3.9 Device Investigation Page

50 minutes · Module 3 · Free

When an incident involves a compromised endpoint, the device investigation page in Defender for Endpoint is where you reconstruct what happened. It provides a 30-day timeline of every process, network connection, file operation, and registry change on the device — the complete forensic record without needing to collect a disk image.

From an incident, click any device entity. Alternatively, navigate to Assets → Devices and search by device name or IP. The device page opens with an overview showing the device’s health, risk level, exposure score, logged-on users, and recent alerts.

The device timeline

The timeline is the core of endpoint investigation. It shows events in chronological order:

  • Process events — every process that executed, with command line, parent process, user context, and hash
  • Network events — every connection, with destination IP, port, domain, and URL
  • File events — file creation, modification, deletion, with path and hash
  • Registry events — registry key and value changes
  • Logon events — local and remote logon activity
  • Alert events — alerts generated on this device, inline with the activity that triggered them

[Figure: Device timeline, event types. Panels: Process (cmd.exe, whoami); Network (203.0.113.45, port 443); File (payload.exe created); Registry (Run key modified); Alert (Suspicious persistence); Logon (RDP from 10.0.0.15). Events appear chronologically; alerts are inline with the activity that triggered them. Use timeline filters to isolate specific event types. Start broad, then narrow.]

Figure 3.9: The device timeline shows every event type inline. Colour-coded event types make it possible to scan for specific activity patterns.

Reading the timeline — what to look for

Reconnaissance: Processes like whoami, net user, nltest, ipconfig /all, systeminfo executed in sequence suggest an attacker enumerating the environment.

Credential access: LSASS memory access, registry access to SAM/SECURITY hives, or Mimikatz-like tool execution.

Lateral movement: Remote logon events from unusual source devices. RDP connections from workstations that do not normally connect to this device.

Persistence: New services, scheduled tasks, registry Run key modifications, or startup folder changes.

Data staging and exfiltration: Bulk file copy operations, archive creation (7z, zip, rar), or large network transfers to unfamiliar IPs.

Response actions from the device page

The device page provides direct access to all endpoint response actions:

  • Isolate device — cut network access while maintaining the management channel
  • Run antivirus scan — trigger a full scan immediately
  • Restrict app execution — limit the device to Microsoft-signed executables only
  • Collect investigation package — download a forensic data package (running processes, network connections, autorun entries)
  • Initiate automated investigation — let AIR assess the device

Investigation package before containment

If you plan to isolate or wipe a device, collect the investigation package first. Once isolated, some forensic data becomes harder to collect. Once wiped, it is gone. The investigation package captures the current state — running processes, open network connections, scheduled tasks — which is exactly what you need for post-incident analysis.

Try it yourself

Navigate to Assets → Devices in the Defender portal. Pick any device and open its timeline. Filter to "Process events" only and scan the last 24 hours. Can you identify any administrative commands (cmd.exe, powershell.exe, net.exe)? What context were they run in — which user, which parent process?

In a typical environment, you will see background processes (svchost, Windows Update, antivirus scans) dominating the timeline. Administrative commands are less common and should stand out. Check the parent process — powershell.exe spawned by explorer.exe means a user opened PowerShell manually. powershell.exe spawned by winword.exe means a Word macro executed PowerShell — a strong malware indicator.
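The two checks described above (the reconnaissance command sequence from "what to look for" and the parent-process check from this exercise) written as triage logic over timeline records, as an added example that is not code from the course or from Microsoft. The record layout, the constructed sample events, and the threshold of three distinct recon commands within five minutes are assumptions.

```python
"""Triage helpers for process events read off a device timeline export."""
from datetime import datetime, timedelta

# Constructed sample process events: (ISO time, parent process, process,
# command line, user). Field layout is an assumption, not the portal schema.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "explorer.exe", "powershell.exe", "powershell.exe", "CORP\\alice"),
    ("2024-05-01T09:05:10", "winword.exe", "powershell.exe", "powershell.exe -NoProfile", "CORP\\bob"),
    ("2024-05-01T09:05:12", "cmd.exe", "whoami.exe", "whoami", "CORP\\bob"),
    ("2024-05-01T09:05:40", "cmd.exe", "net.exe", "net user", "CORP\\bob"),
    ("2024-05-01T09:06:15", "cmd.exe", "nltest.exe", "nltest /dclist:corp", "CORP\\bob"),
    ("2024-05-01T14:30:00", "services.exe", "svchost.exe", "svchost.exe -k netsvcs", "SYSTEM"),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Enumeration commands listed in the reconnaissance pattern above.
RECON_COMMANDS = {"whoami", "net user", "nltest", "ipconfig /all", "systeminfo"}


def office_spawned_script_hosts(events):
    """Return events where an Office application is the parent of a script host.

    explorer.exe -> powershell.exe is a user opening a shell and is not returned.
    """
    return [e for e in events
            if e[1].lower() in OFFICE_PARENTS and e[2].lower() in SCRIPT_HOSTS]


def recon_bursts(events, window=timedelta(minutes=5), min_commands=3):
    """Return (user, first_time, commands) for each user who ran at least
    min_commands distinct reconnaissance commands inside one time window."""
    per_user = {}
    for time, _parent, _proc, cmdline, user in events:
        cmd = next((r for r in RECON_COMMANDS if cmdline.lower().startswith(r)), None)
        if cmd:
            per_user.setdefault(user, []).append((datetime.fromisoformat(time), cmd))
    findings = []
    for user, runs in per_user.items():
        runs.sort()
        for i, (start, _cmd) in enumerate(runs):
            seen = {c for t, c in runs[i:] if t - start <= window}
            if len(seen) >= min_commands:
                findings.append((user, start.isoformat(), sorted(seen)))
                break  # one finding per user is enough to open a case
    return findings


if __name__ == "__main__":
    for hit in office_spawned_script_hosts(SAMPLE_EVENTS):
        print("Office-spawned script host:", hit)
    for user, when, cmds in recon_bursts(SAMPLE_EVENTS):
        print(f"Recon burst by {user} starting {when}: {cmds}")
```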

Check your understanding

1. What is the investigation significance of powershell.exe spawned by winword.exe in the device timeline?

  • Normal user behaviour — users run PowerShell from Word
  • A scheduled task running correctly
  • A strong malware indicator — Word macros executing PowerShell is a classic malware delivery technique

2. Why should you collect an investigation package before isolating a device?

  • Isolation changes the device state — some forensic data (active network connections, running processes) is only available while the device is connected. Collect first, then contain.
  • The investigation package cannot be collected after isolation
  • It is required by Microsoft before isolation is allowed