List Activities Compromised Device Can Perform as Source
Exposure Management Device Activities
Query
// List activities device can do as source
let DeviceName = "laptop.test.com";
ExposureGraphEdges
| where SourceNodeLabel == "device"
| where SourceNodeName == DeviceName
| summarize Total = dcount(TargetNodeName), Details = make_set(TargetNodeName) by EdgeLabel, SourceNodeName
| project Source = SourceNodeName, Action = EdgeLabel, Details, TotaAbout this query
List Activities Compromised Device Can Perform as Source
Sentinel
Explanation
This KQL query is designed to identify and summarize the activities that a specific device, identified by its name "laptop.test.com," can perform as a source within a network. Here's a simple breakdown of what the query does:
-
Define the Device: The query starts by specifying the device of interest, which is "laptop.test.com."
-
Filter for Device Activities: It searches through the
ExposureGraphEdgesdata to find entries where the device is the source of an activity. This is done by checking if theSourceNodeLabelis "device" and if theSourceNodeNamematches the specified device name. -
Summarize Activities: For each type of activity (represented by
EdgeLabel), the query counts how many unique target nodes (other entities or devices) the specified device can interact with. It also compiles a list of these target nodes. -
Output the Results: The results are presented with the following columns:
- Source: The name of the device, which is "laptop.test.com."
- Action: The type of activity or action the device can perform.
- Details: A list of target nodes (other devices or entities) that the device can interact with for each action.
- Total: The total number of unique target nodes for each action.
In summary, this query provides a list of actions that "laptop.test.com" can perform as a source, along with the details of which other devices or entities it can interact with for each action.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators