Query Details

Defender XDR Advanced Hunting All In One IP Search

Query

// DefenderXDR Advanced Hunting All-In-One IP Search
// https://www.linkedin.com/pulse/defenderxdr-advanced-hunting-all-in-one-ip-search-steven-lim-a2j7c/

// This KQL query searches across these DefenderXDR log tables for the ip variable that is defined at the start:
// AADSignInEventsBeta, AADSpnSignInEventsBeta, CloudAppEvents, IdentityLogonEvents, UrlClickEvents, DeviceNetworkInfo, CloudAuditEvents, DeviceFileEvents, AlertEvidence, BehaviorEntities, DeviceEvents, DeviceLogonEvents, DeviceNetworkEvents, EmailEvents, DeviceInfo and ExposureGraphNodes
// search (rather than union | where) is used because the predicate references columns that exist only in some of the tables;
// search evaluates each column test only in the tables that have that column and adds a $table column to every result row.

let ip = "223.171.89.199"; // Sample Malicious IP - replace with the indicator under investigation
search in (AADSignInEventsBeta, AADSpnSignInEventsBeta, CloudAppEvents, IdentityLogonEvents, CloudAuditEvents, UrlClickEvents, DeviceNetworkInfo, DeviceFileEvents, AlertEvidence, ExposureGraphNodes, BehaviorEntities, DeviceEvents, DeviceLogonEvents, DeviceNetworkEvents, EmailEvents, DeviceInfo)
Timestamp between (ago(7d) .. now())
and (
// AADSignInEventsBeta AADSpnSignInEventsBeta CloudAppEvents IdentityLogonEvents
// UrlClickEvents CloudAuditEvents
IPAddress == ip
// DeviceNetworkInfo (adapter addresses are stored in the IPAddresses JSON array, not in a scalar IPAddress column)
or IPAddresses has ip
// DeviceFileEvents
or RequestSourceIP == ip
// AlertEvidence BehaviorEntities DeviceEvents DeviceLogonEvents DeviceNetworkEvents
or RemoteIP == ip
// DeviceEvents DeviceFileEvents
or FileOriginIP == ip
// EmailEvents
or SenderIPv4 == ip
// IdentityLogonEvents
or DestinationIPAddress == ip
// DeviceInfo
or PublicIP == ip
// AlertEvidence BehaviorEntities DeviceEvents DeviceNetworkEvents
or LocalIP == ip
// ExposureGraphNodes
or NodeProperties.rawData.publicIP == ip
)

Explanation

This KQL query searches for a single IP address across multiple advanced hunting tables in Microsoft Defender XDR. Here's a breakdown:

  1. IP Address to Search: The ip variable is set to "223.171.89.199", a sample malicious IP. Replace it with the indicator you are investigating; the rest of the query does not need to change.

  2. Log Tables: The query searches across these tables (the original listed AADSignInEventsBeta twice where the comments show the second entry was meant to be AADSpnSignInEventsBeta, the service-principal sign-in table):

    • AADSignInEventsBeta
    • AADSpnSignInEventsBeta
    • CloudAppEvents
    • IdentityLogonEvents
    • UrlClickEvents
    • DeviceNetworkInfo
    • CloudAuditEvents
    • DeviceFileEvents
    • AlertEvidence
    • BehaviorEntities
    • DeviceEvents
    • DeviceLogonEvents
    • DeviceNetworkEvents
    • EmailEvents
    • DeviceInfo
    • ExposureGraphNodes
  3. Time Frame: The search is limited to events whose Timestamp falls within the last 7 days (Timestamp between (ago(7d) .. now())).

  4. Search Conditions: Because each table records an IP under a different column name, the predicate ORs together an equality test for every column the IP could appear in:

    • IPAddress
    • RequestSourceIP
    • RemoteIP
    • FileOriginIP
    • SenderIPv4
    • DestinationIPAddress
    • PublicIP
    • LocalIP
    • NodeProperties.rawData.publicIP

Two points a practitioner should keep in mind. First, the search operator returns matching rows from every listed table together with a $table column naming the source table; look at $table and at which column matched, because a LocalIP hit means one of your own hosts carries the address while a RemoteIP hit means a host talked to it, and those call for very different responses. Second, the tests are exact string equality, so they do not cover CIDR ranges or IPv6 (EmailEvents records IPv6 senders in SenderIPv6), and DeviceNetworkInfo stores adapter addresses in the IPAddresses JSON array rather than a scalar IPAddress column, so a scalar IPAddress == ip comparison never matches that table; a has match against IPAddresses is needed for it.

In summary, this query is a comprehensive search for a specific IP address across multiple Defender XDR tables within the past week, checking every column where the IP might be recorded.
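As an added example (not part of the original query or of Steven Lim's post), the variant below generalizes the same idea to a list of indicators and, instead of dumping raw rows, first summarizes hits by source table and by the column that matched, which is the triage view you want before pivoting into individual events. The table and column names are the ones the original query uses; the IP list is constructed sample data, and the lookback variable, MatchedField and MatchedIP columns are names chosen here for illustration.

```kql
// Added example, not the original query: hunt a list of IPs at once and
// summarize hits per table and per matched column before pulling raw events.
let ips = dynamic(["223.171.89.199", "198.51.100.7"]); // constructed sample IOCs (198.51.100.0/24 is RFC 5737 documentation space)
let lookback = 7d;
search in (AADSignInEventsBeta, AADSpnSignInEventsBeta, CloudAppEvents, IdentityLogonEvents, CloudAuditEvents, UrlClickEvents, DeviceNetworkInfo, DeviceFileEvents, AlertEvidence, ExposureGraphNodes, BehaviorEntities, DeviceEvents, DeviceLogonEvents, DeviceNetworkEvents, EmailEvents, DeviceInfo)
Timestamp between (ago(lookback) .. now())
and (
    IPAddress in (ips)
    or IPAddresses has_any (ips)          // DeviceNetworkInfo keeps adapter addresses in a JSON array
    or RequestSourceIP in (ips)
    or RemoteIP in (ips)
    or FileOriginIP in (ips)
    or SenderIPv4 in (ips)
    or DestinationIPAddress in (ips)
    or PublicIP in (ips)
    or LocalIP in (ips)
    or tostring(NodeProperties.rawData.publicIP) in (ips)
)
// Record which column carried the hit: a LocalIP/PublicIP match means one of our
// own hosts holds the address, a RemoteIP match means a host connected to it.
| extend MatchedField = case(
    IPAddress in (ips), "IPAddress",
    IPAddresses has_any (ips), "IPAddresses",
    RequestSourceIP in (ips), "RequestSourceIP",
    RemoteIP in (ips), "RemoteIP",
    FileOriginIP in (ips), "FileOriginIP",
    SenderIPv4 in (ips), "SenderIPv4",
    DestinationIPAddress in (ips), "DestinationIPAddress",
    PublicIP in (ips), "PublicIP",
    LocalIP in (ips), "LocalIP",
    tostring(NodeProperties.rawData.publicIP) in (ips), "NodeProperties.rawData.publicIP",
    "unknown")
// Resolve the matched value so a multi-IOC hunt still tells you which indicator fired.
// For DeviceNetworkInfo the whole array is kept, since several adapters may be listed.
| extend MatchedIP = case(
    MatchedField == "IPAddress", IPAddress,
    MatchedField == "IPAddresses", tostring(IPAddresses),
    MatchedField == "RequestSourceIP", RequestSourceIP,
    MatchedField == "RemoteIP", RemoteIP,
    MatchedField == "FileOriginIP", FileOriginIP,
    MatchedField == "SenderIPv4", SenderIPv4,
    MatchedField == "DestinationIPAddress", DestinationIPAddress,
    MatchedField == "PublicIP", PublicIP,
    MatchedField == "LocalIP", LocalIP,
    MatchedField == "NodeProperties.rawData.publicIP", tostring(NodeProperties.rawData.publicIP),
    "")
| summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by $table, MatchedField, MatchedIP
| sort by Hits desc
```

Run this first to see which tables and columns light up, then re-run the original row-level query restricted to the relevant table(s) for the detail. The $table column is the one search adds to every result row. Note that the 7-day window and the exact-match tests are the same as in the original query, so the same caveats apply: no CIDR ranges and no IPv6 matching.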

Details


Steven Lim

Released: August 2, 2024

Tables

AADSignInEventsBeta, CloudAppEvents, IdentityLogonEvents, UrlClickEvents, DeviceNetworkInfo, CloudAuditEvents, DeviceFileEvents, AlertEvidence, BehaviorEntities, DeviceEvents, DeviceLogonEvents, DeviceNetworkEvents, EmailEvents, DeviceInfo, ExposureGraphNodes

Keywords

Devices, Intune, User, Cloud Security, Network, Email

Operators

let, search, in, between, ago, now, and, or, ==
