Identify Assets From Mdeasm In Exposure Management That Match Ti
Query
let TIIPs =
ThreatIntelligenceIndicator
| extend TIIPAddress = tostring(NetworkIP)
| where isnotempty(TIIPAddress)
| project TIIPAddress, ThreatType, Description, ConfidenceScore;
let EASMIPs =
ExposureGraphNodes
| where NodeLabel == "IP address"
| project EASPIPAdress = tostring(NodeName);
TIIPs
| join kind=inner (
EASMIPs
) on $left.TIIPAddress == $right.EASPIPAdressAbout this query
Identify assets from MDEASM in Exposure Management that match TI
Description
The following query will help identify which IPs from Microsoft Defender External Attack Surface Management in the Advanced Hunting tables from Exposure Management match Threat Intelligence indicators and the ThreatIntelligenceIndicator table.
References
Microsoft Defender XDR
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 31/07/2025 | Initial publish |
Explanation
This query is designed to identify IP addresses from Microsoft Defender External Attack Surface Management (MDEASM) that match threat intelligence indicators. Here's a simple breakdown of what the query does:
-
Threat Intelligence IPs (TIIPs):
- It extracts IP addresses from the
ThreatIntelligenceIndicatortable. - It ensures that only non-empty IP addresses are considered.
- It selects relevant columns: the IP address (
TIIPAddress), the type of threat, a description, and a confidence score.
- It extracts IP addresses from the
-
Exposure Management IPs (EASMIPs):
- It retrieves IP addresses from the
ExposureGraphNodestable where the node is labeled as an "IP address." - It projects these IP addresses into a new column called
EASPIPAdress.
- It retrieves IP addresses from the
-
Matching IPs:
- The query performs an inner join between the two sets of IP addresses (
TIIPsandEASMIPs). - It matches IP addresses from the threat intelligence data with those from the exposure management data.
- The query performs an inner join between the two sets of IP addresses (
In summary, this query helps identify which IPs from your organization's external attack surface, as managed by Microsoft Defender, are also flagged in threat intelligence databases. This can be useful for prioritizing security efforts on assets that are both exposed and potentially compromised.
Details

Michalis Michalos
Released: July 31, 2025
Tables
Keywords
Operators