# Identify assets from MDEASM in Exposure Management

## Description

The following query will help identify which assets are available from Microsoft Defender External Attack Surface Management in the Advanced Hunting tables from Exposure Management.

### References
- https://www.michalos.net/2025/07/31/breaking-down-the-microsoft-defender-external-attack-surface-management-opportunities-for-queries-in-advanced-hunting-log-analytics-workspace/

### Microsoft Defender XDR
```
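ExposureGraphNodes
// Pull the deep link out of the node's raw data and cast it to string for the string comparison
| extend deepLinkInfo = tostring(parse_json(NodeProperties)["rawData"]["deepLink"])
// Keep only nodes whose deep link opens the Defender EASM view in the Azure portal
| where deepLinkInfo startswith "https://portal.azure.com/#view/Microsoft_Azure_EASM/"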
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 31/07/2025    | Initial publish                        |

Explanation

This query is designed to identify assets from Microsoft Defender External Attack Surface Management (MDEASM) within the Exposure Management Advanced Hunting tables. Here's a simple breakdown of what the query does:

  1. Data Source: It uses the ExposureGraphNodes table, which contains information about various nodes (or assets) related to exposure management.

  2. Data Processing:

    • It extracts a specific piece of information called deepLinkInfo from the NodeProperties column. This is done by parsing the JSON data within NodeProperties to access the rawData and then the deepLink.

  3. Filtering:

    • The query filters the results to only include those assets whose deepLinkInfo starts with the URL https://portal.azure.com/#view/Microsoft_Azure_EASM/. This URL pattern indicates that the asset is associated with Microsoft Defender External Attack Surface Management.

In summary, the query helps you find and list assets that are managed by Microsoft Defender External Attack Surface Management by looking for specific links in the data that point to the Azure portal's EASM view.
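The following is an added example, not part of the original query or the author's code. It applies the same deep-link filter to a small constructed table so the behaviour can be checked without live data, and breaks the result down per `NodeLabel`. The table name `SampleNodes`, every row value, the node labels and the `placeholder-*` link suffixes are assumptions made up for illustration.

```kusto
// Constructed sample rows standing in for ExposureGraphNodes.
// All values (ids, labels, names, link suffixes) are made up for this example.
let SampleNodes = datatable(NodeId:string, NodeLabel:string, NodeName:string, NodeProperties:dynamic)
[
    "n1", "label-a", "www.example.com",
        dynamic({"rawData":{"deepLink":"https://portal.azure.com/#view/Microsoft_Azure_EASM/placeholder-1"}}),
    "n2", "label-a", "mail.example.com",
        dynamic({"rawData":{"deepLink":"https://portal.azure.com/#view/Microsoft_Azure_EASM/placeholder-2"}}),
    // Deep link points at a different portal view: must not be counted as EASM
    "n3", "label-b", "vm-01",
        dynamic({"rawData":{"deepLink":"https://portal.azure.com/#view/SomeOtherView/placeholder-3"}}),
    // No deepLink property at all: tostring() yields an empty string, so the filter is false
    "n4", "label-c", "laptop-01",
        dynamic({"rawData":{}})
];
SampleNodes
| extend deepLinkInfo = tostring(NodeProperties["rawData"]["deepLink"])
| extend IsEasm = deepLinkInfo startswith "https://portal.azure.com/#view/Microsoft_Azure_EASM/"
// Per node label: total nodes, how many carry an EASM deep link, and one example link for triage
| summarize Nodes = count(),
            EasmNodes = countif(IsEasm),
            ExampleLink = take_anyif(deepLinkInfo, IsEasm)
    by NodeLabel
| order by EasmNodes desc
```

To run the breakdown against real data, replace `SampleNodes` in the final statement with `ExposureGraphNodes` and drop the `let` block.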

Details

Michalis Michalos

Released: July 31, 2025

Tables

ExposureGraphNodes

Keywords

Assets

Operators

extend, parse_json, where, startswith