Query Details
# Microsoft Security Exposure Management - Managed Identity

## Query Information

### Description

Use the queries below to retrieve Entra ID managed identities from the enterprise exposure graph.

#### References

- [Introducing Microsoft Security Exposure Management](https://techcommunity.microsoft.com/t5/security-compliance-and-identity/introducing-microsoft-security-exposure-management/ba-p/4080907)
- [Query the enterprise exposure graph](https://learn.microsoft.com/en-us/security-exposure-management/query-enterprise-exposure-graph)

### Microsoft Defender XDR

Retrieve Entra ID - Managed Identity data

```kql
// Managed identity nodes in the enterprise exposure graph
ExposureGraphNodes
| where NodeLabel == @"managedidentity"
// Pull the identity attributes out of the NodeProperties JSON
| extend Type = tostring(parse_json(NodeProperties).rawData.managedIdentityMetadata.type)
| extend name = tostring(parse_json(NodeProperties).rawData.identityMetadata.data.name)
| extend accountType = tostring(parse_json(NodeProperties).rawData.managedIdentityMetadata.data.accountType)
// NodeName is used as the Entra ID object ID of the managed identity
| extend AadObjectId = NodeName
| extend attachedResourceId = parse_json(NodeProperties).rawData.managedIdentityMetadata.data.attachedResourceId
| project Type, name, accountType, attachedResourceId, AadObjectId
```
This query retrieves Entra ID managed identity data from the enterprise exposure graph in Microsoft Security Exposure Management. It filters `ExposureGraphNodes` to rows whose `NodeLabel` is "managedidentity" and extracts Type, name, accountType, attachedResourceId, and AadObjectId.
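
The following is an added example, not part of the original page or the author's query. It joins each managed identity node to its outgoing edges, so a reviewer can see which resources an identity is connected to and through which relationship. It assumes the `ExposureGraphEdges` table and its `SourceNodeId`, `SourceNodeLabel`, `EdgeLabel`, `TargetNodeLabel` and `TargetNodeName` columns from the exposure graph schema, which the page does not show.

```kql
// Added example: outgoing exposure-graph edges per managed identity.
// Assumption: ExposureGraphEdges and the edge columns used here come from
// the exposure graph schema; they do not appear in the original query.
let ManagedIdentities =
    ExposureGraphNodes
    | where NodeLabel == "managedidentity"
    | extend RawData = parse_json(NodeProperties).rawData
    | project NodeId,
              AadObjectId = NodeName,
              Name = tostring(RawData.identityMetadata.data.name),
              AccountType = tostring(RawData.managedIdentityMetadata.data.accountType);
ManagedIdentities
// leftouter keeps identities that have no outgoing edge at all
| join kind=leftouter (
    ExposureGraphEdges
    | where SourceNodeLabel == "managedidentity"
    | project SourceNodeId, EdgeLabel, TargetNodeLabel, TargetNodeName
  ) on $left.NodeId == $right.SourceNodeId
// One row per identity, relationship type and target type
| summarize TargetCount = dcountif(TargetNodeName, isnotempty(TargetNodeName)),
            Targets = make_set(TargetNodeName, 50)
    by AadObjectId, Name, AccountType, EdgeLabel, TargetNodeLabel
| order by TargetCount desc
```

Rows with an empty `EdgeLabel` are managed identities that have no outgoing edge in the graph; rows with a high `TargetCount` are the identities to check first in a least-privilege review.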

Alex Verboon
Released: March 14, 2024