Agent Foskett • Microsoft Defender XDR • Modern Threat Investigation

Cyber Security Has Moved Beyond Basic Antivirus

Most organisations still judge security by one question:

“Did antivirus detect anything?”

But modern attacks rarely look like obvious malware anymore.

No ransomware popup. No flashing alert. Just quiet sign-ins, trusted sessions, MFA approvals and suspicious cloud activity.

The dashboard looked healthy.

The telemetry already knew something was wrong.

This Agent Foskett investigation explores how defenders use Microsoft Defender XDR, Sentinel, Entra ID and KQL hunting to investigate the signals traditional antivirus often misses.

Agent Foskett investigates why cyber security has moved beyond basic antivirus
Briefing summary

Modern attacks rarely rely on loud malware anymore. Most investigations now revolve around identity abuse, trusted sessions, suspicious cloud activity and quiet telemetry signals hidden inside Microsoft Defender XDR, Sentinel and Entra ID.

🚨 Modern attacks often look completely normal at first.
Modern attackers blend into trusted cloud activity, legitimate sessions and successful sign-ins. The investigation starts where antivirus visibility ends.

Why antivirus alone no longer tells the full story

Traditional antivirus was designed to stop obvious malware. Modern attacks increasingly target identity, cloud access, browser sessions and trusted business workflows instead. The telemetry may contain warning signs long before a high-severity alert appears.
The attacker used legitimate access: modern incidents often involve valid credentials, trusted sessions or successful MFA rather than traditional malware execution.
The dashboard stayed green: many attacks remain low-noise because they operate through approved applications, cloud services and normal business behaviour.
The telemetry already knew: the real clues often appear quietly inside SigninLogs, AuditLogs, EmailEvents and DeviceProcessEvents before major alerts fire.

The visibility gap most organisations already have

Most organisations already own powerful Microsoft security tooling. Defender XDR, Sentinel and Entra ID often contain the telemetry defenders need. The real problem is that nobody is actively investigating the weak signals hidden inside the data.
The tools were already there: many organisations already own Microsoft Defender, Sentinel and Entra licensing but use only a fraction of the visibility available.
The alerts looked quiet: attackers increasingly avoid high-severity detections and instead blend into trusted cloud behaviour and approved access paths.
The investigation never started: the real issue is often not missing tools but a failure to ask the telemetry deeper investigative questions.

First hunt: review unusual sign-ins that did not look malicious

Start with successful sign-ins. Modern attackers often want access that appears normal enough to avoid immediate action. Look for trusted sign-ins that occurred from unusual locations, unfamiliar devices or strange client applications.
successful-signins-with-unusual-context.kql
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "0"                    // successful sign-ins only; ResultType is a string column in SigninLogs
// Keep sign-ins with an unresolved risk signal. "hidden" (no P2 licence) and the resolved
// RiskState values (remediated, dismissed, confirmedSafe) would only add noise.
| where RiskLevelAggregated in ("low", "medium", "high") or RiskState in ("atRisk", "confirmedCompromised")
| extend Browser = tostring(DeviceDetail.browser),          // DeviceDetail is dynamic; pull out the fields you compare by hand
         OS = tostring(DeviceDetail.operatingSystem),
         DeviceTrust = tostring(DeviceDetail.trustType)      // empty for unmanaged devices
| project TimeGenerated,
          UserPrincipalName,
          AppDisplayName,
          IPAddress,
          Location,
          Browser, OS, DeviceTrust,
          ConditionalAccessStatus,
          RiskLevelAggregated, RiskState
| order by TimeGenerated desc
What to review: focus on successful sign-ins where risk, location, device, browser, application or Conditional Access outcome does not match the user's normal behaviour.
Why it matters: a successful sign-in is not automatically safe. It may simply mean the attacker used stolen credentials, a token or an MFA approval effectively.
Best next pivot: pivot into AuditLogs, CloudAppEvents, mailbox activity and device telemetry to understand what happened after access was granted.
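The pivot described above, written out as an added example (not a query from the original page): take each risky successful sign-in and join it to the directory changes the same account made within the following 24 hours, flagging changes made from a different IP than the sign-in. Table and column names are the standard Sentinel SigninLogs and AuditLogs schema; the 7-day lookback and the 24-hour pivot window are assumptions you can tune.

```kql
// Added example, not from the original page: risky sign-in -> what that account changed next.
// Assumptions: Sentinel SigninLogs/AuditLogs schema, 7d lookback, 24h pivot window.
let lookback = 7d;
let pivot_window = 24h;
let risky_signins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"                                   // success only (string column)
    | where RiskLevelAggregated in ("low", "medium", "high")    // excludes "none" and "hidden"
    | project SigninTime = TimeGenerated,
              User = tolower(UserPrincipalName),
              SigninIP = IPAddress,
              AppDisplayName,
              RiskLevelAggregated;
AuditLogs
| where TimeGenerated > ago(lookback)
| extend Actor      = tolower(tostring(InitiatedBy.user.userPrincipalName)),
         ActorIP    = tostring(InitiatedBy.user.ipAddress),
         Target     = tostring(TargetResources[0].displayName),
         TargetType = tostring(TargetResources[0].type)
| where isnotempty(Actor)                                       // drops changes made by apps / service principals
| project AuditTime = TimeGenerated, Actor, ActorIP, OperationName, Result, Target, TargetType
| join kind=inner risky_signins on $left.Actor == $right.User
| where AuditTime between (SigninTime .. (SigninTime + pivot_window))
| extend IPChanged = (ActorIP != SigninIP)                      // change made from a different IP than the sign-in
| project SigninTime, AuditTime, User, SigninIP, ActorIP, IPChanged, RiskLevelAggregated,
          AppDisplayName, OperationName, Result, Target, TargetType
| order by SigninTime desc, AuditTime asc
```

Read the result as a timeline per user: a risky sign-in followed within hours by "Add member to role" or "Consent to application", especially with IPChanged true, is the sequence the cards above describe. A sign-in with no rows joined is not cleared; it only means the account made no directory changes, so the next pivot is mailbox and cloud app activity.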

Modern attacks blend into trusted activity

Antivirus is strongest when something clearly malicious runs on a device. But identity-driven attacks often happen through cloud sessions, OAuth consent, inbox rules, trusted browsers and legitimate applications.
MFA can be present: an MFA prompt does not always prove the real user was behind the session. Attackers can abuse push fatigue, stolen tokens, session cookies and trusted devices.
Email can be the starting point: phishing, spoofing and credential theft often begin in email, but the real incident may unfold later inside identity and cloud telemetry.
Cloud actions tell the story: file downloads, privilege changes, inbox rules, OAuth grants and suspicious application access can reveal what antivirus never saw.

Second hunt: look for suspicious post-sign-in activity

Once a suspicious sign-in is identified, the next question is simple: what did the account do next? AuditLogs can help defenders review account changes, application consent, mailbox behaviour and administrative activity.
post-signin-audit-activity.kql
AuditLogs
| where TimeGenerated > ago(7d)
// "Update user" is noisy on its own; keep it, but read it alongside the role and consent events
| where OperationName has_any ("Add app role assignment", "Consent to application", "Update user", "Add member to role")
| extend Actor      = tostring(InitiatedBy.user.userPrincipalName),   // empty when an app/service principal acted
         ActorIP    = tostring(InitiatedBy.user.ipAddress),
         ActorApp   = tostring(InitiatedBy.app.displayName),
         Target     = tostring(TargetResources[0].displayName),
         TargetType = tostring(TargetResources[0].type)
// To follow one account from the first hunt, add a filter such as: | where Actor =~ "user@example.com"  (placeholder)
| project TimeGenerated, OperationName, Category, Result, Actor, ActorIP, ActorApp, Target, TargetType
| order by TimeGenerated desc
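The AuditLogs hunt above covers consent and role changes but not the inbox rules named under "Cloud actions tell the story". The query below is an added example (not from the original page) that closes that gap: it pulls New-InboxRule and Set-InboxRule operations from the Sentinel OfficeActivity table and keeps only rules that forward, redirect, delete, move or mark mail as read, the parameters attackers use to hide their traffic in a compromised mailbox. The parameter names are the standard Exchange cmdlet parameters; the 7-day lookback is an assumption.

```kql
// Added example, not from the original page: inbox rules that forward, redirect or hide mail.
// Assumptions: Sentinel OfficeActivity table (Exchange workload), 7d lookback.
OfficeActivity
| where TimeGenerated > ago(7d)
| where OfficeWorkload == "Exchange"
| where Operation in ("New-InboxRule", "Set-InboxRule")
| where ResultStatus == "Succeeded"
// Parameters is an array of {Name, Value}; pre-filter on the parameters that move mail out of sight
| extend ParamText = tostring(Parameters)
| where ParamText has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                           "DeleteMessage", "MoveToFolder", "MarkAsRead")
// Collapse the parameter array into one property bag so each rule reads as a single row
| mv-apply p = Parameters on (
      summarize Rule = make_bag(bag_pack(tostring(p.Name), tostring(p.Value)))
  )
| project TimeGenerated, UserId, ClientIP, Operation,
          RuleName      = tostring(Rule.Name),
          ForwardTo     = tostring(Rule.ForwardTo),
          RedirectTo    = tostring(Rule.RedirectTo),
          DeleteMessage = tostring(Rule.DeleteMessage),
          MoveToFolder  = tostring(Rule.MoveToFolder),
          Rule
| order by TimeGenerated desc
```

Rules with an empty or single-character name, a forward to an external address, or DeleteMessage set on mail from a finance or IT sender are the ones to open first; compare the ClientIP with the sign-in IP from the first hunt.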

Third hunt: check email signals that antivirus may never explain

Email remains one of the most common starting points for modern compromise. The important clues are not always attachments or malware. They may be sender alignment, authentication failures, allowed clicks, forwarding rules or user interaction.
email-telemetry-beyond-antivirus.kql
EmailEvents
| where Timestamp > ago(7d)
| where DeliveryAction in ("Delivered", "Junked")        // mail the user could still reach; "Blocked" never landed
| where AuthenticationDetails has_any ("dmarc=fail", "spf=fail", "dkim=fail")   // sender authentication failed...
    or ThreatTypes != ""                                 // ...or a threat was tagged yet the message still arrived
| project Timestamp,
          SenderFromAddress,
          SenderMailFromAddress,     // envelope sender; a mismatch with SenderFromAddress is the alignment clue
          RecipientEmailAddress,
          Subject,
          DeliveryAction,
          DeliveryLocation,          // Inbox vs Junk folder vs Quarantine
          AuthenticationDetails,
          ThreatTypes, NetworkMessageId
| order by Timestamp desc

Fourth hunt: device behaviour that looks like normal administration

Attackers often use tools and commands already trusted inside Windows environments. The challenge is not only detecting malware — it is understanding whether legitimate tools were used in suspicious ways.
living-off-the-land-process-review.kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "mshta.exe")
// has_any matches whole terms, so "download" alone never matches DownloadString; list the real tokens
| where ProcessCommandLine has_any ("-enc", "-encodedcommand", "downloadstring", "downloadfile", "invoke", "iex", "http", "bypass")
| project Timestamp,
          DeviceName,
          AccountName,
          FileName,
          ProcessCommandLine,
          InitiatingProcessFileName,        // an Office app or browser as the parent is the classic living-off-the-land chain
          InitiatingProcessCommandLine
| order by Timestamp desc

What antivirus still does well

This is not an argument against antivirus. Endpoint protection remains important. The problem is assuming antivirus is the whole security strategy when modern compromise often moves through identity, email, cloud and SaaS activity.
It blocks known malware: antivirus and endpoint protection are still essential for known threats, malicious files, exploit behaviour and endpoint-level detections.
It is one control layer: antivirus should sit beside identity protection, Conditional Access, email security, logging, investigation and response processes.
It cannot explain everything: it cannot fully explain every risky sign-in, OAuth approval, inbox rule, cloud download, spoofed email or trusted session.

The Agent Foskett investigator mindset

Modern security is not only about waiting for a tool to shout. It is about asking better questions of the telemetry before weak signals become serious incidents.
Ask what changed: did the device, browser, IP, location, application, MFA behaviour or session pattern suddenly look different?
Correlate weak signals: one weak signal may not prove compromise. Several weak signals together can tell a much stronger story.
Investigate before impact: the goal is to find suspicious behaviour while it is still quiet, not after ransomware, data theft or account takeover is obvious.
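The "ask what changed" and "correlate weak signals" points above, put into one query as an added example (not from the original page). Four weak signals are collected per account over the last 7 days: a risky successful sign-in, a sign-in from a country the user had not signed in from during the prior 30 days, an inbox-rule change, and an OAuth consent. Accounts showing two or more distinct signals surface first. Tables and columns are the standard Sentinel schema; the lookback, baseline period and the threshold of two signals are assumptions.

```kql
// Added example, not from the original page: several weak signals per account beat one loud alert.
// Assumptions: Sentinel SigninLogs/AuditLogs/OfficeActivity schema; 7d lookback, 30d baseline, >= 2 signals.
let lookback = 7d;
let baseline_days = 30d;
let risky_signin =
    SigninLogs
    | where TimeGenerated > ago(lookback) and ResultType == "0"
    | where RiskLevelAggregated in ("low", "medium", "high")
    | project TimeGenerated, User = tolower(UserPrincipalName), Signal = "risky_successful_signin";
// Baseline: the countries each user successfully signed in from before the hunting window
let known_countries =
    SigninLogs
    | where TimeGenerated between (ago(lookback + baseline_days) .. ago(lookback))
    | where ResultType == "0" and isnotempty(Location)
    | summarize Countries = make_set(Location) by User = tolower(UserPrincipalName);
let new_country =
    SigninLogs
    | where TimeGenerated > ago(lookback) and ResultType == "0" and isnotempty(Location)
    | extend User = tolower(UserPrincipalName)
    | join kind=inner known_countries on User             // users with no baseline are skipped, not flagged
    | where not(set_has_element(Countries, Location))
    | project TimeGenerated, User, Signal = "signin_from_new_country";
let inbox_rule =
    OfficeActivity
    | where TimeGenerated > ago(lookback) and OfficeWorkload == "Exchange"
    | where Operation in ("New-InboxRule", "Set-InboxRule")
    | project TimeGenerated, User = tolower(UserId), Signal = "inbox_rule_change";
let oauth_consent =
    AuditLogs
    | where TimeGenerated > ago(lookback) and OperationName == "Consent to application"
    | project TimeGenerated, User = tolower(tostring(InitiatedBy.user.userPrincipalName)), Signal = "oauth_consent";
union risky_signin, new_country, inbox_rule, oauth_consent
| where isnotempty(User)
| summarize Signals   = make_set(Signal),
            Events    = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated) by User
| extend DistinctSignals = array_length(Signals)
| where DistinctSignals >= 2            // one weak signal is noise; several together are a lead
| order by DistinctSignals desc, Events desc
```

Each signal on its own would be dismissed in most environments; the query only asks which accounts collected more than one of them in the same week. Raise the threshold or add signals (for example an "Add member to role" event from the second hunt) once you know the baseline noise in your tenant.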

How GEMXIT approaches modern Microsoft security

At GEMXIT, we help organisations move beyond checkbox security by reviewing how Microsoft Defender XDR, Sentinel, Entra ID, email telemetry and KQL hunting work together in the real environment.
We review visibility: we check whether important identity, endpoint, email, audit and cloud activity is actually being logged and retained.
We build investigation logic: we help turn raw telemetry into practical hunting queries, Sentinel logic, investigation workflows and useful dashboards.
We improve controls: we help harden identity, Defender, Sentinel, Conditional Access, DMARC, admin access and Microsoft security operations processes.
Antivirus can stop malware. Investigation explains what actually happened.
GEMXIT helps organisations review Microsoft Defender XDR, Sentinel, Entra ID, email telemetry, KQL hunting workflows and the quiet signals most teams never investigate.

Final thought

Antivirus still matters.

But modern cyber security is no longer only about blocking malware.

It is about understanding behaviour. Identity. Sessions. Cloud access. Telemetry. Trust relationships.

The dashboard may still look healthy.

The investigation may already say otherwise.

The logs already knew.
At GEMXIT, we help organisations investigate Microsoft Defender XDR, Sentinel, Entra ID, identity signals, email telemetry, cloud activity and real-world security operations workflows.
Agent Foskett mindset: the question is not only “Did antivirus detect anything?”

It is: “What did the telemetry quietly know?”
