Query Details

EasyVista - Assets with Expired Warranty Linked to Incidents

EV Hunt Expired Warranty Assets

Query

EasyVista_Assets_CL
| where TimeGenerated > ago(30d)
| where isnotempty(END_OF_WARANTY) and END_OF_WARANTY < now()
| join kind=inner (
    EasyVista_Tickets_CL
    | where TimeGenerated > ago(30d)
    | where REQUEST_TYPE has_any ("Incident", "I")
    | summarize IncidentCount = count(), LastIncident = max(SUBMIT_DATE_UT), Tickets = make_set(RFC_NUMBER, 5) by ASSET_TAG
) on ASSET_TAG
| project ASSET_TAG, ASSET_LABEL, SERIAL_NUMBER, END_OF_WARANTY, EMPLOYEE_NAME, DEPARTMENT_PATH, LOCATION_PATH, IncidentCount, LastIncident, Tickets
| sort by IncidentCount desc

Explanation

This query is designed to identify assets with expired warranties that have been involved in security incidents within the last 30 days. Here's a simplified breakdown:

  1. Data Sources: The query uses data from EasyVista IT Service Management (ITSM), specifically focusing on asset and ticket information.

  2. Purpose: It aims to find assets whose warranties have expired and have been linked to security incidents. These assets might not receive vendor support for updates, increasing their risk.

  3. Process:

    • Filter Assets: It looks at assets recorded in the last 30 days, checking for those with expired warranties.
    • Filter Incidents: It examines tickets from the last 30 days, focusing on those classified as incidents.
    • Join Data: It combines the asset and incident data based on a common identifier (ASSET_TAG).
    • Summarize: For each asset, it counts the number of incidents, notes the date of the last incident, and lists up to five related ticket numbers.
    • Output: The results include details like asset tag, label, serial number, warranty end date, employee name, department, location, incident count, last incident date, and ticket numbers.
    • Sort: Finally, it sorts the assets by the number of incidents in descending order, highlighting those with the most incidents.
  4. Security Context: The query is related to the "Persistence" tactic and technique T1190, which involves exploiting vulnerabilities to maintain access to systems.

Details

David Alonso profile picture

David Alonso

Released: April 16, 2026

Tables

EasyVista_Assets_CLEasyVista_Tickets_CL

Keywords

AssetsWarrantyIncidentsSecurityRiskVendorSupportPatchingTimeGeneratedEndOfWarrantyRequestTypeIncidentSubmitDateUtRfcNumberAssetTagAssetLabelSerialNumberEmployeeNameDepartmentPathLocationPathIncidentCountLastIncidentTickets

Operators

whereisnotempty<nowjoinkind=innerhas_anysummarizecountmaxmake_setbyonprojectsort bydesc

Tactics

Persistence

MITRE Techniques

Actions

GitHub