Query Details

Identify CVEs in MDEASM Web Pages Through Exposure Management

Query

# Identify CVEs in MDEASM web pages through Exposure Management

## Description

The following query will help identify CVEs associated with web pages from MDEASM in the Advanced Hunting tables from Exposure Management.

### References
- https://www.michalos.net/2025/07/31/breaking-down-the-microsoft-defender-external-attack-surface-management-opportunities-for-queries-in-advanced-hunting-log-analytics-workspace/

### Microsoft Defender XDR
```
let WebPages = ExposureGraphNodes
| where NodeLabel == "web-page"
| project NodeId, NodeName;
WebPages
| join kind=inner (
    ExposureGraphEdges
    | where EdgeLabel == "affecting"
    | where SourceNodeLabel == "Cve"
    | project SourceNodeId, TargetNodeId, SourceNodeName
) on $left.NodeId == $right.TargetNodeId
| project Node=TargetNodeId, NodeName, VulnerabilityCVE=SourceNodeName
| order by NodeName
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 31/07/2025    | Initial publish                        |

Explanation

This query is designed to identify Common Vulnerabilities and Exposures (CVEs) associated with web pages in Microsoft Defender External Attack Surface Management (MDEASM) using the Advanced Hunting feature. Here's a simple breakdown of what the query does:

  1. Select Web Pages: It starts by filtering nodes labeled as "web-page" from the ExposureGraphNodes table, selecting their IDs and names.

  2. Join with CVEs: It then performs an inner join with the ExposureGraphEdges table to find connections where the edge label is "affecting" and the source node is labeled as "Cve". This helps in identifying which CVEs are linked to the web pages.

  3. Project Results: The query projects the results to show the node ID, node name (web page), and the associated CVE name.

  4. Order the Results: Finally, it orders the results by the web page name for easier readability.

In summary, this query helps security analysts quickly identify which web pages in their external attack surface are affected by specific vulnerabilities, aiding in exposure management and prioritization of security efforts.
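For the prioritization step mentioned above, the flat page/CVE list can be rolled up to one row per web page. This is an added example, not part of the author's published query. It reuses the same labels ("web-page", "affecting", "Cve") and assumes the standard `ExposureGraphNodes` and `ExposureGraphEdges` columns; the names `CveEdges`, `CVEs` and `CveCount` are introduced here for illustration.

```kql
// Added example: one row per MDEASM web page, with its CVE set and an exact count.
let WebPages = ExposureGraphNodes
| where NodeLabel == "web-page"
| project NodeId, NodeName;
// Same edge filter as the original query: Cve --affecting--> target node.
let CveEdges = ExposureGraphEdges
| where EdgeLabel == "affecting"
| where SourceNodeLabel == "Cve"
| project TargetNodeId, VulnerabilityCVE = SourceNodeName;
WebPages
// leftouter (instead of inner) keeps web pages with no CVE edge, so they appear with a count of 0.
| join kind=leftouter (CveEdges) on $left.NodeId == $right.TargetNodeId
// make_set_if de-duplicates CVE names and skips the empty value produced by unmatched pages.
| summarize CVEs = make_set_if(VulnerabilityCVE, isnotempty(VulnerabilityCVE)) by NodeId, NodeName
| extend CveCount = array_length(CVEs)
| order by CveCount desc, NodeName asc
```

Pages at the top of the result carry the most distinct CVEs; append `| where CveCount > 0` to return only affected pages, matching the scope of the original inner join.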

Details


Michalis Michalos

Released: July 31, 2025

Tables

ExposureGraphNodes, ExposureGraphEdges

Keywords

ExposureManagement, CVEs, WebPages, MDEASM, AdvancedHunting

Operators

let, |, where, ==, project, join, kind=inner, on, ==, order by
