Query Details

Defender External Attack Surface Management - Usage

EASM Usage

Query

union withsource= _TableName Easm*
| where TimeGenerated > ago(30d)
| summarize
    Entries = count(), Size = sum(_BilledSize), GB = format_bytes(sum(_BilledSize),0,"GB") by _TableName
| project
    ['TableName'] = _TableName,
    ['Table Size'] = Size,
    ["GB"] = GB,
    ['Table Entries'] = Entries

About this query

Defender External Attack Surface Management - Usage

Query Information

Description

Use the below queries to retrieve Defender External Attack Surface Management usage information.

References

Microsoft Sentinel

EASM Billable Data

Visualize EASM Table Usage over time

Usage
| where TimeGenerated > ago(30d)
| where DataType startswith "Easm"
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType
| render columnchart   

Last entries written to EASM Tables

union withsource= _TableName Easm*
| where TimeGenerated > ago(90d)
| summarize arg_max(TimeGenerated,*) by _TableName
| project _TableName, TimeGenerated

Explanation

This KQL query set is designed to help you analyze the usage of Microsoft Defender External Attack Surface Management (EASM) data within Microsoft Sentinel. Here's a simple breakdown of what each part of the query does:

  1. EASM Billable Data:

    • This query combines data from all tables that start with "Easm" and have been generated in the last 30 days.
    • It calculates the total number of entries and the total size of the data in bytes, converting it to gigabytes (GB) for easier understanding.
    • The results are displayed with the table name, the size of the table in bytes, the size in GB, and the number of entries.
  2. Visualize EASM Table Usage Over Time:

    • This query focuses on the "Usage" table, filtering data from the last 30 days where the data type starts with "Easm."
    • It aggregates the billable data size in gigabytes per day and per data type.
    • The results are visualized as a column chart, showing how much data is being used over time.
  3. Last Entries Written to EASM Tables:

    • This query looks at all "Easm" tables for entries generated in the last 90 days.
    • It identifies the most recent entry for each table, showing the table name and the time the last entry was generated.

Overall, these queries help you monitor and visualize the usage and billing data for EASM, providing insights into data consumption and recent activity within your Microsoft Sentinel environment.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

Easm*Usage

Keywords

DefenderExternalAttackSurfaceManagementUsageInformationDataConnectorsAzureLogAnalyticsExplorerMicrosoftSentinelEASMTableEntriesSizeGBTimeGeneratedDataTypeStartTimeEndTimeQuantity

Operators

unionwithsourcewhereagosummarizecountsumformat_bytesbyprojectstartswithstartofdaynowbinrendercolumnchartarg_max

Actions

GitHub