A device that reports an address in a subnet where it does not belong (a workstation in a server or management range, a host that suddenly holds a VPN or migration-network address) can be a sign of lateral movement, misconfiguration, or unauthorized access. This hunting query reads the adapter addresses recorded in DeviceNetworkInfo and lists every device whose latest report falls inside a given IPv4 range, so SOC teams can baseline a sensitive subnet in Microsoft Sentinel (formerly Azure Sentinel) and investigate unexpected members for compromise or reconnaissance activity.
KQL Query
// Specify the relevant subnet in IpV4Range
let IpV4Range = "172.22.138.0/24";
DeviceNetworkInfo
// Latest report per device and adapter. Grouping by DeviceId alone keeps a
// single adapter of a multi-homed host (LAN + Wi-Fi, VPN tunnel, ...) and can
// drop the address that actually sits in the subnet.
| summarize arg_max(Timestamp, *) by DeviceId, NetworkAdapterName
// IPAddresses is a JSON array of {IPAddress, SubnetPrefix, AddressType}; expand to one row per address
| mv-expand IPAddressEntry=todynamic(IPAddresses)
| extend IPAddress=tostring(IPAddressEntry.IPAddress)
// ipv4_is_in_range() returns null for IPv6 entries, so only IPv4 addresses in the range survive
| where ipv4_is_in_range(IPAddress, IpV4Range)
id: 7f4a9010-4948-4e0c-b668-7a2f603c7dc8
name: Devices In Subnet - IPAddressV4
description: |
  This query surfaces devices that are in a specific IPAddressV4 subnet
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkInfo
tactics: []
relevantTechniques: []
query: |
  // Specify the relevant subnet in IpV4Range
  let IpV4Range = "172.22.138.0/24";
  DeviceNetworkInfo
  // Latest report per device and adapter; grouping by DeviceId alone keeps only
  // one adapter of a multi-homed host and can drop the address in the subnet
  | summarize arg_max(Timestamp, *) by DeviceId, NetworkAdapterName
  // IPAddresses is a JSON array of {IPAddress, SubnetPrefix, AddressType}
  | mv-expand IPAddressEntry=todynamic(IPAddresses)
  | extend IPAddress=tostring(IPAddressEntry.IPAddress)
  // ipv4_is_in_range() returns null for IPv6 entries, so they are filtered out here
  | where ipv4_is_in_range(IPAddress, IpV4Range)
Because DeviceNetworkInfo records the addresses configured on each device's adapters rather than its connections, a benign device only matches when it actually holds an address in the range. Common cases and how to tune them out:
Scenario: Scheduled System Backup Job
Description: A backup server or proxy is legitimately homed in the subnet, or picks up an address on a dedicated backup network during the nightly job, and appears on every run.
Filter/Exclusion: Exclude the addresses or device names of backup infrastructure (Veeam, Commvault, Veritas NetBackup), optionally only within the scheduled maintenance window.
Scenario: Network Discovery Tool Scanning
Description: A discovery or IPAM scanner (SolarWinds IP Address Manager, or a host running Nmap) has an interface in the subnet in order to inventory it.
Filter/Exclusion: Exclude the scanner's addresses, or add a time-based filter that suppresses them during known discovery windows.
Scenario: Remote Administration Task
Description: An admin jump host or VPN client obtains an address in the subnet while managing devices there over PowerShell Remoting or SSH.
Filter/Exclusion: Exclude the addresses of known admin hosts. DeviceNetworkInfo carries no user fields, so a user-based exclusion needs a join to DeviceInfo on DeviceId and a check of its LoggedOnUsers column against known admin accounts or groups.
Scenario: Virtual Machine Migration
Description: A virtual machine being migrated between hosts temporarily reports an address in a different subnet during the process.
Filter/Exclusion: Exclude the addresses of the migration networks used by VMware vMotion, Microsoft Hyper-V Live Migration, or KVM live migration.
Scenario: DNS Server Homed in the Subnet
Description: DNS servers (Microsoft DNS, BIND 9, PowerDNS) that serve the subnet hold a permanent address in it and match on every run; DNS queries themselves do not change any device's adapter addresses and cannot trigger the query.
Filter/Exclusion: Exclude the DNS servers' addresses with an IP allowlist.
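The following is an added tuning example, not part of the original query: the hunt with the exclusions from the scenarios above applied, run over a constructed DeviceNetworkInfo sample so it can be pasted into any Kusto or Sentinel query window. The allowlists, host names, maintenance window and sample rows are all hypothetical; the JSON shape of IPAddresses follows the real table.

```kql
// Added example (not the original hunting query). Replace SampleDeviceNetworkInfo
// with DeviceNetworkInfo to run against real data.
let IpV4Range = "172.22.138.0/24";
// Hypothetical allowlist: backup server, IPAM scanner and DNS server that are
// legitimately homed in the subnet (backup, discovery and DNS scenarios).
let KnownInfraIPs = dynamic(["172.22.138.10", "172.22.138.20", "172.22.138.53"]);
// Hypothetical hosts that only legitimately hold a subnet address during the
// nightly 01:00-03:59 UTC maintenance window (admin jump host, migration host).
let MaintenanceHosts = dynamic(["jump-admin-01", "hv-host-01"]);
// Constructed sample rows: a backup server, a multi-homed workstation (LAN + Wi-Fi,
// with an IPv6 entry), a migration host inside the window, an admin host outside
// the window, and a server in an unrelated subnet.
let SampleDeviceNetworkInfo = datatable(Timestamp:datetime, DeviceId:string, DeviceName:string, NetworkAdapterName:string, IPAddresses:string)
[
    datetime(2024-05-01T02:10:00Z), "dev-001", "backup01",      "Ethernet0", '[{"IPAddress":"172.22.138.10","SubnetPrefix":24,"AddressType":"Private"}]',
    datetime(2024-05-01T14:00:00Z), "dev-002", "ws-finance-07", "Ethernet0", '[{"IPAddress":"172.22.138.77","SubnetPrefix":24,"AddressType":"Private"},{"IPAddress":"fe80::1c2a:1","SubnetPrefix":64,"AddressType":"Private"}]',
    datetime(2024-05-01T14:00:00Z), "dev-002", "ws-finance-07", "Wi-Fi",     '[{"IPAddress":"10.20.30.40","SubnetPrefix":24,"AddressType":"Private"}]',
    datetime(2024-05-01T02:30:00Z), "dev-003", "hv-host-01",    "Migration", '[{"IPAddress":"172.22.138.200","SubnetPrefix":24,"AddressType":"Private"}]',
    datetime(2024-05-01T11:45:00Z), "dev-004", "jump-admin-01", "VPN",       '[{"IPAddress":"172.22.138.150","SubnetPrefix":24,"AddressType":"Private"}]',
    datetime(2024-05-01T09:30:00Z), "dev-005", "srv-hr-02",     "Ethernet0", '[{"IPAddress":"10.0.5.15","SubnetPrefix":24,"AddressType":"Private"}]',
];
SampleDeviceNetworkInfo
// latest report per device AND adapter, so the LAN address of a multi-homed host is not lost
| summarize arg_max(Timestamp, *) by DeviceId, NetworkAdapterName
| mv-expand IPAddressEntry = todynamic(IPAddresses)
| extend IPAddress = tostring(IPAddressEntry.IPAddress)
// ipv4_is_in_range() yields null for the IPv6 entry, which this where drops
| where ipv4_is_in_range(IPAddress, IpV4Range)
// scenario exclusions: permanent infrastructure is always suppressed,
// maintenance hosts only while inside their window (hourofday() is UTC)
| where IPAddress !in (KnownInfraIPs)
| where not(DeviceName in (MaintenanceHosts) and hourofday(Timestamp) between (1 .. 3))
| project Timestamp, DeviceId, DeviceName, NetworkAdapterName, IPAddress
```

On the sample rows, backup01 is suppressed by the allowlist, hv-host-01 by the maintenance window, and the Wi-Fi adapter, IPv6 entry and srv-hr-02 never match the range; what remains is ws-finance-07 through its Ethernet0 adapter and jump-admin-01, which reports a subnet address outside its permitted window. When moving this to real data, keep the allowlists in a watchlist or a shared let function rather than inline literals, and convert the window to UTC if the maintenance schedule is defined in local time.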