Query Details

ARP Poisoning

Query

//Looking for systems that have two different IP addresses that share the same MAC address for potential ARP Poisoning.
//Defender for Endpoint is required for the DeviceNetworkInfo table.
//Note: a distinct over four columns followed by count() grouped by the same four columns always returns Count=1,
//so the count is taken as the number of distinct IPv4Dhcp values per MAC address, and only MACs seen with more than one are kept.

DeviceNetworkInfo
| where isnotempty(IPv4Dhcp) and isnotempty(MacAddress)
| summarize Count=dcount(IPv4Dhcp), IPs=make_set(IPv4Dhcp), Adapters=make_set(NetworkAdapterName), Devices=make_set(DeviceName) by MacAddress
| where Count > 1

Explanation

This query looks for systems that have two different IP addresses but share the same MAC address, which could indicate ARP Poisoning. It requires Defender for Endpoint and reads from the DeviceNetworkInfo table. The query filters out rows with an empty IPv4Dhcp value, takes the distinct combinations of IPv4Dhcp, MacAddress, NetworkAdapterName, and DeviceName, and then summarizes per MAC address so that a MAC seen with more than one IP address stands out. Because a MAC can legitimately pick up a new IP when its DHCP lease changes, results should be reviewed alongside the row Timestamp rather than treated as a confirmed attack on their own.
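The same detection logic run over constructed sample rows, as an added example that is not part of the original query page. It shows why the published distinct-then-count() pipeline returns Count=1 for every row, and what grouping by MAC and counting distinct IPs returns instead; the rows and IP values are made up, and the column names follow DeviceNetworkInfo.

```python
from collections import defaultdict

# Constructed rows shaped like DeviceNetworkInfo (not real telemetry).
# ws02 and ws03 report the same MAC with different IPv4Dhcp values;
# ws04 has empty values and must be filtered out.
ROWS = [
    {"DeviceName": "ws01", "NetworkAdapterName": "Ethernet",
     "MacAddress": "00-11-22-33-44-55", "IPv4Dhcp": "10.0.0.1"},
    {"DeviceName": "ws01", "NetworkAdapterName": "Ethernet",
     "MacAddress": "00-11-22-33-44-55", "IPv4Dhcp": "10.0.0.1"},
    {"DeviceName": "ws02", "NetworkAdapterName": "Ethernet",
     "MacAddress": "00-11-22-33-44-66", "IPv4Dhcp": "10.0.0.1"},
    {"DeviceName": "ws03", "NetworkAdapterName": "Ethernet",
     "MacAddress": "00-11-22-33-44-66", "IPv4Dhcp": "10.0.0.99"},
    {"DeviceName": "ws04", "NetworkAdapterName": "Wi-Fi",
     "MacAddress": "", "IPv4Dhcp": ""},
]


def original_counts(rows):
    """Mirror the published pipeline: distinct over the four columns, then
    count() grouped by the same four columns. Every group is one row, so
    every Count is 1 and nothing is ever flagged."""
    keys = {(r["IPv4Dhcp"], r["MacAddress"], r["NetworkAdapterName"],
             r["DeviceName"]) for r in rows if r["IPv4Dhcp"]}
    return {k: 1 for k in keys}


def macs_with_multiple_ips(rows):
    """Group by MAC, count distinct IPv4Dhcp values, keep MACs with more
    than one, and carry the device names and IPs along for triage."""
    ips = defaultdict(set)
    devices = defaultdict(set)
    for r in rows:
        if not r["IPv4Dhcp"] or not r["MacAddress"]:
            continue  # isnotempty() filter
        ips[r["MacAddress"]].add(r["IPv4Dhcp"])
        devices[r["MacAddress"]].add(r["DeviceName"])
    return {mac: {"Count": len(s), "IPs": sorted(s),
                  "Devices": sorted(devices[mac])}
            for mac, s in ips.items() if len(s) > 1}


if __name__ == "__main__":
    print(original_counts(ROWS))       # all values are 1
    print(macs_with_multiple_ips(ROWS))  # flags 00-11-22-33-44-66
```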

Details

Rod Trent

Released: August 31, 2021

Tables

DeviceNetworkInfo

Keywords

DeviceNetworkInfo, IPv4Dhcp, MacAddress, NetworkAdapterName, DeviceName, Count

Operators

where, isnotempty, distinct, summarize, count()