1
0
Форкнуть 0
Microsoft-365-Defender-Hunt.../General queries/Network info of machine.txt

15 строки
1.2 KiB
Plaintext
Исходник Обычный вид История

2018-07-17 22:35:36 +03:00
// Get information about the netwotk adapters of the given computer in the given time.
// This could include the configured IP addresses, DHCP servers, DNS servers, and more.
let DeviceIdParam = "c0bfefec0bfefec0bfefec0bfefec0bfefecafe";
2018-07-17 22:35:36 +03:00
let pivotTimeParam = datetime(2018-07-15T19:51);
DeviceNetworkInfo
2018-07-17 22:35:36 +03:00
// Query for reports sent +-15 minutes around the time we are interested in
| where Timestamp between ((pivotTimeParam-15m) .. 30m) and DeviceId == DeviceIdParam and NetworkAdapterStatus == "Up"
2018-07-17 22:35:36 +03:00
// IPAddresses contains a list of the IP addresses configured on the network adapter, their subnets, and more.
// Here we expand the list so that each value gets a separate row. All the other columns in the row, such as MacAddress, are duplicated.
| mvexpand parse_json(IPAddresses)
| project IPAddress=IPAddresses.IPAddress, AddressType=IPAddresses.AddressType, NetworkAdapterType, TunnelType, MacAddress,
ConnectedNetworks, Timestamp, TimeDifference=abs(Timestamp-pivotTimeParam)
2018-07-17 22:35:36 +03:00
// In case multiple machines have reported from that IP address arround that time, start with the ones reporting closest to pivotTimeParam
| sort by TimeDifference asc, NetworkAdapterType, MacAddress