Below you will find pages that utilize the taxonomy term “Microsoft”
Phish vs Spam vs Total O365 Email in Microsoft Sentinel
Here is a simple Microsoft Sentinel search that shows how much phishing/spam email a specified user received versus clean email. The time frame comes from the time range picker on the Logs blade; the query itself does not filter on TimeGenerated. EmailEvents is populated by Microsoft Defender for Office 365 through the Microsoft 365 Defender data connector, so that connector needs to be enabled. The pivot produces one column per ThreatTypes value (blank for email with no detected threat) with a count of messages in each.
let UserToAnalyze="[email protected]";
EmailEvents
| where RecipientEmailAddress==UserToAnalyze
| project RecipientEmailAddress, ThreatTypes
| evaluate pivot(ThreatTypes)
| sort by RecipientEmailAddress asc
Thank you to Microsoft for publishing this query on GitHub.
Leaked Credentials Search in Microsoft Sentinel
Microsoft Sentinel is a great way to get a handle on your security infrastructure. One thing Microsoft Security does well is scour the web for evidence that your users' credentials have been leaked through a third-party service, where password reuse means the leaked password may also be valid in your tenant. While you can manually go through all of the alerts in portal.cloudappsecurity.com, an easier way to bring this data forward is with the search below:
SecurityAlert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| where AlertType == "LeakedCredentials"
| project TimeGenerated, AlertType, CompromisedEntity
The summarize on SystemAlertId keeps only the most recent copy of each alert, so an alert that was updated several times is not counted more than once. Narrow the results by time range as needed, and you can build on this search as an analytics rule to trigger automated playbook actions within the Microsoft Sentinel environment (for example, forcing a password reset for the CompromisedEntity).
Logon and Logoff Times for Windows Users (Splunk)
A common Splunk question I am asked is the easiest way to determine how long an account was logged on to a Windows host. The result is only an approximation: a user may hold several sessions on different machines at the same time, and taking the earliest and latest of all 4624/4634 events per day does not pair an individual logon with its matching logoff, so a session that spans midnight or a host that never logs a 4634 will be misreported. With that caveat, a report can be generated along the following lines:
sourcetype=WinEventLog:Security (EventCode=4624 OR EventCode=4634)
| eval day=strftime(_time,"%m/%d/%Y")
| stats earliest(_time) AS logon latest(_time) AS logoff by user host day
| eval logon=strftime(logon,"%m/%d/%Y %H.%M.%S"), logoff=strftime(logoff,"%m/%d/%Y %H.%M.%S")
To limit the results to a particular machine, you can either adjust the search to include the particular machine you are looking for or conversely exclude common machines from the report.
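To make the approximation concrete, here is an added example (not code from the original post, and Python rather than SPL so it can be run offline) that runs both approaches over a handful of constructed Windows Security events shaped like Splunk's WinEventLog:Security field extractions. The field names (_time, EventCode, user, host, Logon_ID) and all sample values are assumptions for the illustration. The first function reproduces the earliest/latest logic from the search above; the second pairs each 4624 with its 4634 by host and Logon ID, which keeps concurrent sessions on different hosts separate and flags sessions that are still open or logoffs whose logon fell outside the search window.

```python
"""Windows logon/logoff duration: the earliest/latest approximation versus
pairing 4624 and 4634 events by Logon ID.

Added example, not from the original post. The events below are constructed
to look like Splunk's WinEventLog:Security extractions; the field names and
values are assumptions, not output of a real Splunk deployment.
"""
from datetime import datetime, timezone


def _ts(s):
    """Parse a 'YYYY-MM-DD HH:MM:SS' UTC string into an epoch float (like _time)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()


def _day(t):
    """Same day bucket the SPL search builds with strftime(_time,"%m/%d/%Y")."""
    return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%m/%d/%Y")


# Constructed sample data (assumed field names). Note the two concurrent
# sessions for alice, bob's session that never logs off, and carol's logoff
# whose matching 4624 fell before the search window.
SAMPLE_EVENTS = [
    {"_time": _ts("2024-03-04 08:02:10"), "EventCode": 4624, "user": "alice", "host": "WS01", "Logon_ID": "0x3E7A1"},
    {"_time": _ts("2024-03-04 08:05:00"), "EventCode": 4624, "user": "alice", "host": "FS01", "Logon_ID": "0x9B2C"},
    {"_time": _ts("2024-03-04 08:05:30"), "EventCode": 4634, "user": "alice", "host": "FS01", "Logon_ID": "0x9B2C"},
    {"_time": _ts("2024-03-04 17:31:45"), "EventCode": 4634, "user": "alice", "host": "WS01", "Logon_ID": "0x3E7A1"},
    {"_time": _ts("2024-03-04 09:00:00"), "EventCode": 4624, "user": "bob", "host": "WS02", "Logon_ID": "0x51F0"},
    {"_time": _ts("2024-03-04 07:59:59"), "EventCode": 4634, "user": "carol", "host": "WS03", "Logon_ID": "0x1111"},
]


def naive_durations(events):
    """Reproduce the SPL: earliest/latest of any 4624 or 4634 per user, host, day.

    Returns {(user, host, day): seconds}. A lone event yields 0, and a still
    logged-on user looks like a zero-length session.
    """
    bounds = {}
    for e in events:
        if e["EventCode"] not in (4624, 4634):
            continue
        key = (e["user"], e["host"], _day(e["_time"]))
        lo, hi = bounds.get(key, (e["_time"], e["_time"]))
        bounds[key] = (min(lo, e["_time"]), max(hi, e["_time"]))
    return {k: hi - lo for k, (lo, hi) in bounds.items()}


def paired_sessions(events):
    """Pair each 4624 with the 4634 carrying the same host and Logon_ID.

    Returns (sessions, orphan_logoffs). Sessions with no 4634 yet are reported
    with logoff/duration None instead of being collapsed to zero seconds.
    """
    open_sessions = {}
    sessions = []
    orphans = []
    for e in sorted(events, key=lambda ev: ev["_time"]):
        key = (e["host"], e["Logon_ID"])
        if e["EventCode"] == 4624:
            open_sessions[key] = e
        elif e["EventCode"] == 4634:
            start = open_sessions.pop(key, None)
            if start is None:
                orphans.append(e)  # logon happened before the window, or was never logged
                continue
            sessions.append({
                "user": start["user"], "host": start["host"], "day": _day(start["_time"]),
                "logon": start["_time"], "logoff": e["_time"],
                "duration": e["_time"] - start["_time"],
            })
    for start in open_sessions.values():
        sessions.append({
            "user": start["user"], "host": start["host"], "day": _day(start["_time"]),
            "logon": start["_time"], "logoff": None, "duration": None,
        })
    return sessions, orphans


if __name__ == "__main__":
    for key, secs in sorted(naive_durations(SAMPLE_EVENTS).items()):
        print("naive ", key, f"{secs:.0f}s")
    sessions, orphans = paired_sessions(SAMPLE_EVENTS)
    for s in sessions:
        dur = "still logged on" if s["duration"] is None else f"{s['duration']:.0f}s"
        print("paired", (s["user"], s["host"], s["day"]), dur)
    for o in orphans:
        print("orphan logoff", (o["user"], o["host"], o["Logon_ID"]))
```

On this data the two approaches agree for alice, because her sessions on WS01 and FS01 are grouped by host, but the naive report shows bob with a 0-second session when he is in fact still logged on, and silently counts carol's orphaned logoff as a session of its own. The same Logon ID pairing can be done in SPL with a transaction or a stats by Logon_ID, at the cost of a heavier search.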