Investigate machines in the Microsoft Defender ATP Machines list


Investigate the details of an alert raised on a specific machine to identify other behaviors or events that might be related to the alert or the potential scope of the breach.

You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas:

When you investigate a specific machine, you'll see:

  • Machine details
  • Response actions
  • Cards (active alerts, logged on users, security assessment)
  • Tabs (alerts, timeline, security recommendations, software inventory, discovered vulnerabilities)

Image of machine view

Machine details

The machine details section provides information such as the domain, OS, and health state of the machine. If there's an investigation package available on the machine, you'll see a link that allows you to download the package.

Response actions

Response actions run along the top of a specific machine page and include:

  • Manage tags
  • Initiate automated investigation
  • Initiate Live Response Session
  • Collect investigation package
  • Run antivirus scan
  • Restrict app execution
  • Isolate machine
  • Consult a threat expert
  • Action center

You can take response actions in the Action center, in a specific machine page, or in a specific file page.

For more information on how to take action on a machine, see Take response action on a machine.

For more information, see Investigate user entities.


Cards

Active alerts

If you have enabled the Azure ATP feature and there are active alerts, the Azure Advanced Threat Protection card displays a high-level overview of the alerts related to the machine and their risk level. More information is available in the "Alerts" drill down.

Image of active alerts card


You'll need to enable the integration on both Azure ATP and Microsoft Defender ATP to use this feature. In Microsoft Defender ATP, you can enable this feature in advanced features. For more information on how to enable advanced features, see Turn on advanced features.

Logged on users

The Logged on users card shows how many users have logged on in the past 30 days, along with the most and least frequent users. Selecting the "See all users" link opens the details pane, which displays information such as user type, log on type, and when the user was first and last seen. For more information, see Investigate user entities.

Image of user details pane

Security assessments

The Security assessments card shows the overall exposure level, security recommendations, installed software, and discovered vulnerabilities. A machine's exposure level is determined by the cumulative impact of its pending security recommendations.

Image of security assessments card


Tabs

The five tabs under the cards section show relevant security and threat prevention information related to the machine. In each tab, you can customize the columns that are shown by selecting Customize columns from the bar above the column headers.


Alerts

The Alerts section provides a list of alerts that are associated with the machine. This list is a filtered version of the Alerts queue, and shows a short description of the alert, severity (high, medium, low, informational), status in the queue (new, in progress, resolved), classification (not set, false alert, true alert), investigation state, category of alert, who is addressing the alert, and last activity. You can also filter the alerts.

Image of alerts related to the machine

When the circle icon to the left of an alert is selected, a fly-out appears. From this panel you can manage the alert and view more details such as incident number and related machines. Multiple alerts can be selected at a time.

To see a full page view of an alert including incident graph and process tree, select the title of the alert.


Timeline

The Timeline section provides a chronological view of the events and associated alerts that have been observed on the machine. This can help you correlate any events, files, and IP addresses in relation to the machine.

The timeline also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period. To further control your view, you can filter by event groups or customize the columns.


For firewall events to be displayed, you'll need to enable the audit policy; see Audit Filtering Platform connection. Firewall covers the following events:

  • 5025 - firewall service stopped
  • 5031 - application blocked from accepting incoming connections on the network
  • 5157 - blocked connection
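
The following is an added example, not part of the original page: PowerShell that checks and enables the Filtering Platform Connection audit subcategory with the built-in auditpol.exe, then counts the three event IDs listed above in the local Security log. It assumes an elevated prompt and an English-locale subcategory name; the variable names are illustrative.

```powershell
# Added example. Run from an elevated PowerShell prompt on the machine.
# Assumes an English-locale subcategory name; variable names are illustrative.
$subcategory = 'Filtering Platform Connection'

# Current setting. 5031 and 5157 are failure audits in this subcategory, so the
# output must show "Failure" or "Success and Failure" for them to be logged.
auditpol.exe /get /subcategory:"$subcategory"

# Enable failure auditing only. Success auditing of this subcategory also logs
# every permitted connection (event 5156), which is high volume.
auditpol.exe /set /subcategory:"$subcategory" /failure:enable

# The three firewall event IDs the timeline shows, as listed on this page.
$firewallEvents = @{
    5025 = 'firewall service stopped'
    5031 = 'application blocked from accepting incoming connections'
    5157 = 'blocked connection'
}

# Read matching records from the local Security log for the timeline's default
# 30-day window. Get-WinEvent reports an error when nothing matches, so that
# case is silenced and handled as an empty result.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = @(5025, 5031, 5157)
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue

# One row per event ID, including IDs with no records.
foreach ($id in ($firewallEvents.Keys | Sort-Object)) {
    $hits = @($events | Where-Object { $_.Id -eq $id })
    [pscustomobject]@{
        EventId    = $id
        Meaning    = $firewallEvents[$id]
        Count      = $hits.Count
        MostRecent = if ($hits.Count) { $hits[0].TimeCreated } else { $null }
    }
}
```

Where Group Policy configures advanced audit policy, set the subcategory there, because a local auditpol change is overwritten at the next policy refresh.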

Image of machine timeline with events

Some of the functionality includes:

  • Search for specific events
    • Use the search bar to look for specific timeline events.
  • Filter events from a specific date
    • Select the calendar icon in the upper left of the table to display events in the past day, week, 30 days, or custom range. By default, the machine timeline is set to display the events from the past 30 days.
    • Use the timeline to jump to a specific moment in time by highlighting the section. The arrows on the timeline pinpoint automated investigations.
  • Export detailed machine timeline events
    • Export the machine timeline for the current date or a specified date range up to seven days.

More details about certain events are provided in the Additional information section. These details vary depending on the type of event, for example:

  • Contained by Application Guard - the web browser event was restricted by an isolated container
  • Active threat detected - the threat detection occurred while the threat was running
  • Remediation unsuccessful - an attempt to remediate the detected threat was invoked but failed
  • Remediation successful - the detected threat was stopped and cleaned
  • Warning bypassed by user - the Windows Defender SmartScreen warning was dismissed and overridden by a user
  • Suspicious script detected - a potentially malicious script was found running
  • The alert category - if the event led to the generation of an alert, the alert category ("Lateral Movement", for example) is provided

You can also use the Artifact timeline feature to see the correlation between alerts and events on a specific machine.

Security recommendations

Security recommendations are generated from Microsoft Defender ATP's Threat & Vulnerability Management capability. Selecting a recommendation will show a panel where you can view relevant details such as description of the recommendation and the potential risks associated with not enacting it. See Security recommendation for details.

Image of security recommendations tab

Software inventory

The Software inventory section lets you view software on the device, along with any weaknesses or threats. Selecting the name of the software will take you to the software details page where you can view security recommendations, discovered vulnerabilities, installed machines, and version distribution. See Software inventory for details.

Image of software inventory tab

Discovered vulnerabilities

The Discovered vulnerabilities section shows the name, severity, and threat insights of discovered vulnerabilities on the device. Selecting specific vulnerabilities will show a description and details.

Image of discovered vulnerabilities tab