Query Details

Directory Role Member With Classification

Query

// List of (active/permanent) directory role members with enriched classification from EntraOps Privileged EAM,
// using the IdentityInfo table from Microsoft Sentinel UEBA as the source of role assignments
// Classification feed: pulled at query time from the public EntraOps repository and reduced to classified roles only
let SensitiveEntraDirectoryRoles = externaldata(RoleName: string, RoleId: string, isPrivileged: bool, Classification: dynamic)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_EntraIdDirectoryRoles.json"] with(format='multijson')
| where Classification.EAMTierLevelName != "Unclassified"
| extend EAMTierLevelName = tostring(Classification.EAMTierLevelName)
| project RoleName, isPrivileged, EAMTierLevelName;
// Latest IdentityInfo snapshot per account within the last 14 days, one row per assigned role
let SensitiveUsers = IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| mv-expand AssignedRoles
| extend RoleName = tostring(AssignedRoles)
// Inner join keeps only assignments to roles that carry an EAM classification
| join kind=inner ( SensitiveEntraDirectoryRoles ) on RoleName;
SensitiveUsers
| project EAMTierLevelName, RoleName, AccountObjectId, AccountDisplayName, AccountUPN, IsAccountEnabled, UserType, SourceSystem

Explanation

This query lists the active or permanent members of Entra ID directory roles together with the role classification from EntraOps Privileged EAM. The role assignments come from the IdentityInfo table of Microsoft Sentinel UEBA: the query takes the most recent IdentityInfo record per account from the last 14 days and expands the AssignedRoles array to one row per role. The classification is read with externaldata from the public Classification_EntraIdDirectoryRoles.json file in the EntraOps repository at query time, roles marked "Unclassified" are dropped, and the remaining roles are inner-joined to the assignments by role name, so only members of classified roles remain. The output contains the EAM tier level, the role name, and for each member the account object ID, display name, UPN, account enabled status, user type, and source system. Because IdentityInfo reflects the current state of the account, the result covers active assignments only; PIM-eligible assignments that are not activated do not appear in AssignedRoles.
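The query above returns one row per member and role. An added example (not part of the original query or of EntraOps) that reuses the same classification feed and IdentityInfo snapshot, but aggregates the members per EAM tier level and role and counts two account states that should not normally hold sensitive roles: disabled accounts, which usually indicate stale assignments, and guest accounts. It assumes the same column names as the query above; "Guest" is assumed to be the IdentityInfo.UserType value for B2B accounts, and the 50 in make_set is an arbitrary cap on the listed UPNs.

```kql
// Added example: aggregate classified role holders per tier level and role,
// flagging disabled and guest accounts. Not part of the original query.
let SensitiveEntraDirectoryRoles = externaldata(RoleName: string, RoleId: string, isPrivileged: bool, Classification: dynamic)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_EntraIdDirectoryRoles.json"] with(format='multijson')
| where Classification.EAMTierLevelName != "Unclassified"
| project RoleName, isPrivileged, EAMTierLevelName = tostring(Classification.EAMTierLevelName);
// Latest IdentityInfo record per account, expanded to one row per assigned role
let RoleMembers = IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| mv-expand AssignedRoles
| extend RoleName = tostring(AssignedRoles)
| join kind=inner (SensitiveEntraDirectoryRoles) on RoleName;
RoleMembers
| summarize
    Members = dcount(AccountObjectId),
    // Disabled accounts still holding a classified role: candidates for cleanup
    DisabledMembers = dcountif(AccountObjectId, IsAccountEnabled == false),
    // Assumption: "Guest" is the UserType value for B2B accounts in IdentityInfo
    GuestMembers = dcountif(AccountObjectId, UserType == "Guest"),
    MemberUPNs = make_set(AccountUPN, 50)
    by EAMTierLevelName, RoleName, isPrivileged
| order by EAMTierLevelName asc, Members desc
```

Rows with DisabledMembers or GuestMembers greater than zero in a low tier level (for example the control plane) are the ones to review first; the MemberUPNs set gives the accounts to look at without a second query.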

Details


Thomas Naunheim

Released: October 15, 2023

Tables

IdentityInfo, SensitiveEntraDirectoryRoles

Keywords

Devices, Intune, User

Operators

where, extend, project, summarize, arg_max, mv-expand, join, on
