MDE Advanced Hunting - Device Network Events - Remote IP Details

Does anyone know of a way to query the MDE IP details through Advanced hunting? I am specifically looking to add an ASN column to my KQL search results for remote IP addresses.
2 Replies
I don't see a way to do this. At first I thought maybe the /ip API, but that only provides statistics on activity related to the IP. It may be like the VirusTotal results for files, where MS has consciously chosen not to provide bulk access to the data due to licensing concerns.


One way to grab ASN data would be to create a lookup table via the externaldata operator, then use the ipv4_lookup() plugin. Gyp the Cat has some nice examples laid out. The ASN data is sourced from GeoLite2 data created by MaxMind.


// Lookup table built from the GeoLite2 ASN CSV, whose columns are
// network, autonomous_system_number, autonomous_system_organization (header row skipped below).
// The file URL was not included in the original post; point this at a copy you host.
let CIDRASN = externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)
    [@"<URL of your hosted GeoLite2-ASN-Blocks-IPv4.csv>"]
    with (format="csv", ignoreFirstRecord=true);
DeviceNetworkEvents
| where RemoteIPType == "Public"
| limit 10
// return_unmatched=true keeps rows whose RemoteIP falls in no CIDR (lookup columns come back null)
| evaluate ipv4_lookup(CIDRASN, RemoteIP, CIDR, return_unmatched=true)
| extend GeoIPData = geo_info_from_ip_address(RemoteIP)
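The same ipv4_lookup() pattern, carried one step further into an ASN summary (connections, distinct IPs and devices per ASN, with unmatched IPs called out). This is an added example, not code from the reply above or from Gyp the Cat's post. Both inputs are constructed inline with datatable so the query runs in any Kusto environment: AsnLookup stands in for the externaldata() GeoLite2 table, NetEvents for DeviceNetworkEvents, and every CIDR, ASN number and IP is illustrative (RFC 5737 documentation ranges and private ASNs), not real MaxMind data.

```kql
// Added example. Stand-in for the GeoLite2 ASN lookup; same three columns as the CSV.
// CIDRs and ASN numbers are constructed for illustration only.
let AsnLookup = datatable(CIDR:string, CIDRASN:int, CIDRASNName:string) [
    "203.0.113.0/24",  64496, "EXAMPLE-NET-1",
    "198.51.100.0/24", 64497, "EXAMPLE-NET-2",
    "192.0.2.0/25",    64498, "EXAMPLE-NET-3"
];
// Stand-in for DeviceNetworkEvents (constructed rows). 192.0.2.200 is deliberately
// outside 192.0.2.0/25 so one public IP has no ASN match; 10.0.0.5 is private and filtered out.
let NetEvents = datatable(Timestamp:datetime, DeviceName:string, RemoteIP:string, RemoteIPType:string, RemotePort:int) [
    datetime(2024-01-15 10:00:00), "host-a", "203.0.113.10", "Public",  443,
    datetime(2024-01-15 10:01:00), "host-a", "203.0.113.11", "Public",  443,
    datetime(2024-01-15 10:02:00), "host-b", "198.51.100.7", "Public",  8443,
    datetime(2024-01-15 10:03:00), "host-b", "192.0.2.200",  "Public",  443,
    datetime(2024-01-15 10:04:00), "host-c", "10.0.0.5",     "Private", 445
];
NetEvents
| where RemoteIPType == "Public"
// return_unmatched=true keeps rows whose IP is in no CIDR; the lookup columns are null for them
| evaluate ipv4_lookup(AsnLookup, RemoteIP, CIDR, return_unmatched=true)
| extend ASN = iff(isnull(CIDRASN), "unmatched", tostring(CIDRASN)),
         ASNName = iff(isempty(CIDRASNName), "unmatched", CIDRASNName)
| summarize Connections = count(),
            DistinctIPs = dcount(RemoteIP),
            Devices = make_set(DeviceName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by ASN, ASNName
| order by Connections desc
```

In Advanced Hunting, replace the two datatable stand-ins with the externaldata() lookup and DeviceNetworkEvents; the rest of the query is unchanged. Keeping return_unmatched=true matters for hunting: an IP that falls outside the lookup table is still a connection you want to see, and the "unmatched" bucket also tells you when the CSV copy is stale.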