Defender External Attack Surface Management - Risky Assets
EASM Risky Assets
Query
EasmRisk_CL
| where AssetLastSeen_t >= ago(7d)
| where CategoryName_s == "High Severity"
| extend Rule = tostring(parse_json(AssetDiscoveryAuditTrail_s)[0].Rule)
| project TimeGenerated, AssetType_s, AssetName_s, CategoryName_s, RuleAbout this query
Defender External Attack Surface Management - Risky Assets
Query Information
Description
Use the below queries to find risky assets in Defender External Attack Surface Management
References
Microsoft Sentinel
List risky assets
List of all risky assets
EasmRisk_CL
| where TimeGenerated > ago(180d)
| extend Severity = CategoryName_s
| extend Description = MetricDisplayName_s
| extend AssetType = AssetType_s
| extend AssetName = AssetName_s
| extend IPAddress = iff(AssetType == 'IP_ADDRESS',AssetName_s,"")
| extend Host = iff(AssetType == 'HOST',AssetName_s,"")
| extend Page = iff(AssetType == 'PAGE',AssetName_s,"")
| extend Domain = iff(AssetType == 'DOMAIN',AssetName_s,"")
| extend SSLCert = iff(AssetType == 'SSL_CERT',AssetName_s,"")
| project TimeGenerated, Severity, Description, AssetType, AssetName, IPAddress,Host, Domain, SSLCert, Page, AssetUuid_g
Explanation
This KQL query is designed to identify and list risky assets within the Defender External Attack Surface Management system. Here's a simplified breakdown of what each part of the query does:
-
Finding High Severity Risky Assets (Last 7 Days):
- The first part of the query filters the
EasmRisk_CLtable to find assets that have been seen in the last 7 days (AssetLastSeen_t >= ago(7d)) and are categorized as "High Severity" (CategoryName_s == "High Severity"). - It then extracts the rule associated with each asset from the
AssetDiscoveryAuditTrail_sfield and converts it to a string. - Finally, it selects and displays the following columns:
TimeGenerated,AssetType_s,AssetName_s,CategoryName_s, and the extractedRule.
- The first part of the query filters the
-
Listing All Risky Assets (Last 180 Days):
- The second part of the query retrieves all risky assets from the
EasmRisk_CLtable that have been generated in the last 180 days (TimeGenerated > ago(180d)). - It extends the data with additional fields for clarity:
Severityis set to the value ofCategoryName_s.Descriptionis set to the value ofMetricDisplayName_s.AssetTypeandAssetNameare directly taken from their respective fields.- Depending on the
AssetType, it assigns theAssetNameto specific fields such asIPAddress,Host,Page,Domain, orSSLCert.
- The query then projects a list of columns to display:
TimeGenerated,Severity,Description,AssetType,AssetName,IPAddress,Host,Domain,SSLCert,Page, andAssetUuid_g.
- The second part of the query retrieves all risky assets from the
In summary, these queries help identify and list risky assets by their severity and type, providing detailed information about each asset's characteristics and when they were last seen or generated.
Details

Alex Verboon
Released: April 16, 2026
Tables
EasmRisk_CL
Keywords
DefenderExternalAttackSurfaceManagementRiskyAssetsMicrosoftSentinelTimeGeneratedAssetTypeAssetNameCategoryNameRuleSeverityDescriptionIPAddressHostDomainSSLCertPageAssetUuid
Operators
where>=ago==extendtostringparse_jsonproject>iff