Agent Foskett Academy • Lesson 49 • Investigating BehaviorEntities

Investigating BehaviorEntities: The User Wasn't Suspicious. The Behaviour Was.

The account belonged to a trusted employee.

The sign-ins looked normal.

No malware was detected.

No critical alerts fired.

Yet something did not look right.

The behaviour had changed.

BehaviorEntities revealed the pattern.

Agent Foskett Academy lesson explaining BehaviorEntities in Microsoft Defender XDR
Lesson overview

Learn how IdentityInfo helps defenders understand who an account belongs to, what access it has and how much risk it represents.

Investigate behavioural analytics
Identify unusual user activity
Detect hidden attack patterns
Build identity investigation context

Why BehaviorEntities matters

Attackers often use real accounts, real sessions and real cloud services. BehaviorEntities helps defenders look beyond single events and focus on behaviour that has changed.
Attackers often look legitimateCompromised users may pass MFA, use normal applications and avoid obvious malware. Behaviour can reveal what individual alerts miss.
Behaviour creates contextOne login may be normal. Repeated unusual activity, unfamiliar access patterns and changed behaviour may tell a different story.
Patterns reveal compromiseBehaviour analytics helps defenders identify risky activity that may not look suspicious when viewed in isolation.

Investigation scenario

The user was trusted. The account was active. The sign-ins looked normal. But the behaviour had changed.
The user was not generating alertsNo malware detections, no obvious phishing alerts and no endpoint incidents were connected to the account.
The activity started changingThe user began accessing resources they rarely used, downloads increased and cloud activity became unusual.
Behaviour became the indicatorDefenders turned to BehaviorEntities to understand whether the activity was normal for the user or a sign of compromise.

Step 1 — Review recent behaviour entities

Start with recent behaviour records and review the entity type, risk level and investigation priority.
behaviorentities-recent-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
BehaviorEntities
| where Timestamp > ago(7d)
| project Timestamp, EntityType, AccountName, RiskLevel,
          InvestigationPriority
| order by Timestamp desc

Step 2 — Investigate high-risk behaviour

High-risk behaviour deserves closer review, especially when the account is privileged, externally exposed or connected to sensitive data.
behaviorentities-high-risk.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
BehaviorEntities
| where Timestamp > ago(30d)
| where RiskLevel == "High"
| project Timestamp, EntityType, AccountName, RiskLevel, InvestigationPriority
| order by InvestigationPriority desc

Step 3 — Review one user

When an account becomes interesting, focus on that user and review behaviour chronologically.
behaviorentities-one-user.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
let TargetUser = "user@company.com";
BehaviorEntities
| where Timestamp > ago(30d)
| where AccountName == TargetUser
| project Timestamp, EntityType, AccountName, RiskLevel, InvestigationPriority
| order by Timestamp asc

Step 4 — Identify risky behaviour changes

Investigation priority can help defenders focus on behaviour that deserves attention before reviewing every single event manually.
behaviorentities-investigation-priority.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
BehaviorEntities
| where Timestamp > ago(14d)
| where InvestigationPriority > 70
| project Timestamp, AccountName, EntityType, RiskLevel, InvestigationPriority
| order by InvestigationPriority desc

Step 5 — Build the behaviour timeline

Behaviour becomes meaningful when defenders place it in order and ask what changed, when it changed and what happened next.
behaviorentities-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
let TargetUser = "user@company.com";
BehaviorEntities
| where AccountName == TargetUser
| project Timestamp, EntityType, RiskLevel, InvestigationPriority
| order by Timestamp asc

Step 6 — Pivot from behaviour to investigation evidence

Behaviour should not be investigated in isolation. Use it as a signal, then pivot into identity, cloud, email and endpoint telemetry.
behaviorentities-pivot-user-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
let RiskyUsers = BehaviorEntities
| where Timestamp > ago(14d)
| where InvestigationPriority > 70
| distinct AccountName;
CloudAppEvents
| where Timestamp > ago(14d)
| where AccountDisplayName in (RiskyUsers)
| project Timestamp, AccountDisplayName, Application, ActionType, IPAddress

Example behaviour story

A behaviour investigation often starts quietly. The evidence becomes clearer only when the pattern is placed into a timeline.
9:02 AM — Normal sign-inThe account authenticated successfully and no obvious alert was generated.
9:16 AM — Unusual cloud activityThe account accessed resources it rarely used before.
9:22 AM — Download pattern changedFile activity increased across cloud services.
9:31 AM — Risk level increasedBehaviour analytics began marking the account as more suspicious.
9:44 AM — Investigation priority roseThe behaviour became important enough to justify deeper investigation.
9:50 AM — Defender pivot beginsAnalysts pivoted into CloudAppEvents, IdentityLogonEvents and AlertEvidence.

Common investigation uses

BehaviorEntities is useful when defenders need to identify risk based on activity patterns rather than single alerts.
Insider risk investigationsIdentify unusual access, changed download behaviour or activity that does not match the user's normal role.
Compromised accountsDetect activity that looks authenticated but does not look normal for the account.
Risk-based huntingPrioritise users and entities showing elevated behaviour risk before deeper manual investigation.

Common mistakes

Behaviour investigations can go wrong when defenders look only for malware, alerts or obvious failures.
Looking for malware onlyNot every attack deploys malware. Some attacks use real accounts, consented access and cloud applications.
Ignoring behaviourUser activity often changes before defenders see a traditional high-confidence alert.
Investigating single eventsBehaviour becomes meaningful when viewed as a pattern over time.
BehaviorEntities helps defenders see what changed.
Use it to move from isolated events to patterns, risk and investigation priority.
Back to Academy →

What you learned

Behaviour creates contextActivity patterns often explain why a normal-looking account deserves investigation.
Risk indicators matterHigh risk levels and investigation priority values help defenders focus their effort.
Patterns reveal compromiseBehaviour analytics can uncover attacks hidden inside normal-looking authentication and cloud activity.

Related Agent Foskett Academy lessons

Investigating IdentityInfoUnderstand the user, role, permissions and identity context behind the behaviour.
Investigating SecurityIncidentConnect behavioural findings to incident-level investigations.
Investigating IdentityLogonEventsReview sign-in activity connected to risky behaviour.
Investigating CloudAppEventsInvestigate cloud activity after behaviour changes are identified.
Investigating AlertInfoReview alert metadata connected to behavioural detections.
Investigating AlertEvidenceConnect behaviour to users, devices, files, URLs and IP addresses.
Building Investigation TimelinesTurn behaviour changes into a chronological investigation story.
Connecting Tables with joinJoin behaviour signals to identity, cloud and endpoint evidence.

Coming next

Lesson 50 — The Timeline Told The StoryNext, Agent Foskett Academy reaches its capstone investigation: one attacker, one timeline and multiple Microsoft Defender XDR tables working together.
Why this mattersAfter learning the tables, defenders need to combine the evidence into one clear investigation workflow.
What you will learn nextUse identity, email, cloud, endpoint and alert evidence to reconstruct a complete Defender XDR investigation.

Final thought

The account looked normal.
Agent Foskett mindsetThe important question is not whether the user triggered an alert. The important question is whether the user's behaviour changed.
Follow the patternBehaviorEntities helps defenders investigate what changed before the attack becomes obvious.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating BehaviorEntities in Microsoft Defender XDR

Agent Foskett Academy Lesson 49 teaches defenders how to use BehaviorEntities to investigate behavioural analytics, unusual activity, risk indicators, investigation priority and suspicious patterns in Microsoft Defender XDR.

Learn BehaviorEntities for Microsoft Defender XDR hunting

This lesson explains how BehaviorEntities supports Microsoft Defender XDR investigations by helping defenders review risky behaviour, identify changed user activity and pivot into identity, cloud and alert evidence.