Microsoft Security Exposure Management - Storage Accounts
EEG Storage Accounts
Query
ExposureGraphNodes
| where NodeLabel == @"microsoft.storage/storageaccounts"
| extend StorageAccountName = NodeName
| extend Properties = parse_json(NodeProperties.rawData)
| extend Environment = parse_json(Properties).environmentName
| extend EnvironmentRegionName = parse_json(Properties).nativeEnvironmentRegionName
| extend InputString = tostring(parse_json((EntityIds)[0].id))
| parse InputString with "/subscriptions/" subscriptionId "/resourcegroups" *
| parse InputString with "/subscriptions/" * "/resourcegroups/" resourceGroup "/providers" *
| project StorageAccountName, Environment, EnvironmentRegionName, subscriptionId, resourceGroupAbout this query
Microsoft Security Exposure Management - Storage Accounts
Query Information
Description
Use the below queries to retrieve Azure Storage Accounts from the enterprise exposure graph.
References
Microsoft Defender XDR
Retrieve Azure - Storage Accounts data
Explanation
This query retrieves Azure Storage Accounts data from the enterprise exposure graph using Microsoft Defender XDR. It filters the data based on the NodeLabel "microsoft.storage/storageaccounts" and extracts information such as Storage Account Name, Environment, Environment Region Name, Subscription ID, and Resource Group.
Details

Alex Verboon
Released: March 26, 2024
Tables
ExposureGraphNodes
Keywords
AzureStorageAccountsExposureGraphNodesNodeLabelNodeNameNodePropertiesEnvironmentEnvironmentRegionNameEntityIdssubscriptionIdresourceGroupInputStringparseproject
Operators
ExposureGraphNodeswhereextendparse_jsonparseproject