1 List Of Critical Azure Resources In XSPM
Query
let XspmCriticalAssets = ExposureGraphNodes
| mv-expand EntityIds
| extend EntityType = parse_json(EntityIds)
| where EntityType["type"] == "AzureResourceId"
| mv-expand CriticalityData = parse_json(NodeProperties)["rawData"]["criticalityLevel"]["ruleNames"]
| extend CriticalityLevel = tostring(parse_json(NodeProperties)["rawData"]["criticalityLevel"]["criticalityLevel"])
| extend RuleName = tostring(CriticalityData)
| extend ResourceId = tolower(tostring(EntityType["id"]))
| where isnotempty(CriticalityLevel)
| project ResourceId, NodeId, NodeName, RuleName, CriticalityLevel;
XspmCriticalAssets
// Correlation with XDR Alerts
| join kind=inner (
AlertEvidence
| where EntityType == @"CloudResource"
| extend ResourceId = tolower(ResourceID)
| project AlertTitle = Title, ServiceSource, ResourceId
) on ResourceId
| summarize SecurityAlerts = make_set(AlertTitle), CriticalAssetTag = make_set(RuleName) by ResourceIdExplanation
This query is designed to identify critical Azure resources and correlate them with security alerts. Here's a simplified breakdown of what the query does:
-
Extract Critical Azure Resources:
- It starts by processing data from
ExposureGraphNodesto identify Azure resources by expanding and parsing theEntityIds. - It filters these resources to only include those with a type of "AzureResourceId".
- It further expands and parses
NodePropertiesto extract criticality information, specifically focusing on the criticality level and associated rule names. - It ensures that only resources with a non-empty criticality level are considered.
- The result is a list of Azure resources along with their criticality levels and associated rule names.
- It starts by processing data from
-
Correlate with Security Alerts:
- The query then joins this list of critical Azure resources with data from
AlertEvidence, which contains security alerts related to cloud resources. - It matches resources based on their
ResourceId, ensuring case-insensitivity by converting IDs to lowercase. - For each resource, it collects the titles of associated security alerts and the criticality rule names into sets.
- The query then joins this list of critical Azure resources with data from
-
Output:
- The final output provides a summary for each resource, listing the associated security alerts and the criticality tags (rule names) that apply to it.
In essence, this query helps in identifying critical Azure resources and understanding what security alerts are associated with them, aiding in prioritizing security efforts.
Details

Thomas Naunheim
Released: June 4, 2025
Tables
ExposureGraphNodesAlertEvidence
Keywords
ExposureGraphNodesAlertEvidenceAzureResourceIdCloudResourceResourceIdNodeIdNodeNameCriticalityLevelRuleNameAlertTitleServiceSourceSecurityAlertsCriticalAssetTag
Operators
letmv-expandextendparse_jsonwheretostringtolowerisnotemptyprojectjoinsummarizemake_set