Agent Foskett Academy • Lesson 42 • Investigating DeviceEvents

Investigating DeviceEvents in Microsoft Defender XDR

DeviceEvents records a wide range of endpoint activity inside Microsoft Defender XDR, including security control actions, device behaviour and other event signals that do not always appear in process, file, registry or network tables.

This table helps defenders understand what happened on a device, investigate ActionType values, and uncover security-relevant activity that may support a wider investigation.

In this lesson, you will learn how to use DeviceEvents to investigate endpoint actions, review security events and identify suspicious device activity.

Agent Foskett Academy lesson explaining DeviceEvents in Microsoft Defender XDR
Lesson overview

Learn how DeviceEvents helps defenders investigate broader endpoint actions and security events that sit around process, file, registry and network telemetry.

Review endpoint action types
Hunt for security control events
Pivot into deeper device telemetry

Why DeviceEvents matters

DeviceInfo tells you what the device is. DeviceEvents helps you see additional endpoint actions and security signals that may explain what happened.
Not every signal is a process eventSome important endpoint activity is recorded as a device action rather than a process, file, registry or network event.
ActionType gives the clueThe ActionType field helps defenders discover what kind of endpoint activity occurred and where to investigate next.
DeviceEvents supports pivotsOnce you identify an interesting action, you can pivot into DeviceProcessEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceNetworkEvents or AlertEvidence.

Investigation scenario

A device appeared in AlertEvidence after a suspicious alert. DeviceInfo explained what the endpoint was. DeviceEvents revealed additional security actions and device activity around the same timeframe.
The device was identifiedDeviceInfo showed the endpoint name, operating system and posture so the investigation had context.
The event table added behaviourDeviceEvents showed broader endpoint actions that were not obvious from the process tree alone.
The next step was deeper telemetryInteresting ActionType values became pivots into process, file, registry and network events.

Step 1 — Review recent DeviceEvents activity

Start with recent DeviceEvents records and keep the fields that help you understand when, where and what type of endpoint action occurred.
deviceevents-recent-activity.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
DeviceEvents
| where Timestamp > ago(7d)
| project Timestamp, DeviceName, ActionType, ReportId,
                            InitiatingProcessFileName, InitiatingProcessCommandLine,
                            InitiatingProcessAccountName, AdditionalFields
| order by Timestamp desc

Step 2 — Discover common ActionType values

DeviceEvents becomes easier to investigate once you understand which ActionType values are appearing in your environment.
deviceevents-actiontype-summary.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
DeviceEvents
| where Timestamp > ago(30d)
| summarize Events = count(), Devices = dcount(DeviceName) by ActionType
| top 50 by Events desc

Step 3 — Focus on suspicious endpoint actions

Search for ActionType values that may indicate security controls, blocked activity, suspicious behaviour or investigation-worthy endpoint events.
deviceevents-suspicious-actions.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
DeviceEvents
| where Timestamp > ago(14d)
| where ActionType has_any ("Blocked", "Detected", "Exploit", "Tamper", "Antivirus", "Protection")
| project Timestamp, DeviceName, ActionType,
                            InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields
| order by Timestamp desc

Step 4 — Investigate one device timeline

When an endpoint becomes interesting, focus on one device and build a timeline of DeviceEvents around the investigation window.
deviceevents-device-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
let TargetDevice = "replace-with-device-name";
DeviceEvents
| where Timestamp between (ago(24h) .. now())
| where DeviceName =~ TargetDevice
| project Timestamp, ActionType, InitiatingProcessFileName,
                            InitiatingProcessCommandLine, InitiatingProcessAccountName, AdditionalFields
| order by Timestamp asc

Step 5 — Join DeviceEvents with DeviceInfo

DeviceEvents tells you what happened. DeviceInfo tells you what kind of endpoint it happened on.
deviceevents-join-deviceinfo.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
let RecentDeviceInfo = DeviceInfo
| where Timestamp > ago(30d)
| summarize arg_max(Timestamp, *) by DeviceId
| project DeviceId, OSPlatform, ExposureLevel, RiskScore;
DeviceEvents
| where Timestamp > ago(7d)
| join kind=leftouter RecentDeviceInfo on DeviceId
| project Timestamp, DeviceName, OSPlatform, ExposureLevel, RiskScore, ActionType
| order by Timestamp desc

Common investigation uses

DeviceEvents is most useful when defenders use it to find additional endpoint signals around an alert, user, device or suspicious timeframe.
Review endpoint security actionsUse DeviceEvents to identify blocked, detected, protected or tamper-related activity that may not appear in the specialist tables.
Build device behaviour contextUse ActionType and initiating process fields to understand what was happening on the endpoint around the investigation time.
Find the next pivotUse DeviceEvents as a bridge into DeviceProcessEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceNetworkEvents and AlertEvidence.

Common mistakes

DeviceEvents is broad, so defenders need to avoid treating every event as equally important.
Ignoring ActionType varietyDeviceEvents can contain many different event types. Always summarise ActionType values before assuming what the table contains.
Stopping at DeviceEventsDeviceEvents often gives a clue, not the whole story. Pivot into process, file, registry and network telemetry to prove what happened.
Missing the initiating processThe initiating process fields can explain what caused the event and whether the activity was user-driven, system-driven or suspicious.
DeviceEvents is where endpoint clues often hide between the specialist tables.
Use it to find broader endpoint actions, then pivot into the raw telemetry that proves the story.
Back to Academy →

What you learned

DeviceEvents records broader endpoint actionsYou can use it to review security control events, device actions and supporting endpoint activity.
ActionType drives the investigationSummarising and filtering ActionType values helps defenders discover what kind of device events are present.
DeviceEvents supports endpoint pivotsInteresting events can lead into process, file, registry, network, alert and device posture telemetry.

Related Agent Foskett Academy lessons

Investigating DeviceInfoUnderstand the endpoint context before reviewing broader device activity.
Investigating DeviceProcessEventsPivot from device actions into process execution and command-line evidence.
Investigating DeviceFileEventsFollow suspicious events into file creation, modification and download activity.
Investigating DeviceRegistryEventsInvestigate registry changes and persistence-related activity.
Investigating DeviceNetworkEventsPivot from endpoint actions into outbound connections, remote URLs and IP addresses.
Investigating AlertEvidenceConnect alerts to the users, devices, files, URLs and entities involved.
Connecting Tables with joinJoin DeviceEvents with DeviceInfo and specialist endpoint telemetry.
Building Investigation TimelinesTurn device events into a clear timeline of endpoint activity.

Coming next

Lesson 43 — Investigating DeviceLogonEvents in Microsoft Defender XDR Next, Agent Foskett Academy will continue endpoint investigations with DeviceLogonEvents, helping defenders investigate local and remote logons, account usage, failed access and suspicious authentication activity on endpoints.
Why this matters After understanding device actions, defenders often need to know which accounts accessed the endpoint and whether the activity was expected, suspicious or part of a wider compromise.

Final thought

DeviceEvents is often the table that tells you something happened, even when the specialist tables only tell part of the story.
Agent Foskett mindsetDo not ignore the broad endpoint event table. Summarise the actions, find the unusual values, then pivot into the evidence tables that prove the timeline.
Develop IT. Protect IT.GEMXIT PTY LTD | GEMXIT UK LTD

Investigating DeviceEvents in Microsoft Defender XDR

Agent Foskett Academy Lesson 42 teaches defenders how to use DeviceEvents to investigate endpoint actions, security control events, behavioural signals and supporting activity in Microsoft Defender XDR.

Learn DeviceEvents for Microsoft Defender XDR hunting

This lesson explains how DeviceEvents supports Microsoft Defender XDR investigations by helping defenders review ActionType values, investigate endpoint events and pivot into process, file, registry, network and alert evidence.