3 Finding Sensitive Roles With CSPM Posture And Used By O Auth
Query
WorkloadIdentityInfoXdr
| mv-expand parse_json(AssignedAzureRoles)
| where parse_json(AssignedAzureRoles)["RoleIsPrivileged"] == 'true'
| where parse_json(AssignedAzureRoles)["IsOverProvisioned"] == 'true' or parse_json(AssignedAzureRoles)["IsIdentityInactive"] == 'true'Explanation
This query is analyzing data from the WorkloadIdentityInfoXdr table. Here's a simple breakdown of what it does:
-
Expand Assigned Azure Roles: It takes each entry in the
AssignedAzureRolesfield, which is in JSON format, and expands it so that each role can be analyzed individually. -
Filter Privileged Roles: It filters the roles to only include those where the
RoleIsPrivilegedproperty is set to 'true'. This means it focuses on roles with elevated permissions. -
Filter Over-Provisioned or Inactive Identities: It further filters these privileged roles to find cases where either:
- The role is over-provisioned (
IsOverProvisionedis 'true'), meaning the role has more permissions than necessary. - The identity associated with the role is inactive (
IsIdentityInactiveis 'true').
- The role is over-provisioned (
In summary, the query identifies privileged roles that are either over-provisioned or associated with inactive identities.
Details

Thomas Naunheim
Released: June 4, 2025
Tables
Keywords
Operators