2 Custom Graph Query On Recommendations And Target
Query
ExposureGraphEdges
| make-graph SourceNodeId --> TargetNodeId with ExposureGraphNodes on NodeId
| graph-match cycles=none (Recommendation)-[affecting]->(azuredevopsrepository)-[actions*1..3]->(Resource)
where Recommendation.NodeLabel == "mdcManagementRecommendation"
and affecting.EdgeLabel == "affecting"
and all(actions, EdgeLabel == "provisions")
and Resource.NodeLabel == "microsoft.storage/storageaccounts"
project
RecommendationName = Recommendation.NodeName,
Severity = tostring(Recommendation.NodeProperties.rawData.severity),
RepoName = azuredevopsrepository.NodeName,
Resource = Resource.NodeNameExplanation
This query is analyzing a graph of nodes and edges to identify specific relationships between recommendations, Azure DevOps repositories, and storage account resources. Here's a simplified breakdown:
-
Data Source: The query starts with a dataset called
ExposureGraphEdgesand uses another datasetExposureGraphNodesto provide additional context. -
Graph Construction: It constructs a graph where each edge represents a connection from a
SourceNodeIdto aTargetNodeId. -
Pattern Matching: The query looks for a specific pattern in the graph:
- A node labeled as "mdcManagementRecommendation" (representing a management recommendation) that affects an "azuredevopsrepository" node.
- The "azuredevopsrepository" node can have 1 to 3 "provisions" actions leading to a "microsoft.storage/storageaccounts" node (representing a storage account resource).
-
Conditions: It ensures:
- The edge between the recommendation and the repository is labeled "affecting".
- All actions between the repository and the resource are labeled "provisions".
- The final node is specifically a storage account resource.
-
Output: The query projects (or selects) the following information:
- The name of the recommendation.
- The severity level of the recommendation.
- The name of the Azure DevOps repository.
- The name of the storage account resource.
In essence, this query is identifying and listing management recommendations that affect Azure DevOps repositories, which in turn provision storage account resources, along with their severity and involved entities.
Details

Thomas Naunheim
Released: June 4, 2025
Tables
Keywords
Operators