Microsoft Security Exposure Management - Azure Virtual Machines
EEG Azure Virtual Machines
Query
ExposureGraphNodes
| where NodeLabel == @"microsoft.compute/virtualmachines"
| extend DeviceName = NodeName
| extend deviceType = parse_json(NodeProperties).rawData.deviceType
| extend lastSeen = parse_json(NodeProperties).rawData.lastSeen
| extend onboardingStatus = parse_json(NodeProperties).rawData.onboardingStatus
| extend osPlatform = parse_json(NodeProperties).rawData.osPlatform
| extend publicIP = parse_json(NodeProperties).rawData.publicIP
| extend rdpStatus_allowConnections = parse_json(NodeProperties).rawData.rdpStatus.allowConnections
| extend environmentName = parse_json(NodeProperties).rawData.environmentName
| project DeviceName, lastSeen, onboardingStatus, osPlatform, publicIP, environmentName, rdpStatus_allowConnectionsAbout this query
Microsoft Security Exposure Management - Azure Virtual Machines
Query Information
Description
Use the below queries to Azure Virtual Machine information from the enterprise exposure graph.
References
Microsoft Defender XDR
Retrieve Azure Virtual Machine information
Explanation
This query retrieves information about Azure Virtual Machines from the enterprise exposure graph in Microsoft Defender XDR. It includes details such as device name, last seen timestamp, onboarding status, OS platform, public IP address, environment name, and RDP connection status.
Details

Alex Verboon
Released: March 26, 2024
Tables
ExposureGraphNodes
Keywords
AzureVirtualMachinesExposureGraphNodesNodeLabelDeviceNamedeviceTypelastSeenonboardingStatusosPlatformpublicIPrdpStatus_allowConnectionsenvironmentName.
Operators
ExposureGraphNodeswhereextendparse_jsonNodeLabelNodeNameNodePropertiesproject