Query Details

All Privileged Identity Info

Query

id: b7661446-5116-40ae-9f01-79074549ec18
Function:
  Title: Parser to get privileged human identities from IdentityInfo table and privileged workloads from WorkloadIdentityInfo for unified list of all privileges
  Version: '1.0.0'
  LastUpdated: '2023-11-11'
Category: Microsoft Sentinel Parser
FunctionName: AllPrivilegedIdentityInfo
FunctionAlias: AllPrivilegedIdentityInfo
# Output schema (taken from the two project statements in the query):
#   ObjectId, ObjectType, ObjectDisplayName, OnPremSynchronized, Classification,
#   EntraIdRoles, AppRoles
# AppRoles is only set by the workload branch; user rows carry no value for it.
FunctionQuery: |
    // Function to get privileged users from IdentityInfo and privileged workloads from WorkloadIdentityInfo
    //
    // The role classification is fetched at query time from a third-party GitHub
    // repository. Its content alone decides which directory roles count as privileged
    // here, so any change (or tampering) to that remote file silently changes this
    // function's output. Mirroring the list to a workspace-controlled location (e.g. a
    // watchlist or an internally hosted copy) and reviewing upstream diffs before
    // adopting them keeps that decision under the workspace owner's control.
    let SensitiveEntraDirectoryRoles = externaldata(RoleName: string, RoleId: string, isPrivileged: bool, Classification: dynamic)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_EntraIdDirectoryRoles.json"] with(format='multijson')
    // Keep every role that has a tier classification other than "Unclassified".
    // isPrivileged is projected but never filtered on anywhere in this query.
    | where Classification.EAMTierLevelName != "Unclassified"
    | project RoleName, isPrivileged, Classification;
    // Latest IdentityInfo row per account within the last 14 days, then one row per
    // assigned role so the role name can be joined against the classification list.
    let SensitiveUsers = IdentityInfo
    | where TimeGenerated > ago(14d)
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | mv-expand AssignedRoles
    | extend RoleName = tostring(AssignedRoles)
    // Inner join: accounts holding no classified role are dropped at this point.
    | join kind=inner ( SensitiveEntraDirectoryRoles ) on RoleName
    // Collapse back to one row per account, collecting the tier names and role names.
    | summarize Classification = make_set(parse_json(Classification.EAMTierLevelName)), RoleAssignments = make_set(RoleName) by AccountObjectId, AccountDisplayName, OnPremisesAccountObjectId;
    // Normalise user rows to the shared output schema. OnPremSynchronized is emitted as
    // the strings "true"/"false" (not a bool) to line up with the workload branch below.
    let PrivilegedUsers = SensitiveUsers
    | extend OnPremSynchronized = iff(isnotempty(OnPremisesAccountObjectId), "true", "false")
    | project
        ObjectId = tostring(AccountObjectId),
        ObjectType = "User",
        ObjectDisplayName = AccountDisplayName,
        OnPremSynchronized,
        tostring(Classification),
        EntraIdRoles = RoleAssignments;
    // Workload branch. Unlike the user branch there is no time window, no per-object
    // arg_max dedup and no classification filter: any non-empty role or app permission
    // qualifies the workload. If WorkloadIdentityInfo holds more than one row per service
    // principal, the same principal can appear several times in the union — TODO confirm
    // against the table. NOTE(review): isnotempty() is a null/empty-string check; if these
    // dynamic columns can contain an empty array, array_length(...) > 0 may be the
    // intended test — verify before relying on this filter.
    let PrivilegedWorkloads = WorkloadIdentityInfo
    | where isnotempty(EntraIdRoles) or isnotempty(AppRolePermissions)
    | project
        ObjectId = tostring(ServicePrincipalObjectId),
        ObjectType = WorkloadIdentityType,
        ObjectDisplayName = WorkloadIdentityName,
        OnPremSynchronized = "false",
        Classification = tostring(EnterpriseAccessModelTiering),
        EntraIdRoles = EntraIdRoles,
        AppRoles = AppRolePermissions;
    // Single result set over both branches; user rows have an empty AppRoles.
    union PrivilegedUsers, PrivilegedWorkloads

Explanation

This query is a function that retrieves privileged human identities from the IdentityInfo table and privileged workloads from the WorkloadIdentityInfo table. It uses externaldata to retrieve a classification list of sensitive Entra directory roles, filters out unclassified roles, and joins them with the IdentityInfo table to obtain the privileged users. It then formats the results and combines them with the privileged workloads from the WorkloadIdentityInfo table. The final result is a unified list of all privileged identities.

Details


Thomas Naunheim

Released: November 11, 2023

Tables

IdentityInfo, WorkloadIdentityInfo

Keywords

Devices,Intune,User,IdentityInfo,WorkloadIdentityInfo

Operators

where, project, externaldata, with, format, join, summarize, arg_max, mv-expand, extend, iff, isnotempty, tostring, make_set, parse_json, isnotempty, union
