Agent Foskett Academy • Lesson 6 • Sorting and Understanding Results

Sorting and Understanding Results

Once you have filtered the data and chosen useful columns, the next step is understanding the order of events.

Security investigations are often timelines. A suspicious sign-in happens. An email is delivered. A user clicks a link. A process starts. A connection is made.

The order by operator helps defenders sort KQL results so the newest, oldest or most relevant activity becomes easier to understand.

In this lesson, you will learn how to use order by, desc and asc to read Microsoft Defender XDR and Microsoft Sentinel telemetry as an investigation story.

The goal is simple:

Put the evidence in the right order.

Lesson overview

Learn how to sort KQL results, read timelines and understand the sequence of events during Microsoft security investigations.

Plain-English sorting introduction
order by, desc and asc
Reading timelines and event flow
🧠 Sorting helps investigators understand the sequence of events.
Filtering finds the rows. Project chooses the fields. Sorting helps defenders read the timeline.

Why sorting matters

Microsoft security telemetry is often easier to understand when events are placed in a clear order. Sorting helps defenders see what happened first, what happened next and what activity may be connected.
Read the timeline: Sorting by time helps defenders understand the order in which events occurred.
Find recent activity: Sorting newest first can quickly show what happened most recently in the environment.
Understand investigation flow: Sorted results help defenders connect sign-ins, emails, URL clicks, processes and cloud activity.

The order by operator

The order by operator sorts the results of a KQL query. Most security investigations sort by time because defenders need to understand when events happened.
order-by-basic-example.kql

EmailEvents
| where Timestamp > ago(24h)
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject
| order by Timestamp desc
Plain-English translation:

Show me recent email events, display useful columns, then sort the newest events first.

Understanding desc and asc

Sorting direction matters. Use desc when you want newest or highest values first. Use asc when you want oldest or lowest values first.
desc: Descending order. For timestamps, this usually means newest events appear first.
asc: Ascending order. For timestamps, this usually means oldest events appear first.
Default thinking: Use newest first for quick triage. Use oldest first when rebuilding a timeline from the beginning.

Sorting email investigations

Email investigations often begin by sorting messages by arrival time. This helps defenders understand when suspicious messages appeared and whether similar messages arrived close together.
email-sorted-results.kql

EmailEvents
| where Timestamp > ago(24h)
| where Subject contains "invoice"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction
| order by Timestamp desc
Newest first: Useful when responding to a fresh user report or recent alert.
Similar subjects: Sorting helps identify whether similar emails arrived in a short burst.
Delivery context: Seeing delivery action next to time helps show whether messages were delivered, blocked or quarantined.

Sorting sign-in investigations

Sign-in investigations rely heavily on time. Sorting sign-ins can help defenders identify repeated failures, unusual successful sign-ins or activity that happened after a suspicious authentication event.
signin-sorted-results.kql

SigninLogs
| where TimeGenerated > ago(24h)
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress, Location, ResultType
| order by TimeGenerated desc
Authentication sequence: Sorting can show whether failures happened before a successful sign-in.
Application access: Sorted sign-ins help reveal which applications were accessed after authentication.
Location changes: Sorting can make unusual location changes easier to spot.
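To read each user's authentication sequence as its own timeline, order by can take more than one key. The following is an added example, not a query from the lesson: it assumes the Microsoft Sentinel SigninLogs table, where a ResultType of "0" is a successful sign-in and any other value is an Entra ID error code for a failure.

```kql
// Added example: sort sign-ins by user first, then by time (oldest first),
// so failures that precede a success for the same account sit next to each other.
// Assumption: SigninLogs.ResultType == "0" means success; other values are failure codes.
SigninLogs
| where TimeGenerated > ago(24h)
// Label each row so the outcome is readable without looking up the code.
| extend Outcome = iff(ResultType == "0", "Success", strcat("Failure ", ResultType))
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, Outcome
// Primary key groups rows per user; secondary key orders each user's events in time.
| order by UserPrincipalName asc, TimeGenerated asc
```

A run of "Failure" rows followed by a "Success" row for one UserPrincipalName is the pattern described above; reading the IPAddress column across that run shows whether the success came from the same source as the failures.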

Sorting endpoint investigations

Endpoint investigations often need timeline reconstruction. Sorting process events helps defenders understand what started first, what launched next and whether activity looks suspicious.
endpoint-sorted-results.kql

DeviceProcessEvents
| where Timestamp > ago(24h)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp asc
Plain-English translation:

Show me endpoint process activity from the last 24 hours, display useful fields, then sort from oldest to newest so I can rebuild the timeline.

Newest first or oldest first?

There is no single correct answer. The sorting direction depends on the investigation question.
Use newest first for triage: When an alert just fired, newest-first sorting quickly shows the latest activity.
Use oldest first for timelines: When rebuilding an incident, oldest-first sorting helps show the sequence from beginning to end.
Switch when needed: Good investigators often sort both ways while checking different parts of the story.

Combining filter, project and order by

By this stage, your KQL query can follow a very useful beginner investigation pattern: choose a table, filter the data, project useful columns and sort the results.
full-beginner-pattern.kql

EmailEvents
| where Timestamp > ago(24h)
| where Subject contains "invoice"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction
| order by Timestamp desc
Plain-English translation:

Search recent email, filter for invoice subjects, show useful fields and sort newest activity first.

Beginner mistakes with sorting

Sorting is simple, but it can still mislead an investigation if defenders do not think carefully about the timeline.
Forgetting which time field is being used: Different tables may use Timestamp, TimeGenerated or other time fields. Sort by the correct field for the table.
Only reading the top row: The newest event is not always the most important event. It is only the most recent one.
Missing the start of the story: Newest-first sorting is useful, but oldest-first sorting may better explain how an incident began.

Investigator mindset

Sorting is about more than neat results. It helps defenders turn raw telemetry into a readable story.
What happened first? Sort oldest first when trying to understand how the activity began.
What happened most recently? Sort newest first when triaging an active or recent investigation.
What changed over time? Sorted results help reveal escalation, repetition, persistence and movement through the environment.
The logs already know the story.
Sorting helps defenders read that story in the right order.

What you learned

In this lesson, you learned how sorting helps defenders understand the order of events inside Microsoft security telemetry.
order by sorts results: The order by operator controls how query results are arranged.
desc and asc change direction: Use desc for newest or highest first, and asc for oldest or lowest first.
Sorting supports timeline analysis: Sorted results help defenders understand sequence, flow and investigation context.

Next lesson coming soon

The next Agent Foskett Academy lesson will build on sorting and introduce summarize, helping defenders count, group and identify patterns across Microsoft security telemetry.
Lesson 7 — Counting and Grouping with summarize: Learn how summarize helps defenders count events, group activity and find patterns in Microsoft security data.
Keep building the investigation: After sorting results, the next step is learning how to count events and identify repeated behaviour.

Continue learning with Agent Foskett Academy, Microsoft Defender KQL Threat Hunting Guide, EmailEvents KQL Guide, KQL Email Spoofing, Microsoft Security and the GEMXIT Security Review.

Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD
