An adversary may use a machine’s IP address to pivot and access other systems, leveraging network-based reconnaissance to identify potential targets. SOC teams should proactively hunt for this behavior to detect early signs of lateral movement or unauthorized network exploration in their Azure Sentinel environment.
KQL Query
// Query #2:
// same as query #1 (get machines that have used a given local IP address at a given time), but also query for the logged on user
let pivotTimeParam = datetime(2018-07-15 19:51:00);
let ipAddressParam = "192.168.1.5";
let matchingMachines =
DeviceNetworkInfo
| where Timestamp between ((pivotTimeParam-15m) ..30m) and IPAddresses contains strcat("\"", ipAddressParam, "\"") and NetworkAdapterStatus == "Up"
//// Optional - add filters to make sure machine is part of the relevant network (and not using that IP address as part of another private network).
//// For example:
// and ConnectedNetworks contains "corp.contoso.com"
// and IPv4Dhcp == "10.164.3.12"
// and DefaultGateways contains "\"10.164.3.1\""
| project DeviceName, Timestamp, IPAddresses, TimeDifference=abs(Timestamp-pivotTimeParam);
DeviceInfo
| where Timestamp between ((pivotTimeParam-15m) ..30m)
| project DeviceName, Timestamp, LoggedOnUsers
| join kind=inner (matchingMachines) on DeviceName, Timestamp
| project Timestamp, DeviceName, LoggedOnUsers, TimeDifference, IPAddresses
// In case multiple machines have reported from that IP address around that time, start with the ones reporting closest to pivotTimeParam
| sort by TimeDifference asc
id: 49cf658e-f446-476e-a7da-30909caaa3e3
name: Machine info from IP address (1)
description: |
  The following queries pivot from an IP address assigned to a machine to the relevant machine or logged-on users.
  To read more about it, check out this post: https://techcommunity.microsoft.com/t5/What-s-New/Advanced-hunting-now-includes-network-adapters-information/m-p/224402#M74.
  Query #1: get machines that have used a given local IP address at a given time - as configured on their network adapters.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkInfo
      - DeviceInfo
query: |
  // Query #2:
  // same as query #1 (get machines that have used a given local IP address at a given time), but also query for the logged on user
  let pivotTimeParam = datetime(2018-07-15 19:51:00);
  let ipAddressParam = "192.168.1.5";
  let matchingMachines =
  DeviceNetworkInfo
  | where Timestamp between ((pivotTimeParam-15m) ..30m) and IPAddresses contains strcat("\"", ipAddressParam, "\"") and NetworkAdapterStatus == "Up"
  //// Optional - add filters to make sure machine is part of the relevant network (and not using that IP address as part of another private network).
  //// For example:
  // and ConnectedNetworks contains "corp.contoso.com"
  // and IPv4Dhcp == "10.164.3.12"
  // and DefaultGateways contains "\"10.164.3.1\""
  | project DeviceName, Timestamp, IPAddresses, TimeDifference=abs(Timestamp-pivotTimeParam);
  DeviceInfo
  | where Timestamp between ((pivotTimeParam-15m) ..30m)
  | project DeviceName, Timestamp, LoggedOnUsers
  | join kind=inner (matchingMachines) on DeviceName, Timestamp
  | project Timestamp, DeviceName, LoggedOnUsers, TimeDifference, IPAddresses
  // In case multiple machines have reported from that IP address around that time, start with the ones reporting closest to pivotTimeParam
  | sort by TimeDifference asc
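To make the query's filtering and join logic concrete offline, here is the same pivot re-implemented in Python over constructed sample rows. This is an added example, not part of the original query set; the row shapes, device names and users are assumptions that mimic the DeviceNetworkInfo and DeviceInfo tables. It shows why the query quotes the address before matching (so 192.168.1.5 does not also match 192.168.1.50), why the adapter status and the 30-minute window matter, and how ties are ordered by distance from the pivot time.

```python
import json
from datetime import datetime, timedelta

# Constructed sample rows shaped like the DeviceNetworkInfo and DeviceInfo
# advanced hunting tables (assumption: illustrative data, not real telemetry).
PIVOT_TIME = datetime(2018, 7, 15, 19, 51)

def _net(name, ts, ip, status="Up"):
    return {"DeviceName": name, "Timestamp": ts, "NetworkAdapterStatus": status,
            "IPAddresses": json.dumps([{"IPAddress": ip, "AddressType": "Private"}])}

def _dev(name, ts, user):
    return {"DeviceName": name, "Timestamp": ts,
            "LoggedOnUsers": json.dumps([{"UserName": user, "DomainName": "CORP"}])}

DEVICE_NETWORK_INFO = [
    _net("ws01", datetime(2018, 7, 15, 19, 50), "192.168.1.5"),          # match, 1 min from pivot
    _net("ws05", datetime(2018, 7, 15, 20, 0), "192.168.1.5"),           # second holder, 9 min from pivot
    _net("ws02", datetime(2018, 7, 15, 20, 5), "192.168.1.50"),          # different address, must not match
    _net("ws03", datetime(2018, 7, 15, 19, 40), "192.168.1.5", "Down"),  # adapter down, excluded
    _net("ws04", datetime(2018, 7, 15, 20, 30), "192.168.1.5"),          # outside the 30 min window
]
DEVICE_INFO = [
    _dev("ws01", datetime(2018, 7, 15, 19, 50), "alice"),
    _dev("ws05", datetime(2018, 7, 15, 20, 0), "bob"),
    _dev("ws02", datetime(2018, 7, 15, 20, 5), "carol"),
    _dev("ws03", datetime(2018, 7, 15, 19, 40), "dave"),
    _dev("ws04", datetime(2018, 7, 15, 20, 30), "erin"),
]

def machines_from_ip(network_rows, device_rows, pivot_time, ip_address):
    """Query #2 in Python: machines that held ip_address near pivot_time, joined to
    the users logged on at the same report time, closest report first."""
    # Quote the address exactly as the KQL strcat does, so "192.168.1.5" cannot
    # match the JSON text of 192.168.1.50 or 192.168.1.55.
    needle = '"%s"' % ip_address
    start = pivot_time - timedelta(minutes=15)      # (pivotTimeParam-15m) ..30m
    end = start + timedelta(minutes=30)
    matching = {}
    for r in network_rows:
        if (start <= r["Timestamp"] <= end and needle in r["IPAddresses"]
                and r["NetworkAdapterStatus"] == "Up"):
            matching[(r["DeviceName"], r["Timestamp"])] = r["IPAddresses"]
    joined = []
    for d in device_rows:   # inner join on DeviceName and Timestamp
        key = (d["DeviceName"], d["Timestamp"])
        if key in matching and start <= d["Timestamp"] <= end:
            joined.append({"Timestamp": d["Timestamp"], "DeviceName": d["DeviceName"],
                           "LoggedOnUsers": d["LoggedOnUsers"],
                           "TimeDifference": abs(d["Timestamp"] - pivot_time),
                           "IPAddresses": matching[key]})
    return sorted(joined, key=lambda row: row["TimeDifference"])
```

Running it for "192.168.1.5" returns ws01 (alice) and then ws05 (bob); ws02, ws03 and ws04 are dropped for the reasons noted in the comments.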
Scenario: A system administrator is using PowerShell to query machine information via IP address as part of routine system inventory or asset management.
Filter/Exclusion: Exclude processes initiated by PowerShell.exe with the user context of a known admin account (e.g., Administrator or Domain Admins).
Scenario: A scheduled job runs nightly to collect machine details from IP addresses for log correlation or monitoring purposes.
Filter/Exclusion: Exclude processes associated with a known scheduled task (e.g., Task Scheduler or a specific task name like DailySystemInventory).
Scenario: A remote management tool like Microsoft Intune or System Center Configuration Manager (SCCM) is querying machine info via IP address to manage endpoints.
Filter/Exclusion: Exclude IP addresses associated with known management services or tools (e.g., 10.0.0.0/8 for internal management networks).
Scenario: A network discovery tool (e.g., Nmap, Advanced IP Scanner) is being used by the IT team to map the internal network and identify machines.
Filter/Exclusion: Exclude IP addresses from the internal network range (e.g., 192.168.0.0/16) or processes associated with known network discovery tools.
Scenario: A user is logged in remotely using Remote Desktop Services (RDS) and the system is querying machine info via IP address for session management or user tracking.
Filter/Exclusion: Exclude IP addresses that match the internal RDS network or processes initiated by the logged-on user session.