Query Details

Directory Roles With Details

Query

// List of Directory Roles including classification by EntraOps, categories and rich details by Graph API and their role members with UserType (Guest) or RiskLevel
// by using IdentityInfo table from Microsoft Sentinel UEBA
let SensitiveEntraDirectoryRoles = externaldata(RoleName: string, RoleId: string, Categories: string, RichDescription: string, isPrivileged: bool, Classification: dynamic)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_EntraIdDirectoryRoles.json"] with(format='multijson')
| where Classification.EAMTierLevelName != "Unclassified"
| extend EAMTierLevelName = Classification.EAMTierLevelName
| project RoleName, Categories, RichDescription, isPrivileged, EAMTierLevelName;
let PrivilegedUsers = IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| mv-expand AssignedRoles
| extend RoleName = tostring(AssignedRoles);
SensitiveEntraDirectoryRoles
| join kind=inner ( PrivilegedUsers ) on RoleName
| extend RoleMember = bag_pack_columns(AccountName, AccountUPN, UserType, Tags, IsAccountEnabled, RiskState)
| summarize RoleMembers = make_list(RoleMember) by RoleName, Categories, isPrivileged, tostring(EAMTierLevelName), tostring(RichDescription)

Explanation

This KQL query is designed to provide a detailed list of sensitive directory roles from Microsoft Entra (formerly Azure AD) along with their members, using the most recent IdentityInfo record per account from the last 14 days. Here's a simplified summary of what the query does:

  1. Load Directory Roles Data: It imports a list of directory roles from an external JSON file, which includes details like role name, role ID, categories, descriptions, privilege status, and classification.

  2. Filter Classified Roles: It filters out roles whose EntraOps classification is "Unclassified", keeping only roles with an assigned EAM tier level (EAMTierLevelName).

  3. Fetch Recent Privileged Users: It retrieves accounts from the IdentityInfo table whose record was updated in the last 14 days, keeps the latest record per AccountObjectId, and expands each account's AssignedRoles so that there is one row per account and role (accounts without assigned roles drop out at this step).

  4. Match Roles with Users: It joins the directory roles data with the user data based on the role names.

  5. Compile Detailed Role Information: For each role, it compiles a list of its members, including details like account name, user type, risk state, and other attributes.

  6. Summarize Results: Finally, it summarizes the results to show each role along with its categories, privilege status, classification, description, and a list of its members.

In essence, this query provides a comprehensive overview of sensitive directory roles and their members, based on the latest IdentityInfo snapshot per account and enriched with user details such as UserType (Guest) and risk state.
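As an added example (not part of the original query or the EntraOps project), the same building blocks can be turned into a review-oriented query that lists only the role members a defender would want to look at first: guests, accounts flagged by Entra ID Protection, and disabled accounts that still hold a classified role. It assumes the same classification file and the same IdentityInfo schema as the query above; the RiskState values compared against ("atRisk", "confirmedCompromised") are the Entra ID Protection risk-state names and are an assumption about what your IdentityInfo data contains.

```kql
// Added example: surface guest, risky and disabled members of classified Entra directory roles.
// Assumes the EntraOps classification file and the Microsoft Sentinel UEBA IdentityInfo table used above.
let SensitiveEntraDirectoryRoles = externaldata(RoleName: string, RoleId: string, Categories: string, RichDescription: string, isPrivileged: bool, Classification: dynamic)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_EntraIdDirectoryRoles.json"] with(format='multijson')
| extend EAMTierLevelName = tostring(Classification.EAMTierLevelName)
| where EAMTierLevelName != "Unclassified"
| project RoleName, EAMTierLevelName, isPrivileged;
let PrivilegedUsers = IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId   // latest snapshot per account
| mv-expand AssignedRoles to typeof(string)                 // one row per account and role
| project-rename RoleName = AssignedRoles;
SensitiveEntraDirectoryRoles
| join kind=inner PrivilegedUsers on RoleName
// Build a list of findings per member; empty strings are removed with set_difference.
| extend Findings = set_difference(pack_array(
      iff(UserType == "Guest", "GuestInSensitiveRole", ""),
      iff(RiskState in ("atRisk", "confirmedCompromised"), "RiskyMember", ""),   // assumed risk-state names
      iff(IsAccountEnabled == false, "DisabledMemberStillAssigned", "")),
    dynamic([""]))
| where array_length(Findings) > 0
| project EAMTierLevelName, RoleName, isPrivileged, AccountUPN, UserType, RiskState, IsAccountEnabled, Findings
| order by EAMTierLevelName asc, RoleName asc, AccountUPN asc
```

Each output row is one member-role pair with a Findings array explaining why it was listed, so the result can be used directly as an analytics rule or as a periodic access-review export; the original query's per-role member list is better suited to documentation, while this variant is tuned for triage.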

Details


Thomas Naunheim

Released: July 30, 2024

Tables

IdentityInfo

Keywords

DirectoryRoles, EntraOps, GraphAPI, UserType, RiskLevel, IdentityInfo, MicrosoftSentinel, UEBA

Operators

externaldata, with, format, where, extend, project, summarize, arg_max, by, mv-expand, tostring, join, kind, on, bag_pack_columns, make_list
