Updates from: 01/01/2021 04:08:34
Category Microsoft Docs article Related commit history on GitHub Change details
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-devicefromip-function https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/advanced-hunting-devicefromip-function.md new file mode 100644
@@ -0,0 +1,74 @@
+title: DeviceFromIP() function in advanced hunting for Microsoft 365 Defender
+description: Learn how to use the DeviceFromIP() function to get the devices that have been assigned a specific IP address
+keywords: advanced hunting, threat hunting, cyber threat hunting, microsoft threat protection, microsoft 365, mtp, m365, search, query, telemetry, schema reference, kusto, device, devicefromIP, function, enrichment
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: microsoft-365-enterprise
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: maccruz
+author: schmurky
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+- M365-security-compliance
+- m365initiative-m365-defender
+ms.topic: article
+# DeviceFromIP()
+[!INCLUDE [Microsoft 365 Defender rebranding](../includes/microsoft-defender.md)]
+**Applies to:**
+- Microsoft 365 Defender
+[!INCLUDE [Prerelease information](../includes/prerelease.md)]
+Use the `DeviceFromIP()` function in your [advanced hunting](advanced-hunting-overview.md) queries to quickly obtain the list of devices that have been assigned to a certain IP address at a given point in time.
+This function returns a table with the following columns:
+| Column | Data type | Description |
+| `IP` | string | IP address |
+| `DeviceId` | string | Unique identifier for the device in the service |
+## Syntax
+invoke DeviceFromIP()
+## Arguments
+This function is invoked as part of a query.
+- **x**ΓÇöThe first parameter is typically already a column in the query. In this case, it is the column named `IP`, the IP address for which you want to see a list of devices that have been assigned to it. It should be a local IP address. External IP addresses are not supported.
+- **y**ΓÇöA second optional parameter is the `Timestamp`, which instructs the function to obtain the most recent assigned devices from a specific time. If not specified, the function returns the latest available records.
+## Example
+### Get the latest devices that have been assigned specific IP addresses
+| limit 100
+| project IP = LocalIP
+| invoke DeviceFromIP()
+## Related topics
+- [Advanced hunting overview](advanced-hunting-overview.md)
+- [Learn the query language](advanced-hunting-query-language.md)
+- [Understand the schema](advanced-hunting-schema-tables.md)
security https://docs.microsoft.com/en-us/microsoft-365/security/mtp/preview https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security/mtp/preview.md
@@ -59,4 +59,6 @@ The following features and enhancements are currently available on preview:
- **[Microsoft 365 Defender APIs](api-overview.md)** - The lop-level Microsoft 365 Defender APIs will enable you to automate workflows based on the shared incident and advanced hunting tables. - **[Take action in advanced hunting](advanced-hunting-take-action.md)**ΓÇöQuickly contain threats or address compromised assets that you find in [advanced hunting](advanced-hunting-overview.md). - **[In-portal schema reference](advanced-hunting-schema-tables.md#get-schema-information-in-the-security-center)**ΓÇöGet information about advanced hunting schema tables directly in the security center. In addition to table and column descriptions, this reference includes supported event types (`ActionType` values) and sample queries.
+- **[DeviceFromIP() function](advanced-hunting-devicefromip-function.md)**ΓÇöGet information about which devices have been assigned a specific IP address or addresses at a given time range.