Query Details

3 Finding Sensitive Roles With CSPM Posture And Used By OAuth

Query

WorkloadIdentityInfoXdr
| mv-expand parse_json(AssignedAzureRoles)
| where parse_json(AssignedAzureRoles)["RoleIsPrivileged"] == 'true'
| where parse_json(AssignedAzureRoles)["IsOverProvisioned"] == 'true' or parse_json(AssignedAzureRoles)["IsIdentityInactive"] == 'true' 

Explanation

This query analyzes data from the WorkloadIdentityInfoXdr table. Here is a simple breakdown of what it does:

  1. Expand Assigned Azure Roles: It parses the AssignedAzureRoles field, which holds a JSON array of role assignments, and expands it so that each role assignment becomes its own row and can be evaluated individually.

  2. Filter Privileged Roles: It filters the roles to only include those where the RoleIsPrivileged property is set to 'true'. This means it focuses on roles with elevated permissions.

  3. Filter Over-Provisioned or Inactive Identities: It further filters these privileged roles to find cases where either:

    • The role is over-provisioned (IsOverProvisioned is 'true'), meaning the role has more permissions than necessary.
    • The identity associated with the role is inactive (IsIdentityInactive is 'true').

In summary, the query identifies privileged roles that are either over-provisioned or associated with inactive identities.
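To exercise the same filtering logic offline, the following is an added example (not part of the original query or the author's catalog) that runs the two filters over a constructed datatable standing in for WorkloadIdentityInfoXdr and labels which condition matched. The AppDisplayName and RoleDefinitionName columns are assumed for illustration; only the AssignedAzureRoles fields used by the query above are taken from the page, and the string "true" values mirror the comparison the query uses.

```kql
// Constructed sample rows (schema assumed; column names other than
// AssignedAzureRoles and its RoleIsPrivileged / IsOverProvisioned /
// IsIdentityInactive properties are illustrative only).
let SampleWorkloadIdentities = datatable(AppDisplayName:string, AssignedAzureRoles:dynamic) [
    "svc-backup-automation", dynamic([
        {"RoleDefinitionName":"Owner", "RoleIsPrivileged":"true", "IsOverProvisioned":"true", "IsIdentityInactive":"false"},
        {"RoleDefinitionName":"Reader", "RoleIsPrivileged":"false", "IsOverProvisioned":"false", "IsIdentityInactive":"false"}
    ]),
    "svc-legacy-reporting", dynamic([
        {"RoleDefinitionName":"Contributor", "RoleIsPrivileged":"true", "IsOverProvisioned":"false", "IsIdentityInactive":"true"}
    ]),
    "svc-monitoring-reader", dynamic([
        // Over-provisioned but not privileged: must be dropped by the first filter.
        {"RoleDefinitionName":"Reader", "RoleIsPrivileged":"false", "IsOverProvisioned":"true", "IsIdentityInactive":"false"}
    ])
];
SampleWorkloadIdentities
// One row per role assignment; the expanded element is bound to the name Role.
| mv-expand Role = AssignedAzureRoles
// Step 2 from the explanation: keep privileged roles only.
| where tostring(Role.RoleIsPrivileged) == "true"
// Step 3: keep roles that are over-provisioned or held by an inactive identity.
| where tostring(Role.IsOverProvisioned) == "true" or tostring(Role.IsIdentityInactive) == "true"
// Label which condition fired so an analyst can triage the finding directly.
| extend Finding = case(
    tostring(Role.IsOverProvisioned) == "true" and tostring(Role.IsIdentityInactive) == "true", "OverProvisioned+InactiveIdentity",
    tostring(Role.IsOverProvisioned) == "true", "OverProvisioned",
    "InactiveIdentity")
| project AppDisplayName, RoleDefinitionName = tostring(Role.RoleDefinitionName), Finding
```

Of the three constructed identities, only the Owner assignment (OverProvisioned) and the Contributor assignment (InactiveIdentity) survive both filters; the over-provisioned Reader never reaches the second filter because it is not privileged.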

Details


Thomas Naunheim

Released: June 4, 2025

Tables

WorkloadIdentityInfoXdr

Keywords

WorkloadIdentityInfoXdr, AssignedAzureRoles, RoleIsPrivileged, IsOverProvisioned, IsIdentityInactive

Operators

mv-expand, parse_json, where, or
