Agent Foskett Academy • Lesson 33 • Investigating DeviceNetworkEvents

Investigating DeviceNetworkEvents in Microsoft Defender XDR

DeviceNetworkEvents records network connections made by devices protected by Microsoft Defender for Endpoint.

This table helps defenders investigate remote IPs, domains, ports, protocols and suspicious outbound activity.

In this lesson, you will learn how to use DeviceNetworkEvents to follow network evidence, identify unusual connections and support Microsoft Defender XDR investigations.

Lesson overview

Learn how DeviceNetworkEvents helps defenders investigate outbound connections, remote IPs, domains and ports.

Review network connections
Identify remote IPs and domains
Follow suspicious outbound activity
🎯 DeviceNetworkEvents helps reveal where devices are talking.
Use it when an investigation needs remote IPs, domains, ports, protocols or suspicious outbound activity.

Why DeviceNetworkEvents matters

Many attacks leave network traces before they become obvious alerts.

A device may connect to a suspicious IP, contact an unusual domain, communicate over an unexpected port or repeatedly reach out after a malicious process runs.

DeviceNetworkEvents helps defenders investigate those connections and connect network activity back to devices, users and processes.
Remote destinations: Investigate remote IP addresses, domains, URLs and connection destinations.
Ports and protocols: Review remote ports, local ports and protocol behaviour that may indicate unusual traffic.
Process context: Link network activity to the process, device and account involved in the connection.

Investigation scenario

Agent Foskett is investigating a workstation that triggered a suspicious PowerShell alert.

The process activity is important, but the next question is simple: what did the device connect to?

By querying DeviceNetworkEvents, the analyst can review outbound connections, remote destinations and the process context around the network activity.

Step 1 — Review recent network connections

Start with recent DeviceNetworkEvents activity and focus on useful investigation fields.
devicenetworkevents-recent-connections.kql
DeviceNetworkEvents
| where Timestamp > ago(24h)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, ActionType
| order by Timestamp desc

Step 2 — Find connections from suspicious processes

Filter for common scripting and command-line tools that should be reviewed when they make outbound network connections.
devicenetworkevents-suspicious-processes.kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, ActionType
| order by Timestamp desc

Step 3 — Summarise remote destinations

Group network activity by remote IP, URL and port to quickly identify high-volume or repeated destinations.
devicenetworkevents-summarise-destinations.kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
| summarize ConnectionCount = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by RemoteIP, RemoteUrl, RemotePort
| order by ConnectionCount desc
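A summary ordered by raw connection count surfaces the busiest destinations, which are usually the most benign ones (update services, CDNs, the tenant's own SaaS). The following query is an added example, not part of the lesson, that extends the Step 3 summary with device and process context and then keeps only public destinations reached by very few devices. It assumes the standard DeviceNetworkEvents schema (RemoteIPType and ActionType are real columns); the DeviceCount threshold of 2 is an illustrative value to tune for your environment.

```kql
// Added example (not part of the lesson): rare-destination summary.
// Assumes the standard DeviceNetworkEvents schema; the DeviceCount threshold is illustrative.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| where RemoteIPType == "Public"          // skip internal, loopback and reserved ranges
| summarize
    ConnectionCount = count(),
    DeviceCount = dcount(DeviceName),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    Processes = make_set(InitiatingProcessFileName, 10),
    Accounts = make_set(InitiatingProcessAccountName, 10)
    by RemoteIP, RemoteUrl, RemotePort
| where DeviceCount <= 2                  // destinations only one or two devices ever reach
| order by ConnectionCount desc
```

Reading the result: a destination reached by one device, from one scripting process, under one account, over several days is a much stronger lead than a destination every device in the fleet contacts. The Processes and Accounts sets answer the "which process" and "which user" questions without a second query.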

How DeviceNetworkEvents supports investigations

DeviceNetworkEvents does not just show that a connection occurred.

It can show the device, user context, initiating process, remote destination and action taken by Defender.
Device evidence: Identify which endpoint made the connection and when the activity occurred.
Destination evidence: Review RemoteIP, RemoteUrl and RemotePort to understand where the device connected.
Process evidence: Use initiating process fields to understand what caused the network activity.

Step 4 — Focus on unusual remote ports

Remote ports can help defenders quickly separate normal web traffic from traffic that deserves closer review.
devicenetworkevents-unusual-ports.kql
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort !in (80, 443, 53)
| summarize ConnectionCount = count() by DeviceName, RemoteIP, RemoteUrl, RemotePort, InitiatingProcessFileName
| order by ConnectionCount desc

Step 5 — Correlate with suspicious process activity

Join DeviceProcessEvents to DeviceNetworkEvents when you need process details and network destinations in the same investigation view. Because the query below joins on DeviceName alone, every network event on a device is paired with every matching process on that device, so expect a broad result set on busy endpoints.
devicenetworkevents-join-process-events.kql
let SuspiciousProcesses = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "mshta.exe")
| project DeviceName, ProcessTimestamp = Timestamp, FileName, ProcessCommandLine;
DeviceNetworkEvents
| where Timestamp > ago(7d)
| join kind=inner SuspiciousProcesses on DeviceName
| project Timestamp, DeviceName, FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort
| order by Timestamp desc
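When the goal is to tie each connection to the exact process that made it, the join can use the process identity that both tables carry instead of only the device name. The query below is an added example, not part of the lesson: it matches DeviceNetworkEvents to DeviceProcessEvents on DeviceId, process ID and process creation time, which are standard columns in both tables, and keeps only connections made after the process started. Column names are the advanced-hunting schema's own; the 7-day window and process list mirror Step 5.

```kql
// Added example (not part of the lesson): correlate each network event with
// the exact process creation record rather than every process on the device.
// Assumes the standard DeviceProcessEvents and DeviceNetworkEvents schemas.
let SuspiciousProcesses = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "mshta.exe")
| project DeviceId, ProcessId, ProcessCreationTime, FileName, ProcessCommandLine,
          ParentProcess = InitiatingProcessFileName, ProcessTimestamp = Timestamp;
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIPType == "Public"
| join kind=inner SuspiciousProcesses
    on DeviceId,
       $left.InitiatingProcessId == $right.ProcessId,
       $left.InitiatingProcessCreationTime == $right.ProcessCreationTime
| where Timestamp >= ProcessTimestamp          // the connection happened after the process started
| project Timestamp, DeviceName, FileName, ParentProcess, ProcessCommandLine,
          RemoteIP, RemoteUrl, RemotePort, ActionType
| order by Timestamp desc
```

Matching on creation time as well as process ID matters because Windows reuses process IDs; the pair identifies a single process instance. ParentProcess is carried through from DeviceProcessEvents so the view shows what launched the script host as well as where it connected.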

Common investigation uses

Command-and-control review: Look for repeated outbound connections to unusual IP addresses, domains or ports.
Phishing follow-up: Review whether a clicked link led to endpoint network activity after delivery or user interaction.
Suspicious process hunting: Find network connections initiated by PowerShell, scripts, Office processes or living-off-the-land tools.
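The command-and-control review above depends on spotting repetition over time, which a plain count does not show. This added example, not part of the lesson, buckets successful connections into one-hour bins and then reports, per device, process and destination, how many distinct hours contained activity. It assumes the standard DeviceNetworkEvents schema; the 3-day window, the port exclusions and the ActiveHours threshold of 12 are illustrative values.

```kql
// Added example (not part of the lesson): destinations a single process
// contacts across many hours of the day, a pattern worth reviewing for
// beaconing. Window, port exclusions and ActiveHours threshold are illustrative.
DeviceNetworkEvents
| where Timestamp > ago(3d)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where RemotePort !in (80, 443)          // web ports are too noisy for this first pass
| summarize ConnectionsInHour = count()
    by DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, Hour = bin(Timestamp, 1h)
| summarize
    ActiveHours = dcount(Hour),
    TotalConnections = sum(ConnectionsInHour),
    AvgPerHour = avg(ConnectionsInHour),
    FirstSeen = min(Hour),
    LastSeen = max(Hour)
    by DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort
| where ActiveHours >= 12
| order by ActiveHours desc, TotalConnections desc
```

A destination that shows a low, steady AvgPerHour across most hours of the window, including overnight, looks different from a burst of downloads during working hours; the second summarize step is what makes that difference visible. Drop the port exclusion on a second pass, since C2 over 443 is common and the rarity and process context from the earlier summaries then carry the weight.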

Common mistakes

Looking only at RemoteIP: Review RemoteUrl, RemotePort, ActionType and initiating process fields as well.
Ignoring process context: A connection is more meaningful when you know which process created it.
Assuming one connection is enough: Use summarize to find repeated patterns, bursts and high-volume destinations.

What you learned

DeviceNetworkEvents shows network evidence: You learned how to review outbound connections, remote IPs, URLs and ports.
Process context matters: You learned how initiating process fields help explain why a connection occurred.
Summaries reveal patterns: You learned how to group remote destinations to identify repeated or suspicious activity.
Next lesson: Investigating DeviceProcessEvents in Microsoft Defender XDR
Now that you can investigate network activity, the next step is following process creation, command lines and parent-child execution evidence.

Related Agent Foskett Academy lessons

Investigating UrlClickEvents: Review how defenders investigate Safe Links clicks and suspicious URL activity.
Connecting Tables with join: Review how defenders connect network, process, email and identity evidence.

Continue learning with Building Investigation Timelines, KQL Threat Hunting Guide and Microsoft Security.

Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD
