Query Details

Exposure Management Device Activities

Query

# List Activities Compromised Device Can Perform as Source

### Sentinel
```KQL
// List activities device can do as source
let DeviceName = "laptop.test.com";
ExposureGraphEdges
| where SourceNodeLabel == "device"
| where SourceNodeName == DeviceName
| summarize Total = dcount(TargetNodeName), Details = make_set(TargetNodeName) by EdgeLabel, SourceNodeName
| project Source = SourceNodeName, Action = EdgeLabel, Details, Total
```

Explanation

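This query lists the activities that a compromised device, here "laptop.test.com", can perform as the source node in the exposure graph. It filters `ExposureGraphEdges` to edges whose source is that device, then for each action (`EdgeLabel`) returns the number of distinct targets and the set of target names.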

Details

Bert-Jan Pals

Released: June 26, 2024

Tables

ExposureGraphEdges

Keywords

Activities, Device, Source, Compromised

Operators

let, where, summarize, dcount, make_set, by, project
