Microsoft Defender for Endpoint (MDE)

Tags: m365-azure, Execution Evidence, EDR Telemetry, SIEM / Log Aggregator

Location

Microsoft 365 Defender Portal > Advanced Hunting (or Microsoft Graph Security API)

Description

Endpoint detection and response platform whose Advanced Hunting tables (DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceLogonEvents, and DeviceImageLoadEvents) expose 30 days of queryable endpoint telemetry.

Forensic Value

MDE Advanced Hunting provides the richest endpoint telemetry available in Microsoft environments. DeviceProcessEvents captures every process execution with its full command line, parent process, and file hashes. DeviceNetworkEvents records network connections at the process level, so C2 communication can be tied to the specific binary that made it. DeviceFileEvents tracks file creation, modification, and deletion, each with a SHA256 hash of the file. KQL queries across these tables enable rapid threat hunting and incident scoping across the entire fleet from a single console.
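The following Advanced Hunting query is an added example of the fleet-wide scoping described above; it is not part of the original page and not a Microsoft-supplied query. It pivots on one file hash across the three tables named here: every execution of the file (with parent and command line), the outbound connections its process made, and the files it wrote. The `SuspectHash` value is a placeholder to be replaced with the SHA256 from the investigation at hand; the 30-day lookback matches the retention window the page states.

```kql
// Placeholder: replace with the SHA256 under investigation
let SuspectHash = "<SHA256-UNDER-INVESTIGATION>";
let Lookback = 30d;   // Advanced Hunting retains 30 days of telemetry
// 1. Every execution of the file, with parent process and command line
let Executions =
    DeviceProcessEvents
    | where Timestamp > ago(Lookback)
    | where SHA256 =~ SuspectHash
    | project Timestamp, DeviceName, DeviceId, AccountName, FileName, FolderPath,
              ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine;
// 2. Network connections initiated by that binary, correlated on the hash of the
//    initiating process rather than on a file name (names are trivially changed)
let Connections =
    DeviceNetworkEvents
    | where Timestamp > ago(Lookback)
    | where InitiatingProcessSHA256 =~ SuspectHash
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest")
    | summarize ConnectionCount = count(),
                RemoteTargets = make_set(strcat(RemoteIP, ":", tostring(RemotePort)), 50),
                FirstConnection = min(Timestamp), LastConnection = max(Timestamp)
      by DeviceId;
// 3. Files the process created or modified (dropped payloads, persistence artifacts)
let Drops =
    DeviceFileEvents
    | where Timestamp > ago(Lookback)
    | where InitiatingProcessSHA256 =~ SuspectHash
    | where ActionType in ("FileCreated", "FileModified")
    | summarize DroppedPaths = make_set(strcat(FolderPath, "\\", FileName), 50),
                DroppedHashes = make_set(SHA256, 50)
      by DeviceId;
// One row per affected device: first/last execution, accounts and parents involved,
// plus the network targets and dropped files for follow-up containment and IOC extraction
Executions
| join kind=leftouter Connections on DeviceId
| join kind=leftouter Drops on DeviceId
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), ExecutionCount = count(),
            Accounts = make_set(AccountName), ParentProcesses = make_set(InitiatingProcessFileName),
            CommandLines = make_set(ProcessCommandLine, 20),
            ConnectionCount = take_any(ConnectionCount), RemoteTargets = take_any(RemoteTargets),
            DroppedPaths = take_any(DroppedPaths), DroppedHashes = take_any(DroppedHashes)
  by DeviceName, DeviceId
| order by FirstSeen asc
```

The hash-based join is deliberate: matching on `InitiatingProcessSHA256` rather than `InitiatingProcessFileName` survives renamed copies of the same binary. The `DroppedHashes` column feeds the next scoping round, since any hash it yields can be substituted for `SuspectHash` and the query re-run until no new devices or files appear.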

Tools Required

Microsoft 365 Defender Portal
KQL (Kusto Query Language)
Microsoft Graph Security API
PowerShell