advanced-hunting-devicefromip-function.md

title	DeviceFromIP() function in advanced hunting for Microsoft Defender XDR
description	Learn how to use the DeviceFromIP() function to get the devices that have been assigned a specific IP address
search.appverid	met150
ms.service	defender-xdr
ms.subservice	adv-hunting
f1.keywords	NOCSH
ms.author	pauloliveria
author	poliveria
ms.localizationpriority	medium
manager	dansimp
audience	ITPro
ms.collection	m365-security tier3
ms.custom	cx-ti cx-ah
appliesto	Microsoft Defender XDR Microsoft Sentinel in the Microsoft Defender portal
ms.topic	reference
ms.date	03/28/2025

DeviceFromIP()

[!INCLUDE Microsoft Defender XDR rebranding]

[!INCLUDE Prerelease information]

Use the DeviceFromIP() function in your advanced hunting queries to quickly obtain the list of devices that have been assigned to a certain IP address at a given point in time.

This function returns a table with the following columns:

Column	Data type	Description
IP	string	IP address
DeviceId	string	Unique identifier for the device in the service

Syntax

invoke DeviceFromIP()

Arguments

This function is invoked as part of a query.

• x—The first parameter is typically already a column in the query. In this case, it's the column named IP, the IP address for which you want to see a list of devices that have been assigned to it. It should be a local IP address. External IP addresses aren't supported.
• y—A second optional parameter is the Timestamp, which instructs the function to obtain the most recent assigned devices from a specific time. If not specified, the function returns the latest available records.

Example

Get the latest devices that have been assigned specific IP addresses

DeviceNetworkEvents 
| limit 100 
| project IP = LocalIP 
| invoke DeviceFromIP()

Related topics

• Advanced hunting overview
• Learn the query language
• Understand the schema [!INCLUDE Microsoft Defender XDR rebranding]