Hunt Device Discovery Subnet Ranges
Query
// OPTIONAL - Device cap used to ignore network with less then X devices in them
let device_cap = 0;
DeviceNetworkInfo
| where Timestamp > ago(7d)
// Ignore empty networks
| where ConnectedNetworks != ""
// Get networks data
| extend ConnectedNetworksExp = parse_json(ConnectedNetworks)
| mv-expand bagexpansion = array ConnectedNetworks=ConnectedNetworksExp
| extend NetworkName = tostring(ConnectedNetworks ["Name"]), NetworkDescription = tostring(ConnectedNetworks ["Description"]), NetworkCategory = tostring(ConnectedNetworks ["Category"])
// Get subnet data for IPv4 Addresses
| extend IPAddressesExp = parse_json(IPAddresses)
| mv-expand bagexpansion = array IPAddresses=IPAddressesExp
| extend IPAddress = tostring(IPAddresses ["IPAddress"]), SubnetPrefix = tolong(IPAddresses ["SubnetPrefix"])
| extend NetworkAddress = format_ipv4(IPAddress, SubnetPrefix)
| extend SubnetRange = strcat(NetworkAddress, "/", SubnetPrefix)
// Exclude IPv6 and APIPPA
| where SubnetPrefix <= 32
| where IPAddress !startswith "169.254"
// Ignore unidentified networks
| where not(NetworkName has_any ("Unidentified", "Identifying..."))
// Provide list
| distinct DeviceId, NetworkName, IPv4Dhcp, SubnetRange
| summarize Devices = count(), SubnetRanges = make_set(SubnetRange) by NetworkName, IPv4Dhcp
// Ignore network with very low device count
| where Devices >= device_cap
| sort by Devices descAbout this query
Explanation
This KQL query is designed to help you identify and monitor the subnet ranges of networks that are being tracked by Microsoft Defender for Endpoint's Device Discovery feature. Here's a simplified breakdown of what the query does:
-
Time Frame: It looks at network data from the past 7 days.
-
Filter Out Empty Networks: It ignores any networks that don't have any connected devices.
-
Extract Network Information: The query parses the network data to extract details such as network name, description, and category.
-
Extract Subnet Data: It focuses on IPv4 addresses, extracting the IP address and subnet prefix to determine the subnet range.
-
Exclude Certain Networks:
- It excludes IPv6 addresses and addresses starting with "169.254" (which are typically self-assigned and not useful for monitoring).
- It also ignores networks that are unidentified or still being identified.
-
Summarize Results:
- It provides a list of distinct devices and their associated network names, DHCP information, and subnet ranges.
- It counts the number of devices per network and lists the subnet ranges for each network.
-
Filter by Device Count: It allows you to set a minimum number of devices required for a network to be included in the results, helping to focus on more significant networks.
-
Sort by Device Count: Finally, it sorts the networks by the number of devices in descending order, so you can easily see which networks have the most devices.
Overall, this query helps ensure that all relevant corporate networks are being monitored, reducing the risk of having an incomplete asset inventory in Defender XDR.
Details

Robbe Van den Daele
Released: March 19, 2025
Tables
Keywords
Operators