I tested the Exfiltration timeline against a controlled test scenario.
In my scenario, I:
Logged in from a blocked VPN
Deleted 4 emails
Viewed others
Sent 1 email to 4 users
Changed the technical contact in Entra
Downloaded various OneDrive files
Made new OneDrive files
Before I could do anything else, Huntress locked me up.
The timeline did detect the email deletions and the send - but it did not detect anything else.
This surprised me as after doing a GAL audit, and filtering results to the IP of the VPN service, I saw all these actions were detected.
Maybe this is what is being planned here:
But it would be nice to see this feature expanded on. Currently it is super pretty in the portal, but I would be happy if it were just the raw logs - it saves the time of putting together an audit and analyzing it.
Thank you.
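The comparison the post describes (filtering an audit export to the VPN's IP and checking which of the test actions show up) can be scripted so the check is repeatable. The example below is added here and is not code from the original post or from Huntress. The records are constructed; the field names (CreationTime, Operation, UserId, ClientIP, Workload) and operation names are modelled on the Microsoft 365 unified audit log export format, but treat them as assumptions rather than a specification, and the IP addresses are documentation ranges.

```python
"""Build a per-IP activity timeline from an audit-log export and report
which of the expected scenario actions the export did or did not contain.

Added example; records below are constructed and the field/operation
names are assumptions modelled on the unified audit log export format.
"""
import json
from collections import Counter
from datetime import datetime

# Constructed sample export: one JSON record per line. 203.0.113.7 stands
# in for the blocked VPN egress address; 198.51.100.9 is unrelated traffic.
SAMPLE_EXPORT = """
{"CreationTime":"2024-05-01T13:02:10","Operation":"UserLoggedIn","UserId":"tester@example.com","ClientIP":"203.0.113.7","Workload":"AzureActiveDirectory"}
{"CreationTime":"2024-05-01T13:03:44","Operation":"HardDelete","UserId":"tester@example.com","ClientIP":"203.0.113.7","Workload":"Exchange"}
{"CreationTime":"2024-05-01T13:04:01","Operation":"MailItemsAccessed","UserId":"tester@example.com","ClientIP":"203.0.113.7","Workload":"Exchange"}
{"CreationTime":"2024-05-01T13:05:30","Operation":"Send","UserId":"tester@example.com","ClientIP":"203.0.113.7","Workload":"Exchange"}
{"CreationTime":"2024-05-01T13:06:12","Operation":"Update user.","UserId":"tester@example.com","ClientIP":"203.0.113.7","Workload":"AzureActiveDirectory"}
{"CreationTime":"2024-05-01T13:07:55","Operation":"FileDownloaded","UserId":"tester@example.com","ClientIP":"203.0.113.7","Workload":"OneDrive"}
{"CreationTime":"2024-05-01T13:08:20","Operation":"FileUploaded","UserId":"tester@example.com","ClientIP":"203.0.113.7","Workload":"OneDrive"}
{"CreationTime":"2024-05-01T13:08:45","Operation":"FileDownloaded","UserId":"colleague@example.com","ClientIP":"198.51.100.9","Workload":"OneDrive"}
"""

# Operations that correspond to the actions taken in the test scenario
# (assumed operation names; adjust to whatever your export actually uses).
EXPECTED_COVERAGE = {
    "HardDelete",          # deleted emails
    "MailItemsAccessed",   # viewed emails
    "Send",                # sent email
    "Update user.",        # changed technical contact in Entra
    "FileDownloaded",      # downloaded OneDrive files
    "FileUploaded",        # created OneDrive files
}


def parse_export(text):
    """Parse a newline-delimited JSON export into dicts with real timestamps."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["CreationTime"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return records


def timeline_for_ip(records, client_ip):
    """Keep only records from the given client IP, oldest first."""
    hits = [r for r in records if r.get("ClientIP") == client_ip]
    hits.sort(key=lambda r: r["CreationTime"])
    return hits


def summarize(timeline):
    """Count how many times each operation appears in the timeline."""
    return Counter(r["Operation"] for r in timeline)


def coverage_gaps(ops_seen, expected=EXPECTED_COVERAGE):
    """Return the expected scenario operations that a given view did NOT surface.

    Pass the operations shown by a detection timeline to see what it missed;
    pass the operations from the raw audit export to confirm the raw logs
    contain everything.
    """
    return sorted(expected - set(ops_seen))


if __name__ == "__main__":
    records = parse_export(SAMPLE_EXPORT)
    vpn_timeline = timeline_for_ip(records, "203.0.113.7")
    for r in vpn_timeline:
        print(r["CreationTime"].isoformat(), r["Workload"], r["Operation"], r["UserId"])
    print("raw audit gaps:", coverage_gaps(summarize(vpn_timeline)))
    # What the portal timeline showed in the post: deletions and the send only.
    print("portal timeline gaps:", coverage_gaps({"HardDelete", "Send"}))
```

Running it prints the VPN-IP timeline and two gap lists: an empty one for the raw export (every scenario action is present once you filter by IP) and a four-item one for a view that only surfaces deletions and sends, which is the difference the post is pointing at.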