Incident Response Workflow: Full Microsoft Defender XDR Investigation.
It started with one phishing email.
Then came the risky sign-in, the PowerShell command, the OAuth consent, the file downloads and the suspicious endpoint activity.
Each alert told part of the story, but none of them explained the incident by themselves.
Agent Foskett was not investigating a single alert. He was reconstructing the complete attack across identity, endpoint, email, cloud, network and Microsoft Defender XDR evidence.

Lesson overview
Bring together every major Microsoft Defender XDR investigation skill: email analysis, identity investigation, endpoint hunting, cloud activity review, network correlation, timeline building and incident reporting.
Why a full XDR investigation matters
The complete Microsoft Defender XDR workflow
Step 1 — Review Defender alerts
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
let TimeFrame = 7d;
AlertInfo
| where Timestamp > ago(TimeFrame)
| project Timestamp,
AlertId,
Title,
Severity,
Category,
ServiceSource,
DetectionSource
| order by Timestamp ascStep 2 — Review email evidence
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 11
- 12
let TimeFrame = 7d;
EmailEvents
| where Timestamp > ago(TimeFrame)
| where DeliveryAction in~ ("Delivered", "Junked", "Blocked", "Quarantined")
| project Timestamp,
SenderFromAddress,
RecipientEmailAddress,
Subject,
DeliveryAction,
ThreatTypes,
NetworkMessageId
| order by Timestamp descStep 3 — Review identity activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
let TimeFrame = 7d;
IdentityLogonEvents
| where Timestamp > ago(TimeFrame)
| project Timestamp,
AccountUpn,
ActionType,
IPAddress,
Location,
DeviceName,
FailureReason
| order by Timestamp ascStep 4 — Review endpoint execution
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
let TimeFrame = 7d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ ("powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe")
| project Timestamp,
DeviceName,
AccountName,
FileName,
ProcessCommandLine,
InitiatingProcessFileName
| order by Timestamp ascStep 5 — Review cloud activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
let TimeFrame = 7d;
CloudAppEvents
| where Timestamp > ago(TimeFrame)
| project Timestamp,
AccountDisplayName,
Application,
ActionType,
IPAddress,
DeviceType,
ObjectName
| order by Timestamp ascStep 6 — Build the complete timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
let TimeFrame = 7d;
let Alerts = AlertInfo
| where Timestamp > ago(TimeFrame)
| project Timestamp, EvidenceType = "Alert", Entity = Title, Detail = Severity;
let Identity = IdentityLogonEvents
| where Timestamp > ago(TimeFrame)
| project Timestamp, EvidenceType = "Identity", Entity = AccountUpn, Detail = strcat(ActionType, " from ", IPAddress);
let Endpoint = DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| project Timestamp, EvidenceType = "Endpoint", Entity = DeviceName, Detail = strcat(FileName, " ", ProcessCommandLine);
union Alerts, Identity, Endpoint
| order by Timestamp ascEvidence to correlate
Investigation checklist
Related Agent Foskett Academy lessons
Final thought
Full Microsoft Defender XDR investigation workflow
Agent Foskett Academy Lesson 120 teaches defenders how to conduct a complete Microsoft Defender XDR investigation across email, identity, endpoint, cloud, network and alert telemetry.
Microsoft Defender XDR incident response tutorial
This lesson explains how to correlate EmailEvents, IdentityLogonEvents, DeviceProcessEvents, CloudAppEvents, AlertInfo and AlertEvidence to reconstruct an attack timeline and determine blast radius.
End-to-end Microsoft security investigation with KQL
Learn how to investigate initial compromise, attacker activity, persistence, data exposure, containment and recovery using KQL and Microsoft Defender XDR evidence.
