Query Details

1 Overview Of Attack Paths

Query

securityresources
| where type == "microsoft.security/attackpaths"
| extend attackPathSteps = tolower(tostring(properties.attackPathSteps)) // steps is a dynamic array, so convert to string first
| where attackPathSteps has "has permissions to" // has is case-insensitive, so the tolower() above is optional
| extend graphComponent = properties.graphComponent
| mv-expand connection = graphComponent.connections
| extend connectionTitle = tostring(connection["title"])
| where connectionTitle == "has permissions to" // consider using set of definition keys
| extend sourceEntityInternalId = tostring(connection["sourceEntityInternalId"])
| mv-expand entity = graphComponent.entities
| extend entityInternalId = tostring(entity["entityInternalId"])
| where sourceEntityInternalId == entityInternalId // keep only the entity on the source side of the permission edge
| extend entityType = tostring(entity.entityType)
| extend attackpath = tostring(properties.displayName), attackPathType = tostring(properties.attackPathType), attackPathId = tostring(properties.attackPathId)
| extend refreshInterval = tostring(properties.refreshInterval)
| extend riskLevel = tostring(properties.riskLevel)
| extend riskFactors = parse_json(properties.riskFactors)
// riskLevel is a string, so sort on a severity rank; a plain string sort would put "Low" before "Medium"
| extend riskRank = case(riskLevel == "Critical", 0, riskLevel == "High", 1, riskLevel == "Medium", 2, riskLevel == "Low", 3, 4)
| order by riskRank asc
| project attackpath, subscriptionId, riskLevel, riskFactors, attackPathType, attackPathId, refreshInterval

Explanation

This KQL (Kusto Query Language) query runs against Azure Resource Graph and lists the Microsoft Defender for Cloud attack paths that contain a "has permissions to" step, i.e. paths in which an identity or resource holds permissions on another resource. Here's a breakdown of what the query does:

  1. Filter for Attack Paths: It starts by selecting securityresources of the type "microsoft.security/attackpaths", the records produced by Defender CSPM attack path analysis.

  2. Identify Relevant Attack Path Steps: It converts the attackPathSteps array to a string and keeps only paths whose steps include the phrase "has permissions to". The `has` operator is case-insensitive and matches whole terms, so lower-casing the steps first is not strictly required.

  3. Expand Graph Components: mv-expand turns each entry of graphComponent.connections (the edges of the path graph) into its own row, so a path with several connections produces several rows.

  4. Filter Connections: It keeps only connections whose title is exactly "has permissions to". Note that `==` is case-sensitive; use `=~` if the title casing in your tenant differs.

  5. Match Source and Entity IDs: It expands graphComponent.entities as well and keeps only the entity whose entityInternalId equals the connection's sourceEntityInternalId. This is effectively a join between the connections and entities arrays of the same record and yields the entity that holds the permission (the source side of the edge), not the target it has permissions on.

  6. Extract and Extend Information: It extracts various details about the attack path, such as:

    • attackpath: The display name of the attack path.
    • attackPathType, attackPathId: Type and ID of the attack path.
    • refreshInterval: How often the attack path information is refreshed.
    • riskLevel: The risk level associated with the attack path ("Critical", "High", "Medium" or "Low").
    • riskFactors: Additional risk factors parsed as JSON (for example sensitive data or internet exposure).
    • entityType: The type of the entity that holds the permission. It is computed but not projected; add it to the project clause if you want to see who holds the permission.
  7. Sort and Project Results: Finally, it orders the results by risk level and selects specific columns to display: attack path name, subscription ID, risk level, risk factors, attack path type, attack path ID, and refresh interval. Because riskLevel is a string, a plain `order by riskLevel asc` sorts alphabetically and places "Low" before "Medium"; map the level to a numeric rank with case() and sort on that so the most severe paths come first.

One caveat when reading the output: a path with more than one "has permissions to" connection produces one row per matching connection, and since the entity columns are not projected these rows look like duplicates. Project entityType (or summarize the permission holders per attackPathId with make_set) to tell them apart.

In summary, this query is used to identify and analyze attack paths with permissions-related connections, focusing on their risk levels and the entities that hold the permissions.
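As an added example, not the query above or the author's code, the following KQL performs the same extraction over three constructed attackpaths records declared with datatable, so it can be pasted into any Kusto or Azure Data Explorer endpoint without an Azure subscription. The field names follow the query above; the entityName field, the subscription IDs, entity IDs, display names and risk levels are made up. It differs from the original in three places: it matches the connection title with the case-insensitive `=~`, it sorts on a severity rank instead of the riskLevel string, and it collapses paths with several "has permissions to" edges into one row with a set of permission holders.

```kql
// Added example (not the original query): constructed attackpaths records used to
// show the source-entity join, the severity-rank sort and the duplicate-row case.
// Field names follow the query on this page; entityName and all IDs, names and
// risk values are made up.
let attackPaths = datatable(type:string, subscriptionId:string, properties:dynamic) [
  "microsoft.security/attackpaths", "sub-a", dynamic({
    "displayName": "Managed identity has permissions to storage account",
    "attackPathId": "path-medium", "riskLevel": "Medium",
    "attackPathSteps": ["Has permissions to"],
    "graphComponent": {
      "entities": [
        {"entityInternalId": "e1", "entityType": "ManagedIdentity", "entityName": "mi-web"},
        {"entityInternalId": "e2", "entityType": "StorageAccount", "entityName": "stdata01"}],
      "connections": [
        {"sourceEntityInternalId": "e1", "targetEntityInternalId": "e2", "title": "has permissions to"}]}}),
  "microsoft.security/attackpaths", "sub-a", dynamic({
    "displayName": "VM identities have permissions to key vault",
    "attackPathId": "path-high", "riskLevel": "High",
    "attackPathSteps": ["Has identity", "Has permissions to"],
    "graphComponent": {
      "entities": [
        {"entityInternalId": "e1", "entityType": "VirtualMachine", "entityName": "vm-app-01"},
        {"entityInternalId": "e2", "entityType": "ManagedIdentity", "entityName": "mi-app"},
        {"entityInternalId": "e3", "entityType": "ServicePrincipal", "entityName": "sp-deploy"},
        {"entityInternalId": "e4", "entityType": "KeyVault", "entityName": "kv-prod"}],
      "connections": [
        {"sourceEntityInternalId": "e1", "targetEntityInternalId": "e2", "title": "has identity"},
        {"sourceEntityInternalId": "e2", "targetEntityInternalId": "e4", "title": "has permissions to"},
        {"sourceEntityInternalId": "e3", "targetEntityInternalId": "e4", "title": "has permissions to"}]}}),
  "microsoft.security/attackpaths", "sub-b", dynamic({
    "displayName": "Service principal has permissions to subscription",
    "attackPathId": "path-low", "riskLevel": "Low",
    "attackPathSteps": ["Has permissions to"],
    "graphComponent": {
      "entities": [
        {"entityInternalId": "e1", "entityType": "ServicePrincipal", "entityName": "sp-reader"},
        {"entityInternalId": "e2", "entityType": "Subscription", "entityName": "sub-b"}],
      "connections": [
        {"sourceEntityInternalId": "e1", "targetEntityInternalId": "e2", "title": "has permissions to"}]}})
];
attackPaths
| where type == "microsoft.security/attackpaths"
| where tostring(properties.attackPathSteps) has "has permissions to"   // has is case-insensitive
| extend graphComponent = properties.graphComponent
| mv-expand connection = graphComponent.connections                     // one row per edge
| where tostring(connection.title) =~ "has permissions to"             // =~ ignores title casing
| extend sourceEntityInternalId = tostring(connection.sourceEntityInternalId)
| mv-expand entity = graphComponent.entities                            // one row per edge x entity
| where tostring(entity.entityInternalId) == sourceEntityInternalId    // keep the source side of the edge
| extend permissionHolder = strcat(tostring(entity.entityType), ":", tostring(entity.entityName))
| extend riskLevel = tostring(properties.riskLevel)
// A string sort would order Critical, High, Low, Medium; rank by severity instead.
| extend riskRank = case(riskLevel == "Critical", 0, riskLevel == "High", 1,
                         riskLevel == "Medium", 2, riskLevel == "Low", 3, 4)
// path-high has two permission edges; collapse them into one row with a set of holders.
| summarize permissionHolders = make_set(permissionHolder)
    by attackPathId = tostring(properties.attackPathId), subscriptionId, riskLevel, riskRank
| order by riskRank asc
| project attackPathId, subscriptionId, riskLevel, permissionHolders
```

Run as written, the result should list path-high first with both ManagedIdentity:mi-app and ServicePrincipal:sp-deploy in permissionHolders, then path-medium, then path-low; with the original alphabetical sort on riskLevel, path-low would precede path-medium, and path-high would appear twice. To run it against a real tenant, replace `attackPaths` with `securityresources` in Azure Resource Graph Explorer and drop the datatable.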

Details


Thomas Naunheim

Released: June 4, 2025

Tables

securityresources

Keywords

SecurityResources

Operators

where, extend, tolower, has, mv-expand, tostring, parse_json, order by, project
