List Activities Compromised Device Can Perform as Source

Detection Query

```KQL
// List activities device can do as source
// Device to investigate; replace with the name of the suspected-compromised host
let DeviceName = "laptop.test.com";
ExposureGraphEdges
// Keep only edges that originate from this device
| where SourceNodeLabel == "device"
| where SourceNodeName == DeviceName
// For each edge type, count and collect the distinct targets it reaches
| summarize Total = dcount(TargetNodeName), Details = make_set(TargetNodeName) by EdgeLabel, SourceNodeName
| project Source = SourceNodeName, Action = EdgeLabel, Details, Total
```

Platforms

azure-sentinel

Tags

dfir