An adversary may use a machine’s IP address to pivot and access other systems, leveraging network connectivity to move laterally within the environment. SOC teams should proactively hunt for this behavior to identify potential lateral movement and unauthorized network traversal in their Azure Sentinel environment.
id: e10dd84f-e4d6-4b21-a9da-816699de0ba8
name: Machine info from IP address (3)
description: |
  The following queries pivot from an IP address assigned to a machine to the relevant machine or logged-on users.
  To read more about it, check out this post: https://techcommunity.microsoft.com/t5/What-s-New/Advanced-hunting-now-includes-network-adapters-information/m-p/224402#M74.
  Query #1: get machines that have used a given local IP address at a given time - as configured on their network adapters.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkInfo
      - DeviceInfo
query: |
  // Query #4: Get machines that have used a given IP address, looking up on both local and external addresses.
  // This includes IP addresses seen locally in their network adapters configuration or ones used to access the WDATP cloud.
  let pivotTimeParam = datetime(2018-07-15 19:51:00);
  let ipAddressParam = "192.168.1.5";
  DeviceNetworkInfo
  | where Timestamp between ((pivotTimeParam-15m) ..30m) and IPAddresses contains strcat("\"", ipAddressParam, "\"") and NetworkAdapterStatus == "Up"
  | project DeviceName, Timestamp, Source="NetworkAdapterInfo"
  | union (DeviceInfo | where Timestamp between ((pivotTimeParam-15m) .. 30m) and PublicIP == ipAddressParam | project DeviceName, Timestamp, Source="Public IP address")
  | extend TimeDifference=abs(Timestamp-pivotTimeParam)
  | sort by TimeDifference asc
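The description above says the queries pivot to the machine "or logged-on users", but only the machine lookup is shown. The KQL below is an added example, not part of the original query file: it keeps the same parameters and 30-minute window, reduces the result to one row per DeviceId, and then left-joins DeviceLogonEvents to list the accounts that logged on to each matched machine inside that window. It assumes DeviceLogonEvents (with its ActionType, LogonType, AccountDomain and AccountName columns) is ingested by the same MicrosoftThreatProtection connector, which the file above does not list.

```kql
// Added example (not from the original query file): pivot from the IP address to
// the machine(s) and then to the accounts that logged on to them in the same window.
// Assumes DeviceLogonEvents is ingested by the same MicrosoftThreatProtection connector.
let pivotTimeParam = datetime(2018-07-15 19:51:00);
let ipAddressParam = "192.168.1.5";
let windowStart = pivotTimeParam - 15m;
let windowEnd = pivotTimeParam + 15m;
// Step 1: the same two lookups as Query #4, keyed on DeviceId so the join below is exact,
// reduced to the single observation closest to the pivot time per device.
let machines = DeviceNetworkInfo
    | where Timestamp between (windowStart .. windowEnd)
    | where NetworkAdapterStatus == "Up"
    // IPAddresses is a JSON array, so match the quoted value to avoid prefix hits (e.g. 192.168.1.50)
    | where IPAddresses contains strcat("\"", ipAddressParam, "\"")
    | project DeviceId, DeviceName, Timestamp, Source = "NetworkAdapterInfo"
    | union (
        DeviceInfo
        | where Timestamp between (windowStart .. windowEnd)
        | where PublicIP == ipAddressParam
        | project DeviceId, DeviceName, Timestamp, Source = "Public IP address")
    | extend TimeDifference = abs(Timestamp - pivotTimeParam)
    | summarize arg_min(TimeDifference, *) by DeviceId;
// Step 2: successful logons on those devices inside the window, one row per account and logon type.
// Devices with no logon in the window are kept (leftouter) with empty account columns.
machines
| join kind=leftouter (
    DeviceLogonEvents
    | where Timestamp between (windowStart .. windowEnd)
    | where ActionType == "LogonSuccess"
    | summarize LogonCount = count(), LastLogon = max(Timestamp)
        by DeviceId, AccountDomain, AccountName, LogonType
    ) on DeviceId
| project DeviceName, Source, ObservedAt = Timestamp, TimeDifference,
          AccountDomain, AccountName, LogonType, LogonCount, LastLogon
| sort by TimeDifference asc, LastLogon desc
```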
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs on a machine and queries system information via IP address, such as during Windows Update or disk cleanup.
Filter/Exclusion: Exclude processes associated with schtasks.exe or Task Scheduler using the ProcessName field. Example filter: ProcessName != "schtasks.exe"
Scenario: Network Discovery via PowerShell
Description: An admin uses PowerShell to gather machine information across the network for inventory or compliance purposes.
Filter/Exclusion: Exclude PowerShell scripts that use Test-Connection or Get-NetNeighbor by checking the ProcessName field for powershell.exe and filtering out known admin scripts or paths.
Scenario: Remote Management via Windows Admin Center
Description: A system administrator uses Windows Admin Center to manage multiple machines, which may involve querying machine info via IP address.
Filter/Exclusion: Exclude connections made from the Windows Admin Center by checking the SourceIP against known admin IP ranges or using the ProcessName field for WindowsAdminCenter.exe.
Scenario: DNS Resolution or IP Lookup by Security Tools
Description: A security tool or SIEM system performs IP-to-machine lookups as part of threat intelligence or log analysis.
Filter/Exclusion: Exclude events from known security tools like Microsoft Defender for Endpoint or Splunk by checking the Product or Source field, or by filtering out IP lookups that do not involve user interaction.
Scenario: Internal Monitoring Tool Polling Machines
Description: An internal monitoring tool (e.g., PRTG, Nagios, or Zabbix) polls machines for status or performance metrics, which may involve IP-based lookups.
Filter/Exclusion: Exclude traffic