| title | description | search.appverid | ms.service | ms.subservice | f1.keywords | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.custom | ms.topic | ms.date | |||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
DeviceFromIP() function in advanced hunting for Microsoft Defender XDR |
Learn how to use the DeviceFromIP() function to get the devices that have been assigned a specific IP address |
met150 |
defender-xdr |
adv-hunting |
|
maccruz |
schmurky |
medium |
dansimp |
ITPro |
|
|
reference |
02/16/2024 |
[!INCLUDE Microsoft Defender XDR rebranding]
Applies to:
- Microsoft Defender XDR
[!INCLUDE Prerelease information]
Use the DeviceFromIP() function in your advanced hunting queries to quickly obtain the list of devices that have been assigned to a certain IP address at a given point in time.
This function returns a table with the following columns:
| Column | Data type | Description |
|---|---|---|
IP |
string |
IP address |
DeviceId |
string |
Unique identifier for the device in the service |
invoke DeviceFromIP()This function is invoked as part of a query.
- x—The first parameter is typically already a column in the query. In this case, it's the column named
IP, the IP address for which you want to see a list of devices that have been assigned to it. It should be a local IP address. External IP addresses aren't supported. - y—A second optional parameter is the
Timestamp, which instructs the function to obtain the most recent assigned devices from a specific time. If not specified, the function returns the latest available records.
DeviceNetworkEvents
| limit 100
| project IP = LocalIP
| invoke DeviceFromIP()