Important
The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what’s new.
Applies to:
- Microsoft 365 Defender
Important
Some information relates to prereleased product which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Use the DeviceFromIP()
function in your advanced hunting queries to quickly obtain the list of devices that have been assigned to a certain IP address at a given point in time.
This function returns a table with the following columns:
Column | Data type | Description |
---|---|---|
IP |
string |
IP address |
DeviceId |
string |
Unique identifier for the device in the service |
Syntax
invoke DeviceFromIP()
Arguments
This function is invoked as part of a query.
- x—The first parameter is typically already a column in the query. In this case, it is the column named
IP
, the IP address for which you want to see a list of devices that have been assigned to it. It should be a local IP address. External IP addresses are not supported. - y—A second optional parameter is the
Timestamp
, which instructs the function to obtain the most recent assigned devices from a specific time. If not specified, the function returns the latest available records.
Example
Get the latest devices that have been assigned specific IP addresses
DeviceNetworkEvents
| limit 100
| project IP = LocalIP
| invoke DeviceFromIP()