Agent Foskett Academy • Lesson 41 • Investigating DeviceInfo

Investigating DeviceInfo in Microsoft Defender XDR

DeviceInfo provides important endpoint context inside Microsoft Defender XDR advanced hunting, including device names, operating systems, onboarding state, sensor health, exposure level, risk score and other device posture details.

This table helps defenders understand the device behind an alert, logon, process, file event or network connection. Before you decide how serious an endpoint investigation is, you need to know what kind of device you are looking at and whether it is healthy, onboarded and exposed.

In this lesson, you will learn how to use DeviceInfo to investigate endpoint context, identify risky devices, review onboarding and sensor health, and enrich Microsoft Defender XDR investigations with device posture evidence.

Agent Foskett Academy lesson explaining DeviceInfo in Microsoft Defender XDR
Lesson overview

Learn how DeviceInfo helps defenders understand endpoint identity, health, exposure and risk during Microsoft Defender XDR investigations.

Review endpoint context
Check sensor and onboarding state
Enrich endpoint investigations

Why DeviceInfo matters

AlertInfo and AlertEvidence show what was detected and which entities were involved. DeviceInfo helps you understand the endpoint itself.
Device context changes the investigationA suspicious process on a domain controller, server, kiosk or unmanaged laptop does not carry the same risk. DeviceInfo helps you understand the system involved.
Health and onboarding matterSensor health, onboarding status and endpoint coverage help defenders understand whether Microsoft Defender for Endpoint telemetry can be trusted.
Risk and exposure guide priorityExposure level and risk score help defenders decide which devices need urgent follow-up during triage and threat hunting.

Investigation scenario

An alert named a device, but the alert alone did not explain whether the endpoint was healthy, exposed or properly onboarded. DeviceInfo gave the missing context.
The alert named the endpointAlertEvidence showed the DeviceName involved in the detection.
DeviceInfo showed the postureThe device had a high exposure level and needed deeper review before the alert could be closed.
The next step was endpoint telemetryThe device context became the pivot into DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents and DeviceLogonEvents.

Step 1 — Review recent device inventory

Start by reviewing devices seen recently and keeping fields that explain device posture and Defender coverage.
deviceinfo-recent-inventory.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
DeviceInfo
| where Timestamp > ago(7d)
| summarize LatestSeen = max(Timestamp) by DeviceId, DeviceName, OSPlatform, OSVersion,
                            OnboardingStatus, SensorHealthState, ExposureLevel, RiskScore
| order by LatestSeen desc

Step 2 — Focus on one device

When an alert or investigation names a device, use DeviceName or DeviceId to pull the latest known endpoint context.
deviceinfo-specific-device.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
let TargetDevice = "replace-with-device-name";
DeviceInfo
| where Timestamp > ago(30d)
| where DeviceName == TargetDevice
| project Timestamp, DeviceId, DeviceName, OSPlatform, OSVersion,
                            OnboardingStatus, SensorHealthState, ExposureLevel, RiskScore
| order by Timestamp desc

Step 3 — Find exposed or high risk devices

Exposure level and risk score help defenders prioritise endpoint reviews and identify devices that should not be ignored.
deviceinfo-exposure-risk.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
DeviceInfo
| where Timestamp > ago(30d)
| summarize LatestSeen = max(Timestamp) by DeviceId, DeviceName, ExposureLevel, RiskScore, OSPlatform
| where ExposureLevel in ("High", "Medium")
                            or RiskScore in ("High", "Medium")
| order by ExposureLevel asc, RiskScore asc

Step 4 — Check onboarding and sensor health

A device involved in an incident is more concerning if it is unhealthy, inactive or not fully onboarded.
deviceinfo-sensor-health.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
DeviceInfo
| where Timestamp > ago(14d)
| summarize LatestSeen = max(Timestamp) by DeviceId, DeviceName, OnboardingStatus, SensorHealthState, OSPlatform
| where OnboardingStatus != "Onboarded"
                            or SensorHealthState != "Active"
| order by LatestSeen desc

Step 5 — Join DeviceInfo to process activity

Joining DeviceInfo to DeviceProcessEvents lets defenders add endpoint posture to process execution investigations.
deviceinfo-deviceprocessevents-join.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
let DevicePosture =
DeviceInfo
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, OSPlatform, ExposureLevel, RiskScore, SensorHealthState) by DeviceId, DeviceName;
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("powershell", "encodedcommand", "rundll32")
| join kind=leftouter DevicePosture on DeviceId
| project Timestamp, DeviceName, FileName, ProcessCommandLine, OSPlatform, ExposureLevel, RiskScore, SensorHealthState

Step 6 — Summarise devices by operating system and posture

A simple summary helps defenders spot where exposed devices are concentrated across operating systems or device groups.
deviceinfo-posture-summary.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
DeviceInfo
| where Timestamp > ago(30d)
| summarize LatestSeen = max(Timestamp) by DeviceId, DeviceName, OSPlatform, ExposureLevel, RiskScore
| summarize Devices = count() by OSPlatform, ExposureLevel, RiskScore
| order by Devices desc

Common investigation uses

DeviceInfo becomes valuable when defenders use it to enrich alerts and endpoint telemetry, not just as a device list.
Understand affected endpointsUse DeviceInfo to see the operating system, device identity, health and posture of the endpoint involved in an alert.
Prioritise exposed devicesUse exposure and risk fields to decide which endpoint investigations require urgent attention.
Validate Defender coverageCheck onboarding and sensor health before assuming the available telemetry tells the full story.

Common mistakes

DeviceInfo gives context, but defenders still need to validate activity in the event tables.
Assuming every device is healthyIf sensor health is poor, you may be missing important endpoint telemetry.
Ignoring device exposureA low-noise alert on a highly exposed device may deserve more attention than the alert title suggests.
Stopping at inventory dataDeviceInfo explains the device. DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents and DeviceLogonEvents explain what happened on it.
The alert names the device. DeviceInfo tells you what kind of device it really is.
Use DeviceInfo to add endpoint health, risk and exposure context before making investigation decisions.
Back to Academy →

What you learned

DeviceInfo provides endpoint contextYou can use it to understand device identity, operating system, onboarding status, sensor health, exposure and risk.
Device posture supports triageHigh exposure, poor sensor health or questionable onboarding can change the urgency of an investigation.
DeviceInfo enriches event tablesJoining DeviceInfo to process, file, network and logon telemetry gives defenders a more complete investigation view.

Related Agent Foskett Academy lessons

Investigating AlertInfoStart with alert metadata, severity, categories and detection source before reviewing devices.
Investigating AlertEvidenceUse evidence entities to identify the device involved in an alert.
Investigating DeviceProcessEventsFollow device context into process execution and command-line activity.
Investigating DeviceFileEventsReview file creation, modification and deletion activity on the endpoint.
Investigating DeviceNetworkEventsInvestigate outbound connections, remote URLs and IP addresses from the device.
Investigating DeviceRegistryEventsLook for persistence and registry changes connected to the endpoint.
Investigating IdentityLogonEventsConnect endpoint context back to identity activity and authentication events.
Connecting Tables with joinJoin DeviceInfo to other Defender XDR telemetry for richer investigations.

Coming next

Lesson 42 — Investigating DeviceEvents in Microsoft Defender XDR Next, Agent Foskett Academy will continue endpoint investigations with DeviceEvents, helping defenders review general endpoint events, security actions, behavioural signals and activity that does not always fit neatly into process, file, registry or network tables.
Why this matters After understanding the endpoint with DeviceInfo, defenders can use DeviceEvents to investigate broader endpoint activity and additional signals generated by Microsoft Defender for Endpoint.

Investigating DeviceInfo in Microsoft Defender XDR

Agent Foskett Academy Lesson 41 teaches defenders how to use DeviceInfo to investigate endpoint context, onboarding status, sensor health, exposure level, risk score and device posture in Microsoft Defender XDR.

Learn DeviceInfo for Microsoft Defender XDR hunting

This lesson explains how DeviceInfo supports Microsoft Defender XDR investigations by connecting endpoint alerts and telemetry to device health, operating system details, Defender onboarding state and risk context.