Effective Advanced Hunting query to search all hosts in a specified subnetwork


Dear folks,

Could you please help me to create an AH query in WDATP?

I need to search all hosts in a sub-network. For example, I would like to find all hosts in 192.168.20.64/27.

Regards


@mparpaley you can get the local IP address via DeviceNetworkInfo, so maybe the code below will help you.

Because "IPAddresses" is a string, it is difficult to use startswith or endswith, so I just used contains with "192.168.20" rather than exactly your subnet. Hope this brings you closer to your goal.

// Address prefix to search for. This is a plain substring match, not a CIDR check:
// "192.168.20" also matches addresses such as 192.168.200.5 or 10.192.168.20.
let ipAddressParam = "192.168.20";
DeviceNetworkInfo
| where IPAddresses contains ipAddressParam and NetworkAdapterStatus == "Up"
| project DeviceName, Timestamp, IPAddresses
// Keep only the most recent report per device
| summarize arg_max(Timestamp, *) by DeviceName
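A subnet-exact variant, added here as an example and not part of the reply above: it parses the IPAddresses JSON array that DeviceNetworkInfo stores as a string and tests each address with ipv4_is_in_range against the asker's 192.168.20.64/27 prefix. The column names are those of the DeviceNetworkInfo schema; the variable name targetSubnet is my own.

```kql
// Subnet from the question; replace with the CIDR range you want to search.
let targetSubnet = "192.168.20.64/27";
DeviceNetworkInfo
| where NetworkAdapterStatus == "Up"
// IPAddresses is a JSON string holding an array of {IPAddress, SubnetPrefix, AddressType};
// parse it and emit one row per address so each can be tested on its own.
| mv-expand Address = todynamic(IPAddresses)
| extend IPAddress = tostring(Address.IPAddress)
// ipv4_is_in_range returns null for IPv6 or malformed strings, so those rows are dropped.
| where ipv4_is_in_range(IPAddress, targetSubnet)
// Keep only the latest observation per device so each host appears once.
| summarize arg_max(Timestamp, DeviceName, NetworkAdapterName, IPAddress) by DeviceId
| project Timestamp, DeviceName, DeviceId, NetworkAdapterName, IPAddress
```

Unlike the contains filter, this does not match 192.168.20.1 or 192.168.200.x, only addresses inside the /27 (192.168.20.64 to 192.168.20.95).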