Query Details

2 Custom Graph Query On Recommendations And Target

Query

// Build the exposure graph: edges come from ExposureGraphEdges, node labels and
// properties are joined in from ExposureGraphNodes on NodeId
ExposureGraphEdges
| make-graph SourceNodeId --> TargetNodeId with ExposureGraphNodes on NodeId
// Pattern: recommendation --affecting--> repository --provisions (1 to 3 hops)--> storage account
// cycles=none: a matched path may not revisit the same node
| graph-match cycles=none (Recommendation)-[affecting]->(azuredevopsrepository)-[actions*1..3]->(Resource)
    where Recommendation.NodeLabel == "mdcManagementRecommendation"
    and affecting.EdgeLabel == "affecting"
    and all(actions, EdgeLabel == "provisions")   // every hop in the variable-length segment must be "provisions"
    and Resource.NodeLabel == "microsoft.storage/storageaccounts"
    project 
        RecommendationName = Recommendation.NodeName, 
        Severity = tostring(Recommendation.NodeProperties.rawData.severity),   // NodeProperties is dynamic, so cast
        RepoName = azuredevopsrepository.NodeName,
        Resource = Resource.NodeName

Explanation

This query walks the exposure graph to find management recommendations raised against Azure DevOps repositories, and the storage accounts those repositories provision. Step by step:

  1. Data Source: The query starts from ExposureGraphEdges, the edge table, and joins ExposureGraphNodes so that each node's label and properties are available inside the pattern.

  2. Graph Construction: make-graph turns every edge row into a directed connection from SourceNodeId to TargetNodeId, and matches both ends to a row in ExposureGraphNodes on NodeId.

  3. Pattern Matching: graph-match searches for this shape, with cycles=none so that a matched path never revisits the same node:

    • A node labeled "mdcManagementRecommendation" (a Defender for Cloud management recommendation) connected to an "azuredevopsrepository" node.
    • From that repository, a chain of 1 to 3 "provisions" edges that ends at a "microsoft.storage/storageaccounts" node. The variable-length edge (actions*1..3) is what lets the query follow indirect provisioning through intermediate nodes instead of only a direct edge.
  4. Conditions: It ensures:

    • The edge between the recommendation and the repository is labeled "affecting".
    • All edges between the repository and the resource are labeled "provisions"; all(actions, ...) applies the predicate to every hop, so a path containing a single edge of another type is rejected.
    • The final node is specifically a storage account resource.
  5. Output: The query projects (or selects) the following information:

    • The name of the recommendation.
    • The severity level of the recommendation, read from the dynamic NodeProperties column (rawData.severity) and cast with tostring().
    • The name of the Azure DevOps repository.
    • The name of the storage account resource.

In essence, this query lists management recommendations that affect Azure DevOps repositories which in turn provision storage accounts, together with their severity and the entities involved. That connects a finding on the source-control side to the cloud resources reachable from it, which is what you need to prioritize the recommendation by its downstream blast radius rather than by severity alone.
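The query below is an added example, not the original page's query or the author's code. It keeps the same pattern and extends it in three ways: it filters to High/Medium severity inside the match, it projects the chain of provisioned node names along the variable-length segment (so you can see which intermediate nodes sit between repository and storage account), and it sorts so the most severe findings come first. The severity strings "High" and "Medium", and the availability of map() over variable-length edges in graph-match, are assumptions to confirm in your tenant.

```kql
// Added example, not from the original page: same repository -> storage-account
// path, extended with a severity filter, the provisioning chain, and ordering.
// Assumptions to verify: severity values "High"/"Medium", and map() support
// over variable-length edges inside graph-match.
ExposureGraphEdges
| make-graph SourceNodeId --> TargetNodeId with ExposureGraphNodes on NodeId
| graph-match cycles=none (Recommendation)-[affecting]->(Repo)-[actions*1..3]->(Resource)
    where Recommendation.NodeLabel == "mdcManagementRecommendation"
    and affecting.EdgeLabel == "affecting"
    and all(actions, EdgeLabel == "provisions")
    and Resource.NodeLabel == "microsoft.storage/storageaccounts"
    // filter on severity inside the match so low-severity paths are never expanded
    and tostring(Recommendation.NodeProperties.rawData.severity) in ("High", "Medium")
    project
        RecommendationName = Recommendation.NodeName,
        Severity = tostring(Recommendation.NodeProperties.rawData.severity),
        RepoName = Repo.NodeName,
        Resource = Resource.NodeName,
        // TargetNodeName of each "provisions" edge, in path order; the last entry is the storage account
        ProvisioningChain = map(actions, TargetNodeName)
| extend Hops = array_length(ProvisioningChain),
         SeverityRank = case(Severity == "High", 0, Severity == "Medium", 1, 2)
| order by SeverityRank asc, RepoName asc, Hops asc
| project-away SeverityRank
```

Before relying on either query, confirm that the expected labels actually exist in your graph: ExposureGraphEdges | where SourceNodeLabel == "azuredevopsrepository" | summarize count() by EdgeLabel, TargetNodeLabel shows which edge types leave repository nodes and what they point at. If map() is not available in your environment, drop the ProvisioningChain and Hops columns; the remaining query returns the same rows as the original plus the severity filter.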

Details


Thomas Naunheim

Released: June 4, 2025

Tables

ExposureGraphEdges, ExposureGraphNodes

Keywords

ExposureGraphEdges, ExposureGraphNodes, Recommendation, AzureDevOpsRepository, Resource, MicrosoftStorageStorageAccounts

Operators

make-graph, graph-match, cycles=none, where, ==, and, all, project, =, tostring
