Agent Foskett Academy • Lesson 35 • Investigating DeviceProcessEvents

Investigating DeviceProcessEvents in Microsoft Defender XDR

DeviceProcessEvents records process creation and execution activity from devices protected by Microsoft Defender for Endpoint.

This table helps defenders investigate executables, command lines, parent-child process relationships, user context and suspicious activity on endpoints.

In this lesson, you will learn how to use DeviceProcessEvents to follow execution evidence, review command lines and support Microsoft Defender XDR investigations.

Lesson overview

Learn how DeviceProcessEvents helps defenders investigate process execution, command lines and parent-child process relationships.

Review process execution
Analyse command lines
Follow parent-child process chains
🎯 DeviceProcessEvents helps reveal what actually ran.
Use it when an investigation needs process names, command lines, parent processes, user context or execution timelines.

Why DeviceProcessEvents matters

Almost every endpoint investigation eventually comes back to one question: what process ran?

Attackers may use PowerShell, CMD, Rundll32, MSHTA, WScript, Office processes or custom malware to execute commands and move through the environment.

DeviceProcessEvents helps defenders investigate execution activity and connect suspicious behaviour back to the device, user, command line and parent process.
Process execution: Investigate which executables ran, when they ran and on which devices.
Command-line evidence: Review ProcessCommandLine to understand what the process was instructed to do.
Parent-child chains: Use initiating process fields to understand what launched the suspicious process.

Investigation scenario

Agent Foskett is investigating a device that made an unusual outbound connection.

DeviceNetworkEvents showed which remote destination the device contacted, but the next question is more important: what process caused the connection?

By querying DeviceProcessEvents, the analyst can review the process name, command line, account context and parent process that led to the activity.

Step 1 — Review recent process activity

Start with recent DeviceProcessEvents activity and focus on fields that help explain what executed.
deviceprocessevents-recent-processes.kql
DeviceProcessEvents
| where Timestamp > ago(24h)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| order by Timestamp desc

Step 2 — Find PowerShell activity

PowerShell is legitimate, but it is also commonly abused during attacks. Start by reviewing where it executed and what command line was used.
deviceprocessevents-powershell-activity.kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| order by Timestamp desc

Step 3 — Review parent-child relationships

Parent-child process evidence helps defenders understand how suspicious execution started.
deviceprocessevents-parent-child.kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| project Timestamp, DeviceName, FileName, InitiatingProcessFileName, ProcessCommandLine
| order by Timestamp desc

Examples of process chains to review

Office to PowerShell: winword.exe or excel.exe launching powershell.exe can indicate macro-driven execution.
Outlook to script host: outlook.exe launching wscript.exe or mshta.exe deserves investigation.
Command shell chains: cmd.exe launching living-off-the-land binaries can hide attacker behaviour inside trusted tools.
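The chains listed above can be reviewed in a single query instead of scanning the unfiltered parent-child output. The query below is an added example and is not part of the lesson's own query set: the ChainLabel names are constructed, the extra child binaries (cscript.exe, regsvr32.exe, certutil.exe, bitsadmin.exe, powerpnt.exe) are common additions assumed here rather than taken from the lesson, and all column names follow the standard DeviceProcessEvents schema.

```kql
// Added example (not from the lesson): label the parent-child chains described above
// so they land in one result set with both command lines for context.
// ChainLabel values are constructed names; tune the binary lists to your environment.
DeviceProcessEvents
| where Timestamp > ago(7d)
| extend Parent = tolower(InitiatingProcessFileName), Child = tolower(FileName)
| extend ChainLabel = case(
    Parent in ("winword.exe", "excel.exe", "powerpnt.exe")
        and Child in ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"), "Office to shell or script host",
    Parent == "outlook.exe"
        and Child in ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"), "Outlook to script host",
    Parent == "cmd.exe"
        and Child in ("rundll32.exe", "mshta.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"), "Command shell to LOLBIN",
    "")
| where isnotempty(ChainLabel)
// Keep the parent's command line as well: it often explains why the child was launched.
| project Timestamp, DeviceName, AccountName, ChainLabel,
          InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
| order by Timestamp desc
```

Review the parent command line alongside the child command line: an Office parent opened from a Temp or Downloads path, followed by a PowerShell child, tells a much clearer story than either row on its own.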

Step 4 — Look for encoded commands

Encoded PowerShell commands are often used to hide intent from casual review.
deviceprocessevents-encoded-commands.kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine contains "-enc" or ProcessCommandLine contains "-encodedcommand"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| order by Timestamp desc
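Finding an encoded command is only half the job; the analyst still has to read it. The query below is an added example, not from the lesson, that extracts the base64 blob following an -EncodedCommand style switch and decodes it in the query. Two assumptions are built in and labelled in the comments: the regular expression is a heuristic for the short forms PowerShell accepts (-e, -ec, -enc and so on), and because PowerShell encodes the script as UTF-16LE the decoded text is assumed to survive base64_decode_tostring with an interleaved NUL after each ASCII character, which the replace_regex step strips. The IntentScore keyword list is illustrative and constructed for this example.

```kql
// Added example (not from the lesson): decode -EncodedCommand payloads for review.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
// Heuristic (assumption): any switch starting with -e that is followed by a long base64 run.
// Short values such as "-ExecutionPolicy Bypass" fail the 20-character minimum and are skipped.
| extend EncodedBlob = extract(@"(?i)\s-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
| where isnotempty(EncodedBlob)
// Assumption: the UTF-16LE bytes decode to text with NUL characters between letters; remove them.
| extend DecodedCommand = replace_regex(base64_decode_tostring(EncodedBlob), @"\x00", "")
// Illustrative keyword score to prioritise review; extend the list with your own findings.
| extend IntentScore =
      iff(DecodedCommand has "DownloadString", 1, 0)
    + iff(DecodedCommand has "FromBase64String", 1, 0)
    + iff(DecodedCommand has "Invoke-Expression" or DecodedCommand has "IEX", 1, 0)
    + iff(DecodedCommand has "WebClient", 1, 0)
    + iff(DecodedCommand has "Bypass", 1, 0)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, IntentScore, DecodedCommand, ProcessCommandLine
| order by IntentScore desc, Timestamp desc
```

Check the decoded text rather than the score: a low score on a command that writes to a startup folder is still worth an analyst's time, and a legitimate management tool can use encoded commands routinely, so the InitiatingProcessFileName column is what separates expected automation from something new.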

How DeviceProcessEvents supports investigations

DeviceProcessEvents does not just show that a file ran.

It can show the account, command line, parent process, device and time of execution.
Execution evidence: Identify what ran and when it ran during the investigation timeline.
Intent evidence: Use ProcessCommandLine to understand the action the process attempted to perform.
Launch evidence: Use InitiatingProcessFileName to understand what started the process.

Step 5 — Summarise process activity

Summarising by FileName can help identify high-volume processes or unusual executables across devices.
deviceprocessevents-summarise-processes.kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| summarize ProcessCount = count() by FileName
| order by ProcessCount desc
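The count by FileName surfaces the high-volume end of the distribution; the unusual executables sit at the other end. The query below is an added example, not part of the lesson, that stacks by file hash as well as name so a renamed or freshly built binary stands out, and then keeps only executables seen on very few devices. The thresholds (2 devices, 5 executions) and the user-writable path terms are constructed starting points to tune per environment; column names follow the DeviceProcessEvents schema.

```kql
// Added example (not from the lesson): surface rare executables instead of common ones.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where isnotempty(SHA256)
// Grouping by hash separates a legitimate binary from something else using its name.
| summarize Executions = count(), Devices = dcount(DeviceName), Accounts = dcount(AccountName),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            SamplePath = take_any(FolderPath), SampleCommandLine = take_any(ProcessCommandLine)
            by FileName, SHA256
// Constructed thresholds: rare across the estate and executed only a handful of times.
| where Devices <= 2 and Executions <= 5
// Binaries running from user-writable locations are reviewed first (1 = user-writable).
| extend UserWritablePath = iff(SamplePath has_any ("Users", "Temp", "AppData", "ProgramData"), 1, 0)
| order by UserWritablePath desc, Devices asc, Executions asc
| project FirstSeen, LastSeen, FileName, SHA256, Devices, Accounts, Executions,
          UserWritablePath, SamplePath, SampleCommandLine
```

A first-seen timestamp inside the alert window, a single device and a path under a user profile is the combination that most often deserves a pivot back into the parent-child query.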

Step 6 — Correlate with network activity

Join DeviceProcessEvents to DeviceNetworkEvents when you need to connect process execution with remote destinations.
deviceprocessevents-join-network-events.kql
let SuspiciousProcesses = DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "mshta.exe")
| project DeviceName, FileName, ProcessCommandLine;
DeviceNetworkEvents
| where Timestamp > ago(7d)
| join kind=inner SuspiciousProcesses on DeviceName
| project Timestamp, DeviceName, FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort
| order by Timestamp desc
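The join above matches on DeviceName alone, so every PowerShell or mshta execution on a device is paired with every network event from that device in the window, and the result cannot say which process actually made the connection. DeviceNetworkEvents carries the initiating process's identity, so the correlation can be made exact. The query below is an added example, not the lesson's own, that joins on device, process ID and process creation time (the pair that identifies one process instance even when IDs are reused) and reports how long after process start each connection occurred. The binary list and the Public-only filter are assumptions for this example; the column names follow the Defender XDR schema for both tables.

```kql
// Added example (not from the lesson): tie each outbound connection to the exact process instance.
let LookbackWindow = 7d;
// Assumed watch list for this example; extend to suit the investigation.
let SuspiciousBinaries = dynamic(["powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "rundll32.exe"]);
DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where FileName in~ (SuspiciousBinaries)
| project DeviceId, DeviceName, ProcessStart = Timestamp, ProcessId, ProcessCreationTime,
          AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(LookbackWindow)
    // Assumption: internal traffic is noise for this scenario; drop the filter to see everything.
    | where RemoteIPType == "Public"
    | project DeviceId, ConnectionTime = Timestamp, InitiatingProcessId, InitiatingProcessCreationTime,
              RemoteIP, RemoteUrl, RemotePort, ActionType
  ) on DeviceId,
     $left.ProcessId == $right.InitiatingProcessId,
     $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
// Seconds between process start and the connection: a connection within moments of launch
// from an Office parent reads very differently from one hours into an admin session.
| extend SecondsToConnect = datetime_diff("second", ConnectionTime, ProcessStart)
| project ConnectionTime, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName,
          RemoteIP, RemoteUrl, RemotePort, ActionType, SecondsToConnect
| order by ConnectionTime desc
```

When the starting point is a known remote IP from DeviceNetworkEvents, add a where clause on RemoteIP inside the inner query; the join then returns the single process row that explains the connection, which is the answer the scenario above is asking for.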

Common investigation uses

PowerShell abuse: Review scripts, encoded commands, download activity and suspicious command-line patterns.
LOLBIN investigations: Investigate trusted Windows binaries being used in suspicious ways.
Malware execution tracing: Follow process creation evidence to understand what ran before and after an alert.

Common mistakes

Looking only at FileName: Always review ProcessCommandLine because the command line often reveals the real intent.
Ignoring parent processes: Understanding what launched the process can explain how the activity started.
Not correlating evidence: Process evidence becomes much stronger when connected to network, file and identity activity.

What you learned

DeviceProcessEvents records execution: You learned how to review process creation events in Microsoft Defender XDR.
Command lines reveal intent: You learned how ProcessCommandLine can explain what a process attempted to do.
Parent-child relationships matter: You learned how initiating process fields help defenders trace suspicious execution chains.
Next lesson: Investigating DeviceRegistryEvents in Microsoft Defender XDR
Now that you can investigate process execution, the next step is following file creation, modification and deletion evidence.

Related Agent Foskett Academy lessons

Investigating DeviceNetworkEvents: Review how defenders investigate remote IPs, domains, ports and outbound network activity.
Connecting Tables with join: Review how defenders connect process, network, email and identity evidence.

Continue learning with Building Investigation Timelines, KQL Threat Hunting Guide and Microsoft Security.
