Query Details

Defender External Attack Surface Management - Risky Assets

EASM Risky Assets

Query

EasmRisk_CL
| where AssetLastSeen_t >= ago(7d)
| where CategoryName_s == "High Severity"
| extend Rule = tostring(parse_json(AssetDiscoveryAuditTrail_s)[0].Rule)
| project TimeGenerated, AssetType_s, AssetName_s, CategoryName_s, Rule

About this query

Defender External Attack Surface Management - Risky Assets

Query Information

Description

Use the below queries to find risky assets in Defender External Attack Surface Management

References

Microsoft Sentinel

List risky assets

List of all risky assets

EasmRisk_CL 
| where TimeGenerated > ago(180d)
| extend Severity = CategoryName_s
| extend Description = MetricDisplayName_s
| extend AssetType = AssetType_s
| extend AssetName = AssetName_s
| extend IPAddress = iff(AssetType == 'IP_ADDRESS',AssetName_s,"")
| extend Host = iff(AssetType == 'HOST',AssetName_s,"")
| extend Page = iff(AssetType == 'PAGE',AssetName_s,"")
| extend Domain = iff(AssetType == 'DOMAIN',AssetName_s,"")
| extend SSLCert = iff(AssetType == 'SSL_CERT',AssetName_s,"")
| project TimeGenerated, Severity, Description, AssetType, AssetName, IPAddress,Host, Domain, SSLCert, Page, AssetUuid_g

Explanation

This KQL query is designed to identify and list risky assets within the Defender External Attack Surface Management system. Here's a simplified breakdown of what each part of the query does:

  1. Finding High Severity Risky Assets (Last 7 Days):

    • The first part of the query filters the EasmRisk_CL table to find assets that have been seen in the last 7 days (AssetLastSeen_t >= ago(7d)) and are categorized as "High Severity" (CategoryName_s == "High Severity").
    • It then extracts the rule associated with each asset from the AssetDiscoveryAuditTrail_s field and converts it to a string.
    • Finally, it selects and displays the following columns: TimeGenerated, AssetType_s, AssetName_s, CategoryName_s, and the extracted Rule.
  2. Listing All Risky Assets (Last 180 Days):

    • The second part of the query retrieves all risky assets from the EasmRisk_CL table that have been generated in the last 180 days (TimeGenerated > ago(180d)).
    • It extends the data with additional fields for clarity:
      • Severity is set to the value of CategoryName_s.
      • Description is set to the value of MetricDisplayName_s.
      • AssetType and AssetName are directly taken from their respective fields.
      • Depending on the AssetType, it assigns the AssetName to specific fields such as IPAddress, Host, Page, Domain, or SSLCert.
    • The query then projects a list of columns to display: TimeGenerated, Severity, Description, AssetType, AssetName, IPAddress, Host, Domain, SSLCert, Page, and AssetUuid_g.

In summary, these queries help identify and list risky assets by their severity and type, providing detailed information about each asset's characteristics and when they were last seen or generated.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

EasmRisk_CL

Keywords

DefenderExternalAttackSurfaceManagementRiskyAssetsMicrosoftSentinelTimeGeneratedAssetTypeAssetNameCategoryNameRuleSeverityDescriptionIPAddressHostDomainSSLCertPageAssetUuid

Operators

where>=ago==extendtostringparse_jsonproject>iff

Actions

GitHub