Forum Discussion

cyberchef's avatar
cyberchef
Copper Contributor
Apr 24, 2023

MDE Advanced Hunting - Device Network Events - Remote IP Details

Does anyone know of a way to query the MDE IP details through Advanced hunting? I am specifically looking to add an ASN column to my KQL search results for remote IP addresses.

 

 
 

 

  • jbmartin6's avatar
    jbmartin6
    Iron Contributor
    I don't see a way to do this, at first I thought maybe the /ip API but that only provides statistics on activity related to the IP. It may be like the virus total results for files, where MS has consciously chosen not to provide a bulk access to the data due to licensing concerns.
  • StephenMcc's avatar
    StephenMcc
    Brass Contributor

    cyberchef 

    One way to grab ASN data would be to create a lookup table via the ⁠externaldata operator, then use the ipv4_lookup() plugin. Gyp the Cat has some nice ⁠examples laid out. The ASN data is sourced from GeoLite2 data created by MaxMind.

     

    let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)

    ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']

    with (ignoreFirstRecord=true));

    DeviceNetworkEvents

    | where RemoteIPType == "Public"

    | limit 10

    | evaluate ipv4_lookup(CIDRASN, RemoteIP, CIDR, return_unmatched=true)

    | extend GeoIPData = geo_info_from_ip_address(RemoteIP)

Resources