A device that reports an address in a sensitive IPv6 subnet (a management or server segment, for example) may indicate lateral movement or unauthorized access within the network. This hunting query lists every onboarded device whose latest network snapshot places it in a given IPv6 range, so SOC teams can proactively check for compromise or reconnaissance in their Microsoft Sentinel (formerly Azure Sentinel) environment. The query is an inventory lookup: it reads the addresses each device reports about itself, not traffic or process activity, so the results are a starting point for triage rather than an alert on their own.
KQL Query
```kusto
// Specify the relevant subnet in IpV6Range (CIDR notation)
let IpV6Range = "2001:4898::1050:1050/127";
DeviceNetworkInfo
// Latest snapshot per device. Each row is one adapter, so a multi-homed host keeps
// only one interface here; use "by DeviceId, NetworkAdapterName" to keep them all.
| summarize arg_max(Timestamp, *) by DeviceId
// IPAddresses is a JSON array of {IPAddress, SubnetPrefix, AddressType} objects
| mv-expand IPAddressEntry=todynamic(IPAddresses)
| extend IPAddress=tostring(IPAddressEntry.IPAddress)
// ipv6_is_match compares an address against a CIDR range
| where ipv6_is_match(IPAddress, IpV6Range)
```
```yaml
id: 008f87b5-5b80-4487-9612-80032d931a69
name: Devices In Subnet - IPAddressV6
description: |
  This query surfaces devices that are in a specific IPAddressV6 subnet
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkInfo
tactics: []
relevantTechniques: []
query: |
  // Specify the relevant subnet in IpV6Range
  let IpV6Range = "2001:4898::1050:1050/127";
  DeviceNetworkInfo
  | summarize arg_max(Timestamp, *) by DeviceId
  | mv-expand IPAddressEntry=todynamic(IPAddresses)
  | extend IPAddress=tostring(IPAddressEntry.IPAddress)
  | where ipv6_is_match(IPAddress, IpV6Range)
```
Scenario: IPv6 Address Assignment via DHCPv6
Description: A legitimate DHCPv6 server hands out addresses in the monitored subnet, so every device that joins that segment appears in the results.
Filter/Exclusion: DeviceNetworkInfo records the server that issued an adapter's lease in the IPv6Dhcp column. Exclude rows whose IPv6Dhcp is one of your known DHCPv6 servers, or keep an allow-list of expected DeviceName values and remove them with a leftanti join.
Scenario: Scheduled System Updates via IPv6
Description: Patch-management infrastructure (a WSUS server, an Ansible control node) legitimately resides in the subnet and is listed on every run. A scheduled job does not by itself move a device into a subnet; the query reads inventory snapshots, not process activity.
Filter/Exclusion: DeviceNetworkInfo carries no process fields, so process-name filters (wusa.exe, ansible, yum) cannot be applied in this query. Exclude the maintenance hosts by DeviceName or DeviceId, or correlate with DeviceProcessEvents if process context is needed.
Scenario: Network Discovery Tool Scanning Subnet
Description: The host that runs a network scanner (Nmap, a SolarWinds network management server) has an interface in the subnet. The scan itself produces no DeviceNetworkInfo rows; only the scanner's own address is reported.
Filter/Exclusion: Exclude the scanner host by DeviceName. If the scanning activity is what you want to see, hunt in DeviceNetworkEvents for connection fan-out from that host instead.
Scenario: IPv6 Tunnel Broker Usage
Description: A device with a tunnel interface (a Hurricane Electric or SixXS tunnel, or a built-in Teredo, 6to4 or ISATAP adapter) holds a tunnel-assigned address. If the monitored range overlaps a prefix the broker delegates, the device matches.
Filter/Exclusion: Exclude tunnel adapters using the TunnelType and NetworkAdapterType columns, or exclude the broker's delegated prefix with a second ipv6_is_match check.
Scenario: IPv6 Static Assignment for Management Interfaces
Description: A device has a static IPv6 address assigned for management purposes (e.g., via ipconfig or ifconfig
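As an added example (not the repository's query), the tuned hunt below applies the exclusions from the scenarios above in one place: it checks several ranges, keeps one row per adapter so multi-homed hosts are not collapsed, skips tunnel adapters, drops leases issued by known DHCPv6 servers, and removes an allow-list of expected hosts. The second range, the device names and the DHCPv6 server address are constructed placeholders, not values from the page.

```kusto
// Added example, not the repository's query. Ranges, hostnames and the DHCPv6
// server address below are constructed placeholders.
let IpV6Ranges = dynamic(["2001:4898::1050:1050/127", "2001:db8:10::/64"]);
// Constructed allow-list of hosts expected in these ranges (hypothetical names)
let KnownDevices = datatable(DeviceName:string, Reason:string)
[
    "mgmt-jump01.contoso.local", "management jump host (static address)",
    "wsus01.contoso.local",      "WSUS server"
];
// Known DHCPv6 servers whose leases are expected (hypothetical address)
let KnownDhcpv6Servers = dynamic(["2001:db8:10::1"]);
DeviceNetworkInfo
| where Timestamp > ago(7d)
// Latest snapshot per adapter, so a multi-homed host keeps every interface
| summarize arg_max(Timestamp, *) by DeviceId, NetworkAdapterName
// Skip tunnel adapters (Teredo, 6to4, ISATAP, broker tunnels); review those separately
| where isempty(TunnelType)
// IPAddresses is a JSON array of {IPAddress, SubnetPrefix, AddressType} objects
| mv-expand IPAddressEntry = todynamic(IPAddresses)
| extend IPAddress = tostring(IPAddressEntry.IPAddress),
         SubnetPrefix = toint(IPAddressEntry.SubnetPrefix)
| where IPAddress contains ":"   // cheap pre-filter: IPv6 entries only
// Test each address against every hunted range
| mv-expand MatchedRange = IpV6Ranges to typeof(string)
| where ipv6_is_match(IPAddress, MatchedRange)
// Drop leases from known DHCPv6 servers and hosts on the allow-list
| where not(IPv6Dhcp in (KnownDhcpv6Servers))
| join kind=leftanti KnownDevices on DeviceName
| project Timestamp, DeviceId, DeviceName, NetworkAdapterName, MacAddress,
          IPAddress, SubnetPrefix, MatchedRange, IPv6Dhcp
| sort by Timestamp desc
```

Keeping IPv6Dhcp and MatchedRange in the output lets an analyst see at a glance whether a surviving row is an unexpected lease from an unknown server or a static address, which is usually the first triage question for a host that should not be on the segment.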