Function: DeviceCommandLinePublicIPs()
Device Command Line Public I Ps
Query
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
// Returns all commandlines that contain a public IP addres from a specific device
let DeviceCommandLinePublicIPs = (DeviceName: string, IncludeSystemExecutions: bool){
DeviceProcessEvents
| where DeviceName == DeviceName
| extend IPAddress = extract(IPRegex, 0, ProcessCommandLine)
| where not(ipv4_is_private(IPAddress))
| where not(InitiatingProcessAccountSid == "S-1-5-18" and IncludeSystemExecutions == false)
| project TimeGenerated, ProcessCommandLine, IPAddress
| sort by TimeGenerated
};
// Example
DeviceCommandLinePublicIPs("devicename.tld", false)About this query
Explanation
This query is designed to find and list all public IPv4 addresses that appear in the command line inputs on a specific device. It works by searching through the device's process events to extract any public IP addresses found in the command line strings. Here's a simple breakdown of what the query does:
-
IP Address Pattern: It uses a regular expression to identify patterns that look like IPv4 addresses in the command line inputs.
-
Device Filtering: The query is focused on a specific device, identified by its name.
-
Public IPs Only: It filters out any private IP addresses, ensuring only public IPs are included in the results.
-
System Account Executions: By default, it excludes command lines initiated by the system account (identified by a specific account SID). However, you can choose to include these by setting the
IncludeSystemExecutionsparameter totrue. -
Output: The query outputs a list of timestamps, command lines, and the extracted public IP addresses, sorted by time.
The query is implemented in both Microsoft Defender XDR and Sentinel environments, with slight differences in the naming of the timestamp field (Timestamp vs. TimeGenerated).
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
Keywords
Operators