Adversaries may use observed IPv4 subnets to map network segments and identify potential targets within an Azure environment. Proactively hunting for unusual or unexpected subnet activity can help detect lateral movement or reconnaissance efforts early.
KQL Query
// Latest network configuration reported by each device
DeviceNetworkInfo
| summarize arg_max(Timestamp, *) by DeviceId
// IPAddresses is a JSON array of {IPAddress, SubnetPrefix, ...}; expand it to one row per address
| mv-expand todynamic(IPAddresses)
| where isnotempty(IPAddresses.SubnetPrefix) and isnotempty(IPAddresses.IPAddress)
// Derive the network in CIDR notation from the address and its prefix length
| extend Subnet = format_ipv4_mask(tostring(IPAddresses.IPAddress), toint(IPAddresses.SubnetPrefix))
// Distinct subnets observed across the fleet
| summarize by Subnet
id: 919047fa-f646-469a-bfeb-69a0dcbf44c0
name: Seen IPv4 Network Subnets
description: |
  This query uncovers seen IPAddressV4 network subnets
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkInfo
tactics: []
relevantTechniques: []
query: |
  // Latest network configuration reported by each device
  DeviceNetworkInfo
  | summarize arg_max(Timestamp, *) by DeviceId
  // IPAddresses is a JSON array of {IPAddress, SubnetPrefix, ...}; expand it to one row per address
  | mv-expand todynamic(IPAddresses)
  | where isnotempty(IPAddresses.SubnetPrefix) and isnotempty(IPAddresses.IPAddress)
  // Derive the network in CIDR notation from the address and its prefix length
  | extend Subnet = format_ipv4_mask(tostring(IPAddresses.IPAddress), toint(IPAddresses.SubnetPrefix))
  // Distinct subnets observed across the fleet
  | summarize by Subnet
Scenario: Regular network discovery scans using Nmap or Masscan
Filter/Exclusion: Exclude IP ranges used by network scanning tools (e.g., 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12) or add a condition to ignore traffic originating from known scanning tools.
Scenario: Scheduled system updates using WSUS or Microsoft Endpoint Manager
Filter/Exclusion: Exclude IP ranges associated with update servers (e.g., 10.10.0.0/24) or filter by source IP addresses known to be used by the update infrastructure.
Scenario: Log collection from Splunk or ELK Stack using forwarders
Filter/Exclusion: Exclude IP ranges used by log forwarders (e.g., 192.168.10.0/24) or filter by source IP addresses associated with the log collection infrastructure.
Scenario: Internal DNS queries using Microsoft DNS Server or Bind9
Filter/Exclusion: Exclude internal DNS server IP ranges (e.g., 10.20.0.0/24) or filter by source IP addresses of internal DNS clients.
Scenario: Automated backup jobs using Veeam or Commvault
Filter/Exclusion: Exclude IP ranges used by backup servers (e.g., 192.168.20.0/24) or filter by source IP addresses associated with backup operations.
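The following Python script is an added example, not part of the hunting query or the Azure Sentinel repository. It reproduces the KQL pipeline above step by step on constructed DeviceNetworkInfo-shaped rows (the device ids, timestamps and addresses are made up) so the per-device arg_max, the mv-expand, the empty-field filter and format_ipv4_mask behaviour can be checked offline, and it adds the Filter/Exclusion step from the false-positive scenarios, reporting both what survives and what an exclusion list suppresses.

```python
"""Offline stand-in for the 'Seen IPv4 Network Subnets' hunt (added example, not the
project's code). Each KQL operator maps to one step below:
    summarize arg_max(Timestamp, *) by DeviceId  -> latest_record_per_device()
    mv-expand todynamic(IPAddresses)              -> json.loads() + inner loop
    where isnotempty(...) and isnotempty(...)     -> the 'continue' guard
    extend Subnet = format_ipv4_mask(ip, prefix)  -> format_ipv4_mask()
    summarize by Subnet                           -> set() of distinct subnets
apply_exclusions() adds the Filter/Exclusion step from the false-positive scenarios."""
import ipaddress
import json
from datetime import datetime

# Constructed sample rows shaped like DeviceNetworkInfo; device ids and addresses are made up.
SAMPLE_ROWS = [
    {"Timestamp": "2024-01-01T10:00:00Z", "DeviceId": "dev-a",
     "IPAddresses": json.dumps([
         {"IPAddress": "10.1.2.34", "SubnetPrefix": 24, "AddressType": "Private"}])},
    {"Timestamp": "2024-01-01T12:00:00Z", "DeviceId": "dev-a",   # newer report for dev-a: wins arg_max
     "IPAddresses": json.dumps([
         {"IPAddress": "10.1.5.7", "SubnetPrefix": 24, "AddressType": "Private"}])},
    {"Timestamp": "2024-01-01T09:30:00Z", "DeviceId": "dev-b",
     "IPAddresses": json.dumps([
         {"IPAddress": "10.10.0.15", "SubnetPrefix": 24, "AddressType": "Private"},
         {"IPAddress": "192.168.20.200", "SubnetPrefix": 24, "AddressType": "Private"},
         {"IPAddress": "fe80::1", "SubnetPrefix": 64, "AddressType": "Private"},  # IPv6: no IPv4 mask
         {"IPAddress": "", "SubnetPrefix": 24},        # empty address: dropped by the where clause
         {"IPAddress": "172.16.9.1"}])},               # no SubnetPrefix: dropped by the where clause
]


def latest_record_per_device(rows):
    """arg_max(Timestamp, *) by DeviceId: keep only the newest row for each device."""
    latest = {}
    for row in rows:
        ts = datetime.fromisoformat(row["Timestamp"].replace("Z", "+00:00"))
        if row["DeviceId"] not in latest or ts > latest[row["DeviceId"]][0]:
            latest[row["DeviceId"]] = (ts, row)
    return [row for _, row in latest.values()]


def format_ipv4_mask(ip, prefix):
    """Equivalent of KQL format_ipv4_mask(): the network in CIDR notation.
    Returns None where KQL would return an empty string (input is not a valid IPv4 address/prefix)."""
    try:
        ipaddress.IPv4Address(ip)                      # rejects IPv6 and malformed strings
        return str(ipaddress.IPv4Network((ip, int(prefix)), strict=False))
    except (ipaddress.AddressValueError, ipaddress.NetmaskValueError, ValueError, TypeError):
        return None


def seen_subnets(rows):
    """Runs the whole pipeline and returns the distinct IPv4 subnets, sorted."""
    subnets = set()
    for row in latest_record_per_device(rows):
        for entry in json.loads(row["IPAddresses"]):            # mv-expand todynamic(IPAddresses)
            ip, prefix = entry.get("IPAddress"), entry.get("SubnetPrefix")
            if not ip or prefix in (None, ""):                  # where isnotempty(...) and isnotempty(...)
                continue
            subnet = format_ipv4_mask(ip, prefix)
            if subnet is not None:    # the KQL version would emit an empty-string Subnet row here instead
                subnets.add(subnet)
    return sorted(subnets)


def apply_exclusions(subnets, excluded_ranges):
    """Filter/Exclusion step: drop subnets that lie entirely inside a known-benign range.
    Returns (kept, dropped) so the analyst can see how much an exclusion list suppresses."""
    excluded = [ipaddress.IPv4Network(r) for r in excluded_ranges]
    kept, dropped = [], []
    for s in subnets:
        net = ipaddress.IPv4Network(s)
        (dropped if any(net.subnet_of(r) for r in excluded) else kept).append(s)
    return kept, dropped


if __name__ == "__main__":
    seen = seen_subnets(SAMPLE_ROWS)
    print("Seen subnets:", seen)
    # Narrow exclusions from the update-server and backup-server scenarios on the page
    print("After narrow exclusions:", apply_exclusions(seen, ["10.10.0.0/24", "192.168.20.0/24"]))
    # The broad private ranges from the first scenario suppress every private subnet
    print("After RFC1918 exclusions:", apply_exclusions(seen, ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]))
```

The dropped list is the check worth running before committing an exclusion to the saved query: with the narrow /24 ranges only the update and backup subnets disappear, while the three broad private ranges suppress every subnet in the sample, so exclusions should be scoped to the ranges the scanner, update, logging, DNS or backup infrastructure actually uses. In the KQL itself the same filter belongs before the final summarize, for example as a `where not(ipv4_is_in_any_range(tostring(IPAddresses.IPAddress), "10.10.0.0/24", "192.168.20.0/24"))` clause.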