KQL Search

Query Details

HomeAI ToolsDevice Query

Analytics Privileged Identity Info

Query

// This query can help you to obtain which accounts in IdentityInfo table have privileged groups or roles, according to values specified in certain Watchlists.
// IdentityInfo table renews itself completely every ~14 days.
//
// Click "Save as function", in Parameters write in the fields:
// "datetime"  "start_time"  "14d"
// "datetime"  "end_time"    "time(null)"
//
// If you name the function "PrivilegedIdentityInfo", you can check the function with queries like the following:
//
// PrivilegedIdentityInfo
//
// PrivilegedIdentityInfo(26d, 12d)
//
//let Function = (start_time:timespan = 14d, end_time:timespan = time(null)){
let _PrivilegedGroupRegex = toscalar(
    union
        (_GetWatchlist("SID-AuditADObjects")
        | where Notes has_any ("[Privileged]", "[Unpopulated]")
        | project RegEx = regex_quote(SAMAccountName)
        ),
        (_GetWatchlist("RegEx-PrivDomainGroups")
        | project RegEx
        )
    | summarize RegEx = make_set(RegEx)
    | extend RegEx = strcat(@"^(", strcat_array(RegEx, "|"), @")$")
);
let _PrivilegedRoleRegex = toscalar(
    _GetWatchlist("RegEx-PrivAADRoles")
    | summarize RegEx = make_list(RegEx)
    | extend RegEx = strcat(@"^(", strcat_array(RegEx, "|"), @")$")
);
IdentityInfo
| where TimeGenerated between (ago(start_time) .. ago(end_time))
| summarize arg_max(TimeGenerated, *) by AccountObjectId, AccountSID
| mv-expand GroupMember = GroupMembership to typeof(string), AssignedRole = AssignedRoles to typeof(string)
| where GroupMember matches regex _PrivilegedGroupRegex or AssignedRole matches regex _PrivilegedRoleRegex
| project-away GroupMember, AssignedRole
| summarize take_any(*) by AccountObjectId, AccountSID
//};
//Function(14d, time(null))

Explanation

This query is designed to identify accounts in the IdentityInfo table that have privileged groups or roles, based on specified values in certain Watchlists. The IdentityInfo table updates itself every 14 days.

The query uses a function, which can be saved as "PrivilegedIdentityInfo", and it can be checked with queries like "PrivilegedIdentityInfo" or "PrivilegedIdentityInfo(26d, 12d)".

The function uses two variables, _PrivilegedGroupRegex and _PrivilegedRoleRegex, to pull data from the Watchlists "SID-AuditADObjects", "RegEx-PrivDomainGroups", and "RegEx-PrivAADRoles".

The query then checks the IdentityInfo table for accounts that match the privileged group or role patterns identified in the Watchlists. It does this for a specified time period, which defaults to the last 14 days if not otherwise specified.

Finally, it returns the most recent record for each account that matches the criteria, excluding the GroupMember and AssignedRole fields from the output.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: September 7, 2023

Tables

IdentityInfo

Keywords

IdentityInfo,Accounts,PrivilegedGroups,Roles,Watchlists,Function,TimeGenerated,AccountObjectId,AccountSID,GroupMembership,AssignedRoles,RegEx

Operators

toscalar()unionwhereprojectregex_quotesummarizemake_setextendstrcatstrcat_arrayIdentityInfoTimeGeneratedbetweenagoarg_maxmv-expandtypeofmatches regexproject-awaytake_any()

Actions