You are a security analyst at a financial services company. You receive an alert that an employee received a phishing email in their inbox. You review the alert and identify a suspicious domain name contained in the email's body: signin.office365x24.com. You need to determine whether any other employees have received phishing emails containing this domain and whether they have visited the domain. You will use Chronicle to investigate this domain.
Performing a domain search
In the search bar I typed in signin.office365x24.com and clicked search, since this is the suspicious domain name. Then under DOMAINS the suspicious link was listed, and clicking on it tells us the domain exists in the ingested data.
Evaluating the search results
The VT CONTEXT section provides the VirusTotal information available for the domain. The WHOIS section provides a summary of information about the domain from WHOIS, a free, publicly available directory that includes information about registered domain names. The PREVALENCE section provides a graph that outlines how often the domain has been seen historically in the environment; a domain that is rarely seen usually indicates a greater threat than a common one. The RESOLVED IPS section provides additional context about the domain, such as the IP addresses that signin.office365x24.com maps to. This section is helpful in expanding the investigation to see if there is a broader compromise. The SIBLING DOMAINS section provides additional context about whether the domain shares a parent or top-level domain with other domains, which in this case it does: login.office365X24.com. The TIMELINE tab provides information about the events and interactions made with this domain. Clicking on EXPAND ALL reveals details about the HTTP requests made, including GET and POST requests. Finally, the ASSETS tab provides a list of assets that have accessed the domain.
Investigating the threat intelligence data
Chronicle provides quick access to threat intelligence data from the search results. Clicking on VT CONTEXT shows the available VirusTotal information about this domain. This domain (signin.office365x24.com) was flagged as phishing and malicious by several security vendors, and the parent domain office365x24.com was flagged as malware, malicious, phishing and suspicious by security vendors.
Investigate the affected assets and events
Information about the events and assets relating to the domain is separated into two tabs: TIMELINE and ASSETS. TIMELINE shows the events, including when each asset accessed the domain. ASSETS lists the hostnames, IP addresses, MAC addresses, or devices that have accessed the domain. Under the ASSETS tab there are 6 distinct assets that have accessed the domain. Under the TIMELINE tab there are 24 distinct events of assets accessing this domain. Clicking EXPAND ALL on the TIMELINE tab reveals details about the HTTP requests made, including GET and POST requests. The POST requests are especially useful because a POST means data was sent to the domain, which suggests a possible successful phish. A POST alone does not prove that credentials were entered, so the affected asset and its user should be checked to confirm what was submitted.
Attackers sometimes reuse infrastructure for multiple attacks. In these cases, multiple domain names resolve to the same IP address. In this example there are two resolved IPs: 104.215.148.63 and 40.100.174.34. Under the 40.100.174.34 IP address there are additional affected assets (8) and additional domains (2) associated with this IP address. There are also additional POST requests under TIMELINE, suggesting an asset may have been phished.
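The same pivots the write-up performs in the Chronicle UI (find every asset that contacted the domain, flag the POSTs, list sibling domains, then pivot on each resolved IP) can be run over exported proxy logs. The script below is an added example, not Chronicle's code or output; the JSON-lines events are constructed by hand in a simplified UDM-like shape, and the field names (principal_hostname, target_hostname, target_ip, http_method) are assumptions for this example. The parent-domain check uses a naive last-two-labels heuristic; a real tool should consult the Public Suffix List.

```python
import json

# Constructed sample proxy events in JSON-lines form (hypothetical data, not
# Chronicle output). Two resolved IPs, one sibling domain and one mixed-case
# hostname are included so each pivot from the write-up has something to find.
SAMPLE_LOG = """\
{"ts": "2023-05-01T09:12:01Z", "principal_hostname": "ws-fin-01", "target_hostname": "signin.office365x24.com", "target_ip": "104.215.148.63", "http_method": "GET"}
{"ts": "2023-05-01T09:12:05Z", "principal_hostname": "ws-fin-01", "target_hostname": "signin.office365x24.com", "target_ip": "104.215.148.63", "http_method": "POST"}
{"ts": "2023-05-01T09:40:17Z", "principal_hostname": "ws-fin-02", "target_hostname": "signin.office365x24.com", "target_ip": "40.100.174.34", "http_method": "GET"}
{"ts": "2023-05-01T10:02:44Z", "principal_hostname": "ws-hr-07", "target_hostname": "login.office365x24.com", "target_ip": "40.100.174.34", "http_method": "GET"}
{"ts": "2023-05-01T10:02:51Z", "principal_hostname": "ws-hr-07", "target_hostname": "login.office365x24.com", "target_ip": "40.100.174.34", "http_method": "POST"}
{"ts": "2023-05-01T10:15:00Z", "principal_hostname": "ws-ops-03", "target_hostname": "mail.example.com", "target_ip": "203.0.113.10", "http_method": "GET"}
{"ts": "2023-05-01T11:03:29Z", "principal_hostname": "ws-fin-03", "target_hostname": "SIGNIN.office365x24.com", "target_ip": "40.100.174.34", "http_method": "GET"}
"""


def parse_events(log_text):
    """Parse JSON-lines proxy events, normalising hostnames to lower case."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["target_hostname"] = ev["target_hostname"].lower().rstrip(".")
        events.append(ev)
    return events


def registered_domain(hostname):
    """Parent domain used for the sibling check (assumption: last two labels;
    a production tool should use the Public Suffix List instead)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def events_for_domain(events, domain):
    d = domain.lower()
    return [e for e in events if e["target_hostname"] == d]


def assets_for_domain(events, domain):
    """ASSETS tab equivalent: distinct hosts that contacted the domain."""
    return sorted({e["principal_hostname"] for e in events_for_domain(events, domain)})


def post_assets(events, domain):
    """Hosts that sent a POST to the domain, i.e. possibly submitted credentials."""
    return sorted({e["principal_hostname"] for e in events_for_domain(events, domain)
                   if e["http_method"].upper() == "POST"})


def resolved_ips(events, domain):
    """RESOLVED IPS equivalent: server addresses the domain was seen resolving to."""
    return sorted({e["target_ip"] for e in events_for_domain(events, domain)})


def sibling_domains(events, domain):
    """SIBLING DOMAINS equivalent: other hostnames under the same parent domain."""
    parent = registered_domain(domain)
    return sorted({e["target_hostname"] for e in events
                   if registered_domain(e["target_hostname"]) == parent
                   and e["target_hostname"] != domain.lower()})


def pivot_on_ip(events, ip):
    """Infrastructure pivot: every domain and asset that touched the same IP."""
    hits = [e for e in events if e["target_ip"] == ip]
    return {
        "domains": sorted({e["target_hostname"] for e in hits}),
        "assets": sorted({e["principal_hostname"] for e in hits}),
        "post_assets": sorted({e["principal_hostname"] for e in hits
                               if e["http_method"].upper() == "POST"}),
    }


def triage(events, domain):
    """Run the whole investigation for one domain and return a summary dict."""
    hits = events_for_domain(events, domain)
    ips = resolved_ips(events, domain)
    return {
        "event_count": len(hits),
        "assets": assets_for_domain(events, domain),
        "post_assets": post_assets(events, domain),
        "siblings": sibling_domains(events, domain),
        "resolved_ips": ips,
        "ip_pivots": {ip: pivot_on_ip(events, ip) for ip in ips},
    }


if __name__ == "__main__":
    summary = triage(parse_events(SAMPLE_LOG), "signin.office365x24.com")
    print(json.dumps(summary, indent=2))
```

On the constructed data the IP pivot on 40.100.174.34 surfaces ws-hr-07, a host that never visited signin.office365x24.com but POSTed to the sibling login.office365x24.com, which is exactly the kind of additional victim the resolved-IP step is meant to catch.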
*Due to compression issues the pictures may not be clear. Please check out https://docs.google.com/document/d/1nuOs_scqRmzUVWrHb05GOHQlsyj-E0XGn4gzBddZXTE/edit?usp=sharing for the original pictures.*