Forum Discussion

cyberchef
Copper Contributor
Apr 24, 2023

MDE Advanced Hunting - Device Network Events - Remote IP Details

Does anyone know of a way to query the MDE IP details through Advanced hunting? I am specifically looking to add an ASN column to my KQL search results for remote IP addresses.

3 Replies

  • zlate81
    Copper Contributor

    Just wanted to bump this to see if there have been added any native way to do this with Microsoft's KQL.

  • StephenMcc
    Brass Contributor

    cyberchef 

    One way to grab ASN data would be to create a lookup table via the externaldata operator (https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/externaldata-operator?pivots=azuredataexplorer), then use the ipv4_lookup plugin (https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/ipv4-lookup-plugin). Gyp the Cat has some nice Kusto ASN tables laid out (https://firewalliplists.gypthecat.com/kusto-tables/kusto-asn-table/). The ASN data is sourced from GeoLite2 data created by MaxMind.

    // CIDR-to-ASN lookup table pulled from the gypthecat CSV (header row skipped)
    let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
    ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
    with (ignoreFirstRecord=true));
    DeviceNetworkEvents
    | where RemoteIPType == "Public"
    | limit 10
    // longest-prefix match of RemoteIP against the CIDR column; unmatched rows are kept
    | evaluate ipv4_lookup(CIDRASN, RemoteIP, CIDR, return_unmatched=true)
    | extend GeoIPData = geo_info_from_ip_address(RemoteIP)
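
One way to turn the lookup above into a hunting query, as an added example that is not part of StephenMcc's reply or of the gypthecat project: it reuses the same externaldata table layout (CIDR, CIDRASN, CIDRASNName), enriches public remote IPs with their ASN, and then aggregates per ASN so that networks contacted by only a few devices stand out. The table name AsnTable, the one-day window, the "UNMATCHED" label and the "Devices <= 3" cut-off are my own assumptions for illustration. Note that ipv4_lookup only matches IPv4 addresses, so with return_unmatched=true any IPv6 remote addresses (and prefixes missing from the list) keep their rows but come back with empty ASN columns.

```kql
// Added example, not from the thread: enrich public remote IPs with ASN, then
// aggregate per ASN so rarely contacted networks surface. Reuses the gypthecat
// CSV layout from StephenMcc's reply; table name AsnTable, the 1-day window and
// the "Devices <= 3" cut-off are assumptions for illustration.
let AsnTable = externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
    ['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']
    with (ignoreFirstRecord=true);
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteIPType == "Public"
// ipv4_lookup matches IPv4 only; with return_unmatched=true, IPv6 remotes and
// prefixes missing from the list keep their row but get empty ASN columns
| evaluate ipv4_lookup(AsnTable, RemoteIP, CIDR, return_unmatched=true)
| extend CIDRASNName = iff(isempty(CIDRASNName), "UNMATCHED", CIDRASNName)
| summarize Connections = count(),
            Devices = dcount(DeviceName),
            RemoteIPs = dcount(RemoteIP),
            Processes = make_set(InitiatingProcessFileName, 10)
    by CIDRASN, CIDRASNName
// ASNs contacted by only a handful of devices are the interesting long tail
| where Devices <= 3
| order by Connections asc
```

Dropping the `limit 10` from the original snippet matters here: the aggregation only makes sense over the full window, and the per-ASN device count is what separates a widely used CDN from a single host talking to an unfamiliar hosting provider.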

  • jbmartin6
    Iron Contributor

    I don't see a way to do this. At first I thought maybe the /ip API, but that only provides statistics on activity related to the IP. It may be like the VirusTotal results for files, where MS has consciously chosen not to provide bulk access to the data due to licensing concerns.