13.3 Setting Up Your Investigation

2–3 hours · Module 13

Experienced analysts do not start typing queries the moment an alert fires. They set up their workspace, gather context, and plan their approach. Thirty seconds of preparation saves thirty minutes of scattered, unfocused investigation.

Open these tools

Before writing your first query, have these open and ready:

  1. Defender XDR portal → Incidents & alerts (the alert that triggered this investigation)
  2. Defender XDR portal → Advanced Hunting (your KQL workspace)
  3. Defender XDR portal → Email & collaboration → Explorer (Threat Explorer for email analysis)
  4. Entra ID portal → Sign-in logs (for quick entity lookups)
  5. A text editor or OneNote → for documenting your investigation as you go

Document as you investigate, not after

Every query you run, every result you find, every decision you make — write it down immediately. At 2am during a multi-wave incident, you will not remember which users you already cleared and which still need checking. Your investigation notes become the basis for the incident report (subsection 13.11).

Evidence collection plan

Before you touch a single log, decide what evidence you need to preserve. If this incident leads to legal proceedings, regulatory reporting, or insurance claims, you need a documented chain of custody for that evidence: what was collected, when, and by whom.

Preserve immediately:

  • Screenshot or export the original alert with all metadata
  • Export the phishing email (if still available in quarantine) including full headers
  • Note the current time and your identity as the investigator

Preserve during investigation:

  • Screenshot every KQL query and its results (or export to CSV)
  • Screenshot any portal pages showing alert detail, entity information, or remediation actions
  • Record every containment action with timestamp

Preserve after containment:

  • Export the complete sign-in log for affected users (30-day window)
  • Export the unified audit log for affected mailboxes (relevant timeframe)
  • Record the removal of any persistence mechanisms (inbox rules, forwarding)

Export the data, do not just screenshot it

Screenshots are useful for reports but are not machine-readable. For every critical query result, also export to CSV. This allows you to re-analyse the data later, share it with other investigators, and attach it to formal incident records.

Your investigation query template

Start every investigation with this template. It defines your variables once and references them throughout:

// === INVESTIGATION: INC-2026-0227-001 ===
// Analyst: [your name]
// Date: 2026-02-27
// Status: Active
//
// Affected users (update as investigation progresses):
let affected_users = dynamic([
    "j.morrison@northgateeng.com"
]);
//
// Known attacker IPs (update as investigation progresses):
let attacker_ips = dynamic([
    "203.0.113.45"
]);
//
// Phishing domains (update as investigation progresses):
let phishing_domains = dynamic([
    "northgate-voicemail.com"
]);
//
// Investigation timeframe:
let incident_start = datetime(2026-02-27T09:00:00Z);
let incident_end = datetime(2026-03-02T00:00:00Z);

Update these variables as the investigation progresses. When you identify a new compromised user, add them to affected_users. When you find a new attacker IP, add it to attacker_ips. Every subsequent query references these variables instead of hardcoding values.
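The following query is an added example, not part of the module's own template: it shows what a "subsequent query" built on those variables looks like, and it also covers the persistence check from the evidence-collection plan above (inbox rules and forwarding). It reuses the template's variables unchanged and assumes three standard Defender XDR Advanced Hunting tables, EmailEvents, AADSignInEventsBeta (a preview table that may be absent in some tenants) and CloudAppEvents, with the column names from the published schema; the ActionType values for inbox-rule and forwarding changes, and the use of AccountDisplayName / RawEventData.UserId to match a UPN, are assumptions to verify against your own tenant's data.

```kql
// Added example: one investigation timeline built from the template variables.
// Variables copied from the investigation template (update them there, not here).
let affected_users = dynamic(["j.morrison@northgateeng.com"]);
let attacker_ips = dynamic(["203.0.113.45"]);
let phishing_domains = dynamic(["northgate-voicemail.com"]);
let incident_start = datetime(2026-02-27T09:00:00Z);
let incident_end = datetime(2026-03-02T00:00:00Z);
//
// (a) Mail from the known phishing domains to anyone in the tenant.
//     Every recipient listed here is a candidate for affected_users.
let phish_mail = EmailEvents
    | where Timestamp between (incident_start .. incident_end)
    | where SenderFromDomain in~ (phishing_domains)
    | project Timestamp,
              Source = "EmailEvents",
              Account = RecipientEmailAddress,
              IPAddress = SenderIPv4,
              Detail = strcat(DeliveryAction, ": ", Subject);
//
// (b) Sign-ins by affected users; rows from a known attacker IP are flagged.
//     Assumption: AADSignInEventsBeta is enabled in the tenant.
let signins = AADSignInEventsBeta
    | where Timestamp between (incident_start .. incident_end)
    | where AccountUpn in~ (affected_users)
    | project Timestamp,
              Source = "SignIn",
              Account = AccountUpn,
              IPAddress,
              Detail = strcat(iff(IPAddress in (attacker_ips), "ATTACKER IP - ", ""),
                              Application, " result=", tostring(ErrorCode));
//
// (c) Inbox-rule and forwarding changes by affected users: the persistence you must
//     find, remove, and record. Assumption: these ActionType values and the UPN match
//     on AccountDisplayName or RawEventData.UserId hold for your tenant's audit data.
let rules = CloudAppEvents
    | where Timestamp between (incident_start .. incident_end)
    | where ActionType in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox")
    | where AccountDisplayName in~ (affected_users)
         or tostring(RawEventData.UserId) in~ (affected_users)
    | project Timestamp,
              Source = "CloudAppEvents",
              Account = AccountDisplayName,
              IPAddress,
              Detail = strcat(ActionType, " ", tostring(RawEventData.Parameters));
//
// Merge the three views into a single chronological timeline. Export this result
// to CSV as evidence; the "Detail" column carries the human-readable summary.
union phish_mail, signins, rules
| order by Timestamp asc
```

Because each of the three sub-queries filters on the shared variables, adding a second user to affected_users or a second IP to attacker_ips changes all three views at once, which is the single-source-of-truth property the template is meant to give you. The union projects every source onto the same five columns so the exported CSV stays uniform regardless of which table a row came from.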

Check your understanding

1. Why should you define investigation variables in a let statement template rather than hardcoding values in each query?

  • Single source of truth — when you discover a new attacker IP, update it once in the template and every query that references the variable automatically includes it. No risk of forgetting to update one query out of twenty.
  • It makes queries run faster
  • KQL requires let statements

2. An incident may lead to regulatory reporting. Which evidence format is more defensible — screenshots or CSV exports?

  • Screenshots — they show exactly what the analyst saw
  • They are equally valid
  • Both — screenshots for visual context in reports, CSV exports for machine-readable evidence that can be independently verified and re-analysed