Microsoft Security Exposure Management - Critical Assets
EEG Critical Assets
Query
// Critical Identities
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| extend criticalityLevel = parse_json(NodeProperties.rawData.criticalityLevel.criticalityLevel)
| extend RuleNames = parse_json(NodeProperties.rawData.criticalityLevel.ruleNames)
| extend AccountUPN = tostring(NodeProperties.rawData.accountUpn);About this query
Microsoft Security Exposure Management - Critical Assets
Query Information
Description
Use the below queries to identify critical assets in Microsoft Security Exposure Management
References
Microsoft Defender XDR
// Critical Devices
ExposureGraphNodes
| where set_has_element(Categories, "compute")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| extend criticalityLevel = parse_json(NodeProperties.rawData.criticalityLevel.criticalityLevel)
| extend eDeviceRole = parse_json(NodeProperties.rawData.deviceRole)[0]
| extend Devicename = tostring(NodeProperties.rawData.deviceName);
Explanation
These queries help identify critical assets in Microsoft Security Exposure Management. The first query focuses on critical identities, while the second query focuses on critical devices. Both queries filter for assets with a criticality level less than 4 and extract additional information such as rule names, account UPN, device role, and device name.
Details

Alex Verboon
Released: March 26, 2024
Tables
ExposureGraphNodes
Keywords
DevicesIntuneUser
Operators
whereset_has_elementisnotnullextendparse_jsontostring