Workflow Template: QuickAction - Query Device Timeline on MS Defender for Endpoint

Enables security analysts to search and investigate device timeline events across 8 Defender Advanced Hunting tables.

The "QuickAction - Query Device Timeline on MS Defender for Endpoint" workflow template lets security analysts investigate device timeline events across eight Microsoft 365 Defender Advanced Hunting tables. The analyst supplies a search term, a timeframe and a device, selects the tables to query, and the workflow returns the matching events from all selected tables as a single HTML timeline report. It is intended for investigating suspicious user activity and for threat hunting, as a quick first step during incident response.

Use Cases

Suspicious User Activity, Threat Hunting

Workflow Breakdown

  1. Interact trigger: collects the search term, timeframe, device and the tables to query.

  2. Date calculation: JQ converts the preset or custom timeframe into start and end datetimes.

  3. Device resolution: reads the Sensor ID from the case custom fields and falls back to manual input when it is not set.

  4. Table queries: runs a KQL query against each selected table, scoped to that device and time window.

  5. Report generation: merges all results, sorts them by Timestamp and builds the HTML report.
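The data-handling steps above (timeframe conversion, one KQL query per table, merge, sort and render), as an added Python example that is not Torq's workflow code and does not use its operators, JQ step or Interact trigger. The page does not name its eight tables, so the example assumes three of the real Device* Advanced Hunting tables with a few columns each, assumes the usual 40-hex-character DeviceId, and uses constructed sample rows in place of the Advanced Hunting API response so it runs offline.

```python
"""Added example (not Torq's workflow code): the timeframe, per-table KQL, and
merge/sort/report steps of the workflow, run against constructed sample rows."""
from __future__ import annotations

import html
import re
from datetime import datetime, timedelta, timezone

# Assumption: the page does not name its eight tables; these three are real
# Device* Advanced Hunting tables used here for illustration, with a few columns each.
TABLES = {
    "DeviceProcessEvents": ["FileName", "ProcessCommandLine", "InitiatingProcessAccountName"],
    "DeviceNetworkEvents": ["RemoteIP", "RemotePort", "InitiatingProcessFileName"],
    "DeviceLogonEvents": ["AccountName", "LogonType", "RemoteIP"],
}
PRESETS = {"1h": timedelta(hours=1), "24h": timedelta(hours=24), "7d": timedelta(days=7)}
ISO_Z = "%Y-%m-%dT%H:%M:%SZ"
# Assumption: the usual 40-hex-character MDE DeviceId; loosen if your tenant's ids differ.
DEVICE_ID_RE = re.compile(r"^[0-9a-fA-F]{40}$")


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def resolve_timeframe(preset: str | None, start: str | None = None,
                      end: str | None = None, now: str | None = None) -> tuple[str, str]:
    """Step 2: a preset ('24h') or a custom ISO-8601 start/end becomes a UTC window.
    `now` is injectable (ISO string) so the result is reproducible."""
    if preset:
        if preset not in PRESETS:
            raise ValueError(f"unknown preset {preset!r}")
        end_dt = _parse(now) if now else datetime.now(timezone.utc)
        start_dt = end_dt - PRESETS[preset]
    else:
        if not (start and end):
            raise ValueError("custom timeframe needs both start and end")
        start_dt, end_dt = _parse(start), _parse(end)
    if start_dt >= end_dt:
        raise ValueError("start must be before end")
    return start_dt.strftime(ISO_Z), end_dt.strftime(ISO_Z)


def kql_literal(value: str) -> str:
    """Quote an analyst-supplied value as a KQL string literal so a term such as
    foo" or 1==1 stays inside the string instead of rewriting the query."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_query(table: str, device_id: str, term: str, start: str, end: str) -> str:
    """Step 4: one KQL query per selected table, bounded to the device and window.
    `* has` searches every column of the table for the term."""
    if table not in TABLES:
        raise ValueError(f"unsupported table {table!r}")
    if not DEVICE_ID_RE.match(device_id):
        raise ValueError("device id must be a 40-character hex DeviceId")
    columns = ", ".join(["Timestamp", "DeviceName", "ActionType"] + TABLES[table])
    return (
        f"{table}\n"
        f"| where DeviceId == {kql_literal(device_id)}\n"
        f"| where Timestamp between (datetime({start}) .. datetime({end}))\n"
        f"| where * has {kql_literal(term)}\n"
        f"| project {columns}\n"
        f"| order by Timestamp asc"
    )


def merge_results(results: dict[str, list[dict]]) -> list[dict]:
    """Step 5a: flatten per-table result sets into one list sorted by Timestamp.
    Timestamps are ISO-8601 UTC strings of equal width, so string order is time order."""
    rows = [{**row, "SourceTable": table} for table, items in results.items() for row in items]
    return sorted(rows, key=lambda r: r["Timestamp"])


def render_html(rows: list[dict], term: str, device_id: str) -> str:
    """Step 5b: the timeline table. Every cell is HTML-escaped because command lines,
    file names and account names come from the endpoint, i.e. from the attacker."""
    fixed = ["Timestamp", "SourceTable", "DeviceName", "ActionType"]
    out = [f"<h1>Timeline for {html.escape(device_id)}, term {html.escape(term)}</h1>",
           "<table><tr>" + "".join(f"<th>{c}</th>" for c in fixed + ["Detail"]) + "</tr>"]
    for r in rows:
        detail = "; ".join(f"{k}={v}" for k, v in r.items() if k not in fixed)
        cells = [str(r.get(c, "")) for c in fixed] + [detail]
        out.append("<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in cells) + "</tr>")
    out.append("</table>")
    return "\n".join(out)


# Constructed sample rows standing in for the Advanced Hunting API response.
SAMPLE_RESULTS = {
    "DeviceNetworkEvents": [
        {"Timestamp": "2024-05-01T10:02:11Z", "DeviceName": "wks-42", "ActionType": "ConnectionSuccess",
         "RemoteIP": "203.0.113.5", "RemotePort": 443, "InitiatingProcessFileName": "powershell.exe"},
    ],
    "DeviceProcessEvents": [
        {"Timestamp": "2024-05-01T10:01:58Z", "DeviceName": "wks-42", "ActionType": "ProcessCreated",
         "FileName": "powershell.exe", "InitiatingProcessAccountName": "jdoe",
         "ProcessCommandLine": "powershell -w hidden <script>alert(1)</script>"},
    ],
}

if __name__ == "__main__":
    start, end = resolve_timeframe("24h", now="2024-05-02T00:00:00Z")
    for table in SAMPLE_RESULTS:
        print(build_query(table, "a" * 40, "powershell", start, end), "\n")
    print(render_html(merge_results(SAMPLE_RESULTS), "powershell", "a" * 40))
```

Two checks worth carrying over into the real workflow: the search term and device id are analyst input that ends up inside a query string, so they are quoted as KQL literals (and the device id is allowlisted) rather than concatenated raw; and every event field is HTML-escaped before it reaches the report, since a process command line or file name on a compromised host is attacker-controlled and the report is rendered in the analyst's browser.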

Vendors

Scripting, Utils, Microsoft 365, Torq Cases

Workflow Output

An HTML report that can be displayed in an Interact operator or downloaded to a file for later reference.