Query Details

Microsoft Security Exposure Management - Critical Assets

EEG Critical Assets

Query

// Critical Identities
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| extend criticalityLevel = parse_json(NodeProperties.rawData.criticalityLevel.criticalityLevel)
| extend RuleNames = parse_json(NodeProperties.rawData.criticalityLevel.ruleNames)
| extend AccountUPN = tostring(NodeProperties.rawData.accountUpn);

About this query

Microsoft Security Exposure Management - Critical Assets

Query Information

Description

Use the below queries to identify critical assets in Microsoft Security Exposure Management

References

Microsoft Defender XDR

// Critical Devices
ExposureGraphNodes
| where set_has_element(Categories, "compute")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4
| extend criticalityLevel = parse_json(NodeProperties.rawData.criticalityLevel.criticalityLevel)
| extend eDeviceRole = parse_json(NodeProperties.rawData.deviceRole)[0]
| extend Devicename = tostring(NodeProperties.rawData.deviceName);

Explanation

These queries help identify critical assets in Microsoft Security Exposure Management. The first query focuses on critical identities, while the second query focuses on critical devices. Both queries filter for assets with a criticality level less than 4 and extract additional information such as rule names, account UPN, device role, and device name.

Details

Alex Verboon profile picture

Alex Verboon

Released: March 26, 2024

Tables

ExposureGraphNodes

Keywords

DevicesIntuneUser

Operators

whereset_has_elementisnotnullextendparse_jsontostring

Actions

GitHub