An adversary may use a machine’s IP address to pivot and access other systems, leveraging network-based reconnaissance to identify potential targets. SOC teams should proactively hunt for this behavior to detect lateral movement and early-stage network exploration in their Azure Sentinel environment.
id: a6208585-9910-4855-b847-dfd49ff9beb1
name: Machine info from IP address (2)
description: |
The following queries pivot from an IP address assigned to a machine to the relevant machine or logged-on users.
To read more about it, check out this post: https://techcommunity.microsoft.com/t5/What-s-New/Advanced-hunting-now-includes-network-adapters-information/m-p/224402#M74.
Query #1: get machines that have used a given local IP address at a given time - as configured on their network adapters.
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceInfo
query: |
// Query #3: get machines that have used a given *public* IP address at a given time - as seen in their communications with the WDATP cloud
let pivotTimeParam = datetime(2018-07-15 19:51:00);
let ipAddressParam = "192.168.1.5";
DeviceInfo
| where Timestamp between ((pivotTimeParam-15m) .. 30m) and PublicIP == ipAddressParam
| project DeviceName, LoggedOnUsers, Timestamp, TimeDifference=abs(Timestamp-pivotTimeParam)
// In case multiple machines have reported from that IP address around that time, start with the ones reporting closest to pivotTimeParam
| sort by TimeDifference asc
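The time-window clause in the query is easy to misread: in KQL, `Timestamp between ((pivotTimeParam-15m) .. 30m)` means a 30-minute span that starts 15 minutes before the pivot, so the window is pivotTimeParam ± 15m with inclusive boundaries. The following Python is an added example, not part of the page or of Microsoft's hunting-query repository; it replays the query's filter, projection and proximity sort over a handful of constructed DeviceInfo rows (the device names, users and timestamps are made up) so the window boundaries and the ordering by TimeDifference can be checked offline.

```python
from datetime import datetime, timedelta

# Constructed sample of DeviceInfo rows (not real telemetry). Only the columns
# the KQL query touches are modelled: DeviceName, LoggedOnUsers, Timestamp, PublicIP.
SAMPLE_DEVICE_INFO = [
    {"DeviceName": "ws-finance-01", "LoggedOnUsers": '[{"UserName":"alice"}]',
     "Timestamp": datetime(2018, 7, 15, 19, 49, 0), "PublicIP": "192.168.1.5"},
    {"DeviceName": "ws-hr-07", "LoggedOnUsers": '[{"UserName":"bob"}]',
     "Timestamp": datetime(2018, 7, 15, 20, 3, 0), "PublicIP": "192.168.1.5"},
    {"DeviceName": "srv-build-02", "LoggedOnUsers": "[]",
     "Timestamp": datetime(2018, 7, 15, 19, 52, 0), "PublicIP": "192.168.1.5"},
    # Same public IP, exactly on the upper boundary (pivot + 15m): KQL between is inclusive
    {"DeviceName": "srv-edge-05", "LoggedOnUsers": "[]",
     "Timestamp": datetime(2018, 7, 15, 20, 6, 0), "PublicIP": "192.168.1.5"},
    # Same public IP but 20 minutes before the pivot: outside the window, must be dropped
    {"DeviceName": "ws-old-03", "LoggedOnUsers": "[]",
     "Timestamp": datetime(2018, 7, 15, 19, 31, 0), "PublicIP": "192.168.1.5"},
    # Inside the window but a different public IP: must be dropped
    {"DeviceName": "ws-other-09", "LoggedOnUsers": "[]",
     "Timestamp": datetime(2018, 7, 15, 19, 51, 0), "PublicIP": "203.0.113.7"},
]


def pivot_window(pivot_time, before=timedelta(minutes=15), span=timedelta(minutes=30)):
    """Mirror KQL `between ((pivot-15m) .. 30m)`.

    When the right side of `between` is a timespan, the range is
    [left, left + timespan], so this is [pivot-15m, pivot+15m], both ends inclusive.
    """
    start = pivot_time - before
    return start, start + span


def machines_seen_from_ip(rows, pivot_time, ip_address):
    """Replay the hunting query: filter by window and PublicIP, project the
    columns, add TimeDifference, and sort so the closest reports come first."""
    start, end = pivot_window(pivot_time)
    hits = []
    for row in rows:
        if row["PublicIP"] != ip_address:
            continue
        if not (start <= row["Timestamp"] <= end):
            continue
        hits.append({
            "DeviceName": row["DeviceName"],
            "LoggedOnUsers": row["LoggedOnUsers"],
            "Timestamp": row["Timestamp"],
            # abs(Timestamp - pivotTimeParam), as in the query's project clause
            "TimeDifference": abs(row["Timestamp"] - pivot_time),
        })
    # `sort by TimeDifference asc`: when several machines reported from the IP,
    # start with the one whose report is closest to the pivot time
    hits.sort(key=lambda h: h["TimeDifference"])
    return hits


if __name__ == "__main__":
    pivot = datetime(2018, 7, 15, 19, 51, 0)
    for hit in machines_seen_from_ip(SAMPLE_DEVICE_INFO, pivot, "192.168.1.5"):
        print(hit["DeviceName"], hit["Timestamp"].isoformat(), hit["TimeDifference"])
```

Running it with the page's pivot time and IP returns four devices in the order srv-build-02, ws-finance-01, ws-hr-07, srv-edge-05; the row 20 minutes before the pivot and the row from a different public IP are excluded. The same replay is a convenient way to sanity-check any change to the window (for example widening it for devices that report infrequently) before editing the production query.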
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs on a machine and queries its own IP address as part of a routine health check or configuration update.
Filter/Exclusion: Exclude events where the source IP matches the machine’s own IP address (source_ip = machine_ip) or filter by task name (task_name = "System Maintenance").
Scenario: User-Initiated Remote Desktop Connection (RDP)
Description: A user connects to a machine via RDP, and the system logs the IP address of the remote client. The rule may falsely flag this as a machine info lookup.
Filter/Exclusion: Exclude events where the source IP is associated with a known RDP client or filter by user context (user_principal_name = "domain\user").
Scenario: PowerShell Script for Network Diagnostics
Description: A system administrator runs a PowerShell script (e.g., Test-NetConnection) to check network connectivity, which includes querying the machine’s IP address.
Filter/Exclusion: Exclude events where the process name is powershell.exe and the command line includes network diagnostic tools (process_name = "powershell.exe" AND command_line LIKE "%Test-NetConnection%").
Scenario: Windows Update or Patching Job
Description: A Windows Update or patching job runs on a machine and logs information about the machine’s IP address as part of the update process.
Filter/Exclusion: Exclude events related to Windows Update (event_id = 6006 or event_id = 6008) or filter by process name (process_name = "wuauclt.exe").
Scenario: Logon Event with IP Address Lookup
Description: A logon event occurs, and the system logs the IP address of the machine from which the