Agent Foskett • Microsoft Defender XDR • Timeline Investigation

The Timeline Told The Story

The sign-in looked normal.

The data access looked normal.

The lateral movement looked normal.

The timeline changed everything.

The logs already knew.

Agent Foskett timeline investigation showing sign-in, privilege escalation, data access and lateral movement
Briefing summary

A single event can look normal. A timeline changes everything. When sign-ins, role changes, data access and device activity are placed in order, the investigation starts to explain itself.

Sign-in 08:12
Priv esc 08:24
Data access 08:27 • Lateral move 08:31
🧵 He connects what others never will.
The investigation was not solved by one alert. It was solved by placing the evidence in order and following the timeline.
Book a security review →

Why the timeline matters

Security incidents often hide between separate tables, different timestamps and ordinary-looking events. The sign-in may not be suspicious by itself. The file access may look routine. The network connection may seem harmless. The story appears when each action is placed in sequence.
The order changed the meaning
A sign-in followed by privilege escalation, data access and lateral movement tells a very different story from each event viewed alone.
The gaps mattered
Short gaps between actions can show intent, automation or a hands-on-keyboard attack moving quickly through the environment.
The logs already knew
The evidence was already there. The defender's job was to connect sign-in, identity, cloud and endpoint telemetry into one readable timeline.

First hunt: start with the sign-in

Begin with authentication activity. Look for the first access event that started the sequence, then keep enough context to pivot into other activity later.
sign-in-starting-point.kql
// Starting point: every sign-in for the account in the last 7 days, oldest first.
// =~ is an exact, case-insensitive match on the UPN (has would also match the
// terms inside the UPN, which is looser than needed here).
IdentityLogonEvents
| where Timestamp > ago(7d)
| where AccountUpn =~ "user@domain.com"
| project Timestamp,
          AccountUpn,
          ActionType,        // LogonSuccess or LogonFailed
          Application,
          LogonType,
          IPAddress,
          DeviceName
| order by Timestamp asc
What to review
Look for unusual IP addresses, unfamiliar devices, new applications, odd timing or sign-ins that do not match the user's normal pattern.
Why it matters
The sign-in is often the first pin on the wall. Every later event needs to be compared against it.
Best next pivot
Use the account, IP address, device name and timestamp to search privilege changes and cloud activity.
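One way to make that pivot in Advanced Hunting, as an added example that is not part of the original page: anchor on the first successful sign-in for the account, collect the source addresses it signed in from, then pull every cloud action recorded from those addresses in the hour that followed. The UPN, the seven-day look-back, the one-hour window and the LogonSuccess filter are assumptions chosen for illustration.

```kql
// Added example: pivot from the first successful sign-in into cloud activity
// from the same source IP addresses. Assumptions: user@domain.com is the
// account under investigation and one hour is a reasonable follow-up window.
let TargetUser = "user@domain.com";
let LookBack = 7d;
let Window = 1h;
// Earliest successful sign-in for the account in the look-back period
let FirstSignIn = toscalar(
    IdentityLogonEvents
    | where Timestamp > ago(LookBack)
    | where AccountUpn =~ TargetUser
    | where ActionType == "LogonSuccess"
    | summarize min(Timestamp));
// Source addresses the account signed in from during the window
let SignInIPs = IdentityLogonEvents
    | where Timestamp between (FirstSignIn .. (FirstSignIn + Window))
    | where AccountUpn =~ TargetUser
    | where isnotempty(IPAddress)
    | distinct IPAddress;
// Cloud actions from those addresses in the same window, regardless of which
// account name the cloud app recorded them under
CloudAppEvents
| where Timestamp between (FirstSignIn .. (FirstSignIn + Window))
| where IPAddress in (SignInIPs)
| extend MinutesAfterSignIn = datetime_diff('minute', Timestamp, FirstSignIn)
| project Timestamp, MinutesAfterSignIn, AccountDisplayName, ActionType, Application, IPAddress
| order by Timestamp asc
```

Pivoting on the IP address rather than the account name is deliberate: if the attacker used the same session to act as a different identity (a newly added service principal, for example), the cloud rows still land in the window. If no successful sign-in exists in the look-back period, FirstSignIn is null and the query returns nothing, which is itself an answer.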

Second hunt: look for privilege escalation

The poster says Priv Esc 08:24. In a real investigation, that could be a new role assignment, consent grant, group membership change or administrative action that gave the account more reach.
privilege-escalation-after-signin.kql
// Entra ID and cloud-app audit actions that widen what the account can reach.
// AccountDisplayName has "user" is a placeholder; the account's object ID
// (AccountObjectId) is the more precise key once you have it from the sign-in.
CloudAppEvents
| where Timestamp > ago(7d)
| where AccountDisplayName has "user"
| where ActionType has_any (
    "Add member to role",
    "Add member to group",
    "Consent to application",
    "Update user")
// RawEventData carries the target role, group or application for each action
| project Timestamp, AccountDisplayName, ActionType, Application, IPAddress, RawEventData
| order by Timestamp asc

Third hunt: identify data access

Privilege becomes dangerous when it is used. Search for cloud application events, file access, downloads, mailbox activity or sensitive data actions that occurred after the role change.
data-access-after-privilege-change.kql
// Data access after the privilege change. These are unified audit log action
// names for SharePoint/OneDrive (file operations), Exchange (mailbox reads)
// and Microsoft 365 search; ObjectName is the file, folder or mailbox touched.
CloudAppEvents
| where Timestamp > ago(7d)
| where AccountDisplayName has "user"
| where ActionType has_any (
    "FileDownloaded",
    "FileAccessed",
    "MailItemsAccessed",
    "SearchQueryPerformed")
| project Timestamp, AccountDisplayName, ActionType, Application, IPAddress, ObjectName
| order by Timestamp asc

Fourth hunt: check for lateral movement

The final note on the wall says Lateral Move 08:31. This is where endpoint telemetry becomes critical. Search for remote logons, network connections, suspicious process launches or movement between devices.
lateral-movement-after-data-access.kql
// Outbound connections from processes running as the account to ports used
// for lateral movement: 445 SMB, 3389 RDP, 5985/5986 WinRM (HTTP/HTTPS).
// ActionType distinguishes ConnectionSuccess from attempts that failed.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessAccountUpn =~ "user@domain.com"
| where RemotePort in (445, 3389, 5985, 5986)
| project Timestamp,
          DeviceName,
          ActionType,
          InitiatingProcessAccountUpn,
          InitiatingProcessFileName,
          RemoteUrl,
          RemoteIP,
          RemotePort
| order by Timestamp asc
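The network query shows the source side of a move. The receiving side is the remote logon on the destination device, which the section text mentions but the query above does not cover. The following is an added example, not code from the original page: it summarises successful network and RDP logons for the account per source/destination pair, including whether the account landed as a local administrator. DeviceLogonEvents keys on the account name and domain rather than the UPN, so "user" is assumed here to be the account's sAMAccountName.

```kql
// Added example: remote logons on endpoints as the account moves between
// devices. Assumption: "user" is the sAMAccountName of the account under
// investigation (DeviceLogonEvents keys on AccountName/AccountDomain, not UPN).
let TargetAccount = "user";
DeviceLogonEvents
| where Timestamp > ago(7d)
| where AccountName =~ TargetAccount
| where ActionType == "LogonSuccess"
// Network = SMB/WinRM-style logons, RemoteInteractive = RDP
| where LogonType in ("Network", "RemoteInteractive")
| where isnotempty(RemoteIP)
// One row per source -> destination pair, with how often and when it happened
| summarize FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Logons = count(),
            LogonTypes = make_set(LogonType)
          by DeviceName, RemoteDeviceName, RemoteIP, IsLocalAdmin
| order by FirstSeen asc
```

Read DeviceName as the destination and RemoteDeviceName/RemoteIP as where the logon came from. A RemoteIP that matches a RemoteIP from the network query above, within the same minutes, closes the loop between the two tables; IsLocalAdmin == true on a device the user does not normally administer is the row to look at first.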

Fifth hunt: assemble the timeline

Once the key events are identified, combine them into a single investigation view. This does not need to be perfect on the first pass. The goal is to see the sequence, then refine it.
attack-timeline-story.kql
// First-pass timeline: sign-ins and cloud actions in one ordered view.
// The two tables key on the account differently, so both names are declared:
// IdentityLogonEvents carries the UPN, CloudAppEvents a display name.
let TargetUser = "user@domain.com";
let TargetName = "user";
let SignIns = IdentityLogonEvents
| where Timestamp > ago(7d)
| where AccountUpn =~ TargetUser
| project Timestamp, EventType = "Sign-in", Account = AccountUpn, Detail = Application, IPAddress, DeviceName;
let CloudActions = CloudAppEvents
| where Timestamp > ago(7d)
| where AccountDisplayName has TargetName
| project Timestamp, EventType = ActionType, Account = AccountDisplayName, Detail = Application, IPAddress, DeviceName = "Cloud";
SignIns
| union CloudActions
| order by Timestamp asc
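The query above merges two sources. The refined pass the section describes, and the "gaps mattered" point from earlier on the page, are shown in this added example (not code from the original page): it unions identity, cloud and both endpoint tables into one timeline and computes the gap to the previous event, so a sequence like 08:12, 08:24, 08:27, 08:31 stands out from a week of routine activity. Assumptions: user@domain.com is the UPN, "user" is both the sAMAccountName and the display name the cloud app records, and a ten-minute threshold marks a fast follow-on.

```kql
// Added example: one timeline across identity, cloud and endpoint telemetry,
// with the gap to the previous event so fast sequences stand out.
// Assumptions: user@domain.com is the UPN, "user" is the sAMAccountName and
// the name CloudAppEvents shows for the same account; the 10-minute threshold
// is illustrative.
let TargetUser = "user@domain.com";
let TargetName = "user";
let LookBack = 7d;
let FastGap = 10;   // minutes; adjust for the environment
let SignIns = IdentityLogonEvents
    | where Timestamp > ago(LookBack)
    | where AccountUpn =~ TargetUser
    | project Timestamp, Source = "Identity", EventType = ActionType,
              Detail = strcat(Application, " / ", LogonType), IPAddress, DeviceName;
let CloudActions = CloudAppEvents
    | where Timestamp > ago(LookBack)
    | where AccountDisplayName has TargetName
    | project Timestamp, Source = "Cloud", EventType = ActionType,
              Detail = strcat(Application, " / ", ObjectName), IPAddress, DeviceName = "";
let EndpointLogons = DeviceLogonEvents
    | where Timestamp > ago(LookBack)
    | where AccountName =~ TargetName
    | where ActionType == "LogonSuccess"
    | project Timestamp, Source = "Endpoint", EventType = strcat("Logon:", LogonType),
              Detail = strcat("from ", RemoteDeviceName), IPAddress = RemoteIP, DeviceName;
let Connections = DeviceNetworkEvents
    | where Timestamp > ago(LookBack)
    | where InitiatingProcessAccountUpn =~ TargetUser
    | where RemotePort in (445, 3389, 5985, 5986)
    | project Timestamp, Source = "Endpoint", EventType = strcat("Connect:", tostring(RemotePort)),
              Detail = InitiatingProcessFileName, IPAddress = RemoteIP, DeviceName;
union SignIns, CloudActions, EndpointLogons, Connections
// order by yields a serialized table, which prev() needs to see the previous row
| order by Timestamp asc
| extend GapMinutes = datetime_diff('minute', Timestamp, prev(Timestamp))
| extend Flag = iff(isnotnull(GapMinutes) and GapMinutes <= FastGap, "fast follow-on", "")
| project Timestamp, GapMinutes, Flag, Source, EventType, Detail, IPAddress, DeviceName
```

Every branch projects the same column names and types so the union is clean; DeviceName is left empty for cloud rows rather than invented. The first row always has a null gap. Filtering on Flag afterwards gives the compressed sequence; leaving it off keeps the routine events that show what "normal" looked like for this account before the sequence began.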

What the timeline can prove

A timeline does more than list events. It explains cause, sequence and context. It helps defenders move from disconnected telemetry to a clear incident narrative.
What happened first
The timeline identifies the first visible sign-in or access event that started the investigation.
What changed next
Privilege changes, consent grants, group updates and data access become easier to understand when they are placed after the initial access.
Where the attacker moved
Endpoint and network telemetry can show whether the account stayed in one place or began reaching into other systems.

The Agent Foskett investigator mindset

Do not investigate every event as though it lives alone. Place it on the wall. Add the timestamp. Draw the connection. Then ask what happened before it and what happened after it.
Start with time
Sort ascending. Let the events unfold in the order the attacker created them.
Connect weak signals
A single event may not be enough. Several weak signals in the right order can become strong evidence.
He connects what others never will
That is the difference between checking alerts and investigating the story hidden inside the logs.

How GEMXIT approaches timeline investigations

GEMXIT helps organisations use Microsoft Defender XDR and Microsoft Sentinel telemetry to reconstruct incidents, explain attack paths and improve security operations workflows.
We review telemetry coverage
We help check whether identity, endpoint, email, cloud and audit telemetry are available for real investigations.
We build practical KQL workflows
We help turn scattered evidence into usable hunting queries, timeline views and repeatable investigation steps.
We improve investigation readiness
We help teams understand what to collect, how to correlate it and how to explain the timeline when an incident unfolds.
The alert did not explain it. The timeline did.
GEMXIT helps organisations investigate Microsoft Defender XDR telemetry, Microsoft Sentinel logs, timestamps, KQL and real-world attack paths.
Contact GEMXIT

Final thought

The sign-in was recorded.

The timeline told the story.

The logs already knew.
At GEMXIT
We help organisations investigate Microsoft Defender XDR, Microsoft Sentinel, identity telemetry, endpoint telemetry, cloud activity, timestamps and real-world security operations workflows.
Agent Foskett mindset
The question is not only: “What alert fired?”

It is: “What story does the timeline tell?”

The Timeline Told The Story

This Agent Foskett investigation explains how Microsoft Defender XDR, IdentityLogonEvents, DeviceEvents, DeviceNetworkEvents, CloudAppEvents, timestamps and KQL can help defenders reconstruct attack timelines from sign-in, privilege escalation, data access and lateral movement events.

Microsoft Defender XDR timeline investigation with KQL

GEMXIT helps organisations investigate identity activity, privilege escalation, cloud data access, lateral movement, endpoint telemetry and Microsoft Defender Advanced Hunting workflows.

Attack timeline reconstruction

Timeline analysis helps defenders connect scattered security events across Microsoft Defender XDR and Microsoft Sentinel so the incident story becomes clear.