The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what’s new.

Applies to:

  • Microsoft 365 Defender


Some information relates to prereleased product which may be substantially modified before it’s commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Use the DeviceFromIP() function in your advanced hunting queries to quickly obtain the list of devices that have been assigned to a certain IP address at a given point in time.

This function returns a table with the following columns:

Column Data type Description
IP string IP address
DeviceId string Unique identifier for the device in the service



invoke DeviceFromIP()


This function is invoked as part of a query.

  • x—The first parameter is typically already a column in the query. In this case, it is the column named IP, the IP address for which you want to see a list of devices that have been assigned to it. It should be a local IP address. External IP addresses are not supported.
  • y—A second optional parameter is the Timestamp, which instructs the function to obtain the most recent assigned devices from a specific time. If not specified, the function returns the latest available records.


Get the latest devices that have been assigned specific IP addresses


| limit 100 
| project IP = LocalIP 
| invoke DeviceFromIP()

Source : Official Microsoft Brand
Editor by : BEST Antivirus KBS Team

How useful was this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.