title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender XDR
description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device
search.appverid: met150
ms.service: defender-xdr
ms.subservice: adv-hunting
f1.keywords:
  - NOCSH
ms.author: pauloliveria
author: poliveria
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection:
  - m365-security
  - tier3
ms.custom:
  - cx-ti
  - cx-ah
appliesto:
  - Microsoft Defender XDR
  - Microsoft Sentinel in the Microsoft Defender portal
ms.topic: reference
ms.date: 03/28/2025

AssignedIPAddresses()

Use the AssignedIPAddresses() function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time.

This function returns a table with the following columns:

| Column | Data type | Description |
|---|---|---|
| Timestamp | datetime | Latest time when the device was observed using the IP address |
| IPAddress | string | IP address used by the device |
| IPType | string | Indicates whether the IP address is a public or private address |
| NetworkAdapterType | int | Network adapter type used by the device that has been assigned the IP address. For the possible values, refer to this enumeration |
| ConnectedNetworks | int | Networks that the adapter with the assigned IP address is connected to. Each JSON array contains the network name, category (public, private, or domain), a description, and a flag indicating if it's connected publicly to the internet |

Syntax

AssignedIPAddresses(x, y)

Arguments

  • x: DeviceId or DeviceName value identifying the device
  • y: Timestamp (datetime) value instructing the function to obtain the most recent assigned IP addresses from a specific time. If not specified, the function returns the latest IP addresses.

Examples

Get the list of IP addresses used by a device 24 hours ago

AssignedIPAddresses('example-device-name', ago(1d))

Get IP addresses used by a device and find devices communicating with it

This query uses the AssignedIPAddresses() function to get assigned IP addresses for the device (example-device-name) on or before a specific date (example-date). It then uses the IP addresses to find connections to the device initiated by other devices.

let Date = datetime(example-date);
let DeviceName = "example-device-name";
// List IP addresses used on or before the specified date
AssignedIPAddresses(DeviceName, Date)
| project DeviceName, IPAddress, AssignedTime = Timestamp 
// Get all network events on devices with the assigned IP addresses as the destination addresses
| join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP
// Get only network events around the time the IP address was assigned
| where Timestamp between ((AssignedTime - 1h) .. (AssignedTime + 1h))
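
The following is an added example, not part of the original page: it extends the query above for triage by keeping only private addresses (a public or NAT address can be shared by many hosts and produce unrelated matches) and summarizing the result per source device. The device name, the date, and the assumption that IPType holds the string "private" (matched case-insensitively) are placeholders and assumptions to adjust for your tenant.

```kusto
// Added example: values below are constructed placeholders.
let TargetDevice = "example-device-name";
let PointInTime = datetime(2025-03-01T12:00:00Z);   // constructed sample time
let Window = 1h;
// IP addresses the device held at, or most recently before, PointInTime
AssignedIPAddresses(TargetDevice, PointInTime)
// Assumption: IPType carries "public"/"private"; =~ ignores case
| where IPType =~ "private"
| project IPAddress, AssignedTime = Timestamp
// Network events on any device that used one of those addresses as the destination
| join kind=inner DeviceNetworkEvents on $left.IPAddress == $right.RemoteIP
// Keep only events close to the time the address was observed on the target
| where Timestamp between ((AssignedTime - Window) .. (AssignedTime + Window))
// Drop the target's own events; the name must match the form stored in DeviceName
| where DeviceName !~ TargetDevice
// One row per source device and target address, with what it connected to and from
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            RemotePorts = make_set(RemotePort, 20),
            Processes = make_set(InitiatingProcessFileName, 20)
    by DeviceId, DeviceName, TargetIP = RemoteIP
| order by Connections desc
```

A source device that appears here with many distinct RemotePorts in a short FirstSeen to LastSeen span is worth reviewing first, since that pattern is typical of scanning rather than normal client traffic.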
