KQL Search

Query Details

HomeAI ToolsDevice Query

ATP Detection For Critical Identities

Query

// ATP Detection for Critical Identities
// https://www.linkedin.com/posts/activity-7190937404625584128-hgdO/

// Custom DefenderXDR detection for CloudApp Advanced Threat Protection for Tier 0 Critical Identities giving you a comprehensive all-round threat monitoring. 

let HighlyPrivilegedAdmins =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and 
NodeProperties.rawData.criticalityLevel.criticalityLevel==0 
| extend EntraObjectID = NodeProperties.rawData.accountObjectId
| project EntraObjectID;
CloudAppEvents
| where ActionType == "AtpDetection"
| extend DetectionMethod = tostring(RawEventData.DetectionMethod)
| extend AccountUpn = RawEventData.UserId
| where AccountUpn has_any(HighlyPrivilegedAdmins)

Explanation

This KQL query is designed to detect threats targeting highly privileged administrative accounts (Tier 0 Critical Identities) using CloudApp Advanced Threat Protection (ATP). Here's a simplified breakdown:

  1. Identify Highly Privileged Admins:

    • The query first looks into ExposureGraphNodes to find identities (accounts).
    • It filters out those with a criticality level of 0 (indicating high privilege).
    • It extracts the EntraObjectID for these critical accounts.

  2. Monitor CloudApp Events:

    • The query then examines CloudAppEvents for actions labeled as "AtpDetection".
    • It extends the data to include the detection method and the user ID (AccountUpn).
    • Finally, it checks if any of these user IDs match the highly privileged admins identified earlier.

In summary, this query is used to monitor and detect potential threats specifically targeting highly privileged administrative accounts using CloudApp ATP.

Details

Steven Lim profile picture

Steven Lim

Released: August 2, 2024

Tables

ExposureGraphNodesCloudAppEvents

Keywords

ATPDetectionCriticalIdentitiesCloudAppAdvancedThreatProtectionTierThreatMonitoringHighlyPrivilegedAdminsExposureGraphNodesCategoriesNodePropertiesRawDataCriticalityLevelEntraObjectIDCloudAppEventsActionTypeDetectionMethodAccountUpnRawEventDataUserId

Operators

letset_has_elementwhereisnotnullandextendprojecttostringhas_any

Actions