Agent Foskett Academy • Lesson 78 • Cross-Table Investigation

Correlating EmailEvents with DeviceProcessEvents in Microsoft Defender XDR.

The phishing email looked convincing.

The attachment appeared harmless.

Several users received the message.

One employee opened the attachment.

The email investigation confirmed delivery, but Agent Foskett knew emails do not execute malware.

Processes do.

To determine whether the attachment launched suspicious activity, he correlated EmailEvents with DeviceProcessEvents.

Agent Foskett Academy lesson correlating EmailEvents with DeviceProcessEvents in Microsoft Defender XDR
Lesson overview

Learn how to correlate EmailEvents with DeviceProcessEvents to determine what executed on a device after a phishing email was delivered or an attachment was opened.

Identify delivered phishing emails
Pivot from recipient to endpoint activity
Find suspicious Office child processes
Build email-to-process timelines

Why this correlation matters

A phishing email is only the start of the story. DeviceProcessEvents helps defenders understand whether suspicious execution followed delivery or user interaction.
EmailEvents shows what arrivedEmailEvents helps defenders identify the sender, recipient, subject, delivery status and message identifiers involved in the email investigation.
DeviceProcessEvents shows what ranDeviceProcessEvents records process execution, command lines, parent processes and user context on the endpoint.
The timeline connects the incidentBy comparing email delivery with process execution, defenders can identify suspicious activity that occurred shortly after the message was received or opened.

The fields used in this lesson

RecipientEmailAddressThe mailbox that received the suspicious email.
SubjectThe email subject used to identify the lure or campaign theme.
NetworkMessageIdA Microsoft 365 message identifier useful when connecting email evidence across Defender XDR tables.
AccountUpnThe user account associated with endpoint process activity.
FileNameThe executable or process name recorded on the endpoint.
ProcessCommandLineThe command line used by the process, often one of the most important sources of endpoint evidence.

Step 1 — Review recent email deliveries

Start by identifying recently delivered emails and the users who received them.
review-email-deliveries.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
EmailEvents
| where Timestamp > ago(24h)
| project Timestamp,
          RecipientEmailAddress,
          SenderFromAddress,
          Subject,
          NetworkMessageId,
          DeliveryAction
| order by Timestamp desc

Step 2 — Review recent process execution

Review process execution across endpoints during the same investigation window.
review-device-processes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
DeviceProcessEvents
| where Timestamp > ago(24h)
| project Timestamp,
          DeviceName,
          AccountUpn,
          FileName,
          InitiatingProcessFileName,
          ProcessCommandLine
| order by Timestamp desc

Step 3 — Correlate by user and timeline

Join email recipients to endpoint process activity and look for execution shortly after delivery.
email-to-process-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
  23. 23
  24. 24
  25. 25
  26. 26
  27. 27
  28. 28
EmailEvents
| where Timestamp > ago(24h)
| project EmailTime = Timestamp,
          RecipientEmailAddress,
          Subject,
          NetworkMessageId
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | project ProcessTime = Timestamp,
              AccountUpn,
              DeviceName,
              FileName,
              InitiatingProcessFileName,
              ProcessCommandLine
) on $left.RecipientEmailAddress == $right.AccountUpn
| where ProcessTime between (EmailTime .. EmailTime + 30m)
| project EmailTime,
          ProcessTime,
          RecipientEmailAddress,
          DeviceName,
          Subject,
          FileName,
          InitiatingProcessFileName,
          ProcessCommandLine
| order by EmailTime asc

Step 4 — Hunt for suspicious Office child processes

Office applications spawning PowerShell, Command Prompt or script engines can indicate attachment-based execution.
office-child-processes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
  23. 23
  24. 24
DeviceProcessEvents
| where InitiatingProcessFileName in~ (
    "WINWORD.EXE",
    "EXCEL.EXE",
    "POWERPNT.EXE",
    "OUTLOOK.EXE"
)
| where FileName in~ (
    "powershell.exe",
    "cmd.exe",
    "wscript.exe",
    "cscript.exe",
    "mshta.exe",
    "rundll32.exe"
)
| project Timestamp,
          DeviceName,
          AccountUpn,
          InitiatingProcessFileName,
          FileName,
          ProcessCommandLine
| order by Timestamp desc

Step 5 — Focus on risky command lines

Command lines often reveal download cradles, encoded commands, script execution and suspicious child processes.
risky-command-lines.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any (
    "powershell",
    "-enc",
    "downloadstring",
    "invoke-webrequest",
    "iwr",
    "mshta",
    "rundll32"
)
| project Timestamp,
          DeviceName,
          AccountUpn,
          FileName,
          InitiatingProcessFileName,
          ProcessCommandLine
| order by Timestamp desc

Step 6 — Build an email-to-process investigation timeline

Combine delivery and process evidence into a single timeline so the sequence is easier to explain.
email-process-investigation-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
EmailEvents
| where Timestamp > ago(24h)
| project EventTime = Timestamp,
          EventType = "EmailDelivered",
          Account = RecipientEmailAddress,
          Detail = Subject
| union (
    DeviceProcessEvents
    | where Timestamp > ago(24h)
    | project EventTime = Timestamp,
              EventType = "ProcessExecuted",
              Account = AccountUpn,
              Detail = strcat(FileName, " | ", ProcessCommandLine)
)
| order by EventTime asc

How to read the results

Do not assume an email caused a process simply because the timestamps are close. Use timing, account, device, parent process and command-line evidence together.
Timing mattersProcesses that start shortly after delivery or attachment opening deserve closer review, especially when the process tree looks unusual.
Parent process mattersOffice applications spawning script interpreters or shells are often more suspicious than ordinary user-launched activity.
Command line mattersThe command line can reveal encoded commands, external downloads, suspicious scripts or attacker-controlled infrastructure.

Common investigation uses

Attachment executionDetermine whether an attachment led to suspicious process activity on a user device.
Payload investigationIdentify PowerShell, script engines, command shells or unusual child processes after email delivery.
Compromised endpoint scopingFind which device and account were involved after a phishing email was opened.
Timeline reconstructionBuild a clear sequence from email delivery through to endpoint execution.

Common mistakes

Assuming delivery means executionA delivered email does not prove malware ran. DeviceProcessEvents is needed to confirm execution evidence.
Ignoring the parent processThe process name alone is not enough. Always review the initiating process and full command line.
Using a time window that is too wideLarge time windows create false correlation. Start narrow, then expand only when needed.

What you learned

Email telemetry starts the storyEmailEvents explains what message arrived and who received it.
Endpoint telemetry proves executionDeviceProcessEvents helps determine whether suspicious code or processes actually ran.
Correlation creates the investigationJoining delivery, user and process evidence creates a reliable timeline for Defender XDR investigations.

Related Agent Foskett Academy lessons

Investigating DeviceProcessEventsReview process execution, command lines and parent-child relationships inside Microsoft Defender XDR.
Correlating EmailEvents and UrlClickEventsConnect email delivery with user click behaviour during phishing investigations.
Advanced UrlClickEvents InvestigationsInvestigate user clicks, Safe Links behaviour and URL activity.
Investigating IsClickedThroughDetermine whether users continued beyond Safe Links protection.
Investigating NetworkMessageIdConnect the same message across Defender email, URL, click and attachment telemetry.
Investigating RecipientEmailAddressIdentify which mailbox received the suspicious message.

Coming next

Lesson 79 — Correlating EmailEvents with DeviceNetworkEventsNext, Agent Foskett Academy follows the investigation beyond process execution by correlating EmailEvents with DeviceNetworkEvents to identify outbound connections made after a phishing email was opened or malicious code executed.
Why this mattersDeviceProcessEvents shows what executed. DeviceNetworkEvents helps reveal whether the device then connected to suspicious infrastructure, command-and-control servers or payload delivery locations.

Final thought

EmailEvents explains what was delivered. DeviceProcessEvents explains what executed. Together, they help defenders determine whether a phishing email became an endpoint compromise.
Agent Foskett mindsetDo not stop at the inbox. Follow the evidence from email delivery into endpoint execution.
Follow the process treeThe parent process, child process and command line often reveal what really happened after the user interacted with the email.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Correlating EmailEvents with DeviceProcessEvents in Microsoft Defender XDR

Agent Foskett Academy Lesson 78 teaches defenders how to correlate EmailEvents with DeviceProcessEvents during Microsoft Defender XDR investigations.

Learn email to endpoint process investigation in Defender XDR

This lesson explains how EmailEvents, DeviceProcessEvents, RecipientEmailAddress, AccountUpn, FileName, InitiatingProcessFileName and ProcessCommandLine help defenders investigate whether suspicious endpoint execution followed phishing email delivery.