-4214-4380-08d693ba67d6 SharePointFileOperation 2019-02-16 02:56:53 FileAccessed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] SharePoint https://m365x054215-my.sharepoint.com/User Photos/Profile Pictures/ianh_m365x054215_onmicrosoft_... [email protected] 131.107.147.209 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 131.107.147.209 {} US United States Washington Redmond -122.1215 47.6740
456 c2019e59-aba1-4b2a-682d-08d693ba2633 SharePointFileOperation 2019-02-16 02:55:03 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Terms ... [email protected] 40.81.159.203 MSWAC 40.81.159.203 {} GB United Kingdom England London -0.0931 51.5142
457 648e58df-14f2-49f2-bd80-08d693ba2400 SharePointFileOperation 2019-02-16 02:54:59 FileUploaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Terms ... [email protected] 40.81.159.203 MSWAC 40.81.159.203 {} GB United Kingdom England London -0.0931 51.5142
458 ea0dfabe-6ca3-4844-3dd4-08d693ba08e5 SharePointFileOperation 2019-02-16 02:54:14 FileAccessed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 131.107.147.209 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 131.107.147.209 {} US United States Washington Redmond -122.1215 47.6740
459 ff8d4676-91e8-4e30-a869-08d693ba25be 36 2019-02-16 02:55:02 ListUpdated aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0i.t|00000003-0000-0ff1-ce00-000000000000|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/personal/ianh_m3... [email protected] 51.140.84.119 ODMTADocCache/1.0 51.140.84.119 {} GB United Kingdom England London -0.0931 51.5142
460 1827a799-9b5f-4082-b7c2-08d693b9fec0 SharePointFileOperation 2019-02-16 02:53:57 FileUploaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 20.190.133.114 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 20.190.133.114 {} US United States Washington None -122.3321 47.6062
461 935acd8c-d863-42ca-e4a0-08d693ba0dc0 SharePointFileOperation 2019-02-16 02:54:22 FileModified aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 40.81.158.170 MSWAC 40.81.158.170 {} GB United Kingdom England London -0.0931 51.5142
462 3e9d7170-5ed8-4b45-0ff0-08d693bb1274 SharePointFileOperation 2019-02-16 03:01:39 FileModifiedExtended aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Book.xlsx [email protected] 40.81.126.127 MSWAC 40.81.126.127 {} GB United Kingdom Wales Cardiff -3.2000 51.5000
463 82a80319-3d31-42a5-9b6d-08d693bb12e1 SharePointFileOperation 2019-02-16 03:01:40 FileUploaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Budget... [email protected] 40.81.126.127 MSWAC 40.81.126.127 {} GB United Kingdom Wales Cardiff -3.2000 51.5000
464 89d902e8-26d9-4ff7-8a7e-08d693bb05ac SharePointFileOperation 2019-02-16 03:01:18 FileModified aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Book.xlsx [email protected] 40.81.126.127 MSWAC 40.81.126.127 {} GB United Kingdom Wales Cardiff -3.2000 51.5000
465 5b266285-7633-4362-eb31-08d693baf4e7 SharePointFileOperation 2019-02-16 03:00:50 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Extend... [email protected] 40.81.159.203 MSWAC 40.81.159.203 {} GB United Kingdom England London -0.0931 51.5142
466 91d7343f-a4ae-44d3-5dfc-08d693baf2fd SharePointFileOperation 2019-02-16 03:00:46 FileAccessed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Extend... [email protected] 131.107.147.209 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 131.107.147.209 {} US United States Washington Redmond -122.1215 47.6740
467 f0cf46cf-23db-4fd9-ee33-08d693baf24e SharePointFileOperation 2019-02-16 03:00:45 FileModifiedExtended aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 40.81.159.43 MSWAC 40.81.159.43 {} GB United Kingdom England London -0.0931 51.5142
468 a02ecb4d-9193-4f52-a22c-08d693baf297 SharePointFileOperation 2019-02-16 03:00:46 FileUploaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Extend... [email protected] 40.81.159.166 MSWAC 40.81.159.166 {} GB United Kingdom England London -0.0931 51.5142
469 fdc8e70e-83f0-4f40-bd2f-08d693bb130f SharePointFileOperation 2019-02-16 03:01:40 FileAccessed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Budget... [email protected] 131.107.147.209 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 131.107.147.209 {} US United States Washington Redmond -122.1215 47.6740
470 579df58a-380c-401a-a274-08d693bb0483 SharePointFileOperation 2019-02-16 03:01:16 FileAccessed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|100320003b5602fc[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Book.xlsx [email protected] 131.107.147.209 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 131.107.147.209 {} US United States Washington Redmond -122.1215 47.6740
471 1eee2dca-752e-4d84-e02a-08d693bb0343 SharePointFileOperation 2019-02-16 03:01:14 FileUploaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Book.xlsx [email protected] 20.190.133.115 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 20.190.133.115 {} US United States Washington None -122.3321 47.6062
472 0c4afb68-27a9-4044-4d83-08d693bae2e8 SharePointFileOperation 2019-02-16 03:00:19 FileModified aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 40.81.158.170 MSWAC 40.81.158.170 {} GB United Kingdom England London -0.0931 51.5142
473 01beef88-e772-4fb7-f05a-08d693bae0d8 SharePointFileOperation 2019-02-16 03:00:16 FileAccessed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 131.107.147.209 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 131.107.147.209 {} US United States Washington Redmond -122.1215 47.6740
474 d593ad26-d978-409d-2bb5-08d693bae0d4 SharePointFileOperation 2019-02-16 03:00:16 FileUploaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 131.107.147.209 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... 131.107.147.209 {} US United States Washington Redmond -122.1215 47.6740
475 f6ba9665-b8db-47b6-0e49-08d693c5dcef SharePoint 2019-02-16 04:18:54 SearchQueryPerformed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0i.t|00000003-0000-0ff1-ce00-000000000000|[email protected] SharePoint 6c6ac09e-006e-0000-4ad6-bb8b6e897763 [email protected] 40.108.218.172 40.108.218.172 {} GB United Kingdom England London -0.0931 51.5142
476 4be9df27-7315-4d30-865c-08d693c5dcc6 SharePoint 2019-02-16 04:18:54 SearchQueryPerformed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0i.t|00000003-0000-0ff1-ce00-000000000000|[email protected] SharePoint 6c6ac09e-006e-0000-4ad6-bb8b6e897763 [email protected] 40.108.218.172 40.108.218.172 {} GB United Kingdom England London -0.0931 51.5142
477 fb8708e2-0b2c-4142-6634-08d693c5dc24 SharePoint 2019-02-16 04:18:53 SearchQueryPerformed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0i.t|00000003-0000-0ff1-ce00-000000000000|[email protected] SharePoint 6c6ac09e-006e-0000-4ad6-bb8b6e897763 [email protected] 40.108.218.172 40.108.218.172 {} GB United Kingdom England London -0.0931 51.5142
478 9fe2690e-1b52-4a65-54bd-08d693c5dbf2 SharePoint 2019-02-16 04:18:52 SearchQueryPerformed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0i.t|00000003-0000-0ff1-ce00-000000000000|[email protected] SharePoint 6c6ac09e-006e-0000-4ad6-bb8b6e897763 [email protected] 40.108.218.172 40.108.218.172 {} GB United Kingdom England London -0.0931 51.5142
479 3c4e263a-5767-4a90-07fe-08d693c5dbc5 SharePoint 2019-02-16 04:18:52 SearchQueryPerformed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0i.t|00000003-0000-0ff1-ce00-000000000000|[email protected] SharePoint 6c6ac09e-006e-0000-4ad6-bb8b6e897763 [email protected] 40.108.218.172 40.108.218.172 {} GB United Kingdom England London -0.0931 51.5142
480 ad0b853f-c88f-4879-a4a9-08d693c5da1c SharePoint 2019-02-16 04:18:49 SearchQueryPerformed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0i.t|00000003-0000-0ff1-ce00-000000000000|[email protected] SharePoint 6c6ac09e-006e-0000-4ad6-bb8b6e897763 [email protected] 40.108.218.172 40.108.218.172 {} GB United Kingdom England London -0.0931 51.5142
481 5f4ba491-15b8-4f12-b0bc-08d693c4604d SharePoint 2019-02-16 04:08:15 SearchQueryPerformed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0i.t|00000003-0000-0ff1-ce00-000000000000|[email protected] SharePoint 6c6ac09e-006e-0000-4ad6-bb8b6e897763 [email protected] 40.108.218.172 40.108.218.172 {} GB United Kingdom England London -0.0931 51.5142
482 a4543605-9dfd-411e-6422-08d693c46020 SharePoint 2019-02-16 04:08:15 SearchQueryPerformed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0i.t|00000003-0000-0ff1-ce00-000000000000|[email protected] SharePoint 6c6ac09e-006e-0000-4ad6-bb8b6e897763 [email protected] 40.108.218.172 40.108.218.172 {} GB United Kingdom England London -0.0931 51.5142
483 c1be926d-bed8-4981-f1d6-08d693c45e45 SharePoint 2019-02-16 04:08:12 SearchQueryPerformed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0i.t|00000003-0000-0ff1-ce00-000000000000|[email protected] SharePoint 6c6ac09e-006e-0000-4ad6-bb8b6e897763 [email protected] 40.108.218.172 40.108.218.172 {} GB United Kingdom England London -0.0931 51.5142
484 4b40c538-16da-4c5c-a5b6-08d693c45acc SharePoint 2019-02-16 04:08:06 SearchQueryPerformed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0i.t|00000003-0000-0ff1-ce00-000000000000|[email protected] SharePoint 6c6ac09e-006e-0000-4ad6-bb8b6e897763 [email protected] 40.108.218.172 40.108.218.172 {} GB United Kingdom England London -0.0931 51.5142
485 9d19611d-1395-4cb1-d92c-08d693c459db SharePoint 2019-02-16 04:08:04 SearchQueryPerformed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0i.t|00000003-0000-0ff1-ce00-000000000000|[email protected] SharePoint 6c6ac09e-006e-0000-4ad6-bb8b6e897763 [email protected] 40.108.218.172 40.108.218.172 {} GB United Kingdom England London -0.0931 51.5142

486 rows × 21 columns

Office User Investigation

In [29]:
# set the origin time to the time of our alert
o365_query_times_user = mas.QueryTime(units='days',
                           before=2, after=1, max_before=60, max_after=20, auto_display=True)
In [32]:
# Build a sorted, de-duplicated list of lower-cased user IDs for the selection widget.
# Rows with no UserId are dropped so the list contains only strings.
distinct_users = sorted(office_ops_df['UserId'].dropna().str.lower().unique())
user_select = mas.SelectItem(description='Select User Id', item_list=distinct_users, auto_display=True)

Activity Summary

In [34]:
# Provides a summary view of a given account's activity
# For use when investigating an account that has been identified as having associated suspect activity or been otherwise compromised. 
# All office activity by UserName using UI to set Time range
# Tags: #Persistence, #Discovery, #Lateral Movement, #Collection

user_activity_query = '''
OfficeActivity
| where TimeGenerated >= datetime({start})
| where TimeGenerated <= datetime({end})
| where UserKey has "{user}" or UserId has "{user}"
'''
print('Getting data...', end=' ')
o365_query = user_activity_query.format(start=o365_query_times_user.start, 
                                        end=o365_query_times_user.end,
                                        user=user_select.value)
%kql -query o365_query
user_activity_df = _kql_raw_result_.to_dataframe()
print('done.')
user_activity_df
Getting data... done.
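
One way to condense rows like those returned by the query above into a per-IP view of the account's activity, as an added example that is not part of the original notebook. The sample rows, the documentation-range IP addresses, the `WATCH_OPS` set and all function names are constructed for illustration; the code also normalizes `ClientIP` values that carry a port or read `<null>`, both of which occur in this data, and additionally handles the bracketed IPv6 form.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Operations to call out when they come from a newly seen IP. Illustrative choice,
# taken from operations visible in this notebook's output.
WATCH_OPS = frozenset({"FileDownloaded", "Set-Mailbox"})

# Constructed sample rows (documentation-range IPs) using OfficeActivity column names.
SAMPLE_ROWS = [
    {"TimeGenerated": "2019-02-08 21:34:16", "Operation": "UserLoggedIn",
     "ClientIP": "198.51.100.10", "UserAgent": ""},
    {"TimeGenerated": "2019-02-08 21:34:42", "Operation": "FileAccessed",
     "ClientIP": "198.51.100.10", "UserAgent": "Mozilla/5.0 (constructed)"},
    {"TimeGenerated": "2019-02-08 21:34:02", "Operation": "Change user password.",
     "ClientIP": "<null>", "UserAgent": ""},
    {"TimeGenerated": "2019-02-16 03:00:46", "Operation": "FileAccessed",
     "ClientIP": "198.51.100.10", "UserAgent": "Mozilla/5.0 (constructed)"},
    {"TimeGenerated": "2019-02-16 03:44:54", "Operation": "FileDownloaded",
     "ClientIP": "203.0.113.77", "UserAgent": "OneDriveMpc/1.0"},
    {"TimeGenerated": "2019-02-16 03:45:20", "Operation": "FileDownloaded",
     "ClientIP": "203.0.113.77", "UserAgent": "OneDriveMpc/1.0"},
    {"TimeGenerated": "2019-02-16 03:48:19", "Operation": "Set-Mailbox",
     "ClientIP": "203.0.113.77:10811", "UserAgent": ""},
]


def parse_time(value):
    """Accept a datetime (including a pandas Timestamp) or a 'YYYY-MM-DD HH:MM:SS' string."""
    if isinstance(value, datetime):
        return value
    return datetime.strptime(str(value), "%Y-%m-%d %H:%M:%S")


def normalize_client_ip(raw):
    """Return the bare IP address from a ClientIP value, or None if absent or unparseable."""
    if raw is None:
        return None
    text = str(raw).strip()
    if not text or text.lower() in ("<null>", "nan", "none"):
        return None
    if text.startswith("["):            # [IPv6]:port
        text = text[1:].split("]", 1)[0]
    elif text.count(":") == 1:          # IPv4:port
        text = text.split(":", 1)[0]
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def summarize_by_ip(rows):
    """Group activity by normalized client IP: first/last seen, operation counts, user agents."""
    summary = {}
    for row in rows:
        ip = normalize_client_ip(row.get("ClientIP"))
        if ip is None:
            continue  # rows without a usable client address cannot be attributed to an IP
        when = parse_time(row["TimeGenerated"])
        entry = summary.setdefault(ip, {"first_seen": when, "last_seen": when,
                                        "operations": Counter(), "user_agents": set()})
        entry["first_seen"] = min(entry["first_seen"], when)
        entry["last_seen"] = max(entry["last_seen"], when)
        entry["operations"][row.get("Operation")] += 1
        agent = row.get("UserAgent")
        if isinstance(agent, str) and agent:
            entry["user_agents"].add(agent)
    return summary


def new_ip_findings(rows, baseline_end, watch_ops=WATCH_OPS):
    """List IPs first seen at or after baseline_end, with any watched operations they performed."""
    cutoff = parse_time(baseline_end)
    findings = []
    for ip, entry in sorted(summarize_by_ip(rows).items()):
        if entry["first_seen"] < cutoff:
            continue  # address already known from the baseline period
        watched = {op: n for op, n in entry["operations"].items() if op in watch_ops}
        findings.append({"ip": ip,
                         "first_seen": entry["first_seen"],
                         "watched_operations": watched,
                         "user_agents": sorted(entry["user_agents"])})
    return findings


if __name__ == "__main__":
    for finding in new_ip_findings(SAMPLE_ROWS, "2019-02-15 00:00:00"):
        print(finding)
```

To run this against the notebook's own result, pass `user_activity_df.to_dict('records')` as `rows`.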
Out[34]:
OfficeId RecordType TimeGenerated Operation OrganizationId UserType UserKey OfficeWorkload ResultStatus OfficeObjectId UserId ClientIP Site_ ItemType EventSource Source_Name UserAgent MachineDomainInfo MachineId Site_Url SourceRelativeUrl SourceFileName SourceFileExtension DestinationRelativeUrl DestinationFileName ... Client LoginStatus UserDomain Actor ActorContextId ActorIpAddress InterSystemsId IntraSystemId SupportTicketId AADTarget TargetContextId DataCenterSecurityEventType Start_Time EffectiveOrganization ElevationTime ElevationApprover ElevationApprovedTime ElevationRequestId ElevationRole ElevationDuration GenericInfo TenantId OfficeTenantId SourceSystem Type
21 9fd6d462-17af-4539-7cbb-08d693c11323 SharePointFileOperation 2019-02-16 03:44:37 FileAccessed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] SharePoint https://m365x054215-my.sharepoint.com/User Photos/Profile Pictures/ianh_m365x054215_onmicrosoft_... [email protected] 23.97.60.214 94823fb0-11d5-4424-b933-8663eafa73a3 File SharePoint Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.316... https://m365x054215-my.sharepoint.com/ User Photos/Profile Pictures ianh_m365x054215_onmicrosoft_com_SThumb.jpg jpg ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
22 75d9efdb-8c13-4c4a-734c-08d693c12cd4 SharePointFileOperation 2019-02-16 03:45:20 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Terms ... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents Terms and Conditions.docx docx ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
23 3d6e67d1-d61f-4db0-772d-08d693c12c96 SharePointFileOperation 2019-02-16 03:45:20 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents Document.docx docx ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
24 25c2f107-0a63-4734-e0d6-08d693c12bde SharePointFileOperation 2019-02-16 03:45:19 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Massive Massive Manual Spanish.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
25 769079c4-81b9-4836-76b2-08d693c12ad1 SharePointFileOperation 2019-02-16 03:45:17 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Massive Massive Manual Japanese.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
26 7a80f900-5593-4103-4906-08d693c129a0 SharePointFileOperation 2019-02-16 03:45:15 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Massive Massive Manual French.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
27 31adfd42-cf87-44f0-f084-08d693c128c4 SharePointFileOperation 2019-02-16 03:45:14 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Massive Massive Manual Addendum Spanish.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
28 cb0ef8e9-fdb3-4429-b7f3-08d693c1288b SharePointFileOperation 2019-02-16 03:45:13 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Massive Massive Manual Addendum German.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
29 3d86465e-01a0-4991-94a6-08d693c12846 SharePointFileOperation 2019-02-16 03:45:13 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Massive Massive Manual Addendum English.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
30 80041b7a-a9ad-41ef-9a60-08d693c127ab SharePointFileOperation 2019-02-16 03:45:12 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Massive Massive Getting Started Japanese.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
31 4cd008e7-98da-48a6-0545-08d693c126f4 SharePointFileOperation 2019-02-16 03:45:11 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Massive Massive Getting Started French.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
32 4a3fadc6-3635-4542-3727-08d693c12603 SharePointFileOperation 2019-02-16 03:45:09 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Massive/License Agreement EULA Native Instruments Japanese.rtf rtf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
33 2e0456e2-c6b2-4e1d-056d-08d693c1252f SharePointFileOperation 2019-02-16 03:45:08 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Massive/License Agreement EULA Native Instruments English.rtf rtf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
34 0791c847-475d-48e1-8383-08d693c1246b SharePointFileOperation 2019-02-16 03:45:06 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Massive/License Agreement EULA Native Instruments deutsch.rtf rtf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
35 90c5b161-451b-4c88-eb68-08d693c123f1 SharePointFileOperation 2019-02-16 03:45:06 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Massive Massive 1.1.4 Manual Addendum English.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
36 805770c0-3be4-47f9-5c6d-08d693c122be SharePointFileOperation 2019-02-16 03:45:04 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Manuals Nakamichi_CDP-2_service_manual.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
37 7fbff88a-bbf9-4cc0-41bc-08d693c121a0 SharePointFileOperation 2019-02-16 03:45:02 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Manuals Nakamichi_480_service_manual.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
38 83332db6-a62c-4dfd-e57a-08d693c12121 SharePointFileOperation 2019-02-16 03:45:01 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Manuals MAudio-KS61ES_EN01.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
39 84cbe412-b00e-49ae-4ab6-08d693c120c7 SharePointFileOperation 2019-02-16 03:45:00 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Absynth Absynth 5 Manual Addendum Japanese.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
40 d6c655c7-6da5-444b-1352-08d693c1206f SharePointFileOperation 2019-02-16 03:45:00 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Absynth Absynth 5 Manual Addendum French.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
41 880d1425-bd87-4b6f-57b8-08d693c11fcf SharePointFileOperation 2019-02-16 03:44:59 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Absynth Absynth 5 Getting Started Spanish.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
42 636946bd-4558-4836-73df-08d693c11eea SharePointFileOperation 2019-02-16 03:44:57 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Absynth Absynth 5 Getting Started German.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
43 c1b5f773-b5bd-4333-4d12-08d693c11d3d SharePointFileOperation 2019-02-16 03:44:54 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Absynth Absynth 5 Getting Started English.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
44 b336877e-04c3-4981-3b68-08d693c10f1d SharePoint 2019-02-16 03:44:31 PageViewed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/_layouts/15/oned... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 Page SharePoint Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.316... ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
45 80843a0e-5f5d-41a3-b3d9-08d693c10ef4 SharePointFileOperation 2019-02-16 03:44:30 FilePreviewed aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 20.190.140.50 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.316... https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents Document.docx docx ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
46 c4d63cf4-c616-41cd-bcdc-08d693c12cb9 SharePointFileOperation 2019-02-16 03:45:20 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents Document1.docx docx ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
47 d5282c43-9c29-4e5f-71e8-08d693c12c6d SharePointFileOperation 2019-02-16 03:45:20 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Massive Readme.txt txt ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
48 fa6f2bac-4628-452d-e48e-08d693c12b1a SharePointFileOperation 2019-02-16 03:45:18 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Massive Massive Manual Japanese.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
49 f8b2d971-651c-44d6-18b5-08d693c12a49 SharePointFileOperation 2019-02-16 03:45:16 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 23.97.60.214 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Massive Massive Manual German.pdf pdf ... NaN NaN 2019-02-16 03:57:58 2019-02-16 03:57:58 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ... ...
315 41e700fd-6653-44cf-08c7-08d690a37ab7 SharePointFileOperation 2019-02-12 04:35:13 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 131.107.147.209 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Massive/License Agreement EULA Native Instruments deutsch.rtf rtf ... NaN NaN 2019-02-12 04:44:49 2019-02-12 04:44:49 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
316 307f5e3d-fd94-401f-fd51-08d690a37a08 SharePointFileOperation 2019-02-12 04:35:12 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 131.107.147.209 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Manuals Nakamichi_CR-3_service_manual.pdf pdf ... NaN NaN 2019-02-12 04:44:49 2019-02-12 04:44:49 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
317 6a7fd567-9f02-4d91-6c14-08d690a37951 SharePointFileOperation 2019-02-12 04:35:10 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 131.107.147.209 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Manuals Nakamichi_CDP-2_service_manual.pdf pdf ... NaN NaN 2019-02-12 04:44:49 2019-02-12 04:44:49 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
318 f919ce48-f9ea-4134-6036-08d690a37846 SharePointFileOperation 2019-02-12 04:35:09 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 131.107.147.209 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Manuals Nakamichi_480_service_manual.pdf pdf ... NaN NaN 2019-02-12 04:44:49 2019-02-12 04:44:49 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
319 6f92ad63-e923-4e23-271f-08d690a3782c SharePointFileOperation 2019-02-12 04:35:08 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 131.107.147.209 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Manuals MAudio-KS61ES_EN01.pdf pdf ... NaN NaN 2019-02-12 04:44:49 2019-02-12 04:44:49 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
320 487fac31-3142-43cf-033a-08d690a377e7 SharePointFileOperation 2019-02-12 04:35:08 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 131.107.147.209 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Absynth Absynth 5 Manual Addendum Spanish.pdf pdf ... NaN NaN 2019-02-12 04:44:49 2019-02-12 04:44:49 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
321 35937494-73e2-4385-049a-08d690a377c8 SharePointFileOperation 2019-02-12 04:35:08 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 131.107.147.209 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Absynth Absynth 5 Manual Addendum Japanese.pdf pdf ... NaN NaN 2019-02-12 04:44:49 2019-02-12 04:44:49 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
322 7aaafbb3-3496-477a-0532-08d690a377a9 SharePointFileOperation 2019-02-12 04:35:08 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 131.107.147.209 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Absynth Absynth 5 Manual Addendum German.pdf pdf ... NaN NaN 2019-02-12 04:44:49 2019-02-12 04:44:49 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
323 dbcfad08-fed7-4bf5-695e-08d690a3778c SharePointFileOperation 2019-02-12 04:35:07 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 131.107.147.209 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Absynth Absynth 5 Manual Addendum French.pdf pdf ... NaN NaN 2019-02-12 04:44:49 2019-02-12 04:44:49 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity
324 2d09f0fd-bf71-4334-a5d6-08d690a37768 SharePointFileOperation 2019-02-12 04:35:07 FileDownloaded aa46238d-13fc-4314-8f0c-94044435adb1 Regular i:0h.f|membership|[email protected] OneDrive https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Docume... [email protected] 131.107.147.209 4f96a3b3-f5ae-4706-af77-7984baf27d79 File SharePoint OneDriveMpc/1.0 https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/ Documents/Documents/Absynth Absynth 5 Manual Addendum English.pdf pdf ... NaN NaN 2019-02-12 04:44:49 2019-02-12 04:44:49 NaT NaN 52b1ab41-869e-4138-9e40-2a4457f09bf0 aa46238d-13fc-4314-8f0c-94044435adb1 OfficeActivityManager OfficeActivity

365 rows × 91 columns

Operation Breakdown for User

In [39]:
# Count events per Operation / ResultStatus / ClientIP for the selected user.
# Note: groupby drops rows where any grouping key is missing (NaN), so
# operations recorded without a ResultStatus do not appear in this plot.
my_df = (user_activity_df[['OfficeId', 'RecordType', 'TimeGenerated', 'Operation',
                           'ResultStatus', 'UserId', 'ClientIP', 'UserAgent']]
         .groupby(['Operation', 'ResultStatus', 'ClientIP'])
         .aggregate({'OfficeId': 'count'})
         .rename(columns={'OfficeId': 'OperationCount'})
         .reset_index())
sns.catplot(x='OperationCount', y='Operation', hue='ClientIP', jitter=False, data=my_df, aspect=2.5);

IP Count for Different User Operations

In [38]:
my_df2 = (user_activity_df[['OfficeId', 'RecordType', 'TimeGenerated', 'Operation',
                           'ResultStatus', 'UserId', 'ClientIP','UserAgent']]
         .groupby(['Operation'])
         .aggregate({'OfficeId': 'count', 'ClientIP': 'nunique'})
         .rename(columns={'OfficeId': 'OperationCount', 'ClientIP': 'IPCount'})
         .reset_index())
sns.barplot(x='IPCount', y="Operation", data=my_df2);

Activity Timeline

In [37]:
nbdisp.display_timeline(data=user_activity_df,
                         title='Office Operations',
                         source_columns=['OfficeWorkload', 'Operation', 'ClientIP', 'ResultStatus'],
                         height=200)

User IP GeoMap

In [40]:
from msticpy.nbtools.foliummap import FoliumMap


def get_row_ip_loc(row):
    """Return the geolocation entities for a row's ClientIP, or None if the lookup rejects the value."""
    try:
        _, ip_entity = iplocation.lookup_ip(ip_address=row.ClientIP)
        return ip_entity
    except ValueError:
        return None


folium_map = FoliumMap()
# Look up each distinct client IP once
off_ip_locs = (user_activity_df[['ClientIP']]
                   .drop_duplicates()
                   .apply(get_row_ip_loc, axis=1)
                   .tolist())
# Keep the first entity from each successful lookup
ip_locs = [ip_list[0] for ip_list in off_ip_locs if ip_list]

display(HTML('<h3>External IP Addresses seen in Office Activity</h3>'))
display(HTML('Numbered circles indicate multiple items - click to expand.'))

icon_props = {'color': 'purple'}
folium_map.add_ip_cluster(ip_entities=ip_locs,
                          **icon_props)
display(folium_map.folium_map)

External IP Addresses seen in Office Activity

Numbered circles indicate multiple items - click to expand.

Check for User IPs in Azure Network Flow Data

The full data is available in the DataFrame az_net_comms_df, which holds the results of the az_net_query_byip query.

In [41]:
# Warn if the workspace has no Azure network flow log table (or it is empty)
if ('AzureNetworkAnalytics_CL' not in table_index or
        table_index['AzureNetworkAnalytics_CL'] == 0):
    display(Markdown('<font color="red"><h2>Warning. Azure network flow data not available.</h2></font><br>'
                     'This section of the notebook is not usable with the current workspace.'))

# Azure Network Analytics Base Query
az_net_analytics_query = r'''
AzureNetworkAnalytics_CL 
| where SubType_s == 'FlowLog'
| where FlowStartTime_t >= datetime({start})
| where FlowEndTime_t <= datetime({end})
| project TenantId, TimeGenerated, 
    FlowStartTime = FlowStartTime_t, 
    FlowEndTime = FlowEndTime_t, 
    FlowIntervalEndTime = FlowIntervalEndTime_t, 
    FlowType = FlowType_s,
    ResourceGroup = split(VM_s, '/')[0],
    VMName = split(VM_s, '/')[1],
    VMIPAddress = VMIP_s, 
    PublicIPs = extractall(@"([\d\.]+)[|\d]+", dynamic([1]), PublicIPs_s),
    SrcIP = SrcIP_s,
    DestIP = DestIP_s,
    ExtIP = iif(FlowDirection_s == 'I', SrcIP_s, DestIP_s),
    L4Protocol = L4Protocol_s, 
    L7Protocol = L7Protocol_s, 
    DestPort = DestPort_d, 
    FlowDirection = FlowDirection_s,
    AllowedOutFlows = AllowedOutFlows_d, 
    AllowedInFlows = AllowedInFlows_d,
    DeniedInFlows = DeniedInFlows_d, 
    DeniedOutFlows = DeniedOutFlows_d,
    RemoteRegion = AzureRegion_s,
    VMRegion = Region_s
| extend AllExtIPs = iif(isempty(PublicIPs), pack_array(ExtIP), 
                         iif(isempty(ExtIP), PublicIPs, array_concat(PublicIPs, pack_array(ExtIP)))
                         )
| project-away ExtIP
| mvexpand AllExtIPs
{where_clause}
'''

# Build the query parameters
all_user_ips = user_activity_df['ClientIP'].drop_duplicates().tolist()
all_user_ips = [ip for ip in all_user_ips if ip and ip != '<null>']
ip_list = ','.join(['\'{}\''.format(i) for i in all_user_ips])

az_ip_where = f'''
| where (AllExtIPs in ({ip_list}) 
        or SrcIP in ({ip_list}) 
        or DestIP in ({ip_list}) 
        ) and 
    (AllowedOutFlows > 0 or AllowedInFlows > 0)'''
print('getting data...')
az_net_query_byip = az_net_analytics_query.format(where_clause=az_ip_where,
                                                  start=o365_query_times_user.start,
                                                  end=o365_query_times_user.end)

net_default_cols = ['FlowStartTime', 'FlowEndTime', 'VMName', 'VMIPAddress', 
                'PublicIPs', 'SrcIP', 'DestIP', 'L4Protocol', 'L7Protocol',
                'DestPort', 'FlowDirection', 'AllowedOutFlows', 
                'AllowedInFlows']

%kql -query az_net_query_byip
az_net_comms_df = _kql_raw_result_.to_dataframe()
az_net_comms_df[net_default_cols]

import warnings

with warnings.catch_warnings():
    warnings.simplefilter("ignore")
    
    az_net_comms_df['TotalAllowedFlows'] = az_net_comms_df['AllowedOutFlows'] + az_net_comms_df['AllowedInFlows']
    sns.catplot(x="L7Protocol", y="TotalAllowedFlows", col="FlowDirection", data=az_net_comms_df)
    sns.relplot(x="FlowStartTime", y="TotalAllowedFlows", 
                col="FlowDirection", kind="line", 
                hue="L7Protocol", data=az_net_comms_df).set_xticklabels(rotation=50)

cols = ['VMName', 'VMIPAddress', 'PublicIPs', 'SrcIP', 'DestIP', 'L4Protocol',
        'L7Protocol', 'DestPort', 'FlowDirection', 'AllExtIPs', 'TotalAllowedFlows']
flow_index = az_net_comms_df[cols].copy()
def get_source_ip(row):
    if row.FlowDirection == 'O':
        return row.VMIPAddress if row.VMIPAddress else row.SrcIP
    else:
        return row.AllExtIPs if row.AllExtIPs else row.DestIP
    
def get_dest_ip(row):
    if row.FlowDirection == 'O':
        return row.AllExtIPs if row.AllExtIPs else row.DestIP
    else:
        return row.VMIPAddress if row.VMIPAddress else row.SrcIP

flow_index['source'] = flow_index.apply(get_source_ip, axis=1)
flow_index['target'] = flow_index.apply(get_dest_ip, axis=1)
flow_index['value'] = flow_index['L7Protocol']

cm = sns.light_palette("green", as_cmap=True)
with warnings.catch_warnings():
    warnings.simplefilter("ignore")
    display(flow_index[['source', 'target', 'value', 'L7Protocol', 
                        'FlowDirection', 'TotalAllowedFlows']]
            .groupby(['source', 'target', 'value', 'L7Protocol', 'FlowDirection'])
            .sum().unstack().style.background_gradient(cmap=cm))

nbdisp.display_timeline(data=az_net_comms_df.query('AllowedOutFlows > 0'),
                         overlay_data=az_net_comms_df.query('AllowedInFlows > 0'),
                         title='Network Flows (out=blue, in=green)',
                         time_column='FlowStartTime',
                         source_columns=['FlowType', 'AllExtIPs', 'L7Protocol', 'FlowDirection'],
                         height=300)
getting data...
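| source | target | value | L7Protocol | TotalAllowedFlows (FlowDirection I) | TotalAllowedFlows (FlowDirection O) |
|---|---|---|---|---|---|
| 10.0.3.4 | 23.97.60.214 | http | http | nan | 45 |
| 131.107.147.209 | 10.0.3.5 | ms-wbt-server | ms-wbt-server | 28 | nan |
| 23.97.60.214 | 23.97.60.214 | ms-wbt-server | ms-wbt-server | 6 | nan |
| 23.97.60.214 | 23.97.60.214 | ssh | ssh | 12 | nan |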
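
The cell above formats `ClientIP` values from the activity log straight into the KQL `in (...)` lists. The following is an added example, not part of the original notebook, that validates and normalizes those values first. It assumes `ClientIP` may carry a port suffix or bracketed IPv6 form; `normalize_client_ip`, `build_ip_where` and the sample values are hypothetical and constructed.

```python
import ipaddress

def normalize_client_ip(raw):
    """Return a canonical IP string, or None if raw is not a usable IP address."""
    if not isinstance(raw, str):
        return None
    value = raw.strip()
    if not value or value == '<null>' or '%' in value:
        # '%' starts an IPv6 zone ID, which ipaddress accepts with arbitrary text
        return None
    if value.startswith('['):            # bracketed IPv6 with port: "[2001:db8::1]:443"
        value = value[1:].split(']', 1)[0]
    elif value.count(':') == 1:          # IPv4 with port: "203.0.113.7:51234"
        value = value.split(':', 1)[0]
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None

def build_ip_where(raw_ips):
    """Build the flow-log filter from validated addresses; None if none are valid."""
    ips = sorted({ip for ip in map(normalize_client_ip, raw_ips) if ip})
    if not ips:
        return None                      # caller should skip the query, not send "in ()"
    ip_list = ','.join("'{}'".format(ip) for ip in ips)
    return ("| where (AllExtIPs in ({0}) or SrcIP in ({0}) or DestIP in ({0}))"
            " and (AllowedOutFlows > 0 or AllowedInFlows > 0)").format(ip_list)

# Constructed sample ClientIP values, including malformed ones with stray quotes
SAMPLE_CLIENT_IPS = [
    '203.0.113.7', '203.0.113.7:51234', '[2001:db8::1]:443', '2001:db8::1',
    '<null>', '', None, "198.51.100.9'x", "fe80::1%'x", 'not-an-ip',
]

if __name__ == '__main__':
    print(build_ip_where(SAMPLE_CLIENT_IPS))
```

Only strings that parse as IP addresses reach the query text, and port-suffixed duplicates collapse to one entry, so they can match the bare addresses in the flow logs.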


Rare Combinations of Country/UserAgent/Operation Type

The DataFrame below lists combinations in the time period that had fewer than 3 instances. This might help you spot relatively unusual activity.

In [42]:
from msticpy.sectools.eventcluster import (dbcluster_events, 
                                           add_process_features, 
                                           char_ord_score,
                                           token_count,
                                           delim_count)

restrict_cols = ['OfficeId', 'RecordType', 'TimeGenerated', 'Operation',
                 'OrganizationId', 'UserType', 'UserKey', 'OfficeWorkload',
                 'ResultStatus', 'OfficeObjectId', 'UserId', 'ClientIP','UserAgent']
feature_office_ops = office_ops_df[restrict_cols]
feature_office_ops = ( pd.merge(feature_office_ops, 
                                ip_locs_df, how='left', 
                                left_on='ClientIP', right_on='Address')
                      .fillna(''))

# feature_office_ops = office_ops_df.copy()

feature_office_ops['country_num'] = feature_office_ops.apply(lambda x: char_ord_score(x, 'CountryCode') if x.CountryCode else 0, axis=1)
feature_office_ops['ua_tokens'] = feature_office_ops.apply(lambda x: char_ord_score(x, 'UserAgent'), axis=1)
feature_office_ops['user_num'] = feature_office_ops.apply(lambda x: char_ord_score(x, 'UserId'), axis=1)
feature_office_ops['op_num'] = feature_office_ops.apply(lambda x: char_ord_score(x, 'Operation'), axis=1)

# you might need to play around with the max_cluster_distance parameter.
# decreasing this gives more clusters.
(clustered_ops, dbcluster, x_data) = dbcluster_events(data=feature_office_ops,
                                                      cluster_columns=['country_num',
                                                                       'op_num',
                                                                       'ua_tokens'],
                                                      time_column='TimeGenerated',
                                                      max_cluster_distance=0.0001)
print('Number of input events:', len(feature_office_ops))
print('Number of clustered events:', len(clustered_ops))
display(Markdown('#### Rarest combinations'))
display(clustered_ops[['TimeGenerated', 'RecordType',
                        'Operation', 'UserId', 'UserAgent', 'ClusterSize',
                        'OfficeObjectId', 'CountryName']]
    .query('ClusterSize <= 2')
    .sort_values('ClusterSize', ascending=True))
display(Markdown('#### Most common operations'))
display((clustered_ops[['RecordType', 'Operation', 'ClusterSize']]
    .sort_values('ClusterSize', ascending=False)
    .head(10)))
Number of input events: 486
Number of clustered events: 34

Rarest combinations

| | TimeGenerated | RecordType | Operation | UserId | UserAgent | ClusterSize | OfficeObjectId | CountryName |
|---|---|---|---|---|---|---|---|---|
| 127 | 2019-02-16 02:53:15 | AzureActiveDirectoryStsLogon | UserLoggedIn | [email protected] | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... | 1.0 | 00000002-0000-0000-c000-000000000000 | United States |
| 418 | 2019-02-16 03:44:31 | SharePoint | PageViewed | [email protected] | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.316... | 1.0 | https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/_layouts/15/oned... | Singapore |
| 449 | 2019-02-16 02:56:46 | SharePoint | PageViewed | [email protected] | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.328... | 1.0 | https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/_layouts/15/oned... | United States |
| 459 | 2019-02-16 02:55:02 | 36 | ListUpdated | [email protected] | ODMTADocCache/1.0 | 1.0 | https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/personal/ianh_m3... | United Kingdom |
| 130 | 2019-02-12 04:33:09 | AzureActiveDirectoryStsLogon | UserLoginFailed | [email protected] | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.357... | 2.0 | 00000002-0000-0000-c000-000000000000 | United States |
| 284 | 2019-02-10 04:31:10 | SharePoint | PageViewed | [email protected] | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.362... | 2.0 | https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/_layouts/15/oned... | United States |
| 456 | 2019-02-16 02:55:03 | SharePointFileOperation | FileDownloaded | [email protected] | MSWAC | 2.0 | https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Terms ... | United Kingdom |
| 462 | 2019-02-16 03:01:39 | SharePointFileOperation | FileModifiedExtended | [email protected] | MSWAC | 2.0 | https://m365x054215-my.sharepoint.com/personal/ianh_m365x054215_onmicrosoft_com/Documents/Book.xlsx | United Kingdom |

Most common operations

| | RecordType | Operation | ClusterSize |
|---|---|---|---|
| 0 | SharePoint | SearchQueryPerformed | 95.0 |
| 389 | SharePointFileOperation | FileDownloaded | 47.0 |
| 55 | AzureActiveDirectoryStsLogon | UserLoggedIn | 46.0 |
| 157 | SharePointFileOperation | FileDownloaded | 41.0 |
| 267 | SharePointFileOperation | FileAccessed | 36.0 |
| 268 | SharePointFileOperation | FileUploaded | 34.0 |
| 61 | AzureActiveDirectoryStsLogon | UserLoggedIn | 33.0 |
| 269 | SharePointFileOperation | FileModified | 27.0 |
| 107 | AzureActiveDirectoryStsLogon | UserLoggedIn | 17.0 |
| 171 | SharePointFileOperation | FileAccessed | 14.0 |
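
The clustering cell above reduces country, user agent and operation to numeric scores before grouping. The following is an added cross-check, not part of the original notebook: it counts the exact string combinations and reports any rare ones that a score collision would hide. It assumes `char_ord_score` returns the sum of a string's character code points; `ord_sum` is a stand-in written here, not msticpy code, and the sample events are constructed.

```python
from collections import Counter

def ord_sum(text):
    """Stand-in feature: sum of character code points (assumed char_ord_score behaviour)."""
    return sum(ord(ch) for ch in text or '')

def feature_vector(event):
    """Numeric form of one (country, user agent, operation) event."""
    return tuple(ord_sum(field) for field in event)

def rare_exact(events, threshold=3):
    """Count exact (country, user agent, operation) tuples; keep those under threshold."""
    counts = Counter(events)
    return {combo: n for combo, n in counts.items() if n < threshold}

def rare_by_feature(events, threshold=3):
    """Count on the feature vectors instead, as a distance-based cluster sees them."""
    counts = Counter(feature_vector(e) for e in events)
    return {e for e in set(events) if counts[feature_vector(e)] < threshold}

def hidden_by_collisions(events, threshold=3):
    """Combinations that are rare exactly but share a feature vector with common ones."""
    return set(rare_exact(events, threshold)) - rare_by_feature(events, threshold)

# Constructed sample events: (CountryCode, UserAgent, Operation)
UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
SAMPLE_EVENTS = (
    [('US', UA, 'UserLoggedIn')] * 40
    + [('TT', UA, 'UserLoggedIn')]            # ord_sum('TT') == ord_sum('US') == 168
    + [('SG', UA, 'PageViewed')]
    + [('GB', 'MSWAC', 'FileDownloaded')] * 2
)

if __name__ == '__main__':
    for combo, n in sorted(rare_exact(SAMPLE_EVENTS).items(), key=lambda kv: kv[1]):
        print(n, combo)
    print('hidden by collisions:', hidden_by_collisions(SAMPLE_EVENTS))
```

A non-empty result from `hidden_by_collisions` means the exact count should be reviewed alongside the clustered output for those combinations.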


Appendices

Available DataFrames

In [43]:
print('List of current DataFrames in Notebook')
print('-' * 50)
current_vars = list(locals().keys())
for var_name in current_vars:
    if isinstance(locals()[var_name], pd.DataFrame) and not var_name.startswith('_'):
        print(var_name)
List of current DataFrames in Notebook
--------------------------------------------------
la_table_set
ad_changes_df
user_logon_anom_df
office_ops_summary_df
unique_ip_op_ua
office_ops_summary
office_ops_merged
ip_locs_df
office_ops_summary_ip_loc
office_logons_byuser_df
office_ops_df
office_ops_restr
office_ops_locs
country_by_op_count
clientip_by_op_count
office_ops
new_df
user_activity_df
my_df
my_df2
az_net_comms_df
flow_index
feature_office_ops
clustered_ops

Saving Data to Excel

To save the contents of a pandas DataFrame to an Excel spreadsheet, use the following syntax:

# Use the writer as a context manager so the file is saved and closed on exit
with pd.ExcelWriter('myWorksheet.xlsx') as writer:
    my_data_frame.to_excel(writer, sheet_name='Sheet1')