- Microsoft Defender XDR
Use the AssignedIPAddresses() function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, the function returns the IP addresses that were most recently assigned as of that time.
This function returns a table with the following columns:

| Column | Description |
|---|---|
| Timestamp | Latest time when the device was observed using the IP address |
| IPAddress | IP address used by the device |
| IPType | Indicates whether the IP address is a public or private address |
| NetworkAdapterType | Network adapter type used by the device that has been assigned the IP address. For the possible values, refer to this enumeration |
| ConnectedNetworks | Networks that the adapter with the assigned IP address is connected to. Each JSON array contains the network name, category (public, private, or domain), a description, and a flag indicating if it's connected publicly to the internet |
The function takes the following arguments:

| Argument | Description |
|---|---|
| DeviceName | String value identifying the device |
| Timestamp | Optional datetime value instructing the function to obtain the most recent assigned IP addresses as of a specific time. If not specified, the function returns the latest IP addresses. |
Get the list of IP addresses used by a device 24 hours ago
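The following query is added here as an illustration of this example and is not taken from the original page. The device name is a placeholder, and the IPType filter assumes the column holds the values "Public" and "Private".

```kusto
// Added example (not from the original page). "example-device-name" is a placeholder.
let DeviceName = "example-device-name";
// Addresses assigned to the device as of 24 hours ago; ago(1d) is the Timestamp argument
AssignedIPAddresses(DeviceName, ago(1d))
// Keep only private addresses, the ones routable on the device's local network
// (assumes IPType values are "Public" and "Private")
| where IPType == "Private"
| project Timestamp, IPAddress, NetworkAdapterType, ConnectedNetworks
```

Drop the `where` clause to see public addresses as well; the Timestamp column then tells you when the device was last observed using each address.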
Get IP addresses used by a device and find devices communicating with it
This query uses the AssignedIPAddresses() function to get the IP addresses assigned to the device (example-device-name) on or before a specific date (example-date). It then joins those addresses against DeviceNetworkEvents on RemoteIP to find connections to the device initiated by other devices. Because addresses can be reassigned (for example by DHCP) and private address ranges are reused across networks, the query keeps only events within an hour of the observed assignment; when investigating a match, also confirm that the connecting device is on the same network before treating it as a real connection to this device.
```kusto
let Date = datetime(example-date);
let DeviceName = "example-device-name";
// List IP addresses used on or before the specified date
AssignedIPAddresses(DeviceName, Date)
| project DeviceName, IPAddress, AssignedTime = Timestamp
// Get all network events on devices with the assigned IP addresses as the destination addresses
| join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP
// Get only network events around the time the IP address was assigned
| where Timestamp between ((AssignedTime - 1h) .. (AssignedTime + 1h))
```