Find device information by internal IP API

Applies to:

Want to experience Microsoft Defender for Endpoint? Sign up for a free trial.


If you are a US Government customer, please use the URIs listed in Microsoft Defender for Endpoint for US Government customers.


For better performance, you can use server closer to your geo location:


Find a device by internal IP.


The timestamp must be within the last 30 days.


One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender for Endpoint APIs

Permission type Permission Permission display name
Application Machine.Read.All 'Read all machine profiles'
Application Machine.ReadWrite.All 'Read and write all machine information'

HTTP request

GET /api/machines/find(timestamp={time},key={IP})

Request headers

Name Type Description
Authorization String Bearer {token}. Required.

Request body



If successful and machine exists - 200 OK. If no machine found - 404 Not Found.


Request example

Here's an example of the request.

Content-type: application/json

Response example

Here's an example of the response.

The response will return a list of all devices that reported this IP address within 16 minutes prior and after the timestamp.

HTTP/1.1 200 OK
Content-type: application/json
    "@odata.context": "$metadata#Machines",
    "value": [
            "id": "04c99d46599f078f1c3da3783cf5b95f01ac61bb",
            "computerDnsName": "",
            "firstSeen": "2017-07-06T01:25:04.9480498Z",
            "osPlatform": "Windows10",


Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.