Query Details

Critical Identities Privilege Escalation On Entra Service Principal

Query

// Critical Identities Privilege Escalation on Entra Service Principal
// https://www.linkedin.com/posts/0x534c_defenderxdr-customdetection-exposuremanagement-activity-7182618135659692032-HsE5/

// Custom Defender XDR detection rule: flags critical identities (as marked by Exposure Management) that add credentials to an Entra service principal. SecOps should monitor an organization's critical identities for this action, because a new credential on a service principal lets whoever holds it sign in as that principal and inherit its permissions, a common privilege escalation and persistence step.

// Stage 1: build the set of critical identities from the exposure graph
let CriticalIdentities =
ExposureGraphNodes
| where set_has_element(Categories, "identity")          // identity nodes only (users, service principals, ...)
| where isnotnull(NodeProperties.rawData.criticalityLevel) // a criticality level has been assigned
and NodeProperties.rawData.criticalityLevel.criticalityLevel < 4 // lower values denote higher criticality
| extend AccountID = tostring(NodeProperties.rawData.accountObjectId)
| distinct AccountID;
// Stage 2: credential additions to service principals performed by one of those identities
CloudAppEvents
| where ActivityType == "Add"
| where ActionType == @"Add service principal credentials."
| where AccountId has_any(CriticalIdentities)              // AccountId is the actor; match is case-insensitive

Explanation

This KQL query is designed to detect privilege escalation activities involving critical identities within an organization's Entra service principals. Here's a simplified summary:

  1. Identify Critical Identities:

    • The query first identifies critical identities from the ExposureGraphNodes table.
    • It keeps only nodes categorized as "identity" that have a criticality level assigned and below 4 (lower values denote higher criticality).
    • It extracts the distinct AccountIDs (accountObjectId) of these critical identities.
  2. Monitor for Privilege Escalation:

    • The query then looks at the CloudAppEvents table for events where the activity type is "Add" and the action type is "Add service principal credentials."
    • It checks whether the acting account (AccountId) of any of these events is one of the critical identities identified earlier.

In essence, the query helps security operations teams detect when a critical identity adds a credential (password or certificate) to an Entra service principal. Whoever holds that credential can then sign in as the service principal and use its permissions, so an unexpected add by a critical account may indicate a compromised account being used for privilege escalation or persistence. Note the scope: the match is on AccountId, the actor of the event, so the rule fires when a critical identity performs the add; it does not by itself flag a non-critical account adding credentials to a critical service principal, and routine credential rotation by critical administrators will also surface and needs tuning or allow-listing.
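As an added example (not part of the original post or the author's rule), the following Python re-implements the two stages of the query over constructed sample records, so the filters and the actor-only scope can be checked offline. Field names follow the advanced hunting columns the query uses (Categories, NodeProperties.rawData.accountObjectId, NodeProperties.rawData.criticalityLevel.criticalityLevel, ActivityType, ActionType, AccountId, ObjectId); every GUID, name and ReportId is made up, and the companion target-side check plus its CRITICAL_SP_IDS set are hypothetical extensions that assume ObjectId carries the target service principal's object ID for this action type.

```python
# Added example: Python model of the KQL detection above, run over constructed records.
from typing import Any, Iterable

ACTION_ADD_SP_CREDS = "Add service principal credentials."

# Constructed ExposureGraphNodes rows (not real tenant data).
# Lower criticalityLevel = more critical; the query keeps identity nodes with a level below 4.
EXPOSURE_GRAPH_NODES: list[dict[str, Any]] = [
    {   # Very high criticality identity -> included
        "Categories": ["identity", "user"],
        "NodeProperties": {"rawData": {
            "accountObjectId": "11111111-1111-1111-1111-111111111111",
            "criticalityLevel": {"criticalityLevel": 0, "ruleNames": ["Global Administrator"]}}},
    },
    {   # Low criticality (3) still counts
        "Categories": ["identity"],
        "NodeProperties": {"rawData": {
            "accountObjectId": "2b2b2b2b-2b2b-2b2b-2b2b-2b2b2b2b2b2b",
            "criticalityLevel": {"criticalityLevel": 3, "ruleNames": ["Custom rule"]}}},
    },
    {   # Identity with no criticality assigned -> dropped by isnotnull()
        "Categories": ["identity"],
        "NodeProperties": {"rawData": {
            "accountObjectId": "33333333-3333-3333-3333-333333333333"}},
    },
    {   # Critical, but not an identity node -> dropped by set_has_element()
        "Categories": ["device"],
        "NodeProperties": {"rawData": {
            "accountObjectId": "44444444-4444-4444-4444-444444444444",
            "criticalityLevel": {"criticalityLevel": 0, "ruleNames": ["Domain Controller"]}}},
    },
]

# Constructed CloudAppEvents rows. AccountId is the actor; ObjectId is the target
# (assumed here to be the service principal that received the credential).
CLOUD_APP_EVENTS: list[dict[str, Any]] = [
    {   # Critical actor adds a credential -> the rule fires
        "ReportId": "evt-1", "ActivityType": "Add", "ActionType": ACTION_ADD_SP_CREDS,
        "AccountId": "11111111-1111-1111-1111-111111111111",
        "ObjectId": "aaaa0000-0000-0000-0000-000000000001", "ObjectName": "payroll-sync",
    },
    {   # Critical (low-level) actor whose GUID arrives upper-cased: has_any() is case-insensitive
        "ReportId": "evt-2", "ActivityType": "Add", "ActionType": ACTION_ADD_SP_CREDS,
        "AccountId": "2B2B2B2B-2B2B-2B2B-2B2B-2B2B2B2B2B2B",
        "ObjectId": "aaaa0000-0000-0000-0000-000000000002", "ObjectName": "ci-deploy",
    },
    {   # Non-critical actor adds a credential to a critical SP -> NOT caught by the actor-side rule
        "ReportId": "evt-3", "ActivityType": "Add", "ActionType": ACTION_ADD_SP_CREDS,
        "AccountId": "55555555-5555-5555-5555-555555555555",
        "ObjectId": "aaaa0000-0000-0000-0000-0000000000ff", "ObjectName": "tenant-admin-automation",
    },
    {   # Critical actor, different action -> filtered out by ActionType
        "ReportId": "evt-4", "ActivityType": "Add", "ActionType": "Add service principal.",
        "AccountId": "11111111-1111-1111-1111-111111111111",
        "ObjectId": "aaaa0000-0000-0000-0000-000000000003", "ObjectName": "new-app",
    },
]

# Hypothetical allow-list of high-privilege service principal object IDs (constructed).
CRITICAL_SP_IDS: set[str] = {"aaaa0000-0000-0000-0000-0000000000ff"}


def critical_identities(nodes: Iterable[dict[str, Any]]) -> set[str]:
    """Stage 1 (the `let CriticalIdentities = ...` block): distinct account object IDs of
    identity nodes with an assigned criticality level below 4. IDs are lower-cased to
    mirror KQL's case-insensitive string matching."""
    ids: set[str] = set()
    for node in nodes:
        if "identity" not in node.get("Categories", []):
            continue
        raw = node.get("NodeProperties", {}).get("rawData", {})
        level = raw.get("criticalityLevel")
        if level is None or level.get("criticalityLevel") is None:
            continue  # isnotnull(...) fails
        if not level["criticalityLevel"] < 4:
            continue
        account = raw.get("accountObjectId")
        if account:
            ids.add(str(account).lower())
    return ids


def detect(events: Iterable[dict[str, Any]], critical: set[str]) -> list[str]:
    """Stage 2 (the CloudAppEvents filter): ReportIds of credential additions whose actor is critical."""
    return [e["ReportId"] for e in events
            if e.get("ActivityType") == "Add"
            and e.get("ActionType") == ACTION_ADD_SP_CREDS
            and str(e.get("AccountId", "")).lower() in critical]


def detect_target_side(events: Iterable[dict[str, Any]], critical_sps: set[str]) -> list[str]:
    """Companion check the page's query does not perform: flag the event when the target
    service principal is itself critical, whoever performed the add."""
    return [e["ReportId"] for e in events
            if e.get("ActionType") == ACTION_ADD_SP_CREDS
            and str(e.get("ObjectId", "")).lower() in critical_sps]


if __name__ == "__main__":
    crit = critical_identities(EXPOSURE_GRAPH_NODES)
    print("critical identities:", sorted(crit))
    print("actor-side hits    :", detect(CLOUD_APP_EVENTS, crit))
    print("target-side hits   :", detect_target_side(CLOUD_APP_EVENTS, CRITICAL_SP_IDS))
```

Running it shows evt-1 and evt-2 as hits for the actor-side rule and evt-3 only for the target-side companion, which is the coverage gap worth closing if your critical service principals are not also the accounts doing the adding.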

Details

Steven Lim

Released: August 2, 2024

Tables

ExposureGraphNodes, CloudAppEvents

Keywords

CriticalIdentities, PrivilegeEscalation, EntraServicePrincipal, ExposureManagement, SecOps

Operators

let, |, where, set_has_element, isnotnull, and, <, extend, tostring, distinct, ==, has_any