Query Details

EASM Usage

Query

# Defender External Attack Surface Management - Usage

## Query Information

### Description

Use the queries below to retrieve Defender External Attack Surface Management usage information.

#### References

- [Data Connectors for Azure Log Analytics and Data Explorer Now in Public Preview](https://techcommunity.microsoft.com/t5/microsoft-defender-external/data-connectors-for-azure-log-analytics-and-data-explorer-now-in/ba-p/3776898)

### Microsoft Sentinel

EASM Billable Data

```kql
// Row count and billed size (_BilledSize is in bytes) per EASM table for the last 30 days
union withsource= _TableName Easm*
| where TimeGenerated > ago(30d)
| summarize
    Entries = count(), Size = sum(_BilledSize), GB = format_bytes(sum(_BilledSize),0,"GB") by _TableName
| project
    ['TableName'] = _TableName,
    ['Table Size'] = Size,
    ["GB"] = GB,
    ['Table Entries'] = Entries
```

Visualize EASM Table Usage over time

```kql
Usage
| where TimeGenerated > ago(30d)
| where DataType startswith "Easm"
| where StartTime >= startofday(ago(31d)) and EndTime < startofday(now())
// Usage.Quantity is reported in MB; dividing by 1000 gives GB per day and table
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(StartTime, 1d), DataType
| render columnchart
```

Last entries written to EASM Tables

```kql
// Most recent record per EASM table within the last 90 days
union withsource= _TableName Easm*
| where TimeGenerated > ago(90d)
| summarize arg_max(TimeGenerated,*) by _TableName
| project _TableName, TimeGenerated
```

Explanation

The first query retrieves usage information for each Defender External Attack Surface Management (EASM) table over the last 30 days: the number of entries, the billed table size in bytes, and the same size formatted in GB.

The second query visualizes the usage of EASM tables over time, showing the amount of billable data in GB for each day.

The third query returns the timestamp of the last entry written to each EASM table within the last 90 days.

Details

Alex Verboon

Released: June 4, 2023

Tables

EASM

Keywords

Defender,External,Attack,Surface,Management,Usage,Data,Connectors,Azure,Log,Analytics,Explorer,Public,Preview,Microsoft,Sentinel,EASM,Billable,Visualize,Table,Time,DataType,StartTime,EndTime,Quantity,BillableDataGB,StartTime,DataType,Last,Entries,Written

Operators

union, withsource, where, TimeGenerated, ago, summarize, count(), sum(), format_bytes(), by, project, startswith, >=, <, bin(), render, arg_max()