Query Details

Identify IP Assets from MDEASM in Exposure Management That Match TI

Query

# Identify IP assets from MDEASM in Exposure Management that match TI

## Description

The following query identifies which IP addresses from Microsoft Defender External Attack Surface Management (MDEASM), as surfaced in the Exposure Management ExposureGraphNodes table in Advanced Hunting, match threat intelligence IP indicators. The query reads the ThreatIntelligenceIndicator table; if your workspace has moved to the newer ThreatIntelIndicators table, the observable is stored in STIX-style columns rather than NetworkIP and the first `let` block needs to be adjusted accordingly.

### References
- https://www.michalos.net/2025/07/31/breaking-down-the-microsoft-defender-external-attack-surface-management-opportunities-for-queries-in-advanced-hunting-log-analytics-workspace/

### Microsoft Defender XDR
```
let TIIPs = 
    ThreatIntelligenceIndicator
    // Indicators are re-ingested when updated: keep only the latest version of each,
    // and drop indicators that have been deactivated or have expired
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and (isnull(ExpirationDateTime) or ExpirationDateTime > now())
    // Only NetworkIP is matched; NetworkSourceIP/NetworkDestinationIP indicators are ignored here
    | extend TIIPAddress = tostring(NetworkIP)
    | where isnotempty(TIIPAddress)
    | project TIIPAddress, ThreatType, Description, ConfidenceScore;
let EASMIPs = 
    ExposureGraphNodes
    // IP nodes in the exposure graph; NodeName holds the address as a string
    | where NodeLabel == "IP address"
    | project EASMIPAddress = tostring(NodeName);
TIIPs
| join kind=inner (
    EASMIPs
) on $left.TIIPAddress == $right.EASMIPAddress
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 31/07/2025    | Initial publish                        |

Explanation

This query identifies IP addresses from Microsoft Defender External Attack Surface Management (MDEASM) that match threat intelligence indicators. Here's a simple breakdown of what the query does:

  1. Collect Threat Intelligence IPs:

    • It takes the NetworkIP value of each ThreatIntelligenceIndicator row, along with the threat type, description and confidence score. Indicators that only carry NetworkSourceIP or NetworkDestinationIP are not picked up by this step.
    • These IPs are stored in a let-bound dataset called TIIPs.
  2. Collect Exposure Management IPs:

    • It gathers the NodeName of every ExposureGraphNodes row whose NodeLabel is "IP address". The filter relies on NodeLabel alone; it does not check which connector created the node.
    • These IPs are stored in another let-bound dataset called EASMIPs.
  3. Find Matching IPs:

    • The query performs an inner join between TIIPs and EASMIPs on the IP address string, so only exact address matches are returned; TI CIDR indicators (NetworkCidrBlock) are not evaluated.
    • The result is the set of IPs present in both threat intelligence data and exposure management data.

In summary, this query helps security analysts identify IP addresses that are both part of their organization's external attack surface and flagged in threat intelligence, allowing for better prioritization of potential threats.
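As an added example (not the page's query and not code from the referenced article), the following KQL extends the same join in three ways: it also matches indicators whose IP sits in NetworkSourceIP or NetworkDestinationIP, it matches exposure-graph IPs against TI CIDR indicators with ipv4_is_in_range(), and it collapses the result to one row per exposure-graph node with the highest confidence seen. It assumes the standard ThreatIntelligenceIndicator columns (IndicatorId, Active, ExpirationDateTime, NetworkSourceIP, NetworkDestinationIP, NetworkCidrBlock) and the NodeId column of ExposureGraphNodes; the 14-day lookback is an arbitrary choice.

```kusto
// Added example: exact-IP and CIDR matching of Exposure Management IP nodes against
// active, unexpired TI indicators. Assumes standard table schemas (see lead-in).
let lookback = 14d;   // assumed window; tune to your TI retention
let ActiveTI =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(lookback)
    // Keep only the latest version of each indicator, then drop inactive/expired ones
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and (isnull(ExpirationDateTime) or ExpirationDateTime > now());
let TIIPs =
    ActiveTI
    // An indicator may carry its IP in any of these three columns
    | extend TIIPAddress = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP)
    | where isnotempty(TIIPAddress)
    | project TIIPAddress, IndicatorId, ThreatType, Description, ConfidenceScore;
let TICidrs =
    ActiveTI
    | where isnotempty(NetworkCidrBlock)
    | project NetworkCidrBlock, IndicatorId, ThreatType, Description, ConfidenceScore;
let EASMIPs =
    ExposureGraphNodes
    | where NodeLabel == "IP address"
    | extend EASMIPAddress = tostring(NodeName)
    | where isnotempty(EASMIPAddress)
    | project NodeId, EASMIPAddress;
let ExactMatches =
    EASMIPs
    | join kind=inner TIIPs on $left.EASMIPAddress == $right.TIIPAddress
    | extend MatchType = "ExactIP", MatchedIndicator = TIIPAddress;
let CidrMatches =
    EASMIPs
    // ipv4_is_in_range() cannot be a join key, so cross-join on a constant and filter;
    // the CIDR set is normally small, so this stays cheap
    | extend dummy = 1
    | join kind=inner (TICidrs | extend dummy = 1) on dummy
    | where ipv4_is_in_range(EASMIPAddress, NetworkCidrBlock)
    | extend MatchType = "CIDR", MatchedIndicator = NetworkCidrBlock
    | project-away dummy, dummy1;
union ExactMatches, CidrMatches
| summarize MaxConfidence   = max(ConfidenceScore),
            ThreatTypes     = make_set(ThreatType),
            Indicators      = make_set(MatchedIndicator),
            MatchTypes      = make_set(MatchType),
            IndicatorCount  = dcount(IndicatorId)
          by NodeId, EASMIPAddress
| order by MaxConfidence desc
```

The summarize step is what makes the output triage-friendly: an exposed IP that appears in several indicators (or in both an exact indicator and a CIDR block) surfaces once, with the strongest confidence and the union of threat types, rather than as one row per indicator.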

Details


Michalis Michalos

Released: August 5, 2025

Tables

ThreatIntelligenceIndicator, ExposureGraphNodes

Keywords

ThreatIntelligenceIndicator, ExposureGraphNodes, NetworkIP, NodeLabel, NodeName

Operators

let, extend, tostring, where, isnotempty, project, join, on
