Agent Foskett Academy • Lesson 89 • Incident Response Timeline
Building an Incident Timeline in Microsoft Defender XDR.
One alert was not the incident.
One device was not the story.
The timeline connected everything.
Agent Foskett put the evidence in order.
Lesson overview
Learn how defenders build a complete incident timeline by correlating identity, email, endpoint, network and file evidence across Microsoft Defender XDR.
Start with the first known event
Correlate email, identity and device telemetry
Order evidence chronologically
Explain the attack from start to finish
Why incident timelines matter
Microsoft Defender XDR investigations become stronger when individual events are placed into a clear sequence that explains what happened, when it happened and why it mattered.
Timelines remove guessworkA timeline helps defenders separate assumptions from evidence by showing the order of identity, email, endpoint, file and network activity.
Chronology shows cause and effectA suspicious sign-in before mailbox activity means something different to a sign-in after a phishing click. Order matters.
A timeline supports responseContainment, remediation and reporting are easier when the investigation can explain the attack path in plain language.
The incident timeline workflow
Agent Foskett builds the investigation timeline by collecting events from multiple Defender XDR tables and ordering them around the incident window.
1. Define the incident windowStart with the first known alert, email, click, process, sign-in or report, then expand the window before and after that event.
2. Identify the affected userDetermine the account involved, including UPN, display name, device names and any related mailbox or identity activity.
3. Identify the affected devicesFind every endpoint connected to the user, alert, IOC or suspicious activity during the investigation window.
4. Collect identity evidenceReview sign-ins, logon activity, risky authentication patterns and unusual access events.
5. Collect email and click evidenceUse email and URL click telemetry to determine whether phishing or BEC activity contributed to the incident.
6. Collect endpoint evidenceReview process, file, registry, persistence and network telemetry from affected devices.
7. Combine the evidenceNormalise key fields and use union to place different event types into one ordered timeline.
8. Write the investigation storyExplain the sequence: initial access, execution, credential use, persistence, lateral movement, impact and containment.
Step 1 — Define the incident window
Start with a practical time range around the first known alert or suspicious event.
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
let IncidentStart = datetime(2026-06-28 01:00:00);
let IncidentEnd = datetime(2026-06-28 06:00:00);
DeviceProcessEvents
| where Timestamp between (IncidentStart .. IncidentEnd)
| project Timestamp,
DeviceName,
AccountUpn,
FileName,
ProcessCommandLine,
InitiatingProcessFileName
| order by Timestamp asc
Step 2 — Build an endpoint activity timeline
Combine process, file and network activity so endpoint behaviour can be reviewed in chronological order.
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
let TargetDevice = "REPLACE_WITH_DEVICE_NAME";
let IncidentStart = ago(24h);
union
(
DeviceProcessEvents
| where DeviceName == TargetDevice and Timestamp > IncidentStart
| project Timestamp, DeviceName, AccountUpn, EventType="Process", Detail=strcat(FileName, " ", ProcessCommandLine)
),
(
DeviceFileEvents
| where DeviceName == TargetDevice and Timestamp > IncidentStart
| project Timestamp, DeviceName, AccountUpn=InitiatingProcessAccountUpn, EventType="File", Detail=strcat(FileName, " ", FolderPath)
),
(
DeviceNetworkEvents
| where DeviceName == TargetDevice and Timestamp > IncidentStart
| project Timestamp, DeviceName, AccountUpn, EventType="Network", Detail=strcat(RemoteUrl, " ", RemoteIP)
)
| order by Timestamp asc
Step 3 — Add identity and logon evidence
Identity activity helps show whether the same account was used before, during or after the endpoint activity.
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
let TargetUser = "user@contoso.com";
let IncidentStart = ago(24h);
union
(
IdentityLogonEvents
| where AccountUpn == TargetUser and Timestamp > IncidentStart
| project Timestamp, AccountUpn, DeviceName, EventType="IdentityLogon", Detail=strcat(ActionType, " from ", IPAddress)
),
(
DeviceLogonEvents
| where AccountUpn == TargetUser and Timestamp > IncidentStart
| project Timestamp, AccountUpn, DeviceName, EventType="DeviceLogon", Detail=strcat(ActionType, " ", LogonType)
)
| order by Timestamp asc
Step 4 — Add email and URL click evidence
If phishing or BEC is suspected, include email delivery and user click activity in the same investigation timeline.
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
let TargetUser = "user@contoso.com";
let IncidentStart = ago(7d);
union
(
EmailEvents
| where RecipientEmailAddress == TargetUser and Timestamp > IncidentStart
| project Timestamp, Account=RecipientEmailAddress, EventType="Email", Detail=strcat(SenderFromAddress, " | ", Subject, " | ", DeliveryAction)
),
(
UrlClickEvents
| where AccountUpn == TargetUser and Timestamp > IncidentStart
| project Timestamp, Account=AccountUpn, EventType="URLClick", Detail=strcat(ActionType, " | ", Url)
)
| order by Timestamp asc
Step 5 — Build the combined incident timeline
Use a common set of projected columns so multiple telemetry sources can be placed into one ordered timeline.
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
let TargetUser = "user@contoso.com";
let TargetDevice = "REPLACE_WITH_DEVICE_NAME";
let IncidentStart = ago(24h);
union
(
DeviceProcessEvents
| where DeviceName == TargetDevice and Timestamp > IncidentStart
| project Timestamp, Source="DeviceProcessEvents", Entity=DeviceName, Account=AccountUpn, Detail=strcat(FileName, " ", ProcessCommandLine)
),
(
DeviceNetworkEvents
| where DeviceName == TargetDevice and Timestamp > IncidentStart
| project Timestamp, Source="DeviceNetworkEvents", Entity=DeviceName, Account=AccountUpn, Detail=strcat(RemoteUrl, " ", RemoteIP)
),
(
DeviceFileEvents
| where DeviceName == TargetDevice and Timestamp > IncidentStart
| project Timestamp, Source="DeviceFileEvents", Entity=DeviceName, Account=InitiatingProcessAccountUpn, Detail=strcat(FileName, " ", FolderPath)
),
(
IdentityLogonEvents
| where AccountUpn == TargetUser and Timestamp > IncidentStart
| project Timestamp, Source="IdentityLogonEvents", Entity=AccountUpn, Account=AccountUpn, Detail=strcat(ActionType, " ", IPAddress)
)
| order by Timestamp asc
Step 6 — Summarise the incident stages
After the detailed timeline is built, summarise key stages so the incident can be explained clearly.
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
let Timeline = DeviceProcessEvents
| where Timestamp > ago(24h)
| project Timestamp, Stage="Execution", DeviceName, AccountUpn, Detail=ProcessCommandLine;
Timeline
| summarize FirstSeen=min(Timestamp),
LastSeen=max(Timestamp),
EventCount=count(),
Devices=make_set(DeviceName),
Accounts=make_set(AccountUpn)
by Stage
| order by FirstSeen asc
How to read timeline evidence
The goal is not only to collect events. The goal is to explain the attack path.
Initial accessIdentify the first event that gave the attacker a foothold, such as a phishing email, risky sign-in, exploit or suspicious download.
ExecutionShow what ran, which parent process launched it, which account was involved and whether command-line evidence supports malicious activity.
Credential useLook for suspicious sign-ins, device logons, credential theft behaviour or account activity that follows the initial compromise.
Persistence and movementIdentify scheduled tasks, registry changes, services, lateral logons and remote connections that show the attacker tried to stay or move.
Real-world investigation
The first alertMicrosoft Defender XDR raised an alert for suspicious PowerShell execution on one workstation at 1:42 AM.
The earlier clueEmailEvents showed the same user received a phishing email thirty minutes before the PowerShell activity.
The clickUrlClickEvents showed the user clicked the link and continued through the warning page.
The endpoint activityDeviceProcessEvents showed PowerShell launching from a browser process and running an encoded command.
The network connectionDeviceNetworkEvents showed the device contacting an unfamiliar external IP immediately after execution.
The identity activityIdentityLogonEvents showed the same account signing in from a new location shortly after the endpoint activity.
The timelineWhen the evidence was placed in order, the investigation showed phishing, execution, outbound communication and suspicious account use.
The conclusionThe incident required device isolation, password reset, session revocation, mailbox review and enterprise-wide incident timelineing.
Investigation checklist
Incident window definedSet a clear start and end time, then expand the range if earlier or later evidence appears.
Entities identifiedConfirm affected users, devices, IP addresses, domains, URLs, hashes and message identifiers.
Evidence normalisedProject common fields such as Timestamp, Source, Entity, Account and Detail to combine different tables.
Events orderedSort evidence chronologically so cause, effect and attacker progression are easier to understand.
Stages labelledMap evidence to investigation stages such as initial access, execution, persistence, lateral movement and impact.
Response documentedRecord containment, remediation and follow-up hunting actions linked to the timeline evidence.
Related Agent Foskett Academy lessons
Building a Device TimelineBuild a device-focused timeline using process, file, network and logon telemetry.
Building an Incident TimelineSearch for indicators across endpoint, email and identity data to determine wider scope.
Investigating Lateral MovementFollow attackers as they move from one system to another using valid accounts and remote access.
Investigating Credential TheftIdentify suspicious credential use and account activity during a compromise.
Investigating Persistence TechniquesInvestigate scheduled tasks, registry changes, services and other methods used to maintain access.
Building a Complete Phishing InvestigationCorrelate email, URL click, endpoint process, network and file evidence into one phishing investigation.
Coming next
Lesson 90 — Investigating a Business Email Compromise (BEC)Next, Agent Foskett investigates a BEC incident by correlating email, sign-in, mailbox, URL click and identity activity across Microsoft Defender XDR.
Why this mattersLesson 89 builds the complete timeline. Lesson 90 applies that timeline mindset to one of the most common and damaging real-world email compromise scenarios.
Final thought
An incident timeline turns scattered telemetry into a defensible investigation story.
Agent Foskett mindsetDo not explain the incident from memory. Explain it from evidence, in order, with each conclusion tied back to Defender XDR telemetry.
The timeline told the storyWhen the events are placed in the right order, the attack path becomes clear enough to explain, contain and remediate.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD
