How to load the Azure IP address list for east us 2 into the hunting query "Detect Azure RemoteIP"

AustinBits 0 Reputation points
2025-04-28T17:08:05.2366667+00:00

In the Defender dashboard in Azure, under Hunting, Advanced Hunting, Queries, General Queries, Detect Azure RemoteIP

I downloaded the .json file that is the list of all IP address ranges. I copied the IP address list for east us 2 and pasted it into the section (DeviceNetworkEvents | take 10000) as stated in the top instructions of: "replace the demo portion of the query (DeviceNetworkEvents | take 10000) with your query with the column name of the IP address"

This query fails after pasting in the IP address list from the json file.

It is giving the error of expecting a semicolon in "line 3, position 4" but line 3 is setting a variable let AzureSubnets = toscalar (

Or if it means the third line in the IP address list after the note //begin sample query//, it is just another IP address in the list, see bottom 2 pics. Anyone have an idea where this semicolon can be inserted?

kql for remote ip addresses adv hunt1a

kql for remote ip addresses adv hunt1

kql for remote ip addresses adv hunt2

kql for remote ip addresses adv hunt5

kql for remote ip addresses adv hunt8

kql for remote ip addresses adv hunt9

Microsoft Defender for Identity
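Added example, not part of the original question and not code from the Defender query: lines copied out of the service tags JSON are not KQL on their own, so this sketch turns one tag's `addressPrefixes` into a single `let` statement holding a `dynamic` array of quoted CIDR strings, terminated by a semicolon. The tag name `AzureCloud.eastus2`, the variable name `EastUs2Ranges`, and the sample prefixes (documentation ranges, not real Azure ranges) are assumptions.

```python
import ipaddress
import json

# Constructed sample in the layout of the Azure service tags JSON download
# (values[].name and properties.addressPrefixes). Prefixes are documentation
# ranges, not real Azure ranges.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.eastus2",
         "properties": {"region": "eastus2",
                        "addressPrefixes": ["192.0.2.0/24", "198.51.100.0/25",
                                            "2001:db8:1::/48"]}},
        {"name": "AzureCloud.westus",
         "properties": {"region": "westus",
                        "addressPrefixes": ["203.0.113.0/24"]}},
    ],
})


def prefixes_for_tag(service_tags_json, tag_name, version=4):
    """Return the validated CIDR prefixes of one service tag for one IP version."""
    doc = json.loads(service_tags_json)
    for entry in doc["values"]:
        if entry["name"] == tag_name:
            nets = (ipaddress.ip_network(p, strict=False)
                    for p in entry["properties"]["addressPrefixes"])
            return [str(n) for n in nets if n.version == version]
    raise KeyError(f"service tag {tag_name!r} not found")


def kql_let(var_name, prefixes):
    """Render the prefixes as one KQL let statement holding a dynamic array.

    Each value is a quoted string inside dynamic([...]) and the statement
    ends with the semicolon KQL requires after a let statement.
    """
    if not prefixes:
        raise ValueError("no prefixes to render")
    body = ",\n".join(f'    "{p}"' for p in prefixes)
    return f"let {var_name} = dynamic([\n{body}\n]);"


if __name__ == "__main__":
    ranges = prefixes_for_tag(SAMPLE_SERVICE_TAGS, "AzureCloud.eastus2")
    print(kql_let("EastUs2Ranges", ranges))
    # Hypothetical use of the variable (IPv4 only, hence version=4 above):
    print("DeviceNetworkEvents\n| where ipv4_is_in_any_range(RemoteIP, EastUs2Ranges)")
```

The IPv6 prefixes are filtered out because `ipv4_is_in_any_range` only handles IPv4; pass `version=6` and use `ipv6_is_in_any_range` for the rest.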