| title | description | search.appverid | ms.service | ms.subservice | f1.keywords | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.custom | ms.topic | ms.date | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
AssignedIPAddresses() function in advanced hunting for Microsoft Defender XDR |
Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device |
met150 |
defender-xdr |
adv-hunting |
|
maccruz |
schmurky |
medium |
dansimp |
ITPro |
|
|
reference |
04/03/2024 |
[!INCLUDE Microsoft Defender XDR rebranding]
Applies to:
- Microsoft Defender XDR
Use the AssignedIPAddresses() function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time.
This function returns a table with the following columns:
| Column | Data type | Description |
|---|---|---|
Timestamp |
datetime |
Latest time when the device was observed using the IP address |
IPAddress |
string |
IP address used by the device |
IPType |
string |
Indicates whether the IP address is a public or private address |
NetworkAdapterType |
int |
Network adapter type used by the device that has been assigned the IP address. For the possible values, refer to this enumeration |
ConnectedNetworks |
int |
Networks that the adapter with the assigned IP address is connected to. Each JSON array contains the network name, category (public, private, or domain), a description, and a flag indicating if it's connected publicly to the internet |
AssignedIPAddresses(x, y)- x—
DeviceIdorDeviceNamevalue identifying the device - y—
Timestamp(datetime) value instructing the function to obtain the most recent assigned IP addresses from a specific time. If not specified, the function returns the latest IP addresses.
AssignedIPAddresses('example-device-name', ago(1d))This query uses the AssignedIPAddresses() function to get assigned IP addresses for the device (example-device-name) on or before a specific date (example-date). It then uses the IP addresses to find connections to the device initiated by other devices.
let Date = datetime(example-date);
let DeviceName = "example-device-name";
// List IP addresses used on or before the specified date
AssignedIPAddresses(DeviceName, Date)
| project DeviceName, IPAddress, AssignedTime = Timestamp
// Get all network events on devices with the assigned IP addresses as the destination addresses
| join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP
// Get only network events around the time the IP address was assigned
| where Timestamp between ((AssignedTime - 1h) .. (AssignedTime + 1h))