Agent Foskett Academy • Lesson 40 • Investigating AlertEvidence

Investigating AlertEvidence in Microsoft Defender XDR

AlertEvidence records the entities connected to Microsoft Defender XDR alerts, including users, devices, files, URLs, IP addresses, mailboxes and other evidence objects.

This table helps defenders move from an alert title into the actual evidence behind the detection, showing which accounts, endpoints, files and network indicators were involved.

In this lesson, you will learn how to use AlertEvidence to investigate supporting alert entities, pivot from alerts to evidence, and connect detections back to real Microsoft Defender XDR telemetry.

Agent Foskett Academy lesson explaining AlertEvidence in Microsoft Defender XDR
Lesson overview

Learn how AlertEvidence helps defenders identify the users, devices, files, URLs and other entities connected to Defender XDR alerts.

Review alert entities
Pivot from AlertId to evidence
Join alerts to supporting telemetry

Why AlertEvidence matters

AlertInfo tells you what Microsoft Defender XDR detected. AlertEvidence helps you understand who and what was involved.
Evidence identifies affected entitiesAlertEvidence can show the users, devices, files, URLs, IP addresses and other objects associated with a detection.
Alerts need contextAn alert title is only the beginning. Evidence fields help defenders decide where to investigate next.
Evidence creates pivotsOnce you know the user, device, file or URL involved, you can pivot into the source telemetry and reconstruct the full attack timeline.

Investigation scenario

A high severity alert appeared overnight. AlertInfo showed the detection, but AlertEvidence revealed the affected user, device and suspicious URL involved in the incident.
The alert gave the starting pointThe AlertId provided a reliable pivot from the alert metadata into the supporting evidence.
The evidence named the entitiesAlertEvidence showed the account, endpoint and URL that needed deeper investigation.
The next step was telemetryThe evidence values became pivots into IdentityLogonEvents, DeviceProcessEvents, DeviceNetworkEvents, EmailEvents and UrlClickEvents.

Step 1 — Review recent alert evidence

Start by reviewing recent evidence entities and keeping the fields that help you pivot quickly.
alertevidence-recent-evidence.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
AlertEvidence
| where Timestamp > ago(7d)
| project Timestamp, AlertId, EntityType, EvidenceRole,
                            AccountName, DeviceName, RemoteUrl,
                            RemoteIP, FileName, SHA256
| order by Timestamp desc

Step 2 — Focus on one AlertId

Once an alert becomes interesting, use the AlertId to pull every evidence object connected to that detection.
alertevidence-specific-alertid.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
let TargetAlertId = "replace-with-alert-id";
AlertEvidence
| where Timestamp > ago(30d)
| where AlertId == TargetAlertId
| project Timestamp, EntityType, EvidenceRole,
                            AccountName, DeviceName, RemoteUrl, RemoteIP, FileName
| order by Timestamp asc

Step 3 — Summarise evidence entity types

Summarising evidence types helps you understand whether alerts are mostly identity, device, file, email, URL or network related.
alertevidence-entity-summary.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
AlertEvidence
| where Timestamp > ago(30d)
| summarize EvidenceCount = count()
                            by EntityType, EvidenceRole
| order by EvidenceCount desc

Step 4 — Find users repeatedly appearing in alerts

Repeated evidence involving the same account can indicate a compromised user, targeted account or noisy detection area.
alertevidence-user-summary.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
AlertEvidence
| where Timestamp > ago(30d)
| where isnotempty(AccountName)
| summarize AlertCount = dcount(AlertId),
                            EvidenceCount = count() by AccountName
| order by AlertCount desc

Step 5 — Review files, URLs and IP addresses

Alert evidence often contains indicators that can be reused in endpoint, email and network hunting queries.
alertevidence-indicators.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
AlertEvidence
| where Timestamp > ago(30d)
| where isnotempty(RemoteUrl)
                            or isnotempty(RemoteIP)
                            or isnotempty(SHA256)
| project Timestamp, AlertId, EntityType,
                            RemoteUrl, RemoteIP, FileName, SHA256
| order by Timestamp desc

Step 6 — Join AlertInfo to AlertEvidence

The most useful alert investigations combine detection metadata from AlertInfo with supporting entities from AlertEvidence.
alertinfo-alertevidence-join.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
AlertInfo
| where Timestamp > ago(7d)
| project AlertId, AlertTime = Timestamp, Title, Severity, Category
| join kind=leftouter (
                            AlertEvidence
                            | where Timestamp > ago(7d)
                            | project AlertId, EntityType, EvidenceRole, AccountName, DeviceName, RemoteUrl
) on AlertId
| order by AlertTime desc

Common investigation uses

AlertEvidence becomes powerful when defenders treat every entity as a pivot point.
Identify affected users and devicesUse evidence entities to quickly understand who and what was involved in the alert.
Collect indicators for huntingPull URLs, IP addresses, file names and hashes from evidence and reuse them in wider hunting queries.
Connect alerts to raw telemetryUse evidence values to pivot into identity, endpoint, email and network tables for a fuller investigation.

Common mistakes

Alert evidence is useful, but it should not be treated as the full investigation by itself.
Stopping at the alert pageThe alert summary may be correct, but the real story often sits in the telemetry behind each evidence entity.
Ignoring EvidenceRoleEvidenceRole can help distinguish between the primary entity involved and supporting context.
Not validating the pivotA user, device or URL in AlertEvidence should be checked against raw events before the investigation conclusion is written.
The alert tells you there is smoke. The evidence tells you where to look for fire.
Use AlertEvidence as the bridge between Defender detections and the telemetry that proves what happened.
Back to Academy →

What you learned

AlertEvidence records supporting entitiesYou can use it to identify the users, devices, files, URLs, IP addresses and other objects linked to alerts.
Evidence creates investigation pivotsEach evidence value can become a starting point for deeper hunting across Microsoft Defender XDR tables.
AlertInfo and AlertEvidence work togetherAlertInfo explains the detection. AlertEvidence explains the entities involved. Together they support better triage.

Related Agent Foskett Academy lessons

Investigating AlertInfoStart with alert metadata, severity, categories and detection source before reviewing evidence.
Connecting Tables with joinJoin alert metadata to supporting evidence and source telemetry.
Building Investigation TimelinesTurn alert evidence into a clear sequence of activity across users, devices and services.
Investigating IdentityLogonEventsFollow account evidence into authentication and logon activity.
Investigating DeviceProcessEventsFollow device evidence into process execution and command-line activity.
Investigating DeviceNetworkEventsUse URL and IP evidence to investigate network connections.
Investigating EmailEventsFollow email-related evidence into message delivery and authentication telemetry.
Investigating UrlClickEventsUse URL evidence to investigate Safe Links clicks and user behaviour.

Coming next

Lesson 41 — Investigating DeviceInfo in Microsoft Defender XDR Next, Agent Foskett Academy will move into endpoint investigations using DeviceInfo, helping defenders understand device risk, exposure levels, operating systems, onboarding status and endpoint context during Microsoft Defender XDR investigations.
Why this matters After reviewing alerts and evidence, defenders often need to understand the affected endpoint. DeviceInfo provides critical context about device risk, exposure, operating system details and overall security posture.

Final thought

AlertEvidence turns an alert from a headline into an investigation map. It shows the entities worth following.
Agent Foskett mindsetDo not just ask what the alert was called. Ask which users, devices, files, URLs and IP addresses were connected to it, then prove the story in the raw telemetry.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating AlertEvidence in Microsoft Defender XDR

Agent Foskett Academy Lesson 40 teaches defenders how to use AlertEvidence to investigate users, devices, files, URLs, IP addresses and supporting entities connected to Microsoft Defender XDR alerts.

Learn AlertEvidence for Microsoft Defender XDR hunting

This lesson explains how AlertEvidence supports Microsoft Defender XDR investigations by connecting alerts to evidence entities, affected accounts, endpoints, indicators and source telemetry.