Agent Foskett Academy • Lesson 85 • Advanced Defender XDR Investigation

Building a Device Timeline in Microsoft Defender XDR.

One process started.

A file appeared.

A network connection followed.

Agent Foskett put the evidence in order.

Agent Foskett Academy lesson building a device timeline in Microsoft Defender XDR
Lesson overview

Learn how to build a clear device timeline by correlating Microsoft Defender XDR process, network, file and logon events into one investigation story.

Start with the device
Correlate key event tables
Order evidence by time
Explain what happened

Why device timelines matter

A single event rarely explains an incident. A device timeline helps defenders show what started, what changed, what connected and what happened next.
Processes show executionDeviceProcessEvents helps identify which commands ran, which parent process launched them and which account was involved.
Network shows communicationDeviceNetworkEvents helps reveal outbound connections, remote infrastructure and the initiating process behind the traffic.
Files show impactDeviceFileEvents helps confirm payloads, scripts, archives, renamed files and other changes written to disk.

The device timeline workflow

Agent Foskett builds the timeline from the device outward, placing each piece of telemetry into chronological order.
1. Which device is in scope?Start with the affected DeviceName and define the investigation window.
2. What executed first?Review suspicious processes, command lines and parent-child relationships.
3. Who was logged on?Use logon evidence to understand which account was active on the device.
4. What files changed?Look for created, modified, renamed or deleted files around the same time.
5. What connected externally?Review outbound connections and match them to initiating processes.
6. Did persistence appear?Check for registry, scheduled task, service or startup path activity.
7. What happened before and after?Expand the window to include pre-attack staging and post-execution impact.
8. Can the story be explained?Summarise the timeline in plain language so responders can act on it.

Step 1 — Define the device and timeframe

Begin with the affected device and a tight investigation window. This keeps the first timeline focused and readable.
step-1-define-device-window.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
let targetDevice = "WIN-0421";
let startTime = ago(24h);
let endTime = now();
DeviceProcessEvents
| where Timestamp between (startTime .. endTime)
| where DeviceName =~ targetDevice
| project Timestamp,
          DeviceName,
          AccountName,
          FileName,
          ProcessCommandLine,
          InitiatingProcessFileName
| order by Timestamp asc

Step 2 — Build the process timeline

Process activity often forms the backbone of the device timeline because it shows what executed and what launched it.
step-2-process-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
let targetDevice = "WIN-0421";
DeviceProcessEvents
| where Timestamp > ago(24h)
| where DeviceName =~ targetDevice
| project EventType = "Process",
          Timestamp,
          DeviceName,
          AccountName,
          FileName,
          Detail = ProcessCommandLine,
          Parent = InitiatingProcessFileName
| order by Timestamp asc

Step 3 — Add file activity

File events help identify downloads, payload creation, script staging and suspicious changes after execution.
step-3-file-activity-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
let targetDevice = "WIN-0421";
DeviceFileEvents
| where Timestamp > ago(24h)
| where DeviceName =~ targetDevice
| project EventType = "File",
          Timestamp,
          DeviceName,
          AccountName = InitiatingProcessAccountName,
          FileName,
          Detail = FolderPath,
          Parent = InitiatingProcessFileName
| order by Timestamp asc

Step 4 — Add network activity

Network telemetry shows whether the device contacted external infrastructure and which process initiated the connection.
step-4-network-activity-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
let targetDevice = "WIN-0421";
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where DeviceName =~ targetDevice
| project EventType = "Network",
          Timestamp,
          DeviceName,
          AccountName = InitiatingProcessAccountName,
          FileName = InitiatingProcessFileName,
          Detail = strcat(RemoteUrl, " ", RemoteIP),
          Parent = InitiatingProcessParentFileName
| order by Timestamp asc

Step 5 — Add logon activity

Logon evidence helps explain who was active on the device and whether remote access occurred before suspicious execution.
step-5-logon-activity-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
let targetDevice = "WIN-0421";
DeviceLogonEvents
| where Timestamp > ago(24h)
| where DeviceName =~ targetDevice
| project EventType = "Logon",
          Timestamp,
          DeviceName,
          AccountName,
          FileName = LogonType,
          Detail = ActionType,
          Parent = RemoteDeviceName
| order by Timestamp asc

Step 6 — Combine process, file, network and logon events

Use union to create one chronological device timeline that can be reviewed, filtered and explained.
step-6-combined-device-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
  23. 23
  24. 24
  25. 25
  26. 26
  27. 27
  28. 28
  29. 29
  30. 30
  31. 31
  32. 32
  33. 33
  34. 34
  35. 35
  36. 36
  37. 37
  38. 38
let targetDevice = "WIN-0421";
let startTime = ago(24h);
let processEvents = DeviceProcessEvents
| where Timestamp > startTime
| where DeviceName =~ targetDevice
| project EventType = "Process", Timestamp, DeviceName, AccountName,
          Primary = FileName,
          Detail = ProcessCommandLine,
          Source = InitiatingProcessFileName;
let fileEvents = DeviceFileEvents
| where Timestamp > startTime
| where DeviceName =~ targetDevice
| project EventType = "File", Timestamp, DeviceName,
          AccountName = InitiatingProcessAccountName,
          Primary = FileName,
          Detail = FolderPath,
          Source = InitiatingProcessFileName;
let networkEvents = DeviceNetworkEvents
| where Timestamp > startTime
| where DeviceName =~ targetDevice
| project EventType = "Network", Timestamp, DeviceName,
          AccountName = InitiatingProcessAccountName,
          Primary = InitiatingProcessFileName,
          Detail = strcat(RemoteUrl, " ", RemoteIP),
          Source = InitiatingProcessParentFileName;
let logonEvents = DeviceLogonEvents
| where Timestamp > startTime
| where DeviceName =~ targetDevice
| project EventType = "Logon", Timestamp, DeviceName, AccountName,
          Primary = LogonType,
          Detail = ActionType,
          Source = RemoteDeviceName;
union processEvents, fileEvents, networkEvents, logonEvents
| order by Timestamp asc

How to read the timeline

The timeline is not just a list of events. It should explain sequence, cause and impact.
Look for the first suspicious eventFind the earliest unusual process, logon or file event that appears to start the chain.
Follow the parent processParent-child relationships help explain whether activity came from Office, a browser, a script host or remote access.
Match execution to communicationProcesses followed by outbound network activity often show download, staging or command-and-control behaviour.
Confirm impact with filesCreated or modified files help prove what the attacker placed, changed or removed from the endpoint.

Real-world investigation

The alertMicrosoft Defender XDR raises an alert for suspicious script execution on a workstation.
The processDeviceProcessEvents shows PowerShell launched by a document reader shortly after the user opened a file.
The downloadDeviceNetworkEvents shows the same PowerShell process contacting an unfamiliar external host.
The payloadDeviceFileEvents records a script and executable written into the user profile.
The logonDeviceLogonEvents shows the same account had an interactive session during the activity window.
The conclusionThe timeline proves suspicious execution, external communication and payload creation occurred on the same device within minutes.

Investigation checklist

Device identifiedConfirm the affected DeviceName and investigation window before collecting evidence.
Processes reviewedCheck suspicious command lines, parent processes and account context.
Files reviewedLook for payloads, scripts, archives, renamed files and unusual write locations.
Network reviewedIdentify remote URLs, IP addresses and the initiating process behind outbound traffic.
Logons reviewedUnderstand which user or remote source was active on the device.
Timeline completedPlace all evidence in chronological order and summarise what happened in plain language.

Related Agent Foskett Academy lessons

Investigating Lateral MovementUse logon and endpoint evidence to follow attacker movement across devices.
Investigating PowerShell AttacksAnalyse encoded commands, suspicious execution and parent process evidence.
Investigating Ransomware BehaviourIdentify mass file changes, encryption activity and suspicious endpoint behaviour.
Investigating Living Off The Land (LOLBins)Review legitimate Windows tools abused by attackers during endpoint investigations.
Correlating EmailEvents with DeviceProcessEventsDetermine what executed after suspicious email activity.
Correlating EmailEvents with DeviceNetworkEventsIdentify outbound connections after phishing activity.

Coming next

Lesson 86 — Investigating Credential TheftNext, Agent Foskett investigates credential theft by reviewing suspicious processes, browser data access, LSASS activity, logon anomalies and post-compromise behaviour.
Why this mattersA strong device timeline often reveals the moment credential theft began and what the attacker did immediately afterwards.

Final thought

A timeline turns scattered telemetry into an investigation story.
Agent Foskett mindsetDo not investigate events in isolation. Place them in order and let the sequence explain the attack.
The timeline told the storyWhen the evidence is ordered correctly, the incident becomes easier to understand, contain and report.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Building a Device Timeline in Microsoft Defender XDR

Agent Foskett Academy Lesson 85 teaches defenders how to build a complete device timeline in Microsoft Defender XDR.

Defender XDR device timeline investigation workflow

This lesson explains how DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents and DeviceLogonEvents help defenders reconstruct endpoint activity in chronological order during Microsoft Defender XDR investigations.