Agent Foskett Academy • Lesson 120 • Incident Response Workflow Series

Incident Response Workflow: Full Microsoft Defender XDR Investigation.

It started with one phishing email.

Then came the risky sign-in, the PowerShell command, the OAuth consent, the file downloads and the suspicious endpoint activity.

Each alert told part of the story, but none of them explained the incident by themselves.

Agent Foskett was not investigating a single alert. He was reconstructing the complete attack across identity, endpoint, email, cloud, network and Microsoft Defender XDR evidence.

Agent Foskett Academy full Microsoft Defender XDR investigation workflow
Lesson overview

Bring together every major Microsoft Defender XDR investigation skill: email analysis, identity investigation, endpoint hunting, cloud activity review, network correlation, timeline building and incident reporting.

Correlate evidence across Defender XDR
Build an end-to-end attack timeline
Determine blast radius and containment
Document the final investigation

Why a full XDR investigation matters

A major incident rarely lives inside one table. The analyst must connect email, identity, endpoint, cloud, network and alert evidence into one defensible story.
One alert is not the incidentA Defender alert may identify the first clue, but the investigation must validate what happened before, during and after that alert.
Correlation creates confidenceWhen identity, endpoint, email and cloud evidence agree, defenders can move from suspicion to a clear incident narrative.
The timeline tells the storyA complete timeline helps identify initial access, attacker actions, impact, containment and recovery priorities.

The complete Microsoft Defender XDR workflow

Lesson 120 brings the previous Academy lessons together into one structured investigation process.
1. Start with the incidentReview the Defender incident, affected users, devices, alert names, severity, first seen time and current status.
2. Investigate emailCheck whether phishing, malicious URLs, attachments or suspicious senders were part of the initial compromise.
3. Investigate identityReview sign-ins, risky access, MFA, locations, token activity, Conditional Access and privilege changes.
4. Investigate endpointAnalyse process, file, registry and network events to detect execution, persistence, malware and lateral movement.
5. Investigate cloud activityReview Exchange, SharePoint, OneDrive, Teams and cloud app events for access, downloads, sharing and attacker actions.
6. Build the final timelineCombine all evidence into a chronological investigation that explains what happened and what must be contained.

Step 1 — Review Defender alerts

Start with the alert set so you understand what Microsoft Defender XDR has already detected.
step-1-review-defender-alerts.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
let TimeFrame = 7d;
AlertInfo
| where Timestamp > ago(TimeFrame)
| project Timestamp,
          AlertId,
          Title,
          Severity,
          Category,
          ServiceSource,
          DetectionSource
| order by Timestamp asc

Step 2 — Review email evidence

Check whether suspicious email delivery, phishing indicators or message identifiers connect to the incident.
step-2-email-evidence.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 11
  14. 12
let TimeFrame = 7d;
EmailEvents
| where Timestamp > ago(TimeFrame)
| where DeliveryAction in~ ("Delivered", "Junked", "Blocked", "Quarantined")
| project Timestamp,
          SenderFromAddress,
          RecipientEmailAddress,
          Subject,
          DeliveryAction,
          ThreatTypes,
          NetworkMessageId
| order by Timestamp desc

Step 3 — Review identity activity

Identity telemetry helps identify suspicious sign-ins, unusual locations, failed attempts and attacker authentication patterns.
step-3-identity-evidence.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
let TimeFrame = 7d;
IdentityLogonEvents
| where Timestamp > ago(TimeFrame)
| project Timestamp,
          AccountUpn,
          ActionType,
          IPAddress,
          Location,
          DeviceName,
          FailureReason
| order by Timestamp asc

Step 4 — Review endpoint execution

Endpoint process telemetry helps identify malicious execution, LOLBins, PowerShell abuse and suspicious parent-child relationships.
step-4-endpoint-evidence.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
let TimeFrame = 7d;
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where FileName in~ ("powershell.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe")
| project Timestamp,
          DeviceName,
          AccountName,
          FileName,
          ProcessCommandLine,
          InitiatingProcessFileName
| order by Timestamp asc

Step 5 — Review cloud activity

Cloud activity can reveal mailbox access, file downloads, SharePoint activity, Teams activity and data exposure.
step-5-cloud-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
let TimeFrame = 7d;
CloudAppEvents
| where Timestamp > ago(TimeFrame)
| project Timestamp,
          AccountDisplayName,
          Application,
          ActionType,
          IPAddress,
          DeviceType,
          ObjectName
| order by Timestamp asc

Step 6 — Build the complete timeline

The final timeline brings different evidence types together so the analyst can explain the incident from first signal to final containment.
step-6-build-complete-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
let TimeFrame = 7d;
let Alerts = AlertInfo
    | where Timestamp > ago(TimeFrame)
    | project Timestamp, EvidenceType = "Alert", Entity = Title, Detail = Severity;
let Identity = IdentityLogonEvents
    | where Timestamp > ago(TimeFrame)
    | project Timestamp, EvidenceType = "Identity", Entity = AccountUpn, Detail = strcat(ActionType, " from ", IPAddress);
let Endpoint = DeviceProcessEvents
    | where Timestamp > ago(TimeFrame)
    | project Timestamp, EvidenceType = "Endpoint", Entity = DeviceName, Detail = strcat(FileName, " ", ProcessCommandLine);
union Alerts, Identity, Endpoint
| order by Timestamp asc

Evidence to correlate

A full Microsoft Defender XDR investigation should test each evidence stream before deciding the incident scope.
Email evidenceSender, recipients, subjects, delivery status, attachments, URLs, clicks and NetworkMessageId values.
Identity evidenceSign-ins, locations, MFA behaviour, risky access, Conditional Access, privilege changes and account activity.
Endpoint evidenceProcess trees, command lines, file writes, registry changes, persistence, network connections and device alerts.
Cloud evidenceExchange, SharePoint, OneDrive, Teams, app activity, external sharing, downloads and suspicious cloud access.
Network evidenceRemote IPs, domains, command-and-control traffic, lateral movement and unusual outbound connections.
Alert evidenceAlertInfo and AlertEvidence entities that connect users, devices, IP addresses, files and processes.

Investigation checklist

Use this checklist before closing a full Microsoft Defender XDR investigation.
Identify initial compromiseDetermine whether the incident began with phishing, stolen credentials, malware, OAuth consent or another entry point.
Determine patient zeroFind the first user, device, mailbox or application involved in the attack.
Measure blast radiusIdentify affected users, devices, mailboxes, files, cloud resources, applications and privileged accounts.
Contain the threatDisable accounts, isolate devices, revoke tokens, remove persistence, block indicators and preserve evidence.
Validate recoveryConfirm malicious activity has stopped and that affected users, devices and services have been restored safely.
Document the incidentProduce a final timeline, evidence summary, impact statement, containment actions and lessons learned.

Related Agent Foskett Academy lessons

Lesson 120 ties together the skills from the full Academy and the Incident Response Workflow series.
Phishing InvestigationStart with email delivery, user interaction, Safe Links and initial access evidence.
Compromised User AccountInvestigate account takeover, suspicious authentication and post-compromise activity.
Malware InfectionReview endpoint process, file and network telemetry for malicious execution.
Data ExfiltrationDetermine whether sensitive files were accessed, downloaded, shared or transferred externally.
Cloud Identity AttackInvestigate privilege escalation, Conditional Access changes and cloud identity compromise.
Building Reusable Hunting QueriesTurn investigation logic into reusable KQL workflows for repeatable response.

Final thought

A complete investigation is not about running one perfect query. It is about asking the right questions in the right order.
Agent Foskett mindsetTurn raw telemetry into evidence, evidence into a timeline and the timeline into a clear understanding of what happened.
Incident Response Workflow SeriesLesson 120 completes the workflow block by combining email, identity, endpoint, cloud and network evidence into one investigation.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Full Microsoft Defender XDR investigation workflow

Agent Foskett Academy Lesson 120 teaches defenders how to conduct a complete Microsoft Defender XDR investigation across email, identity, endpoint, cloud, network and alert telemetry.

Microsoft Defender XDR incident response tutorial

This lesson explains how to correlate EmailEvents, IdentityLogonEvents, DeviceProcessEvents, CloudAppEvents, AlertInfo and AlertEvidence to reconstruct an attack timeline and determine blast radius.

End-to-end Microsoft security investigation with KQL

Learn how to investigate initial compromise, attacker activity, persistence, data exposure, containment and recovery using KQL and Microsoft Defender XDR evidence.