From 92a98a267c9554b3ceeeee0d60825e1d60767900 Mon Sep 17 00:00:00 2001
From: cgosec <147876916+cgosec@users.noreply.github.com>
Date: Mon, 1 Apr 2024 12:05:18 +0200
Subject: [PATCH] Update Defender365_Query.md

---
 parser/Defender365_Query.md | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/parser/Defender365_Query.md b/parser/Defender365_Query.md
index 76067b8..6333556 100644
--- a/parser/Defender365_Query.md
+++ b/parser/Defender365_Query.md
@@ -17,4 +17,15 @@ Simply export it and upload it to Blauhaunt...
-(Likely you have to chunk by using the starttime and endtime variable since Denfender is limited to 10k lines of export *measly*
+(Likely you have to chunk by using the starttime and endtime variable since Denfender is limited to 10k lines of export *measly*)
+
+ # IP to Host Mapping:
+ DeviceLogonEvents
+ | where RemoteDeviceName != ""
+ | where RemoteIP !startswith "127."
+ | where RemoteIP !in ("", "-")
+ | project RemoteDeviceName, RemoteIP
+ | summarize by RemoteDeviceName, RemoteIP
+
+ Import this into last input field:
+![image](https://github.com/cgosec/Blauhaunt/assets/147876916/60983c02-e2e2-41f0-9b2c-d8953614b22d)