Query Details

1 List Of Critical Azure Resources In XSPM

Query

    // Step 1: Azure resources that Exposure Management (XSPM) has classified as critical
    let XspmCriticalAssets = ExposureGraphNodes
    // one row per entity ID attached to the node (a node can carry several)
    | mv-expand EntityIds
    | extend EntityType = parse_json(EntityIds)
    // keep only Azure Resource Manager resources
    | where EntityType["type"] == "AzureResourceId"
    // one row per criticality rule that matched the node
    | mv-expand CriticalityData = parse_json(NodeProperties)["rawData"]["criticalityLevel"]["ruleNames"]
    | extend CriticalityLevel = tostring(parse_json(NodeProperties)["rawData"]["criticalityLevel"]["criticalityLevel"])
    | extend RuleName = tostring(CriticalityData)
    // lowercase the ARM resource ID so it matches the alert side regardless of casing
    | extend ResourceId = tolower(tostring(EntityType["id"]))
    // drop nodes that carry no criticality classification
    | where isnotempty(CriticalityLevel)
    | project ResourceId, NodeId, NodeName, RuleName, CriticalityLevel;
    // Step 2: correlation with XDR alerts whose evidence references a cloud resource
    XspmCriticalAssets
    | join kind=inner (
        AlertEvidence
        | where EntityType == @"CloudResource"
        | extend ResourceId = tolower(ResourceID)
        | project AlertTitle = Title, ServiceSource, ResourceId
    ) on ResourceId
    // collapse the per-rule and per-alert rows back to one row per resource
    | summarize SecurityAlerts = make_set(AlertTitle), CriticalAssetTag = make_set(RuleName) by ResourceId

Explanation

This query identifies Azure resources that Microsoft Security Exposure Management (XSPM) has classified as critical and correlates them with Defender XDR alerts. A simplified breakdown of what it does:

  1. Extract Critical Azure Resources:

    • It starts from ExposureGraphNodes and expands EntityIds, so a node that carries several entity IDs yields one row per ID; each ID is then parsed as JSON.
    • It keeps only rows whose entity type is "AzureResourceId", i.e. Azure Resource Manager resources.
    • It parses NodeProperties to read rawData.criticalityLevel, taking the criticalityLevel value and expanding ruleNames so that each criticality rule that matched the node becomes its own row.
    • It lowercases the resource ID and discards rows with an empty criticality level, which is how nodes that were never classified as critical drop out.
    • The result is one row per (resource, criticality rule) with the node ID, node name, rule name and criticality level.
  2. Correlate with Security Alerts:

    • It inner-joins this list with AlertEvidence, restricted to evidence entities of type CloudResource, whose ResourceID column holds the Azure resource ID the alert refers to.
    • Both sides lowercase the resource ID before the join, so differing casing between the two tables does not prevent a match.
    • Because the join is kind=inner, a critical resource appears in the output only if at least one alert in the advanced hunting retention window references it; ServiceSource is projected on the alert side but not carried into the final result.
  3. Output:

    • summarize collapses the per-rule and per-alert rows back into one row per ResourceId, with the set of distinct alert titles (SecurityAlerts) and the set of criticality rule names that apply to it (CriticalAssetTag).

In essence, the query surfaces critical Azure resources that already have alerts against them, which is a useful starting point for prioritising triage and remediation.
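The query above only returns critical resources that already have at least one alert. The variant below is an added example, not part of the original query or the author's work: it keeps the same extraction logic but uses a left outer join so critical resources with no alerts also appear (with an AlertCount of 0), and it adds the alert count, the set of severities and the most recent alert time per resource. It assumes the AlertEvidence columns Timestamp, AlertId and Severity, and it treats a lower criticalityLevel value as more critical, on the assumption that the Exposure Management scale starts at 0 for the highest level; the 30-day lookback is an assumed value to adjust to your retention.

```kql
// Added example: critical Azure resources with their alert coverage, including resources that have no alerts
let LookbackWindow = 30d;   // assumed window; advanced hunting data is retained for a limited period
let XspmCriticalAssets = ExposureGraphNodes
| mv-expand EntityIds
| extend Entity = parse_json(EntityIds)
| where Entity["type"] == "AzureResourceId"
| extend Criticality = parse_json(NodeProperties)["rawData"]["criticalityLevel"]
| extend CriticalityLevel = toint(Criticality["criticalityLevel"])
| where isnotempty(CriticalityLevel)
// one row per matching rule, typed as string so make_set yields a plain string array
| mv-expand RuleName = Criticality["ruleNames"] to typeof(string)
| extend ResourceId = tolower(tostring(Entity["id"]))
| summarize CriticalAssetTag = make_set(RuleName) by ResourceId, NodeId, NodeName, CriticalityLevel;
let CloudResourceAlerts = AlertEvidence
| where Timestamp > ago(LookbackWindow)
| where EntityType == "CloudResource"
| extend ResourceId = tolower(ResourceID)
| summarize AlertCount = dcount(AlertId),
            SecurityAlerts = make_set(Title),
            Severities = make_set(Severity),
            LastAlert = max(Timestamp)
          by ResourceId;
XspmCriticalAssets
// leftouter keeps critical resources with no alert, so coverage gaps stay visible
| join kind=leftouter CloudResourceAlerts on ResourceId
| project-away ResourceId1
| extend AlertCount = coalesce(AlertCount, long(0))
// assumption: lower criticalityLevel means more critical, so the most critical assets sort first
| order by CriticalityLevel asc, AlertCount desc
```

Rows with AlertCount 0 are the critical resources nobody has detections for yet; rows with a high AlertCount and a low CriticalityLevel are the ones to triage first.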

Details

Thomas Naunheim

Released: June 4, 2025

Tables

ExposureGraphNodes, AlertEvidence

Keywords

ExposureGraphNodes, AlertEvidence, AzureResourceId, CloudResource, ResourceId, NodeId, NodeName, CriticalityLevel, RuleName, AlertTitle, ServiceSource, SecurityAlerts, CriticalAssetTag

Operators

let, mv-expand, extend, parse_json, where, tostring, tolower, isnotempty, project, join, summarize, make_set