Query Details

EASM Risky Assets

Query


# Defender External Attack Surface Management - Risky Assets

## Query Information

### Description

Use the queries below to find risky assets in Defender External Attack Surface Management.

#### References

- [Tweet from @ellishlomo](https://twitter.com/ellishlomo/status/1668507719794319362?s=20)


### Microsoft Sentinel

List risky assets

```kql
EasmRisk_CL
| where AssetLastSeen_t >= ago(7d)
| where CategoryName_s == "High Severity"
| extend Rule = tostring(parse_json(AssetDiscoveryAuditTrail_s)[0].Rule)
| project TimeGenerated, AssetType_s, AssetName_s, CategoryName_s, Rule
```


Explanation

The query finds risky assets in Defender External Attack Surface Management. It keeps assets whose last-seen time falls within the past 7 days and whose category is "High Severity". It then parses the JSON in `AssetDiscoveryAuditTrail_s`, extracts the rule from its first entry, and projects the time generated, asset type, asset name, category name, and rule.
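The following variant is an added example, not part of the original query or the author's repository. It assumes that the same asset can appear in several rows within the 7-day window and that the audit trail can hold more than one entry, so it expands every entry and returns one row per asset. The sample rows, asset names, and rule names are constructed, and `SampleEasmRisk` and `ReferenceTime` are hypothetical names used so the query runs without workspace data.

```kql
// Constructed sample rows standing in for EasmRisk_CL (all values are made up).
let SampleEasmRisk = datatable(
    TimeGenerated: datetime, AssetLastSeen_t: datetime, AssetType_s: string,
    AssetName_s: string, CategoryName_s: string, AssetDiscoveryAuditTrail_s: string)
[
    datetime(2023-06-11 08:00), datetime(2023-06-11 07:00), "HOST", "app.example.com",
        "High Severity", '[{"Rule":"Sample rule A"},{"Rule":"Sample rule B"}]',
    datetime(2023-06-12 08:00), datetime(2023-06-12 07:00), "HOST", "app.example.com",
        "High Severity", '[{"Rule":"Sample rule A"},{"Rule":"Sample rule B"}]',
    datetime(2023-06-12 08:00), datetime(2023-06-12 07:00), "PAGE", "https://shop.example.com/login",
        "High Severity", '[{"Rule":"Sample rule C"}]',
    datetime(2023-06-12 08:00), datetime(2023-06-12 07:00), "HOST", "dev.example.com",
        "Medium Severity", '[{"Rule":"Sample rule A"}]',
    datetime(2023-05-20 08:00), datetime(2023-05-20 07:00), "HOST", "old.example.com",
        "High Severity", '[{"Rule":"Sample rule A"}]'
];
// Fixed reference time so the constructed rows fall inside the window.
// Against the real table, use EasmRisk_CL and ago(7d) as in the original query.
let ReferenceTime = datetime(2023-06-13);
SampleEasmRisk
| where AssetLastSeen_t >= ReferenceTime - 7d
| where CategoryName_s == "High Severity"
// Expand every audit trail entry instead of reading only element [0].
| mv-expand Trail = parse_json(AssetDiscoveryAuditTrail_s)
| extend Rule = tostring(Trail.Rule)
// Collapse repeated reports of the same asset into a single row.
| summarize LastReported = max(TimeGenerated),
            Rules = make_set_if(Rule, isnotempty(Rule))
    by AssetType_s, AssetName_s, CategoryName_s
| order by LastReported desc
```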

Details

Alex Verboon

Released: June 13, 2023

Tables

EasmRisk_CL

Keywords

EasmRisk_CL,AssetLastSeen_t,CategoryName_s,Rule,TimeGenerated,AssetType_s,AssetName_s

Operators

EasmRisk_CL,where,>=,ago,7d,CategoryName_s,==,"High Severity",extend,Rule,=,tostring,parse_json,AssetDiscoveryAuditTrail_s,[0].,project,TimeGenerated,AssetType_s,AssetName_s,CategoryName_s,Rule