Query Details

Microsoft Security Exposure Management - Storage Accounts

EEG Storage Accounts

Query

ExposureGraphNodes
| where NodeLabel == @"microsoft.storage/storageaccounts"
| extend StorageAccountName = NodeName
| extend Properties = parse_json(NodeProperties.rawData)
| extend Environment = parse_json(Properties).environmentName
| extend EnvironmentRegionName = parse_json(Properties).nativeEnvironmentRegionName
| extend InputString = tostring(parse_json((EntityIds)[0].id))
| parse InputString with "/subscriptions/" subscriptionId "/resourcegroups" * 
| parse InputString with "/subscriptions/" * "/resourcegroups/" resourceGroup "/providers" *
| project StorageAccountName, Environment, EnvironmentRegionName, subscriptionId, resourceGroup

About this query

Microsoft Security Exposure Management - Storage Accounts

Query Information

Description

Use the below queries to retrieve Azure Storage Accounts from the enterprise exposure graph.

References

Microsoft Defender XDR

Retrieve Azure - Storage Accounts data

Explanation

This query retrieves Azure Storage Accounts data from the enterprise exposure graph using Microsoft Defender XDR. It filters the data based on the NodeLabel "microsoft.storage/storageaccounts" and extracts information such as Storage Account Name, Environment, Environment Region Name, Subscription ID, and Resource Group.

Details

Alex Verboon profile picture

Alex Verboon

Released: March 26, 2024

Tables

ExposureGraphNodes

Keywords

AzureStorageAccountsExposureGraphNodesNodeLabelNodeNameNodePropertiesEnvironmentEnvironmentRegionNameEntityIdssubscriptionIdresourceGroupInputStringparseproject

Operators

ExposureGraphNodeswhereextendparse_jsonparseproject

Actions

GitHub