We would like to welcome a new table to the Windows Defender ATP Advanced hunting schema: MachineNetworkInfo.

For each network adapter seen on onboarded machines, this table provides the configured IP addresses, gateways, DNS servers, and more. Sounds similar to ipconfig? Well, this is actually the intention.

The Windows Defender ATP sensor tracks this network configuration information on onboarded machines every 15 minutes.

With this comprehensive and up-to-date view of the network status of your machines, you can just imagine all the cool stuff you can do and how this data can enrich your hunting activities.

When you're ready, let's explore some simple examples of how you can use this new set of data.

Scenario #1: Get the IP addresses assigned to a machine

By getting all the IP addresses used by a specific machine at a given point in time, you can pivot your investigations to firewall, IDS or network logs, which record events by IP address rather than by machine name.

This query returns all IP addresses reported from a specific computer within a 30-minute period: 15 minutes on either side of the time of interest, so that, given the 15-minute reporting interval, at least one report from the machine falls inside the window.

```kql
MachineNetworkInfo
// Query for reports sent +-15 minutes around the time we are interested in
| where EventTime between ((datetime(T09:51) - 15m) .. (datetime(T09:51) + 15m))
// Filter by machine name and select only adapters that are enabled and connected
| where ComputerName == "" and NetworkAdapterStatus == "Up"
// Here we expand the list so that each value gets a separate row. IPAddresses contains
// a list of the IP addresses configured on the network adapter, their subnets, and more.
| mv-expand parse_json(IPAddresses)
```

Substitute the machine name in `ComputerName == ""` and the full timestamp in `datetime(...)`; only the time portion of the timestamp is shown here. Note that KQL compares with `==`, not `=`, and the final `mv-expand` line is the operator that performs the expansion the comment above it describes.
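The same table supports the pivot in the opposite direction, which is usually the one an investigator needs: a firewall or IDS log names an IP address and a time, and the question is which onboarded machine held that address. The query below is an added example, not part of the original post. It goes beyond the post's scenario by searching across all machines, and it assumes the MachineNetworkInfo columns used above plus `MachineId` and `NetworkAdapterName`, and that each entry in the `IPAddresses` list carries an `IPAddress` field; the address and timestamp are placeholders.

```kql
// Added example: which machine held a given IP address around the time of a firewall event?
// LookupIP and EventOfInterest are placeholders; replace them with values from your log.
let LookupIP = "10.1.2.3";
let EventOfInterest = datetime(2019-01-01T12:00);
MachineNetworkInfo
// Same +-15 minute window as the post's query, matching the sensor's reporting interval
| where EventTime between ((EventOfInterest - 15m) .. (EventOfInterest + 15m))
// Only adapters that were enabled and connected could have carried traffic
| where NetworkAdapterStatus == "Up"
// One row per configured address; assumes each entry has an IPAddress field
| mv-expand parse_json(IPAddresses)
| extend IP = tostring(IPAddresses.IPAddress)
| where IP == LookupIP
// Distance from the event time lets the closest report sort first
| extend Distance = abs(EventTime - EventOfInterest)
| project ComputerName, MachineId, NetworkAdapterName, IP, EventTime, Distance
| sort by Distance asc
```

Because the sensor reports every 15 minutes, an address can legitimately appear on two different machines inside one window when a DHCP lease moves between them. The query deliberately keeps every match and only sorts the closest report to the top, so the ambiguity is visible rather than silently resolved; if two ComputerName values appear, check the adapter's lease times or the DHCP server log before attributing the traffic.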