Agent Foskett Academy • Lesson 50 • Capstone Investigation

The Timeline Told The Story.

The phishing email was only the beginning.

The attacker gained access.

Cloud activity followed.

Files were accessed.

Multiple alerts fired.

Individually, none of the evidence told the full story.

The timeline did.

Agent Foskett Academy capstone lesson explaining complete Microsoft Defender XDR investigation timelines
Lesson overview

Learn how IdentityInfo helps defenders understand who an account belongs to, what access it has and how much risk it represents.

Combine multiple evidence tables
Build a complete attack timeline
Turn alerts into a story
Build identity investigation context

Why this lesson is different

Lesson 50 is the Agent Foskett Academy capstone. Instead of learning one table, defenders combine multiple Microsoft Defender XDR tables into one complete investigation.
One table rarely tells the full storyEmail, identity, cloud, endpoint, alert and incident evidence each explain one part of the attack.
The timeline connects the evidenceWhen events are placed in order, the attacker path becomes easier to understand, explain and respond to.
This is how investigations workReal Defender XDR investigations require pivots, context and a clear story from initial access through to response.

Investigation scenario

A phishing email arrived. The user clicked. Authentication followed. Cloud activity changed. Alerts fired. The evidence was scattered across multiple tables.
The user clicked a phishing emailThe message looked legitimate enough to pass the user's first test. The link became the starting point.
The attacker obtained accessMinutes later, authentication activity appeared. The sign-in looked successful and the session continued.
The cloud activity changedFiles were accessed, mail activity changed and cloud application events began telling the next part of the story.

Evidence tables used in this investigation

The capstone investigation brings together the tables covered throughout the Academy.
EmailEventsFind the suspicious message and understand sender, recipient, subject and delivery context.
UrlClickEventsConfirm whether the user clicked the link and when that activity occurred.
IdentityLogonEventsReview authentication activity after the click and identify suspicious access patterns.
CloudAppEventsInvestigate what happened inside Microsoft 365 and connected cloud applications after access was gained.
AlertInfo and AlertEvidenceUnderstand which alerts fired and which users, devices, files, URLs and IP addresses were involved.
SecurityIncidentReview the correlated incident and use it to guide the complete investigation story.

Step 1 — Find the email

Start with the message. Identify the suspicious email, sender, recipient, subject and time of delivery.
timeline-step-1-find-email.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
EmailEvents
| where Timestamp > ago(7d)
| where Subject has "Invoice"
| project Timestamp, SenderFromAddress, RecipientEmailAddress,
          Subject, DeliveryAction, NetworkMessageId
| order by Timestamp asc
Timeline entry: 8:01 AM — Phishing email delivered.

Step 2 — Investigate URL click activity

Move from the message to the click. Determine whether the user interacted with the link.
timeline-step-2-url-click.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
UrlClickEvents
| where Timestamp > ago(7d)
| project Timestamp, AccountUpn, Url, ActionType, NetworkMessageId
| order by Timestamp asc
Timeline entry: 8:03 AM — User clicks phishing link.

Step 3 — Review authentication activity

After a click, investigate sign-in activity for the same user. Look for successful authentication, unusual IP addresses or changed access patterns.
timeline-step-3-authentication.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
IdentityLogonEvents
| where Timestamp > ago(7d)
| project Timestamp, AccountUpn, ActionType, IPAddress, Application
| order by Timestamp asc
Timeline entry: 8:05 AM — Successful authentication observed.

Step 4 — Review cloud activity

Authentication is not the end of the story. Cloud activity explains what happened after access was gained.
timeline-step-4-cloud-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
CloudAppEvents
| where Timestamp > ago(7d)
| project Timestamp, AccountDisplayName, Application, ActionType, IPAddress
| order by Timestamp asc
Timeline entry: 8:07 AM — Cloud activity begins.

Step 5 — Review alerts

Alerts explain which detections fired as the attack progressed. They are clues, not the entire investigation.
timeline-step-5-alerts.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
AlertInfo
| where Timestamp > ago(7d)
| project Timestamp, AlertId, Title, Severity, Category
| order by Timestamp asc
Timeline entry: 8:12 AM — Defender raises alerts.

Step 6 — Review alert evidence

AlertEvidence connects the alert to the actual entities involved in the investigation.
timeline-step-6-alert-evidence.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
AlertEvidence
| where Timestamp > ago(7d)
| project Timestamp, AlertId, EntityType, EvidenceRole, AccountName, DeviceName
| order by Timestamp asc
Timeline entry: 8:13 AM — Evidence linked to alerts.

Step 7 — Review the incident

SecurityIncident brings related alerts and evidence together so defenders can understand the attack as one investigation.
timeline-step-7-security-incident.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
SecurityIncident
| where Timestamp > ago(7d)
| project Timestamp, IncidentNumber, Title, Severity, Status
| order by Timestamp asc
Timeline entry: 8:14 AM — Incident created.

Building the full story

Viewed separately, the events are interesting. Viewed together, they become the attack.
8:01 AM — Email deliveredEmailEvents showed the suspicious message entering the environment.
8:03 AM — Link clickedUrlClickEvents showed the user interacting with the phishing URL.
8:05 AM — AuthenticationIdentityLogonEvents showed successful access after the click.
8:07 AM — Cloud activityCloudAppEvents showed activity inside Microsoft 365 after access was gained.
8:12 AM — Alerts generatedAlertInfo showed detections firing as the attack progressed.
8:14 AM — Incident createdSecurityIncident connected the events into one investigation.

Common investigation uses

This workflow helps defenders move from individual telemetry records to a complete incident narrative.
Phishing investigationsConnect email delivery, URL clicks, authentication activity and post-click cloud activity.
Business email compromiseFollow account access, mailbox behaviour, cloud application activity and alert evidence.
Incident reportingExplain what happened in plain language using a timeline that leadership and technical teams can follow.

Common mistakes

Timeline investigations fail when defenders stop too early or treat every table as a separate story.
Stopping at the first alertThe first alert may not be the first event. Always work backward and forward from the detection.
Ignoring what happened after accessAuthentication matters, but post-authentication cloud and endpoint activity often explains impact.
Keeping evidence in silosEmail, identity, cloud and alert evidence become stronger when connected into one timeline.
The timeline turns scattered evidence into an investigation.
Use it to explain what happened, when it happened and why it matters.
Back to Academy →

What you learned

Investigations require contextOne table rarely tells the full story. Context comes from connecting evidence.
Timelines expose attacker behaviourEvents become meaningful when defenders place them in the order they occurred.
Multiple tables create one investigationDefender XDR becomes powerful when email, identity, cloud, alert and incident telemetry work together.

Related Agent Foskett Academy lessons

Investigating EmailEventsStart with the suspicious message and understand the email evidence.
Investigating UrlClickEventsConfirm whether the user clicked a suspicious URL.
Investigating IdentityLogonEventsReview authentication activity after the click.
Investigating CloudAppEventsInvestigate cloud activity after access was gained.
Investigating AlertInfoReview alert metadata connected to the investigation.
Investigating AlertEvidenceConnect alerts to users, devices, files, URLs and IP addresses.
Investigating SecurityIncidentReview the correlated incident that brings the attack together.
Building Investigation TimelinesLearn the foundation of chronological Defender XDR investigations.

Coming next

More Agent Foskett Academy lessons are comingThe Academy will continue expanding into practical Defender XDR, Microsoft Sentinel, identity, cloud and endpoint investigations.
Where the path goes nextFuture lessons can move into complete case files, incident response workflows, query packs and Microsoft Sentinel hunting scenarios.
What Lesson 50 provesAfter learning the tables, defenders are ready to combine the evidence and explain what really happened.

Final thought

The logs already knew.
Agent Foskett mindsetThe important question is not which alert fired first. The important question is what really happened.
Follow the timelineThe evidence may be scattered, but the timeline can still tell the story.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

The Timeline Told The Story

Agent Foskett Academy Lesson 50 teaches defenders how to combine Microsoft Defender XDR evidence from EmailEvents, UrlClickEvents, IdentityLogonEvents, CloudAppEvents, AlertInfo, AlertEvidence and SecurityIncident into a complete attack timeline.

Learn complete Defender XDR investigation timelines

This capstone lesson explains how defenders move beyond single tables and reconstruct what really happened by connecting email, identity, cloud, alert and incident telemetry.