Forum Discussion
MDE Advanced Hunting - Device Network Events - Remote IP Details
Does anyone know of a way to query the MDE IP details through Advanced hunting? I am specifically looking to add an ASN column to my KQL search results for remote IP addresses.
- jbmartin6Iron ContributorI don't see a way to do this, at first I thought maybe the /ip API but that only provides statistics on activity related to the IP. It may be like the virus total results for files, where MS has consciously chosen not to provide a bulk access to the data due to licensing concerns.
- StephenMccBrass Contributor
One way to grab ASN data would be to create a lookup table via the externaldata operator, then use the ipv4_lookup() plugin. Gyp the Cat has some nice examples laid out. The ASN data is sourced from GeoLite2 data created by MaxMind.
let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
with (ignoreFirstRecord=true));
DeviceNetworkEvents
| where RemoteIPType == "Public"
| limit 10
| evaluate ipv4_lookup(CIDRASN, RemoteIP, CIDR, return_unmatched=true)
| extend GeoIPData = geo_info_from_ip_address(RemoteIP)