Agent Foskett Academy • Lesson 39 • Investigating AlertInfo

Investigating AlertInfo in Microsoft Defender XDR

AlertInfo records alert-level information generated by Microsoft Defender XDR and connected Microsoft security services.

This table helps defenders understand what Microsoft detected, how severe the alert is, which product raised it, and where the investigation should begin.

In this lesson, you will learn how to use AlertInfo to review recent alerts, prioritise high severity detections, identify noisy alert categories, and prepare for deeper evidence correlation with AlertEvidence and other Defender XDR tables.

Agent Foskett Academy lesson explaining AlertInfo in Microsoft Defender XDR
Lesson overview

Learn how AlertInfo helps defenders investigate Microsoft Defender XDR alerts, severity, category, service source and detection context.

Review recent Defender XDR alerts
Prioritise high severity detections
Prepare for AlertEvidence correlation

Why AlertInfo matters

Raw telemetry shows what happened. AlertInfo shows what Microsoft Defender XDR decided was suspicious enough to raise as a detection.
Alerts provide investigation starting pointsAlertInfo gives defenders a focused place to begin when Microsoft Defender XDR has detected suspicious behaviour.
Severity helps prioritise workHigh and medium severity alerts can guide triage when many signals are competing for attention.
AlertInfo connects to evidenceThe AlertId becomes the pivot point for moving from the alert summary into AlertEvidence and supporting telemetry.

Investigation scenario

A high severity alert appeared overnight. The alert title suggested account compromise, but the analyst still needed to understand the source, category and supporting evidence.
The alert was the doorwayAlertInfo showed the title, severity and service source, but not the complete story behind the detection.
The category shaped the investigationAn identity alert required a different path from an endpoint, email or cloud app alert.
The next step was evidenceThe AlertId became the key used to pivot into AlertEvidence and then into identity, endpoint and email telemetry.

Step 1 — Review recent alerts

Start by reviewing recent alerts and keeping the key triage fields visible.
alertinfo-recent-alerts.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
AlertInfo
| where Timestamp > ago(7d)
| project Timestamp, AlertId, Title,
                            Severity, Category, ServiceSource
| order by Timestamp desc

Step 2 — Focus on high severity alerts

High severity alerts should usually be reviewed first, especially when they involve identity, endpoint or email compromise.
alertinfo-high-severity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
AlertInfo
| where Timestamp > ago(30d)
| where Severity =~ "High"
| project Timestamp, AlertId, Title,
                            Severity, Category, ServiceSource
| order by Timestamp desc

Step 3 — Search for identity-related alerts

When an account is under investigation, search alert titles and categories for identity-focused language.
alertinfo-identity-alerts.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
AlertInfo
| where Timestamp > ago(30d)
| where Title has_any (
                            "user", "account", "identity", "sign-in", "login")
| project Timestamp, AlertId, Title,
                            Severity, Category, ServiceSource
| order by Timestamp desc

Step 4 — Summarise alert categories

Summarising categories helps defenders understand what types of detections are appearing most often.
alertinfo-category-summary.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
AlertInfo
| where Timestamp > ago(30d)
| summarize AlertCount = count()
                            by Category, Severity
| order by AlertCount desc

Step 5 — Review alert sources

ServiceSource shows which Microsoft security product generated the alert, helping defenders choose the next telemetry table.
alertinfo-service-source-summary.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
AlertInfo
| where Timestamp > ago(30d)
| summarize AlertCount = count()
                            by ServiceSource, Severity
| order by AlertCount desc

Step 6 — Prepare AlertInfo for evidence correlation

Once interesting alerts are identified, keep the AlertId ready for joining into AlertEvidence.
alertinfo-alertid-pivot.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
let InterestingAlerts =
AlertInfo
| where Timestamp > ago(7d)
| where Severity in~ ("High", "Medium")
| project AlertId, AlertTime = Timestamp, Title, Severity, ServiceSource;
InterestingAlerts
| order by AlertTime desc

Common investigation uses

AlertInfo becomes useful when it is treated as the alert index for the wider investigation, not the complete investigation by itself.
Alert triageReview titles, severity and categories to decide which alerts need immediate investigation.
Detection source reviewIdentify whether alerts are coming from endpoint, identity, email, cloud app or other Microsoft security services.
Evidence pivotsUse AlertId to move from the alert summary into AlertEvidence and related Defender XDR telemetry.

Common mistakes

Alert investigations can go wrong when the alert is treated as the entire incident rather than the beginning of the story.
Stopping at the alert titleThe title is useful, but it does not replace checking evidence, timelines and affected entities.
Ignoring service sourceThe product that generated the alert often tells you where to pivot next.
Missing repeated alertsMultiple alerts against the same user, device or mailbox may reveal a wider attack chain.
The alert is not the investigation. It is the doorway.
Use AlertInfo to identify what Microsoft Defender XDR detected, then follow the evidence.
Back to Academy →

What you learned

AlertInfo records alert summariesYou can use it to review alert titles, severity, categories, service sources and detection timing.
Alerts require prioritisationSeverity, category and source help defenders decide what to investigate first.
AlertId is the pivotThe AlertId connects AlertInfo to AlertEvidence and helps reconstruct the broader Defender XDR incident timeline.

Related Agent Foskett Academy lessons

Investigating IdentityLogonEventsReview identity activity before and after alerts involving users or accounts.
Investigating IdentityDirectoryEventsConnect identity alerts to group changes, account modifications and directory activity.
Building Investigation TimelinesPlace alerts, logons, endpoint events and email activity into one investigation timeline.
Connecting Tables with joinPrepare to join AlertInfo with AlertEvidence and supporting telemetry tables.
Investigating DeviceProcessEventsFollow endpoint alerts into process execution and suspicious command-line activity.
Investigating DeviceNetworkEventsReview outbound network activity connected to endpoint detections.
Investigating EmailEventsFollow email alerts into sender, recipient, delivery and authentication evidence.
Using let Statements to Reuse EvidenceStore alert IDs, users and devices for reuse across multiple investigation queries.

Coming next

AlertInfo tells you what was detected. AlertEvidence shows the users, devices, files, mailboxes, URLs and other entities connected to the detection.
Lesson 40 — Investigating AlertEvidenceThe next lesson will show how to use AlertEvidence to move from alert summary into the entities involved in the detection.
Why this mattersAlertEvidence is where Defender XDR investigations become practical, because it reveals what the alert was actually about.
Investigator mindsetStart with AlertInfo, pivot with AlertId, then rebuild the attack chain from supporting evidence.

Final thought

AlertInfo is the front door of many Defender XDR investigations. It tells you what Microsoft detected, but the real work begins when you follow the alert into evidence.
Agent Foskett mindsetDo not just ask what alert fired. Ask why it fired, what evidence supports it, and what happened before and after.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating AlertInfo in Microsoft Defender XDR

Agent Foskett Academy Lesson 39 teaches defenders how to use AlertInfo to investigate Microsoft Defender XDR alerts, severity, categories, service sources and detection context.

Learn AlertInfo for Microsoft Defender XDR hunting

This lesson explains how AlertInfo supports Microsoft Defender XDR investigations by helping analysts prioritise alerts and pivot into AlertEvidence, identity, endpoint and email telemetry.