
# Microsoft Defender XDR - Critical Assets

![KQL](https://img.shields.io/badge/language-KQL-blue.svg)
![Status: Stable](https://img.shields.io/badge/status-stable-brightgreen.svg)

## Query Information

### Description

The below queries retrieve Defender XDR Critical Asset Information. 

#### References

- [Overview of critical asset management](https://learn.microsoft.com/en-us/security-exposure-management/critical-asset-management)
- [Critical assets protection in Microsoft Defender for Cloud](https://learn.microsoft.com/en-us/azure/defender-for-cloud/critical-assets-protection)

### Author

- **Alex Verboon**

### Credits

- **Nicola Suter**

## Defender XDR

Retrieve Defender XDR - Identities with Criticality Information

```kql
IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| extend CriticalityLabel = case(
    CriticalityLevel == 0, "Very High",
    CriticalityLevel == 1, "High",
    CriticalityLevel == 2, "Medium",
    CriticalityLevel == 3, "Low",
    CriticalityLevel == 4, "Not defined",
    "Unknown"
)
| project AccountName, AccountUpn, AccountDisplayName, CriticalityLabel, Type
| sort by Type
```
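The identity query above labels each account but stops at the inventory. The following query is an added example (not one of the page's own queries) that puts the labels to use: it keeps only identities labelled Very High or High and joins them to alerts from the last seven days, so an analyst can triage alerts touching critical accounts first. It assumes the Microsoft Sentinel tables `IdentityInfo`, `AlertEvidence` and `AlertInfo` as delivered by the Defender XDR connector (each with a `TimeGenerated` column); the seven-day window and the choice of tiers are illustrative.

```kql
// Added example, not part of the original page: recent alerts involving
// Very High / High criticality identities, most critical identities first.
// Assumes Sentinel tables IdentityInfo, AlertEvidence and AlertInfo with TimeGenerated.
let CriticalIdentities =
    IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | extend CriticalityLabel = case(
        CriticalityLevel == 0, "Very High",
        CriticalityLevel == 1, "High",
        CriticalityLevel == 2, "Medium",
        CriticalityLevel == 3, "Low",
        CriticalityLevel == 4, "Not defined",
        "Unknown")
    // Only the two highest tiers; widen this list if Medium should be covered too.
    | where CriticalityLabel in ("Very High", "High")
    | project AccountObjectId, AccountUpn, AccountDisplayName, CriticalityLevel, CriticalityLabel;
AlertEvidence
| where TimeGenerated > ago(7d)
// Keep user entities that carry an object id we can match on.
| where EntityType == "User" and isnotempty(AccountObjectId)
| project TimeGenerated, AlertId, AccountObjectId
| join kind=inner CriticalIdentities on AccountObjectId
| join kind=inner (
    AlertInfo
    | where TimeGenerated > ago(7d)
    | project AlertId, Title, Severity, Category, ServiceSource
  ) on AlertId
| summarize AlertCount = dcount(AlertId),
            Severities = make_set(Severity),
            AlertTitles = make_set(Title, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by AccountUpn, AccountDisplayName, CriticalityLabel, CriticalityLevel
// Level 0 is Very High, so ascending level lists the most critical identities first.
| sort by CriticalityLevel asc, AlertCount desc
```

Because `AlertEvidence` can hold several rows per alert and user, the alert count uses `dcount(AlertId)` rather than `count()`; the numeric `CriticalityLevel` is carried through for sorting because sorting on the label text would put "High" ahead of "Very High".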

All Assets

```kql
ExposureGraphNodes 
| where isnotempty(NodeProperties.rawData.criticalityLevel.criticalityLevel)
| mv-expand RuleName = NodeProperties.rawData.criticalityLevel.ruleNames
| extend RuleBasedCriticalityLevel = NodeProperties.rawData.criticalityLevel.ruleBasedCriticalityLevel
| extend CriticalityLevel = NodeProperties.rawData.criticalityLevel.criticalityLevel
| extend isSensitive = NodeProperties.rawData.tags has "Sensitive"
| extend CriticalityLabel = case(
    CriticalityLevel == 0, "Very High",
    CriticalityLevel == 1, "High",
    CriticalityLevel == 2, "Medium",
    CriticalityLevel == 3, "Low",
    "Not Defined"
)
| extend RuleBasedCriticalityLabel = case(
    RuleBasedCriticalityLevel == 0, "Very High",
    RuleBasedCriticalityLevel == 1, "High",
    RuleBasedCriticalityLevel == 2, "Medium",
    RuleBasedCriticalityLevel == 3, "Low",
    "Not Defined"
)
| project NodeName, NodeLabel, RuleName, RuleBasedCriticalityLevel, RuleBasedCriticalityLabel, CriticalityLevel, CriticalityLabel, isSensitive
| sort by NodeLabel
```

Assets where the Criticality Level is assigned manually

```kql
ExposureGraphNodes
| where isnotempty(NodeProperties.rawData.criticalityLevel.criticalityLevel)
| mv-expand RuleName = NodeProperties.rawData.criticalityLevel.ruleNames
// Filter on the rule name before the projection and sort so only manual assignments are processed further
| where RuleName == "Manually Assigned"
| extend RuleBasedCriticalityLevel = NodeProperties.rawData.criticalityLevel.ruleBasedCriticalityLevel
| extend CriticalityLevel = NodeProperties.rawData.criticalityLevel.criticalityLevel
| extend isSensitive = NodeProperties.rawData.tags has "Sensitive"
| extend CriticalityLabel = case(
    CriticalityLevel == 0, "Very High",
    CriticalityLevel == 1, "High",
    CriticalityLevel == 2, "Medium",
    CriticalityLevel == 3, "Low",
    "Not Defined"
)
| extend RuleBasedCriticalityLabel = case(
    RuleBasedCriticalityLevel == 0, "Very High",
    RuleBasedCriticalityLevel == 1, "High",
    RuleBasedCriticalityLevel == 2, "Medium",
    RuleBasedCriticalityLevel == 3, "Low",
    "Not Defined"
)
| project NodeName, NodeLabel, RuleName, RuleBasedCriticalityLevel, RuleBasedCriticalityLabel, CriticalityLevel, CriticalityLabel, isSensitive
| sort by NodeLabel
```
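A manually assigned level is only useful if it is reviewed. The query below is an added example (not one of the page's queries) that flags assets whose manually assigned effective level differs from the level the classification rules would have produced, which is the set an owner should periodically confirm. It uses the same `ExposureGraphNodes` fields as the queries above and assumes, as they do, that the rule name `Manually Assigned` marks a manual override; the `Direction` wording is the author's own.

```kql
// Added example, not part of the original page: manually assigned criticality
// that disagrees with the rule-based level. Assumes the ExposureGraphNodes
// schema used by the page; "Manually Assigned" is the rule name the page relies on.
ExposureGraphNodes
| where isnotempty(NodeProperties.rawData.criticalityLevel.criticalityLevel)
| extend CriticalityLevel = toint(NodeProperties.rawData.criticalityLevel.criticalityLevel)
| extend RuleBasedCriticalityLevel = toint(NodeProperties.rawData.criticalityLevel.ruleBasedCriticalityLevel)
| extend RuleNames = NodeProperties.rawData.criticalityLevel.ruleNames
// has works on the dynamic array, so no mv-expand is needed for a yes/no check
| extend IsManual = RuleNames has "Manually Assigned"
| where IsManual
    and isnotnull(RuleBasedCriticalityLevel)
    and CriticalityLevel != RuleBasedCriticalityLevel
// Level 0 is Very High, so a larger effective level means the asset was downgraded.
| extend Direction = iff(CriticalityLevel > RuleBasedCriticalityLevel,
                         "Downgraded: manual level is lower than the rule-based level",
                         "Upgraded: manual level is higher than the rule-based level")
| extend CriticalityLabel = case(
    CriticalityLevel == 0, "Very High",
    CriticalityLevel == 1, "High",
    CriticalityLevel == 2, "Medium",
    CriticalityLevel == 3, "Low",
    "Not Defined")
| extend RuleBasedCriticalityLabel = case(
    RuleBasedCriticalityLevel == 0, "Very High",
    RuleBasedCriticalityLevel == 1, "High",
    RuleBasedCriticalityLevel == 2, "Medium",
    RuleBasedCriticalityLevel == 3, "Low",
    "Not Defined")
| project NodeName, NodeLabel, RuleNames, RuleBasedCriticalityLabel, CriticalityLabel, Direction
// Downgrades first, and within them the assets the rules rated highest
| sort by Direction asc, RuleBasedCriticalityLevel asc
```

Downgrades deserve the closer look: an asset the rules rated Very High but someone set to Low drops out of the critical-asset views the earlier queries build, so the override should be confirmed as intentional.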

## Explanation

This document provides a summary of KQL (Kusto Query Language) queries used to retrieve critical asset information from Microsoft Defender XDR. The queries are designed to identify and categorize assets based on their criticality levels.

### Query Breakdown

1. **Identities with Criticality Information**
   - This query retrieves identity information from the `IdentityInfo` table.
   - It selects the most recent entry for each identity using `arg_max`.
   - It assigns a human-readable label to each identity based on its criticality level (e.g., "Very High", "High").
   - The results include account details and are sorted by type.
2. **All Assets**
   - This query extracts data from the `ExposureGraphNodes` table.
   - It focuses on assets with a defined criticality level.
   - The query expands the rule names associated with each asset and determines whether an asset is tagged as sensitive.
   - It assigns labels to both the criticality level and the rule-based criticality level.
   - The results include node details and are sorted by node label.
3. **Assets with Manually Assigned Criticality**
   - Like the previous query, this one also pulls data from `ExposureGraphNodes`.
   - It specifically filters for assets where the criticality level is manually assigned.
   - The query follows the same process of expanding rule names and labeling criticality levels.
   - The results are sorted by node label and only include assets with the "Manually Assigned" rule name.

These queries help in managing and protecting critical assets by providing insight into their criticality and sensitivity, allowing for better security management and prioritization.

## Details

- **Author:** Alex Verboon
- **Released:** April 16, 2026
- **Tables:** IdentityInfo, ExposureGraphNodes
- **Keywords:** IdentityInfo, AccountObjectId, AccountName, AccountUpn, AccountDisplayName, CriticalityLabel, Type, ExposureGraphNodes, NodeProperties, RawData, CriticalityLevel, RuleNames, RuleBasedCriticalityLevel, IsSensitive, NodeName, NodeLabel, RuleName, ManuallyAssigned
- **Operators:** summarize, arg_max, extend, case, project, sort, where, isnotempty, mv-expand, has