EasyVista - Assets with Expired Warranty Linked to Incidents
EV Hunt Expired Warranty Assets
Query
EasyVista_Assets_CL
| where TimeGenerated > ago(30d)
| where isnotempty(END_OF_WARANTY) and END_OF_WARANTY < now()
| join kind=inner (
EasyVista_Tickets_CL
| where TimeGenerated > ago(30d)
| where REQUEST_TYPE has_any ("Incident", "I")
| summarize IncidentCount = count(), LastIncident = max(SUBMIT_DATE_UT), Tickets = make_set(RFC_NUMBER, 5) by ASSET_TAG
) on ASSET_TAG
| project ASSET_TAG, ASSET_LABEL, SERIAL_NUMBER, END_OF_WARANTY, EMPLOYEE_NAME, DEPARTMENT_PATH, LOCATION_PATH, IncidentCount, LastIncident, Tickets
| sort by IncidentCount descExplanation
This query is designed to identify assets with expired warranties that have been involved in security incidents within the last 30 days. Here's a simplified breakdown:
-
Data Sources: The query uses data from EasyVista IT Service Management (ITSM), specifically focusing on asset and ticket information.
-
Purpose: It aims to find assets whose warranties have expired and have been linked to security incidents. These assets might not receive vendor support for updates, increasing their risk.
-
Process:
- Filter Assets: It looks at assets recorded in the last 30 days, checking for those with expired warranties.
- Filter Incidents: It examines tickets from the last 30 days, focusing on those classified as incidents.
- Join Data: It combines the asset and incident data based on a common identifier (ASSET_TAG).
- Summarize: For each asset, it counts the number of incidents, notes the date of the last incident, and lists up to five related ticket numbers.
- Output: The results include details like asset tag, label, serial number, warranty end date, employee name, department, location, incident count, last incident date, and ticket numbers.
- Sort: Finally, it sorts the assets by the number of incidents in descending order, highlighting those with the most incidents.
-
Security Context: The query is related to the "Persistence" tactic and technique T1190, which involves exploiting vulnerabilities to maintain access to systems.
Details

David Alonso
Released: April 16, 2026
Tables
Keywords
Operators
Tactics
MITRE Techniques