Cloud IR Toolkit: Graph API, PowerShell, KQL, Sentinel, and Defender XDR for Investigation

4-5 hours · Module 0 · Free

Scenario

The CISO calls at 06:00. A board member's account is compromised — the insurer needs a preliminary report by end of business. You need to pull sign-in logs, check email access, verify whether data was exfiltrated from SharePoint, and determine whether the attacker created any persistent access in the directory. You don't have time to figure out which PowerShell module authenticates to which API. You need a toolkit that's configured, tested, and ready to go before the call comes in. This section sets that up.

Estimated time: 45 minutes.

[Figure: "The Cloud IR Toolkit: five investigation surfaces". Panels: GRAPH API (sign-in logs, audit logs, service principals, bulk evidence export); POWERSHELL (Microsoft.Graph, ExchangeOnline, UAL search, scripted collection); SENTINEL (KQL, SigninLogs, OfficeActivity, AuditLogs, long-term retention queries); XDR HUNTING (CloudAppEvents, EmailEvents, Identity* tables, cross-product correlation); HAWK (automated M365 evidence collection, inbox rules + sign-ins, first-hour rapid triage). Side panel, LAB ENVIRONMENT: M365 E5 developer tenant (free, 25 users, 90-day renewable) + Sentinel workspace + NE investigation dataset. All investigation queries in this course run against the NE Corpus: 21 tables, ~79K rows of synthetic investigation data.]

Figure IR0.4. Five investigation surfaces, each optimized for different evidence types. The lab environment provides a Sentinel workspace with the NE Corpus for practicing every query in the course.

The five investigation surfaces

Cloud investigation doesn't use a single tool. Five surfaces serve different purposes, and choosing the right surface for each investigation question saves time and produces better evidence.

Graph API: bulk evidence export

The Microsoft Graph API provides programmatic access to Entra ID sign-in logs, audit logs, risky users, service principals, application registrations, and directory objects. You authenticate with an app registration or delegated permissions, then query REST endpoints for the evidence you need.

Graph API is the right surface when you need to export large volumes of evidence for offline analysis, when you need to query data programmatically across multiple users or time ranges, or when you need to collect evidence before the native Entra ID retention window expires (30 days for sign-in and audit logs with an Entra ID P1/P2 licence, seven days on the free tier).

# Connect to Graph with investigation permissions
# (Get-MgAuditLogSignIn lives in the Microsoft.Graph.Reports sub-module)
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All","User.Read.All"

# Export sign-in logs for the investigation window (UTC, ISO 8601)
$startDate = "2026-03-15T00:00:00Z"
$endDate   = "2026-03-16T00:00:00Z"
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $startDate and createdDateTime le $endDate" -All

# Export to CSV for analysis. Location, Status and MfaDetail are nested objects;
# flatten them explicitly, otherwise Export-Csv writes only the .NET type name.
$signIns | Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress,
  @{N='Location';E={$_.Location.CountryOrRegion}},
  ConditionalAccessStatus,
  @{N='Status';E={$_.Status.ErrorCode}},
  @{N='MfaDetail';E={$_.MfaDetail | ConvertTo-Json -Compress}} |
  Export-Csv -Path ".\signins-export.csv" -NoTypeInformation

Write-Host "Exported $($signIns.Count) sign-in records"

The export produces a CSV with one row per sign-in event. Here's what the output looks like for the investigation window:

Graph API Export — Sign-in Log Output
Exported 847 sign-in records
// 847 records for a single day across the NE tenant
// Most are legitimate. The investigation query narrows to the attacker IP.
CreatedDateTime          UserPrincipalName                    IPAddress        Location  ConditionalAccessStatus
2026-03-15T14:32:11Z     j.morrison@northgate-eng.co.uk       203.0.113.10     GB        success   ← Legitimate sign-in
2026-03-15T14:36:18Z     j.morrison@northgate-eng.co.uk       185.220.101.42   RO        success   ← Token replay
2026-03-15T14:36:22Z     j.morrison@northgate-eng.co.uk       185.220.101.42   RO        success   ← Same session, app access
2026-03-15T15:18:44Z     j.morrison@northgate-eng.co.uk       185.220.101.42   RO        success   ← OAuth consent grant

The permissions you need depend on what you're investigating. For identity investigation: AuditLog.Read.All, Directory.Read.All, User.Read.All. For application investigation: Application.Read.All. For group and role investigation: RoleManagement.Read.All, GroupMember.Read.All. Module 1 covers Graph API evidence collection in depth.
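The export only pays off once something reads it offline. The following is an added example (my code, not part of the course or of the Microsoft.Graph module) that triages the CSV written by the Export-Csv step above: it learns nothing from the tenant, it just replays the investigator's questions against the file. The sample rows are constructed to mirror the page's scenario; 203.0.113.10 and 185.220.101.42 are the page's values, while the second user, the app names, the baseline map and the "Previously satisfied" MfaDetail string are assumptions.

```python
"""Offline triage of a Graph sign-in export (added example, not course code).

Reads the column layout written by the Export-Csv step on the page:
CreatedDateTime, UserPrincipalName, AppDisplayName, IPAddress, Location,
ConditionalAccessStatus, Status, MfaDetail (compressed JSON).
"""
import csv
import io
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample in the export's column order. Second user, app names and
# the MfaDetail strings are assumptions, not values taken from a real tenant.
SAMPLE_CSV = """CreatedDateTime,UserPrincipalName,AppDisplayName,IPAddress,Location,ConditionalAccessStatus,Status,MfaDetail
2026-03-15T08:01:05Z,j.morrison@northgate-eng.co.uk,Office 365 Exchange Online,203.0.113.10,GB,success,0,"{""authMethod"":""Microsoft Authenticator App""}"
2026-03-15T14:32:11Z,j.morrison@northgate-eng.co.uk,OfficeHome,203.0.113.10,GB,success,0,"{""authMethod"":""Microsoft Authenticator App""}"
2026-03-15T14:36:18Z,j.morrison@northgate-eng.co.uk,OfficeHome,185.220.101.42,RO,success,0,"{""authMethod"":""Previously satisfied""}"
2026-03-15T14:36:22Z,j.morrison@northgate-eng.co.uk,Office 365 Exchange Online,185.220.101.42,RO,success,0,"{""authMethod"":""Previously satisfied""}"
2026-03-15T15:18:44Z,j.morrison@northgate-eng.co.uk,Microsoft Graph Command Line Tools,185.220.101.42,RO,success,0,"{""authMethod"":""Previously satisfied""}"
2026-03-15T09:12:40Z,a.patel@northgate-eng.co.uk,OfficeHome,203.0.113.10,GB,success,0,"{""authMethod"":""Microsoft Authenticator App""}"
2026-03-15T10:44:03Z,a.patel@northgate-eng.co.uk,OfficeHome,198.51.100.7,GB,success,0,"{""authMethod"":""Microsoft Authenticator App""}"
"""

# Assumed known-good source IPs per user (in practice: prior weeks of sign-ins).
OFFICE_BASELINE = {
    "j.morrison@northgate-eng.co.uk": {"203.0.113.10"},
    "a.patel@northgate-eng.co.uk": {"203.0.113.10"},
}


def parse_signins(csv_text):
    """Parse the export into dicts with a UTC datetime and a decoded MfaDetail."""
    rows = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        rec["CreatedDateTime"] = datetime.strptime(
            rec["CreatedDateTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["MfaDetail"] = json.loads(rec["MfaDetail"]) if rec["MfaDetail"] else {}
        rows.append(rec)
    rows.sort(key=lambda r: r["CreatedDateTime"])
    return rows


def flag_signins(rows, baseline_ips, travel_window=timedelta(hours=1)):
    """Return sign-ins worth a second look, each with the reasons it was flagged.

    ip_not_in_baseline            source IP not in the user's known-good set
    country_change_within_window  country differs from the user's previous sign-in
                                  and the gap is shorter than travel_window
    mfa_satisfied_by_existing_token  a flagged sign-in where MFA was not performed
                                  but carried over from an earlier token, the shape
                                  an AiTM token replay leaves (value string assumed)
    """
    findings, last_seen = [], {}
    for r in rows:
        user, ip = r["UserPrincipalName"], r["IPAddress"]
        reasons = []
        if ip not in baseline_ips.get(user, set()):
            reasons.append("ip_not_in_baseline")
        prev = last_seen.get(user)
        if (prev is not None and prev["Location"] != r["Location"]
                and r["CreatedDateTime"] - prev["CreatedDateTime"] <= travel_window):
            reasons.append("country_change_within_window")
        if reasons and r["MfaDetail"].get("authMethod") == "Previously satisfied":
            reasons.append("mfa_satisfied_by_existing_token")
        if reasons:
            findings.append({"time": r["CreatedDateTime"], "user": user, "ip": ip,
                             "country": r["Location"], "app": r["AppDisplayName"],
                             "reasons": reasons})
        last_seen[user] = r
    return findings


def summarize_by_ip(findings):
    """Group flagged sign-ins by source IP: which users, how many, first and last seen."""
    out = defaultdict(lambda: {"users": set(), "count": 0, "first": None, "last": None})
    for f in findings:
        s = out[f["ip"]]
        s["users"].add(f["user"])
        s["count"] += 1
        s["first"] = f["time"] if s["first"] is None else min(s["first"], f["time"])
        s["last"] = f["time"] if s["last"] is None else max(s["last"], f["time"])
    return {ip: {**s, "users": sorted(s["users"])} for ip, s in out.items()}


if __name__ == "__main__":
    flagged = flag_signins(parse_signins(SAMPLE_CSV), OFFICE_BASELINE)
    for f in flagged:
        print(f["time"].isoformat(), f["user"], f["ip"], f["country"], ", ".join(f["reasons"]))
    for ip, s in summarize_by_ip(flagged).items():
        print(f"{ip}: {s['count']} flagged sign-ins, users={s['users']}, "
              f"{s['first']:%H:%M}-{s['last']:%H:%M}")
```

Run it on the real signins-export.csv by replacing SAMPLE_CSV with the file contents. The per-IP summary is the first thing the insurer's report needs (which accounts, from where, over what window); the per-row reasons tell you which sign-ins to pull the session details for next.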

PowerShell: scripted collection and UAL access

Two PowerShell modules handle most cloud investigation tasks.

Microsoft.Graph is the PowerShell wrapper for the Graph API. It provides cmdlets for every Graph endpoint: Get-MgAuditLogSignIn, Get-MgAuditLogDirectoryAudit, Get-MgServicePrincipal, Get-MgApplication. It handles authentication, pagination (the -All switch follows @odata.nextLink for you), and retries when the service throttles a request.

ExchangeOnlineManagement connects to Exchange Online for mailbox investigation. The critical cmdlet is Search-UnifiedAuditLog, which queries the Unified Audit Log directly. This is your evidence source of last resort: when Sentinel doesn't have the data and native Entra ID logs have expired, the UAL may still have the records within its retention window (180 days by default, longer with Audit (Premium)).

# Connect to Exchange Online
Connect-ExchangeOnline -UserPrincipalName admin@northgate-eng.co.uk

# Search UAL for MailItemsAccessed. One call returns at most 5,000 records;
# ReturnLargeSet with a fixed SessionId pages through up to 50,000.
$sessionId = [guid]::NewGuid().ToString()
$results = @()
do {
  $page = Search-UnifiedAuditLog `
    -StartDate "2026-03-15" `
    -EndDate "2026-03-16" `
    -Operations "MailItemsAccessed" `
    -UserIds "j.morrison@northgate-eng.co.uk" `
    -ResultSize 5000 `
    -SessionId $sessionId `
    -SessionCommand ReturnLargeSet
  $results += $page
} while ($page)   # an empty page means the session is exhausted

Write-Host "Found $($results.Count) MailItemsAccessed records"

The -SessionCommand ReturnLargeSet parameter is important. A single call returns at most 5,000 records (and only 100 unless you raise -ResultSize). With ReturnLargeSet and the same -SessionId on every call, the cmdlet keeps returning the next page of the same result set, up to 50,000 records, until a call comes back empty. Records within a ReturnLargeSet session are not sorted, so sort on CreationDate afterwards if order matters. The evidence itself is in the AuditData property of each record, a JSON document whose fields depend on the operation.
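Scoping what the attacker read is the next step once the records are on disk. The following is an added example (my code, not the course's and not Microsoft's) that parses MailItemsAccessed AuditData documents and answers the scoping questions: which messages were bound, which folders were synced wholesale, and whether throttling means the count is a floor. It assumes you wrote the records out one JSON document per line, for instance with `$results.AuditData | Set-Content ual.jsonl` (that export line is my assumption). The four records are constructed; the field names follow the MailItemsAccessed layout as I understand it (MailAccessType and IsThrottled under OperationProperties, InternetMessageId under Folders[].FolderItems[]) and should be checked against a real export.

```python
"""Scope mailbox exposure from MailItemsAccessed records (added example, not course code)."""
import json
from collections import defaultdict


def _rec(time, ip, session, access, throttled, folders):
    """Build one constructed MailItemsAccessed AuditData document (layout assumed)."""
    return {
        "CreationTime": time, "Operation": "MailItemsAccessed",
        "UserId": "j.morrison@northgate-eng.co.uk", "ClientIPAddress": ip,
        "ClientInfoString": "Client=REST;Client=RESTSystem;;", "SessionId": session,
        "OperationCount": sum(len(v) for v in folders.values()) or 1,
        "OperationProperties": [{"Name": "MailAccessType", "Value": access},
                                {"Name": "IsThrottled", "Value": str(throttled)}],
        "Folders": [{"Path": p, "FolderItems": [{"InternetMessageId": m} for m in ids]}
                    for p, ids in folders.items()],
    }


# Constructed sample: one office-IP read, two attacker Bind sessions that overlap
# on one message, and an attacker folder Sync that hit the throttle.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    _rec("2026-03-15T14:33:00", "203.0.113.10", "s-o1", "Bind", False,
         {"\\Inbox": ["<m-004@ne>"]}),
    _rec("2026-03-15T14:40:02", "185.220.101.42", "s-a1", "Bind", False,
         {"\\Inbox": ["<m-001@ne>", "<m-002@ne>"]}),
    _rec("2026-03-15T14:52:37", "185.220.101.42", "s-a1", "Bind", False,
         {"\\Inbox": ["<m-002@ne>"], "\\Sent Items": ["<m-003@ne>"]}),
    _rec("2026-03-15T15:05:10", "185.220.101.42", "s-a2", "Sync", True,
         {"\\Inbox": []}),
])


def parse_records(jsonl):
    """One AuditData JSON document per line -> list of dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def _prop(rec, name):
    """Read a named entry from OperationProperties."""
    for p in rec.get("OperationProperties", []):
        if p.get("Name") == name:
            return p.get("Value")
    return None


def scope_mail_access(records, suspect_ips):
    """Summarize which messages the suspect IPs touched.

    Bind records name individual messages, so they are de-duplicated per folder
    (the same message opened twice is one exposure). Sync records mean the client
    pulled the whole folder: every item in it at that time should be treated as
    exposed. IsThrottled=True means the service stopped logging binds for the rest
    of that 24-hour window, so the counts are a floor, not a total.
    """
    ids_by_folder, synced, clients, throttled = defaultdict(set), set(), set(), False
    for rec in records:
        if (rec.get("Operation") != "MailItemsAccessed"
                or rec.get("ClientIPAddress") not in suspect_ips):
            continue
        clients.add(rec.get("ClientInfoString", ""))
        throttled = throttled or _prop(rec, "IsThrottled") == "True"
        access = _prop(rec, "MailAccessType")
        for folder in rec.get("Folders", []):
            path = folder.get("Path", "")
            if access == "Sync":
                synced.add(path)
                continue
            for item in folder.get("FolderItems", []):
                if item.get("InternetMessageId"):
                    ids_by_folder[path].add(item["InternetMessageId"])
    all_ids = set().union(*ids_by_folder.values())
    return {
        "message_ids": sorted(all_ids),
        "by_folder": {p: len(s) for p, s in sorted(ids_by_folder.items())},
        "synced_folders": sorted(synced),
        "throttled": throttled,
        "clients": sorted(clients),
    }


if __name__ == "__main__":
    scope = scope_mail_access(parse_records(SAMPLE_JSONL), {"185.220.101.42"})
    print(f"{len(scope['message_ids'])} distinct messages bound: {scope['by_folder']}")
    print(f"folders synced wholesale: {scope['synced_folders']}")
    print(f"throttled (counts are a floor): {scope['throttled']}")
    print(f"client strings: {scope['clients']}")
```

The message IDs are what you hand to the eDiscovery or Graph side to pull subject lines and recipients; the synced folders and the throttle flag are what you put in the report's caveats, because either one means "at least this much" rather than "exactly this much".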

Sentinel KQL: long-term retention queries

If your organization ingests Entra ID and M365 logs into a Sentinel workspace, Sentinel becomes your primary investigation surface. Retention is configurable (the Log Analytics default is 90 days; 90 days to 2 years is typical for security data), so Sentinel often still holds evidence after the native logs have expired.

Sentinel tables relevant to cloud investigation: SigninLogs, AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs, AuditLogs, OfficeActivity, SecurityAlert, SecurityIncident. Each table has its own schema, documented in the Sentinel data reference.

KQL (Kusto Query Language) is the query language for Sentinel. Every investigation module in this course includes KQL queries that run in the Sentinel workspace. If you're not familiar with KQL, the syntax is approachable — it reads left to right as a pipeline of data transformations.

SigninLogs
| where TimeGenerated > ago(30d)
| where UserPrincipalName == "j.morrison@northgate-eng.co.uk"
| where IPAddress != "203.0.113.10"  // Morrison's normal office IP
| project TimeGenerated, UserPrincipalName, IPAddress, Location,
    AppDisplayName, ConditionalAccessStatus, AuthenticationRequirement
| sort by TimeGenerated asc

This query finds every sign-in for Morrison from an IP address other than her office IP in the last 30 days. Simple, readable, and directly useful for investigation. Module 2 teaches sign-in log KQL in depth.

Defender XDR Advanced Hunting: cross-product correlation

Defender XDR Advanced Hunting provides KQL access to tables that span the Defender product family. The tables most relevant to cloud investigation are CloudAppEvents (file and app activity), EmailEvents (email delivery and sending), EmailUrlInfo (URLs in emails), EmailAttachmentInfo (email attachments), IdentityLogonEvents (authentication events: on-premises Active Directory via Defender for Identity, and Entra ID sign-ins via Defender for Cloud Apps), and IdentityDirectoryEvents (directory changes from Defender for Identity).

Advanced Hunting retention is 30 days for most tables. This means it's useful for recent investigations but not for historical evidence. When you need data older than 30 days, Sentinel or the UAL is the fallback.

The tables in Advanced Hunting have different schemas from their Sentinel equivalents. A sign-in event appears in SigninLogs (Sentinel) and IdentityLogonEvents (XDR) with different field names, different data types, and different levels of detail. Module 1 covers the schema mapping.

Hawk: automated first-hour collection

Hawk is an open-source PowerShell module built specifically for M365 incident response. It automates evidence collection that would otherwise require multiple cmdlets across multiple modules: sign-in log export, inbox rule enumeration, mail forwarding configuration check, mailbox delegate access review, and more.

# Install Hawk
Install-Module -Name Hawk -Force

# Run Hawk against a single user
Start-HawkUserInvestigation -UserPrincipalName j.morrison@northgate-eng.co.uk

Hawk produces a structured output directory with evidence files organized by category:

Hawk Output — User Investigation
[2026-03-15 16:02:14] Starting Hawk investigation for j.morrison@northgate-eng.co.uk
[2026-03-15 16:02:16] Collecting Inbox Rules...
  Found 3 inbox rules — 1 suspicious (name: ".")
[2026-03-15 16:02:18] Collecting Mail Forwarding Configuration...
  No forwarding configured
[2026-03-15 16:02:21] Collecting Recent Sign-In Activity...
  Found 4 sign-ins from 185.220.101.42 (RO) — flagged as anomalous
[2026-03-15 16:02:24] Collecting Mailbox Permissions...
  Found delegate access granted to unknown-app@northgate-eng.co.uk
[2026-03-15 16:02:26] Collecting OAuth Consent Grants...
  Found consent for "NE-Backup-Sync" — Mail.Read, Files.Read.All
[2026-03-15 16:02:28] Output saved to C:\Hawk\j.morrison\

In under 30 seconds, Hawk surfaces the inbox rule, the anomalous sign-ins, the delegate access, and the OAuth consent grant. That's the first-hour triage. The deeper investigation — scoping the email exposure, tracing the data exfiltration, mapping the directory persistence — requires the KQL and Graph API skills the rest of this course teaches.

Hawk is a collection accelerator, not an investigation tool. It gathers the evidence. The investigation modules in this course teach you how to interpret it.

Lab environment setup

The investigation modules use the NE Corpus — 21 tables with approximately 79,000 rows of synthetic investigation data, loaded into a Sentinel workspace. The corpus includes four embedded attack chains: AiTM credential phishing, password spray, endpoint compromise, and ransomware pre-encryption indicators.

What you need:

An M365 E5 developer tenant (free from the Microsoft 365 Developer Program). The developer tenant provides 25 user licenses, Entra ID P2, Defender for Office 365, and Purview Audit Premium for 90 days (renewable). This gives you every evidence source the course covers. Eligibility rules for the sandbox have changed over time, so confirm the current requirements on the program page before planning the lab around it.

A Sentinel workspace connected to the developer tenant. The workspace ingests sign-in logs, audit logs, and OfficeActivity from the developer tenant. The NE Corpus data loads into the workspace as custom tables for investigation practice.

Lab setup steps:

Step 1. Sign up for the Microsoft 365 Developer Program at developer.microsoft.com/microsoft-365/dev-program. Configure the E5 sandbox with sample data packs.

Step 2. Create an Azure subscription (free tier is sufficient). Create a Log Analytics workspace. Enable Microsoft Sentinel on the workspace.

Step 3. In Sentinel, enable the Entra ID connector (sign-in logs + audit logs) and the Microsoft 365 connector (OfficeActivity).

Step 4. Load the NE Corpus datasets into the workspace. The corpus files and loading instructions are in the lab pack at /downloads/lab-packs/cloud-ir-lab-pack.zip.

Step 5. Verify the setup by running the test query from the lab pack against SigninLogs. If the query returns results, the lab is ready.

Anti-Pattern

Running investigation queries against a production tenant for practice. Production tenants contain real employee data, real sign-in patterns, and real security events. Practicing investigation techniques against production data creates privacy, compliance, and data handling risks. The developer tenant and the NE Corpus provide the same evidence structure with synthetic data. Practice there.

The detailed lab setup guide with screenshots and troubleshooting is at /training/resources/lab-setup/. The lab pack includes the NE Corpus files, loading scripts, and verification queries.

Module 1 builds on this toolkit with the full cloud evidence architecture — every log source, every schema, every retention edge case, and every cross-source correlation technique.