Bert-JanP / Hunting-Queries-Detection-Rules

KQL Queries. Defender For Endpoint and Azure Sentinel Hunting and Detection Queries in KQL. Out of the box KQL queries for: Advanced Hunting, Custom Detection, Analytics Rules & Hunting Rules.
https://kqlquery.com
BSD 3-Clause "New" or "Revised" License
1.14k stars 213 forks

geo_info_from_ip_address not available in MDE AH #17

Closed mezzofix closed 10 months ago

mezzofix commented 10 months ago

[New LOLBIN with external connection](https://github.com/Bert-JanP/Hunting-Queries-Detection-Rules/blob/main/Defender%20For%20Endpoint/Living%20Off%20The%20Land/NewLOLBinExternalConnection.md#new-lolbin-with-external-connection) is referencing the KQL geo_info_from_ip_address function, but it looks like it isn't supported in Defender for Endpoint Advanced Hunting:

[image attached to the issue]

Bert-JanP commented 10 months ago

Hi, thank you for the concern. This is supported even though it does not seem like it. The queries will run without any error.
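As an added example (not a query from the repository and not code posted by either commenter), the following shows how geo_info_from_ip_address can be used in a Defender for Endpoint Advanced Hunting query over the standard DeviceNetworkEvents schema. It assumes the function executes even when the query editor does not flag it as supported, and it filters to public addresses because the function returns an empty result for private or otherwise unresolvable IPs:

```kql
// Added example: enrich successful outbound connections with geolocation.
// Assumes the standard MDE Advanced Hunting DeviceNetworkEvents schema.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
// Private/link-local addresses return an empty geo record, so skip them.
| where RemoteIPType == "Public"
// The function returns a dynamic object; pull out the fields of interest.
| extend GeoInfo = geo_info_from_ip_address(RemoteIP)
| extend RemoteCountry = tostring(GeoInfo.country),
         RemoteCity = tostring(GeoInfo.city)
// Summarize per device and initiating process so an unexpected
// country for a given binary stands out during review.
| summarize Connections = count(),
            Destinations = make_set(RemoteIP, 20),
            Countries = make_set(RemoteCountry, 20)
    by DeviceName, InitiatingProcessFileName
| order by Connections desc
```

The result set is meant for triage rather than alerting as-is: pair it with an allow-list of expected processes or countries before turning it into a custom detection, and remember that an empty RemoteCountry value means the lookup had no data for that address, not that the connection is benign.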