Query Details

EV Hunt Expired Warranty Assets

Query

id: f6a7b8c9-d0e1-4f2a-3b4c-5d6e7f809112
name: EasyVista - Assets with Expired Warranty Linked to Incidents
description: |
  Hunts for assets that have expired warranties and have been involved in security incidents.
  These assets may lack vendor support for patching and represent increased risk.
requiredDataConnectors:
  - connectorId: EasyVistaITSM
    dataTypes:
      - EasyVista_Assets_CL
      - EasyVista_Tickets_CL
tactics:
  - Persistence
relevantTechniques:
  - T1190
query: |
  // Latest inventory snapshot of each asset seen in the last 30 days.
  // arg_max keeps one row per ASSET_TAG so repeated ingestions of the same
  // asset do not multiply rows in the inner join below.
  EasyVista_Assets_CL
  | where TimeGenerated > ago(30d)
  | summarize arg_max(TimeGenerated, *) by ASSET_TAG
  // Keep only assets whose warranty end date is set and already in the past.
  // todatetime() is a no-op on a datetime column and parses the value if the
  // custom log ingested it as a string.
  | where isnotempty(END_OF_WARANTY) and todatetime(END_OF_WARANTY) < now()
  | join kind=inner (
      // Incident tickets from the same window, rolled up per asset tag
      EasyVista_Tickets_CL
      | where TimeGenerated > ago(30d)
      | where REQUEST_TYPE has_any ("Incident", "I")
      | summarize IncidentCount = count(), LastIncident = max(SUBMIT_DATE_UT), Tickets = make_set(RFC_NUMBER, 5) by ASSET_TAG
  ) on ASSET_TAG
  | project ASSET_TAG, ASSET_LABEL, SERIAL_NUMBER, END_OF_WARANTY, EMPLOYEE_NAME, DEPARTMENT_PATH, LOCATION_PATH, IncidentCount, LastIncident, Tickets
  | sort by IncidentCount desc

Explanation

This query identifies assets whose warranty has expired and that have been the subject of incident tickets within the last 30 days. Here's a simplified breakdown:

  1. Data Sources: The query uses data from EasyVista IT Service Management (ITSM), specifically the asset inventory table (EasyVista_Assets_CL) and the ticket table (EasyVista_Tickets_CL).

  2. Purpose: It finds assets that are both out of warranty and linked to incidents. Out-of-warranty hardware often no longer receives vendor firmware or driver updates, so these assets are harder to patch and carry more risk. Note that "incident" here is the EasyVista ticket type: the query matches any ticket whose REQUEST_TYPE contains the term "Incident" or "I", which covers ordinary IT incidents as well as security ones. Narrow the REQUEST_TYPE filter, or add a category filter, if you only want security-related tickets.

  3. Process:

    • Filter Assets: It looks at assets recorded in the last 30 days and keeps those with a non-empty END_OF_WARANTY that is earlier than the current time.
    • Filter Incidents: It examines tickets from the last 30 days and keeps those whose REQUEST_TYPE classifies them as incidents.
    • Summarize: For each ASSET_TAG on the ticket side, it counts the incidents, takes the latest SUBMIT_DATE_UT as the last incident date, and collects up to five RFC_NUMBER ticket identifiers.
    • Join Data: It combines the asset and incident data with an inner join on the common identifier (ASSET_TAG). Assets with no matching incident tickets are dropped, and tickets whose ASSET_TAG is empty or does not match an asset record are ignored.
    • Output: The results include asset tag, label, serial number, warranty end date, employee name, department, location, incident count, last incident date, and ticket numbers.
    • Sort: Finally, it sorts the assets by incident count in descending order, so the assets with the most incidents appear first.
  4. Security Context: The query is tagged with the "Persistence" tactic and technique T1190 (Exploit Public-Facing Application). In MITRE ATT&CK, T1190 sits under Initial Access rather than Persistence; the relevance to this hunt is that unsupported, unpatched assets are the ones most likely to be compromised through known vulnerabilities, and the incident history shows which of them are already drawing attention.
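The hunt rests on three assumptions about the EasyVista data that are worth verifying before trusting its output: that REQUEST_TYPE actually carries values containing "Incident" or "I", that each ASSET_TAG appears once in the 30-day window (otherwise the inner join multiplies rows per asset), and that END_OF_WARANTY is a value KQL can compare against now(). The three checks below are an added example, not part of the original page, the hunt author's work, or the EasyVista connector; they assume the same tables and column names used in the hunt, and each statement is run on its own.

```kql
// Added pre-flight checks for the hunt above (example, not the original query).
// Assumes the EasyVista_Assets_CL and EasyVista_Tickets_CL tables and the
// column names used by the hunt. Run each statement separately.

// Check 1: which REQUEST_TYPE values exist, and which of them the hunt's
// has_any("Incident", "I") filter would actually match.
EasyVista_Tickets_CL
| where TimeGenerated > ago(30d)
| summarize Tickets = count() by REQUEST_TYPE
| extend MatchedByHunt = REQUEST_TYPE has_any ("Incident", "I")
| sort by Tickets desc

// Check 2: asset tags with more than one inventory row in the window.
// Each extra row doubles that asset in the hunt's inner join unless the
// asset side is reduced to one row per ASSET_TAG first.
EasyVista_Assets_CL
| where TimeGenerated > ago(30d)
| summarize Snapshots = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by ASSET_TAG
| where Snapshots > 1
| sort by Snapshots desc

// Check 3: does END_OF_WARANTY parse as a datetime, and how many assets
// are empty, unparsable, expired, or still covered. An Unparsable count
// above zero means the hunt's "< now()" comparison is silently dropping rows.
EasyVista_Assets_CL
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by ASSET_TAG
| extend WarrantyEnd = todatetime(END_OF_WARANTY)
| summarize Total = count(),
            Empty = countif(isempty(END_OF_WARANTY)),
            Unparsable = countif(isnotempty(END_OF_WARANTY) and isnull(WarrantyEnd)),
            Expired = countif(WarrantyEnd < now()),
            StillCovered = countif(WarrantyEnd >= now())
```

If Check 1 shows incident tickets under a REQUEST_TYPE value the filter misses, or Check 2 returns rows, adjust the hunt's filter or add a `summarize arg_max(TimeGenerated, *) by ASSET_TAG` step on the asset side before the join.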

Details


David Alonso

Released: April 16, 2026

Tables

EasyVista_Assets_CL
EasyVista_Tickets_CL

Keywords

Assets, Warranty, Incidents, Security, Risk, VendorSupport, Patching, TimeGenerated, EndOfWarranty, RequestType, Incident, SubmitDateUt, RfcNumber, AssetTag, AssetLabel, SerialNumber, EmployeeName, DepartmentPath, LocationPath, IncidentCount, LastIncident, Tickets

Operators

where, isnotempty, <, now, join, kind=inner, has_any, summarize, count, max, make_set, by, on, project, sort by, desc
