Incident Response Workflow: Compromised User Account.
The phishing email had been traced.
The Business Email Compromise had been contained.
But one question remained: what else did the attacker do while they had access?
Agent Foskett was no longer trying to prove the account was compromised. Microsoft Defender XDR had already given him enough evidence for that. Now he needed to reconstruct the attacker timeline, identify persistence, determine blast radius and make sure the account could be safely recovered.
Lesson overview
Learn how to investigate a compromised user account by correlating Microsoft Defender XDR identity, cloud, endpoint and alert telemetry into a clear incident response workflow.
Why compromised user account investigations matter
The compromised account response workflow
Step 1 — Review sign-in activity for the account
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
let TimeFrame = 14d;
let UserToInvestigate = "user@contoso.com";
IdentityLogonEvents
| where Timestamp > ago(TimeFrame)
| where AccountUpn =~ UserToInvestigate
| project Timestamp,
AccountUpn,
ActionType,
IPAddress,
Location,
DeviceName,
FailureReason
| order by Timestamp ascStep 2 — Summarise IP addresses, locations and devices
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
let TimeFrame = 14d;
let UserToInvestigate = "user@contoso.com";
IdentityLogonEvents
| where Timestamp > ago(TimeFrame)
| where AccountUpn =~ UserToInvestigate
| summarize SignInCount = count(),
IPAddresses = make_set(IPAddress, 50),
Locations = make_set(Location, 20),
Devices = make_set(DeviceName, 20),
FirstSeen = min(Timestamp),
LastSeen = max(Timestamp)
by AccountUpnStep 3 — Review Microsoft 365 cloud activity
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
let TimeFrame = 14d;
let UserToInvestigate = "user@contoso.com";
CloudAppEvents
| where Timestamp > ago(TimeFrame)
| where AccountDisplayName =~ UserToInvestigate
or AccountId =~ UserToInvestigate
| project Timestamp,
AccountDisplayName,
Application,
ActionType,
ObjectName,
IPAddress,
DeviceType,
UserAgent
| order by Timestamp ascStep 4 — Correlate related Defender alerts
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
let TimeFrame = 14d;
let UserToInvestigate = "user@contoso.com";
AlertEvidence
| where Timestamp > ago(TimeFrame)
| where AccountName =~ UserToInvestigate
or AccountUpn =~ UserToInvestigate
| project Timestamp,
AlertId,
EntityType,
EvidenceRole,
AccountName,
DeviceName,
RemoteIP,
FileName,
ProcessCommandLine
| order by Timestamp ascStep 5 — Review endpoint process activity by the account
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
let TimeFrame = 14d;
let UserToInvestigate = "user@contoso.com";
DeviceProcessEvents
| where Timestamp > ago(TimeFrame)
| where AccountUpn =~ UserToInvestigate
or AccountName =~ UserToInvestigate
| project Timestamp,
DeviceName,
AccountName,
FileName,
ProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessCommandLine
| order by Timestamp ascStep 6 — Build a combined account investigation timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
let TimeFrame = 14d;
let UserToInvestigate = "user@contoso.com";
let SignIns =
IdentityLogonEvents
| where Timestamp > ago(TimeFrame)
| where AccountUpn =~ UserToInvestigate
| project Timestamp, Source="IdentityLogonEvents", Action=ActionType, Detail=strcat(IPAddress, " ", Location), DeviceName;
let CloudActivity =
CloudAppEvents
| where Timestamp > ago(TimeFrame)
| where AccountDisplayName =~ UserToInvestigate or AccountId =~ UserToInvestigate
| project Timestamp, Source="CloudAppEvents", Action=ActionType, Detail=ObjectName, DeviceName="";
union SignIns, CloudActivity
| order by Timestamp ascCompromised account investigation clues
Containment and recovery checklist
Related Agent Foskett Academy lessons
Coming next
Final thought
Incident Response Workflow Compromised User Account in Microsoft Defender XDR
Agent Foskett Academy Lesson 113 teaches defenders how to investigate compromised user accounts using Microsoft Defender XDR, Microsoft Entra ID, CloudAppEvents, IdentityLogonEvents, AlertEvidence and practical KQL workflows.
Learn compromised account incident response with KQL and Microsoft Defender XDR
Compromised account investigations help Microsoft security analysts validate suspicious sign-ins, reconstruct attacker timelines, review cloud activity, identify persistence, determine blast radius and contain identity compromise.
Microsoft Entra ID compromised user account investigation tutorial
This lesson explains how to investigate user account compromise, risky sign-ins, stolen credentials, suspicious authentication, cloud activity, endpoint execution and post-compromise behaviour using Microsoft security telemetry.
