Adversaries who have obtained valid credentials may establish access to managed devices from IP addresses the organisation does not recognise: public addresses that are not assigned to any onboarded device and have not appeared as the source of any identity sign-in. Such logons are candidates for lateral movement or command-and-control activity from attacker-controlled infrastructure, and SOC teams should proactively hunt for them in Azure Sentinel.
KQL Query
DeviceLogonEvents
| where RemoteIPType == "Public"
| join kind=leftanti (
    DeviceNetworkInfo
    | project NetworkInfo = todynamic(IPAddresses)
    | mv-expand NetworkInfo // one row per address object: {IPAddress, SubnetPrefix, AddressType}
    | project IpAddress = tostring(NetworkInfo.IPAddress)
    | distinct IpAddress
) on $left.RemoteIP == $right.IpAddress // Removes any IP address assigned to an onboarded device
| join kind=leftanti (
    IdentityLogonEvents
    | where ISP != "INTERNAL_NETWORK" // identity logons from a public source, i.e. not tagged as the internal network by Microsoft Cloud App Security
    | distinct IPAddress
) on $left.RemoteIP == $right.IPAddress // Removes public IPs already seen as the source of an identity logon, so only addresses unknown to both device and identity telemetry remain
| summarize EarliestEvent = min(Timestamp), LatestEvent = max(Timestamp), Instances = count(), DistinctMachines = dcount(DeviceId) by AccountDomain, AccountName, LogonType, RemoteIP, ActionType

Note that the second join is deliberately broad: any public address that has produced an identity sign-in, including an attacker's if the same source also authenticated to the cloud, is treated as known. Tenants that want a stricter definition of "unknown" can drop that join and rely on the device-assigned address list alone.
id: a6d76204-efb2-4ccd-a068-d5a9e6876236
name: Device Logons from Unknown IPs
description: |
  Device Logons from Unknown IP Addresses.
  This query identifies device logons from public IP addresses that are not associated with any machine onboarded to Defender ATP (Microsoft Defender for Endpoint) and that have not been seen as the source of an identity logon.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceLogonEvents
      - DeviceNetworkInfo
      - IdentityLogonEvents
query: |
  DeviceLogonEvents
  | where RemoteIPType == "Public"
  | join kind=leftanti (
      DeviceNetworkInfo
      | project NetworkInfo = todynamic(IPAddresses)
      | mv-expand NetworkInfo
      | project IpAddress = tostring(NetworkInfo.IPAddress)
      | distinct IpAddress
  ) on $left.RemoteIP == $right.IpAddress // Removes any IP address assigned to an onboarded device
  | join kind=leftanti (
      IdentityLogonEvents
      | where ISP != "INTERNAL_NETWORK" // identity logons from a public source, i.e. not tagged as the internal network by Microsoft Cloud App Security
      | distinct IPAddress
  ) on $left.RemoteIP == $right.IPAddress // Removes public IPs already seen as the source of an identity logon
  | summarize EarliestEvent = min(Timestamp), LatestEvent = max(Timestamp), Instances = count(), DistinctMachines = dcount(DeviceId) by AccountDomain, AccountName, LogonType, RemoteIP, ActionType
| Sentinel Table | Notes |
|---|---|
| DeviceLogonEvents | Ingested by the Microsoft 365 Defender (MicrosoftThreatProtection) connector; ensure the connector is enabled and this table is selected |
| DeviceNetworkInfo | Same connector; supplies the list of IP addresses assigned to onboarded devices that the first join excludes |
| IdentityLogonEvents | Same connector; populated from Microsoft Cloud App Security and Defender for Identity telemetry, which the second join relies on |
Scenario: Scheduled system maintenance or updates using tools like PowerShell remoting or Task Scheduler, run from management hosts that reach endpoints through NAT, a VPN concentrator or a cloud-hosted management network
Filter/Exclusion: Exclude the public egress addresses of those management networks. Private ranges such as 10.0.0.0/8 and 192.168.0.0/16 never reach the results, because the query keeps only logons where RemoteIPType == "Public"; listing them as exclusions has no effect.
Scenario: Logon events generated by Windows Event Log collection or SIEM tooling (e.g., Splunk, ELK Stack) whose collectors authenticate to endpoints over WinRM or SMB from cloud-hosted infrastructure
Filter/Exclusion: Exclude the collectors' public IPs, and consider pairing the exclusion with the dedicated collection service account and LogonType == "Network" so that other logon types from the same address are still surfaced.
Scenario: Remote Desktop Services (RDS) or Remote Assistance sessions that arrive through an RD Gateway, VPN or other public-facing entry point
Filter/Exclusion: Exclude the gateway's or concentrator's public addresses, or scope the hunt to accounts that are not expected to use RemoteInteractive logons. Sessions initiated from onboarded internal workstations are already dropped, since their addresses are private or appear in DeviceNetworkInfo.
Scenario: Defender ATP (Microsoft Defender for Endpoint) or other Microsoft cloud services performing health checks or data collection against devices
Filter/Exclusion: Exclude the Microsoft-published service IP ranges for those services rather than a hand-maintained address list, and revisit the exclusion when the published ranges change.
Scenario: Backup and restore jobs using tools like Veeam, Commvault or Veritas, run from backup servers or storage systems that log on to endpoints on a schedule
Filter/Exclusion: Exclude the backup servers' public IPs, and tie the exclusion to the backup service account so that an interactive logon from the same address is still reported.
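The exclusions above can be expressed in the query itself rather than maintained by hand in the results. The block below is an added tuning example, not part of the original hunting query: it keeps the two leftanti joins from the page and adds a CIDR allowlist of documented egress addresses plus an account-scoped exclusion for expected service-account network logons. The KnownEgress CIDRs (taken from the RFC 5737 documentation ranges), their owners and the service account names are placeholders that must be replaced with the organisation's own values.

```kql
// Added tuning example (not part of the original hunting query).
// CIDRs, owners and account names are placeholders; replace with your own.
let KnownEgress = datatable(Cidr:string, Owner:string) [
    "203.0.113.0/24",   "Corporate VPN concentrator / NAT egress",
    "198.51.100.8/29",  "Cloud-hosted SIEM collectors (Splunk, ELK)",
    "198.51.100.64/27", "Cloud-hosted backup servers (Veeam/Commvault/Veritas)"
];
let KnownEgressList = toscalar(KnownEgress | summarize make_list(Cidr));
// Service accounts whose Network logons are expected from the ranges above.
let ExpectedServiceAccounts = dynamic(["svc-backup", "svc-splunk"]);
DeviceLogonEvents
| where Timestamp > ago(7d)
| where RemoteIPType == "Public"
// Drop logons from public addresses the organisation has documented as its own.
// ipv4_is_in_any_range() returns null for non-IPv4 input, so coalesce() keeps
// IPv6 sources in the result set instead of silently discarding them.
| where not(coalesce(ipv4_is_in_any_range(RemoteIP, KnownEgressList), false))
// Drop expected service-account activity, but only for Network logons: an
// Interactive or RemoteInteractive logon by a service account stays visible.
| where not(AccountName in~ (ExpectedServiceAccounts) and LogonType == "Network")
| join kind=leftanti (
    DeviceNetworkInfo
    | project NetworkInfo = todynamic(IPAddresses)
    | mv-expand NetworkInfo
    | project IpAddress = tostring(NetworkInfo.IPAddress)
    | distinct IpAddress
) on $left.RemoteIP == $right.IpAddress // addresses assigned to onboarded devices
| join kind=leftanti (
    IdentityLogonEvents
    | where ISP != "INTERNAL_NETWORK"
    | distinct IPAddress
) on $left.RemoteIP == $right.IPAddress // addresses already seen in identity logons
| summarize EarliestEvent = min(Timestamp), LatestEvent = max(Timestamp),
            Instances = count(), DistinctMachines = dcount(DeviceId),
            SampleDevices = make_set(DeviceName, 10)
    by AccountDomain, AccountName, LogonType, RemoteIP, ActionType
| order by DistinctMachines desc, Instances desc
```

Keeping the allowlist in a datatable with an Owner column makes each exclusion reviewable: when a range is decommissioned or a provider changes its egress addresses, the row is the only thing to update. The time window and the SampleDevices column are there to make triage practical; an address touching many distinct machines in a short window is the row to look at first.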