Query Details

Microsoft Defender XDR - Critical Assets

MDXDR Critical Assets

Query

IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| extend CriticalityLabel = case(
    CriticalityLevel == 0, "Very High",
    CriticalityLevel == 1, "High",
    CriticalityLevel == 2, "Medium",
    CriticalityLevel == 3, "Low",
    CriticalityLevel == 4, "Not defined",
    "Unknown"
)
| project AccountName,AccountUpn, AccountDisplayName, CriticalityLabel, Type
| sort by Type

About this query

Explanation

This document provides a summary of KQL (Kusto Query Language) queries used to retrieve critical asset information from Microsoft Defender XDR. The queries are designed to identify and categorize assets based on their criticality levels.

Query Breakdown

  1. Identities with Criticality Information:

    • This query retrieves identity information from the IdentityInfo table.
    • It selects the most recent entry for each identity using arg_max.
    • It assigns a human-readable label to each identity based on its criticality level (e.g., "Very High", "High").
    • The results include account details and are sorted by type.
  2. All Assets:

    • This query extracts data from the ExposureGraphNodes table.
    • It focuses on assets with a defined criticality level.
    • The query expands on rule names associated with each asset and determines if an asset is marked as sensitive.
    • It assigns labels to both the criticality level and rule-based criticality level.
    • The results include node details and are sorted by node label.
  3. Assets with Manually Assigned Criticality:

    • Similar to the previous query, this one also pulls data from ExposureGraphNodes.
    • It specifically filters for assets where the criticality level is manually assigned.
    • The query follows the same process of expanding rule names and labeling criticality levels.
    • The results are sorted by node label and only include assets with the "Manually Assigned" rule name.

These queries help in managing and protecting critical assets by providing insights into their criticality and sensitivity, allowing for better security management and prioritization.

Details

Alex Verboon profile picture

Alex Verboon

Released: April 16, 2026

Tables

IdentityInfoExposureGraphNodes

Keywords

IdentityInfoAccountObjectIdNameUpnDisplayCriticalityLabelTypeExposureGraphNodesNodePropertiesRawDataLevelRuleNamesBasedIsSensitiveManuallyAssigned

Operators

summarizearg_maxextendcaseprojectsortwhereisnotemptymv-expandhas

Actions

GitHub