Why this lesson is different
Lesson 50 is the Agent Foskett Academy capstone. Instead of learning one table, defenders combine multiple Microsoft Defender XDR tables into one complete investigation.
One table rarely tells the full storyEmail, identity, cloud, endpoint, alert and incident evidence each explain one part of the attack.
The timeline connects the evidenceWhen events are placed in order, the attacker path becomes easier to understand, explain and respond to.
This is how investigations workReal Defender XDR investigations require pivots, context and a clear story from initial access through to response.
Investigation scenario
A phishing email arrived. The user clicked. Authentication followed. Cloud activity changed. Alerts fired. The evidence was scattered across multiple tables.
The user clicked a phishing emailThe message looked legitimate enough to pass the user's first test. The link became the starting point.
The attacker obtained accessMinutes later, authentication activity appeared. The sign-in looked successful and the session continued.
The cloud activity changedFiles were accessed, mail activity changed and cloud application events began telling the next part of the story.
Evidence tables used in this investigation
The capstone investigation brings together the tables covered throughout the Academy.
EmailEventsFind the suspicious message and understand sender, recipient, subject and delivery context.
UrlClickEventsConfirm whether the user clicked the link and when that activity occurred.
IdentityLogonEventsReview authentication activity after the click and identify suspicious access patterns.
CloudAppEventsInvestigate what happened inside Microsoft 365 and connected cloud applications after access was gained.
AlertInfo and AlertEvidenceUnderstand which alerts fired and which users, devices, files, URLs and IP addresses were involved.
SecurityIncidentReview the correlated incident and use it to guide the complete investigation story.
Step 1 — Find the email
Start with the message. Identify the suspicious email, sender, recipient, subject and time of delivery.
timeline-step-1-find-email.kql
- 1
- 2
- 3
- 4
- 5
- 6
- 7
EmailEvents
| where Timestamp > ago(7d)
| where Subject has "Invoice"
| project Timestamp, SenderFromAddress, RecipientEmailAddress,
Subject, DeliveryAction, NetworkMessageId
| order by Timestamp asc
Timeline entry: 8:01 AM — Phishing email delivered.
Step 2 — Investigate URL click activity
Move from the message to the click. Determine whether the user interacted with the link.
timeline-step-2-url-click.kql
- 1
- 2
- 3
- 4
- 5
- 6
UrlClickEvents
| where Timestamp > ago(7d)
| project Timestamp, AccountUpn, Url, ActionType, NetworkMessageId
| order by Timestamp asc
Timeline entry: 8:03 AM — User clicks phishing link.
Step 3 — Review authentication activity
After a click, investigate sign-in activity for the same user. Look for successful authentication, unusual IP addresses or changed access patterns.
timeline-step-3-authentication.kql
- 1
- 2
- 3
- 4
- 5
- 6
IdentityLogonEvents
| where Timestamp > ago(7d)
| project Timestamp, AccountUpn, ActionType, IPAddress, Application
| order by Timestamp asc
Timeline entry: 8:05 AM — Successful authentication observed.
Step 4 — Review cloud activity
Authentication is not the end of the story. Cloud activity explains what happened after access was gained.
timeline-step-4-cloud-activity.kql
- 1
- 2
- 3
- 4
- 5
- 6
CloudAppEvents
| where Timestamp > ago(7d)
| project Timestamp, AccountDisplayName, Application, ActionType, IPAddress
| order by Timestamp asc
Timeline entry: 8:07 AM — Cloud activity begins.
Step 5 — Review alerts
Alerts explain which detections fired as the attack progressed. They are clues, not the entire investigation.
timeline-step-5-alerts.kql
- 1
- 2
- 3
- 4
- 5
- 6
AlertInfo
| where Timestamp > ago(7d)
| project Timestamp, AlertId, Title, Severity, Category
| order by Timestamp asc
Timeline entry: 8:12 AM — Defender raises alerts.
Step 6 — Review alert evidence
AlertEvidence connects the alert to the actual entities involved in the investigation.
timeline-step-6-alert-evidence.kql
- 1
- 2
- 3
- 4
- 5
- 6
AlertEvidence
| where Timestamp > ago(7d)
| project Timestamp, AlertId, EntityType, EvidenceRole, AccountName, DeviceName
| order by Timestamp asc
Timeline entry: 8:13 AM — Evidence linked to alerts.
Step 7 — Review the incident
SecurityIncident brings related alerts and evidence together so defenders can understand the attack as one investigation.
timeline-step-7-security-incident.kql
- 1
- 2
- 3
- 4
- 5
- 6
SecurityIncident
| where Timestamp > ago(7d)
| project Timestamp, IncidentNumber, Title, Severity, Status
| order by Timestamp asc
Timeline entry: 8:14 AM — Incident created.
Building the full story
Viewed separately, the events are interesting. Viewed together, they become the attack.
8:01 AM — Email deliveredEmailEvents showed the suspicious message entering the environment.
8:03 AM — Link clickedUrlClickEvents showed the user interacting with the phishing URL.
8:05 AM — AuthenticationIdentityLogonEvents showed successful access after the click.
8:07 AM — Cloud activityCloudAppEvents showed activity inside Microsoft 365 after access was gained.
8:12 AM — Alerts generatedAlertInfo showed detections firing as the attack progressed.
8:14 AM — Incident createdSecurityIncident connected the events into one investigation.
Common investigation uses
This workflow helps defenders move from individual telemetry records to a complete incident narrative.
Phishing investigationsConnect email delivery, URL clicks, authentication activity and post-click cloud activity.
Business email compromiseFollow account access, mailbox behaviour, cloud application activity and alert evidence.
Incident reportingExplain what happened in plain language using a timeline that leadership and technical teams can follow.
Common mistakes
Timeline investigations fail when defenders stop too early or treat every table as a separate story.
Stopping at the first alertThe first alert may not be the first event. Always work backward and forward from the detection.
Ignoring what happened after accessAuthentication matters, but post-authentication cloud and endpoint activity often explains impact.
Keeping evidence in silosEmail, identity, cloud and alert evidence become stronger when connected into one timeline.
What you learned
Investigations require contextOne table rarely tells the full story. Context comes from connecting evidence.
Timelines expose attacker behaviourEvents become meaningful when defenders place them in the order they occurred.
Multiple tables create one investigationDefender XDR becomes powerful when email, identity, cloud, alert and incident telemetry work together.
Coming next
More Agent Foskett Academy lessons are comingThe Academy will continue expanding into practical Defender XDR, Microsoft Sentinel, identity, cloud and endpoint investigations.
Where the path goes nextFuture lessons can move into complete case files, incident response workflows, query packs and Microsoft Sentinel hunting scenarios.
What Lesson 50 provesAfter learning the tables, defenders are ready to combine the evidence and explain what really happened.