
Device Investigator

Triaging a potentially compromised endpoint? Enter its hostname or MDE device ID and, as your investigation progresses, add the IOCs you find (IPs, domains, file hashes, file names/paths). Every hunt below scopes to that device and narrows to your IOCs; add IOCs and a fleet-wide "which other devices touched this" sweep appears. Pick your platform — Microsoft Defender XDR (Advanced Hunting, Timestamp) or Microsoft Sentinel (Log Analytics, TimeGenerated). Every table here needs Microsoft Defender for Endpoint (in Sentinel, the MDE data connector must stream the Device* tables). Nothing is sent anywhere — this all runs in your browser. Powered by the SudoTrace engine.
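The two hunt shapes described above (a device-scoped hunt narrowed to IOCs, then a fleet-wide sweep for the same IOCs), written out as an added KQL example that is not generated by the tool or part of the page. The device name, IP, domain, file name and the SHA256 placeholder are constructed values; swap Timestamp for TimeGenerated when running in Sentinel.

```kql
// Added example, not the tool's output. All indicator values below are constructed.
let lookback      = 7d;
let target_device = "WKS-FINANCE-07";                    // hostname; or filter on DeviceId
let ioc_ips       = dynamic(["203.0.113.45"]);           // constructed, TEST-NET-3 range
let ioc_domains   = dynamic(["update-cdn.example"]);     // constructed
let ioc_sha256    = dynamic(["<SHA256-PLACEHOLDER>"]);   // replace with a real hash
let ioc_files     = dynamic(["svchosts.exe"]);           // constructed look-alike name
// --- Query 1: device-scoped hunt, narrowed to the IOCs ---------------------
// Network connections from the target device to IOC IPs/domains.
let net = DeviceNetworkEvents
    | where Timestamp > ago(lookback)                    // Sentinel: TimeGenerated
    | where DeviceName =~ target_device
    | where RemoteIP in (ioc_ips) or RemoteUrl has_any (ioc_domains)
    | project Timestamp, DeviceName, Source = "DeviceNetworkEvents", ActionType,
              Indicator = coalesce(RemoteUrl, RemoteIP),
              InitiatingProcessFileName, InitiatingProcessSHA256;
// File writes/renames on the target device matching IOC hashes or file names.
let files = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where DeviceName =~ target_device
    | where SHA256 in (ioc_sha256) or FileName in~ (ioc_files)
    | project Timestamp, DeviceName, Source = "DeviceFileEvents", ActionType,
              Indicator = strcat(FolderPath, " ", SHA256),
              InitiatingProcessFileName, InitiatingProcessSHA256;
// Process launches on the target device matching IOC hashes or file names.
let procs = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where DeviceName =~ target_device
    | where SHA256 in (ioc_sha256) or FileName in~ (ioc_files)
    | project Timestamp, DeviceName, Source = "DeviceProcessEvents", ActionType,
              Indicator = strcat(FolderPath, " ", SHA256),
              InitiatingProcessFileName, InitiatingProcessSHA256;
union net, files, procs
| order by Timestamp asc                                 // one timeline for the device

// --- Query 2 (run separately): fleet-wide "which other devices touched this" --
let lookback = 7d;
let target_device = "WKS-FINANCE-07";
let ioc_ips     = dynamic(["203.0.113.45"]);
let ioc_domains = dynamic(["update-cdn.example"]);
DeviceNetworkEvents
| where Timestamp > ago(lookback)                        // Sentinel: TimeGenerated
| where RemoteIP in (ioc_ips) or RemoteUrl has_any (ioc_domains)
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count()
          by DeviceName, Indicator = coalesce(RemoteUrl, RemoteIP)
| extend IsTargetDevice = DeviceName =~ target_device    // separates the triaged host
| order by IsTargetDevice desc, FirstSeen asc            // from newly found ones
```

Query 2 extends the same sweep to DeviceFileEvents and DeviceProcessEvents by swapping the table and the IOC predicate, as Query 1 does for the single device.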

© 2026 Sudo Savvy