Query Details

Critical Monitor For Critical Assets

Query

// Critical Monitor for Critical Assets
// https://www.linkedin.com/posts/activity-7189844353610088448-BajA/
// Custom Defender XDR KQL monitor for Tier 0 critical identities on high-severity alerts.
// Critical identities come from Exposure Management: criticalityLevel 0 is the "Very high" tier.
// The Entra object ID is cast to string so it compares with AlertEvidence.AccountObjectId.
let HighlyPrivilegedAdmins =
    ExposureGraphNodes
    | where set_has_element(Categories, "identity")
    | where isnotnull(NodeProperties.rawData.criticalityLevel)
        and NodeProperties.rawData.criticalityLevel.criticalityLevel == 0
    | extend EntraObjectID = tostring(NodeProperties.rawData.accountObjectId)
    | where isnotempty(EntraObjectID)
    | project EntraObjectID;
AlertInfo
| where Severity == "High"                             // filter before the join to keep it cheap
| join kind=inner AlertEvidence on AlertId             // one row per (alert, evidence entity)
| extend ReportId = AlertId                            // custom detection rules require ReportId
| where AccountObjectId in~ (HighlyPrivilegedAdmins)   // exact match on the object ID, not a term search

Explanation

This KQL query monitors high-severity alerts that involve Tier 0 critical identities, for use as a custom detection in Microsoft Defender XDR. Step by step:

  1. Identify Critical Identities:

    • The query first builds the list of highly privileged accounts (Tier 0 critical identities) from the ExposureGraphNodes table, which Microsoft Security Exposure Management populates in Advanced Hunting.
    • It keeps nodes whose Categories set contains "identity" and whose criticalityLevel is 0, the "Very high" tier in Exposure Management (lower numbers mean higher criticality, so level 0 is the most critical).
    • It extracts each identity's Entra object ID (NodeProperties.rawData.accountObjectId) as EntraObjectID; this is the same value that AlertEvidence carries in its AccountObjectId column, so the two can be compared directly.
  2. Filter High Severity Alerts:

    • The query then takes the AlertInfo table and joins it with AlertEvidence on AlertId, so each alert is expanded into one row per entity (account, device, file, and so on) that the alert references.
    • It adds a ReportId column equal to AlertId because a Defender XDR custom detection rule requires Timestamp, ReportId and at least one entity column (here AccountObjectId) in its result set; AlertInfo and AlertEvidence have no ReportId of their own.
    • It keeps only alerts whose Severity is "High" (the other values are "Medium", "Low" and "Informational").
  3. Match Alerts to Critical Identities:

    • Finally, it keeps only the evidence rows whose AccountObjectId is one of the critical identities collected in HighlyPrivilegedAdmins.

In summary, the query returns high-severity alerts in which one of the most critical admin accounts appears as evidence. Two caveats: an alert only surfaces if Exposure Management has already classified the account as critical (confirm that ExposureGraphNodes returns identity nodes with a criticalityLevel in your tenant), and the join yields one row per evidence entity, so an alert naming several critical accounts appears once per account.
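The same logic shaped so that it can be saved directly as a Defender XDR custom detection rule, as an added example that is not part of the original post. It goes beyond the query above in three ways: it restricts evidence to User entities, it collapses duplicate evidence rows so each alert appears once per critical account, and it projects the Timestamp, ReportId and AccountObjectId columns a custom detection requires. MaxCriticalityLevel is an assumed parameter introduced here (0 keeps only "Very high"; raise it to 1 if the tenant classifies Tier 0 accounts as "High"); the column names are the documented Advanced Hunting schema for AlertInfo and AlertEvidence.

```kql
// Added example, not from the original post. Shaped for a Defender XDR custom
// detection rule: output carries Timestamp, ReportId and an entity column.
let MaxCriticalityLevel = 0;   // assumed parameter: 0 = "Very high" only
let CriticalIdentities =
    ExposureGraphNodes
    | where set_has_element(Categories, "identity")
    | where isnotnull(NodeProperties.rawData.criticalityLevel)
        and toint(NodeProperties.rawData.criticalityLevel.criticalityLevel) <= MaxCriticalityLevel
    | extend AccountObjectId = tostring(NodeProperties.rawData.accountObjectId)
    | where isnotempty(AccountObjectId)
    | distinct AccountObjectId;
AlertInfo
| where Timestamp > ago(1d)       // ad hoc window; a saved rule applies its own schedule
| where Severity == "High"
| join kind=inner (
    AlertEvidence
    | where EntityType == "User"  // only account evidence carries AccountObjectId
    | where isnotempty(AccountObjectId)
    | project AlertId, AccountObjectId, AccountUpn, EvidenceRole
  ) on AlertId
| where AccountObjectId in~ (CriticalIdentities)
// one row per alert and critical account, keeping the earliest evidence row
| summarize arg_min(Timestamp, *) by AlertId, AccountObjectId
| extend ReportId = AlertId       // required by custom detection rules
| project Timestamp, ReportId, AlertId, Title, Category, Severity,
          ServiceSource, DetectionSource, AccountObjectId, AccountUpn, EvidenceRole
```

Run it once in Advanced Hunting with MaxCriticalityLevel set to 3 to confirm that the CriticalIdentities list is non-empty before saving it as a rule; an empty list means the rule silently never fires.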

Details


Steven Lim

Released: August 2, 2024

Tables

ExposureGraphNodes, AlertInfo, AlertEvidence

Keywords

DefenderXDR, CriticalAssets, SecurityAlerts, Identities

Operators

let, |, where, set_has_element, isnotnull, and, ==, extend, tostring, isnotempty, project, join, kind=inner, on, in~
