# Identify assets from MDEASM in Exposure Management that match TI

## Description

The following query helps identify which IP addresses from Microsoft Defender External Attack Surface Management (MDEASM), as surfaced in the Exposure Management Advanced Hunting tables, match Threat Intelligence indicators in the ThreatIntelligenceIndicator table.

### References
- https://www.michalos.net/2025/07/31/breaking-down-the-microsoft-defender-external-attack-surface-management-opportunities-for-queries-in-advanced-hunting-log-analytics-workspace/

### Microsoft Defender XDR
```kql
// Threat intelligence indicators that carry an IP address
let TIIPs =
    ThreatIntelligenceIndicator
    | extend TIIPAddress = tostring(NetworkIP)
    | where isnotempty(TIIPAddress)
    | project TIIPAddress, ThreatType, Description, ConfidenceScore;
// MDEASM IP-address assets as represented in the Exposure Management graph
let EASMIPs =
    ExposureGraphNodes
    | where NodeLabel == "IP address"
    | project EASPIPAdress = tostring(NodeName);
// Keep only the IPs that appear in both sets
TIIPs
| join kind=inner (
    EASMIPs
) on $left.TIIPAddress == $right.EASPIPAdress
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 31/07/2025    | Initial publish                        |

## Explanation

This query is designed to identify IP addresses from Microsoft Defender External Attack Surface Management (MDEASM) that match threat intelligence indicators. Here's a simple breakdown of what the query does:

1. Threat Intelligence IPs (TIIPs):
   - It extracts IP addresses from the ThreatIntelligenceIndicator table.
   - It ensures that only non-empty IP addresses are considered.
   - It selects relevant columns: the IP address (TIIPAddress), the type of threat, a description, and a confidence score.
2. Exposure Management IPs (EASMIPs):
   - It retrieves IP addresses from the ExposureGraphNodes table where the node is labeled "IP address".
   - It projects these IP addresses into a new column called EASPIPAdress.
3. Matching IPs:
   - The query performs an inner join between the two sets of IP addresses (TIIPs and EASMIPs).
   - It matches IP addresses from the threat intelligence data with those from the exposure management data.

In summary, this query helps identify which IPs from your organization's external attack surface, as managed by Microsoft Defender, are also flagged in threat intelligence databases. This can be useful for prioritizing security efforts on assets that are both exposed and potentially compromised.
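As an added example (not part of the original query or the author's post), the same MDEASM/TI match tightened for triage: only active, unexpired indicators count, duplicate indicator versions are collapsed, hits are ranked by confidence, and each matched IP is enriched with the Exposure Management assets linked to it. It assumes the Active, ExpirationDateTime, IndicatorId and TimeGenerated columns of ThreatIntelligenceIndicator and the SourceNodeId, TargetNodeLabel and TargetNodeName columns of ExposureGraphEdges.

```kql
// Added example, not the page's own query. Assumed columns are noted inline.
let lookback = 90d;
// Active, unexpired TI indicators, one row per IP with aggregated context
let TIIPs =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(lookback)                 // assumed column
    | where Active == true and ExpirationDateTime > now() // assumed columns
    | extend TIIPAddress = tostring(NetworkIP)
    | where isnotempty(TIIPAddress)
    // keep only the latest version of each indicator (assumed IndicatorId column)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | summarize ThreatTypes = make_set(ThreatType),
                Descriptions = make_set(Description),
                MaxConfidence = max(ConfidenceScore),
                IndicatorCount = count() by TIIPAddress;
// MDEASM IP-address nodes, keeping NodeId so the hit can be pivoted in the graph
let EASMIPs =
    ExposureGraphNodes
    | where NodeLabel == "IP address"
    | project NodeId, EASMIPAddress = tostring(NodeName);
// Assets the graph links to each node (assumed ExposureGraphEdges columns)
let RelatedAssets =
    ExposureGraphEdges
    | summarize RelatedAssets = make_set(strcat(TargetNodeLabel, ":", TargetNodeName), 50)
        by SourceNodeId;
EASMIPs
| join kind=inner TIIPs on $left.EASMIPAddress == $right.TIIPAddress
| join kind=leftouter RelatedAssets on $left.NodeId == $right.SourceNodeId
| project EASMIPAddress, NodeId, MaxConfidence, IndicatorCount,
          ThreatTypes, Descriptions, RelatedAssets
| order by MaxConfidence desc, IndicatorCount desc
```

Run it over a short lookback first; the make_set cap of 50 keeps the RelatedAssets column readable for IPs that front many hosts or domains.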

## Details

Author: Michalis Michalos

Released: July 31, 2025

Tables: ThreatIntelligenceIndicator, ExposureGraphNodes

Keywords: ThreatIntelligenceIndicator, ExposureGraphNodes, Microsoft Defender External Attack Surface Management, Advanced Hunting, Threat Intelligence

Operators: let, extend, tostring, where, isnotempty, project, join, on