Initial access
This whole section consists of note-taking done during the "Threat Hunting" room of the TryHackMe platform, hence the "WKSTN" hosts mentioned in the example commands
Auth Bruteforcing
Select the time scope, create a visualization with source IPs, usernames and counts, then filter by failed auths. Once the relevant IPs are found, re-filter by successful auths from those IPs to see whether the guessing paid off.
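The same hunt expressed as code, so the pivot is explicit: tabulate failed auths by source IP and username, pick the sources over a threshold, then pull the successful logons from exactly those sources. This is an added example, not part of the original notes or of the TryHackMe room; the events are constructed and use ECS-style field names (source.ip, user.name, event.outcome) as an assumption about what the index exposes, and the failure threshold of 3 is also an assumption to tune per environment.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of authentication events using ECS-style field names
# (assumption: the index exposes source.ip, user.name and event.outcome).
SAMPLE_AUTH_EVENTS = [
    {"@timestamp": "2024-01-10T09:00:01", "source.ip": "10.0.0.5", "user.name": "admin", "event.outcome": "failure"},
    {"@timestamp": "2024-01-10T09:00:02", "source.ip": "10.0.0.5", "user.name": "admin", "event.outcome": "failure"},
    {"@timestamp": "2024-01-10T09:00:03", "source.ip": "10.0.0.5", "user.name": "jsmith", "event.outcome": "failure"},
    {"@timestamp": "2024-01-10T09:00:04", "source.ip": "10.0.0.5", "user.name": "jsmith", "event.outcome": "failure"},
    {"@timestamp": "2024-01-10T09:00:09", "source.ip": "10.0.0.5", "user.name": "jsmith", "event.outcome": "success"},
    {"@timestamp": "2024-01-10T09:01:00", "source.ip": "10.0.0.7", "user.name": "alice", "event.outcome": "failure"},
    {"@timestamp": "2024-01-10T09:01:30", "source.ip": "10.0.0.7", "user.name": "alice", "event.outcome": "success"},
    {"@timestamp": "2024-01-11T12:00:00", "source.ip": "10.0.0.9", "user.name": "bob", "event.outcome": "failure"},
]


def in_time_scope(events, start, end):
    """Step 1: restrict the hunt to the chosen time window (inclusive bounds)."""
    s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
    return [ev for ev in events if s <= datetime.fromisoformat(ev["@timestamp"]) <= e]


def count_by(events, fields):
    """Equivalent of a Kibana data table: count events grouped by the given fields."""
    return Counter(tuple(ev[f] for f in fields) for ev in events)


def failed_auth_table(events):
    """Step 2: source IP x username x count, filtered to failed auths."""
    failed = [ev for ev in events if ev["event.outcome"] == "failure"]
    return count_by(failed, ("source.ip", "user.name"))


def brute_force_sources(events, threshold=3):
    """Step 3: IPs whose failed-auth total reaches the threshold (threshold is an assumption)."""
    per_ip = Counter()
    for (ip, _user), n in failed_auth_table(events).items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def successes_from_sources(events, ips):
    """Step 4: pivot to successful auths from the suspect IPs, i.e. did the guessing work?"""
    return [
        (ev["@timestamp"], ev["source.ip"], ev["user.name"])
        for ev in events
        if ev["event.outcome"] == "success" and ev["source.ip"] in ips
    ]


def hunt_auth_bruteforce(events, start, end, threshold=3):
    """Run the whole hunt and return the suspect IPs plus any successful logons from them."""
    scoped = in_time_scope(events, start, end)
    ips = brute_force_sources(scoped, threshold)
    return {"suspect_ips": ips, "successes": successes_from_sources(scoped, ips)}


if __name__ == "__main__":
    result = hunt_auth_bruteforce(SAMPLE_AUTH_EVENTS, "2024-01-10T00:00:00", "2024-01-10T23:59:59")
    for ip in result["suspect_ips"]:
        print("brute-force source:", ip)
    for ts, ip, user in result["successes"]:
        print(f"{ts} successful auth from {ip} as {user}")
```

On the constructed data, 10.0.0.5 is the only source over the threshold, and the pivot shows its one success as jsmith; 10.0.0.7 has a single typo-style failure followed by a success and correctly stays out of the result.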
Web Server enumeration
Select the time scope, create a visualization with source IPs, HTTP response codes and counts, then filter by the relevant destination port (80/443/whatever). Identify the IP that is spamming 404s, then check its User-Agent. Filter by successful requests (200, 301, 302) from that IP and examine the URLs and queries of those requests.
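The same hunt over raw web server logs, as an added example that is not part of the original notes or of the TryHackMe room. It assumes Apache's vhost_combined log format (chosen because it carries the destination port on every line); the log lines, hostnames, IPs and the "constructed-scanner/1.0" user agent are all made up, and the 404 threshold of 3 is an assumption.

```python
import re
from collections import Counter

# Constructed Apache access-log sample in the vhost_combined format
# ("%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\""),
# assumed here because it includes the destination port on each line.
SAMPLE_ACCESS_LOG = """\
www.example.local:80 10.0.0.8 - - [10/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (constructed browser)"
www.example.local:80 10.0.0.8 - - [10/Jan/2024:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0 (constructed browser)"
www.example.local:80 10.0.0.5 - - [10/Jan/2024:10:05:00 +0000] "GET /admin HTTP/1.1" 404 162 "-" "constructed-scanner/1.0"
www.example.local:80 10.0.0.5 - - [10/Jan/2024:10:05:01 +0000] "GET /backup HTTP/1.1" 404 162 "-" "constructed-scanner/1.0"
www.example.local:80 10.0.0.5 - - [10/Jan/2024:10:05:02 +0000] "GET /old HTTP/1.1" 404 162 "-" "constructed-scanner/1.0"
www.example.local:80 10.0.0.5 - - [10/Jan/2024:10:05:03 +0000] "GET /config HTTP/1.1" 404 162 "-" "constructed-scanner/1.0"
www.example.local:80 10.0.0.5 - - [10/Jan/2024:10:05:04 +0000] "GET /login.php HTTP/1.1" 200 2048 "-" "constructed-scanner/1.0"
www.example.local:80 10.0.0.5 - - [10/Jan/2024:10:05:05 +0000] "GET /login.php?user=test&debug=1 HTTP/1.1" 200 2048 "-" "constructed-scanner/1.0"
www.example.local:80 10.0.0.5 - - [10/Jan/2024:10:05:06 +0000] "GET /uploads/ HTTP/1.1" 301 0 "-" "constructed-scanner/1.0"
www.example.local:443 10.0.0.5 - - [10/Jan/2024:10:06:00 +0000] "GET /admin HTTP/1.1" 404 162 "-" "constructed-scanner/1.0"
"""

LINE_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one vhost_combined line into the fields the hunt needs; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "source.ip": m.group("ip"),
        "destination.port": int(m.group("port")),
        "http.response.status_code": int(m.group("status")),
        "url.path": path,
        "url.query": query,
        "user_agent.original": m.group("ua"),
    }


def parse_log(text):
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def status_table(records, port):
    """Source IP x response code x count, filtered to one destination port."""
    return Counter(
        (r["source.ip"], r["http.response.status_code"])
        for r in records if r["destination.port"] == port
    )


def noisy_404_sources(records, port, threshold=3):
    """IPs that produced at least `threshold` 404s on the port (threshold is an assumption)."""
    table = status_table(records, port)
    return sorted(ip for (ip, code), n in table.items() if code == 404 and n >= threshold)


def successful_requests(records, port, ip, codes=(200, 301, 302)):
    """Pivot: what did the enumeration actually find? Returns (status, path, query, user agent)."""
    return [
        (r["http.response.status_code"], r["url.path"], r["url.query"], r["user_agent.original"])
        for r in records
        if r["destination.port"] == port and r["source.ip"] == ip
        and r["http.response.status_code"] in codes
    ]


def hunt_web_enumeration(text, port=80, threshold=3):
    """Full hunt: noisy 404 sources on the port, with their user agents and successful hits."""
    records = parse_log(text)
    findings = {}
    for ip in noisy_404_sources(records, port, threshold):
        hits = successful_requests(records, port, ip)
        findings[ip] = {"user_agents": sorted({h[3] for h in hits}), "hits": hits}
    return findings
```

Running `hunt_web_enumeration(SAMPLE_ACCESS_LOG, port=80)` on the constructed log flags only 10.0.0.5 (four 404s on port 80), shows its single user agent, and lists the two 200s on /login.php plus the 301 on /uploads/, with the query string `user=test&debug=1` kept separate from the path so it can be eyeballed on its own. The single 404 on port 443 does not count against the port-80 filter.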
Phishing links
Files downloaded via a web browser
Check for Sysmon Event ID 11 (file creation) events coming from the relevant web browser processes on the relevant machine, and make sure to include the "users" and "file path" columns
Files downloaded via an email client
Same logic as above: query for Event ID 11 while making sure the "process" part of the query matches whatever email client is in use.
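One script covering both the browser and the email-client variant of this hunt, as an added example that is not part of the original notes or of the TryHackMe room. It filters Sysmon Event ID 11 records by host and by the creating process's image name, and returns the user and file path columns the note asks for. The records, the WKSTN-1/WKSTN-2 host names, users and paths are constructed; the browser and mail-client process lists and the "risky extension" flag are assumptions to adapt to what is actually deployed.

```python
import ntpath

# Constructed Sysmon Event ID 11 (FileCreate) records using Sysmon's own field
# names (Image, TargetFilename, User, Computer, UtcTime). Hosts, users and
# paths are made up for the example.
SAMPLE_SYSMON_EVENTS = [
    {"EventID": 11, "Computer": "WKSTN-1", "UtcTime": "2024-01-10 09:12:01", "User": "CORP\\jsmith",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetFilename": "C:\\Users\\jsmith\\Downloads\\invoice.pdf"},
    {"EventID": 11, "Computer": "WKSTN-1", "UtcTime": "2024-01-10 09:13:44", "User": "CORP\\jsmith",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "TargetFilename": "C:\\Users\\jsmith\\Downloads\\update_tool.exe"},
    {"EventID": 11, "Computer": "WKSTN-1", "UtcTime": "2024-01-10 09:20:10", "User": "CORP\\jsmith",
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "TargetFilename": "C:\\Users\\jsmith\\AppData\\Local\\Microsoft\\Windows\\INetCache\\Content.Outlook\\ABCD1234\\report.docm"},
    {"EventID": 11, "Computer": "WKSTN-1", "UtcTime": "2024-01-10 09:21:00", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\Temp\\tmp0001.log"},
    # A non-11 event (process creation) on the same host, to show the EventID filter doing its job.
    {"EventID": 1, "Computer": "WKSTN-1", "UtcTime": "2024-01-10 09:21:05", "User": "CORP\\jsmith",
     "Image": "C:\\Users\\jsmith\\Downloads\\update_tool.exe"},
    {"EventID": 11, "Computer": "WKSTN-2", "UtcTime": "2024-01-10 09:30:00", "User": "CORP\\alice",
     "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "TargetFilename": "C:\\Users\\alice\\Downloads\\notes.txt"},
]

# Process names to pivot on (assumption): extend to whatever browser / mail client is deployed.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
EMAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
# Extensions worth a second look when they arrive through a browser or mail client (assumption).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}


def process_name(image):
    """Image is a full Windows path; compare on the lower-cased base name only."""
    return ntpath.basename(image).lower()


def file_creations(events, host, processes):
    """Sysmon Event ID 11 on `host` where the creating process is one of `processes`.

    Returns the columns the hunt needs: time, user, process and file path, plus
    a flag for extensions that deserve follow-up.
    """
    rows = []
    for ev in events:
        if ev.get("EventID") != 11 or ev.get("Computer") != host:
            continue
        proc = process_name(ev.get("Image", ""))
        if proc not in processes:
            continue
        path = ev.get("TargetFilename", "")
        ext = ntpath.splitext(path)[1].lower()
        rows.append({
            "time": ev["UtcTime"],
            "user": ev["User"],
            "process": proc,
            "file_path": path,
            "risky": ext in RISKY_EXTENSIONS,
        })
    return rows


def browser_downloads(events, host):
    """'Files downloaded via a web browser': Event ID 11 from browser processes."""
    return file_creations(events, host, BROWSERS)


def email_attachments(events, host):
    """'Files downloaded via an email client': same query, different process filter."""
    return file_creations(events, host, EMAIL_CLIENTS)


if __name__ == "__main__":
    for label, rows in (("browser", browser_downloads(SAMPLE_SYSMON_EVENTS, "WKSTN-1")),
                        ("email", email_attachments(SAMPLE_SYSMON_EVENTS, "WKSTN-1"))):
        for r in rows:
            flag = " <-- risky extension" if r["risky"] else ""
            print(f"[{label}] {r['time']} {r['user']} {r['process']} {r['file_path']}{flag}")
```

On the constructed data, WKSTN-1 shows two Chrome downloads (the .exe flagged) and one Outlook attachment (the .docm flagged); the svchost.exe file creation and the Event ID 1 record are dropped by the process and EventID filters respectively. The process filter is the only thing that changes between the browser and email-client variants, which is the point the note makes.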