MDE Advanced Hunting - Device Network Events - Remote IP Details

Copper Contributor

Does anyone know of a way to query the MDE IP details through Advanced hunting? I am specifically looking to add an ASN column to my KQL search results for remote IP addresses.

 

 
 

cyberchef_2-1682356541051.png

 

2 Replies
I don't see a way to do this, at first I thought maybe the /ip API but that only provides statistics on activity related to the IP. It may be like the virus total results for files, where MS has consciously chosen not to provide a bulk access to the data due to licensing concerns.

@cyberchef 

One way to grab ASN data would be to create a lookup table via the ⁠externaldata operator, then use the ipv4_lookup() plugin. Gyp the Cat has some nice ⁠examples laid out. The ASN data is sourced from GeoLite2 data created by MaxMind.

 

let CIDRASN = (externaldata (CIDR:string, CIDRASN:int, CIDRASNName:string)

['https://firewalliplists.gypthecat.com/lists/kusto/kusto-cidr-asn.csv.zip']

with (ignoreFirstRecord=true));

DeviceNetworkEvents

| where RemoteIPType == "Public"

| limit 10

| evaluate ipv4_lookup(CIDRASN, RemoteIP, CIDR, return_unmatched=true)

| extend GeoIPData = geo_info_from_ip_address(RemoteIP)