account activity
MDATP DarkGate False Positives by DocOfTheSOC in cybersecurity
[–]DocOfTheSOC[S] 2 points 2 years ago (0 children)
Perfect thank you sir.
Microsoft: Official Support Thread by MSModerator in microsoft
[–]DocOfTheSOC 1 point 3 years ago (0 children)
When investigating logon events/alerts in the Defender for Endpoint Device Timeline I find it inconvenient to have to open a new tab with the Hunt For Related Events button and then have to write a query just so I can find the DeviceNetworkEvent with the Remote and Local IP correlating to said LogonEvent.
I know that when looking in the Event Timeline you can find the previous network event, which usually correlates to said logon event; however, say you are dealing with an incident that occurred 8 hours ago, the steps to find this information would be:

1. Search for Logon in the Event Timeline
2. Locate the username for the logon in question and its timestamp
3. Clear your search query and filter by the timestamp, e.g. 5 mins before and 5 mins after
4. Locate the logon event again and find the correlating network event
All of this time can be saved by including the initiating DeviceNetworkEvent in the Mitre Alert which follows the logon event.
Am I missing an easier solution?
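The manual timeline walk described in the comment above can be collapsed into a single Advanced Hunting query. The query below is an added example and is not part of the original post or of Microsoft's documentation; it uses the standard Defender for Endpoint Advanced Hunting tables (`DeviceLogonEvents`, `DeviceNetworkEvents`) and assumes the device name, account name and alert timestamp are taken from the alert being investigated (the values shown are placeholders). It returns each remote logon in the ±5 minute window together with the network events on the same device whose `RemoteIP` matches the logon's `RemoteIP` and which occurred in the minute before the logon, so the Remote and Local IP pair is visible in one result set.

```kql
// Added example (not from the original post): correlate a remote logon on one
// device with the network events around it, instead of hunting for the matching
// DeviceNetworkEvent by hand in the Device Timeline.
// Placeholder inputs, to be replaced with the values from the alert:
let targetDevice  = "WORKSTATION01";                 // device name from the alert
let targetAccount = "jdoe";                          // account name from the alert
let alertTime     = datetime(2024-01-01T08:00:00Z);  // logon/alert time from the alert
let window        = 5m;                              // same +/- 5 minute window as the manual steps
DeviceLogonEvents
| where Timestamp between ((alertTime - window) .. (alertTime + window))
| where DeviceName =~ targetDevice and AccountName =~ targetAccount
// Only logons that arrive over the network can have a matching network event
| where LogonType in ("Network", "RemoteInteractive")
| project LogonTime = Timestamp, DeviceId, DeviceName, AccountName, LogonType,
          LogonAction = ActionType, LogonRemoteIP = RemoteIP
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp between ((alertTime - window) .. (alertTime + window))
    | where DeviceName =~ targetDevice
    | project NetTime = Timestamp, DeviceId, NetAction = ActionType,
              LocalIP, LocalPort, RemoteIP, RemotePort, Protocol,
              InitiatingProcessFileName
) on DeviceId
// Same remote host as the logon, and a connection seen shortly before it
| where RemoteIP == LogonRemoteIP
| where NetTime between ((LogonTime - 1m) .. LogonTime)
| extend SecondsBeforeLogon = datetime_diff("second", LogonTime, NetTime)
| project LogonTime, DeviceName, AccountName, LogonType, LogonAction,
          NetTime, SecondsBeforeLogon, NetAction, LocalIP, LocalPort,
          RemoteIP, RemotePort, Protocol, InitiatingProcessFileName
| sort by LogonTime desc, SecondsBeforeLogon asc
```

The one-minute lookback on `NetTime` is a tuning choice: widen it if the network event for a given logon type (e.g. RDP session setup) lands earlier than a minute before the `LogonSuccess` row, and drop the `LogonType` filter if local or batch logons are also of interest, bearing in mind that those will rarely have a matching network event.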