Querying Azure Defender with lokqlDx - NeilMacMullen/kusto-loco GitHub Wiki

LokqlDx can issue KQL queries to Azure Defender resources using the .defender command and render the results locally.


.set tenantid 1eb4...

.defender $tenantid
SecurityResources
| where type =~ "microsoft.security/assessments/subassessments"
| summarize count() by type
| render columnchart

Command format

.defender accepts an optional tenant id, as in the example above (.defender $tenantid).

Rendering

Although the Defender API does not accept the render operator, LokqlDx will process the render clause, remove it from the query before submission, and then use the visualization state to render locally.
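
The split described above, sketched as an added example in Python. It is not LokqlDx's own code (the project is written in C#), and the names `top_level_pipes` and `split_render` are hypothetical. It assumes render is the final pipeline stage and does not handle verbatim (`@"..."`) strings.

```python
import re

# Constructed sample: the query shown on this page, minus the .defender line.
PAGE_QUERY = '''SecurityResources
| where type =~ "microsoft.security/assessments/subassessments"
| summarize count() by type
| render columnchart'''

def top_level_pipes(query):
    """Offsets of '|' that separate stages, skipping string literals and // comments."""
    positions, quote, i = [], None, 0
    while i < len(query):
        ch = query[i]
        if quote:                        # inside "..." or '...'
            if ch == "\\":
                i += 1                   # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif query.startswith("//", i):  # comment runs to end of line
            nl = query.find("\n", i)
            i = len(query) if nl == -1 else nl
            continue
        elif ch == "|":
            positions.append(i)
        i += 1
    return positions

def split_render(query):
    """Return (query_to_submit, visualization); visualization is None without a render stage."""
    pipes = top_level_pipes(query)
    if pipes:
        tail = query[pipes[-1] + 1:]
        m = re.match(r"\s*render\s+(\w+)\b(.*)", tail, re.I | re.S)
        if m:
            viz = {"chart": m.group(1).lower(), "properties": m.group(2).strip()}
            return query[:pipes[-1]].rstrip(), viz
    return query.strip(), None

if __name__ == "__main__":
    remote, viz = split_render(PAGE_QUERY)
    print("submit to API:\n" + remote)
    print("render locally as:", viz)
```

A query whose string literal merely contains the text "| render ..." is left untouched, because pipes inside quotes are not treated as stage separators.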