Critical Monitor For Critical Assets
Query
// Critical Monitor for Critical Assets
// https://www.linkedin.com/posts/activity-7189844353610088448-BajA/
// Custom DefenderXDR KQL Monitor for Tier 0 Critical Identities on High Security Alerts:
let HighlyPrivilegedAdmins =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel==0
| extend EntraObjectID = NodeProperties.rawData.accountObjectId
| project EntraObjectID;
AlertInfo
| join AlertEvidence on AlertId
| extend ReportId = AlertId
| where Severity == "High"
| where AccountObjectId has_any(HighlyPrivilegedAdmins)
// MITRE ATT&CK Mapping
// Based on the KQL code, the following MITRE ATT&CK techniques are relevant:
// T1078 - Valid Accounts:
// The query identifies highly privileged accounts, which could be used by adversaries to gain unauthorized access.
// T1087 - Account Discovery:
// The process of identifying highly privileged accounts aligns with account discovery techniques.
// T1071 - Application Layer Protocol:
// The query joins alert information, which could involve detecting communication over application layer protocols.
// T1566 - Phishing:
// High severity alerts could be related to phishing attempts targeting privileged accounts.
// T1210 - Exploitation of Remote Services:
// High severity alerts involving privileged accounts could indicate exploitation attempts on remote services.Explanation
This query is designed to monitor critical security alerts related to highly privileged accounts, specifically Tier 0 critical identities, using Microsoft Defender's KQL (Kusto Query Language). Here's a simple breakdown:
-
Identify Critical Accounts:
- The query first identifies accounts that are considered highly privileged (Tier 0) by checking the
ExposureGraphNodestable for identities with a criticality level of 0. - It extracts the unique identifier (EntraObjectID) for these accounts.
- The query first identifies accounts that are considered highly privileged (Tier 0) by checking the
-
Monitor High Severity Alerts:
- It then looks for high severity security alerts in the
AlertInfotable. - These alerts are joined with evidence data from the
AlertEvidencetable to gather more context. - The query filters these alerts to only include those that involve the highly privileged accounts identified earlier.
- It then looks for high severity security alerts in the
-
MITRE ATT&CK Techniques:
- The query is mapped to several MITRE ATT&CK techniques, suggesting potential security threats:
- T1078 - Valid Accounts: The focus on privileged accounts could indicate attempts to gain unauthorized access.
- T1087 - Account Discovery: Identifying these accounts aligns with techniques used to discover account details.
- T1071 - Application Layer Protocol: The alert data might involve communication over application protocols.
- T1566 - Phishing: High severity alerts could be related to phishing attacks targeting these accounts.
- T1210 - Exploitation of Remote Services: Alerts involving these accounts might indicate attempts to exploit remote services.
- The query is mapped to several MITRE ATT&CK techniques, suggesting potential security threats:
In summary, this query helps security teams monitor and respond to high-risk alerts involving critical accounts, potentially indicating serious security threats such as unauthorized access, phishing, or exploitation attempts.
Details

Steven Lim
Released: August 25, 2024
Tables
ExposureGraphNodes
AlertInfo
AlertEvidence
Keywords
ExposureGraphNodesCategoriesNodePropertiesAlertInfoAlertEvidenceSeverityAccountObjectIdEntraObjectIDAlertIdReportId
Operators
letset_has_elementwhereisnotnullextendprojectjoinonhas_any