EEG High Privilege Identities Across Subscriptions

Query

# High-Privilege Identities Across Subscriptions

## Query Information

### Description

This query finds identities with elevated roles like Owner or Contributor, helping you assess potential privilege escalation risks.


#### References

- [Performing Advanced Risk Hunting in Defender for Cloud](https://techcommunity.microsoft.com/blog/microsoftdefendercloudblog/performing-advanced-risk-hunting-in-defender-for-cloud/4420633)


### Author

- **Microsoft**

## Defender XDR

```kql
ExposureGraphEdges
| where EdgeLabel == "has permissions to"
| extend Roles = parse_json(EdgeProperties).rawData.permissions.roles
| mv-expand Roles
| where Roles.name in ("Owner", "Contributor")
| join kind=inner (
    ExposureGraphNodes
    | project NodeId, Department = tostring(NodeProperties.department)
) on $left.SourceNodeId == $right.NodeId
```

Explanation

This query is designed to identify identities with high-level permissions, specifically those with "Owner" or "Contributor" roles, across different subscriptions. It helps in assessing the risk of privilege escalation by highlighting users or entities with elevated access rights. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by looking at a dataset called ExposureGraphEdges, which contains information about permissions relationships between identities and resources.

  2. Filter for Permissions: The query filters these relationships to only include edges whose label is "has permissions to", i.e. permission grants from an identity to a resource.

  3. Extract Roles: It extracts the roles associated with these permissions from a JSON field and expands them into individual entries.

  4. Role Filtering: It further filters these entries to only include roles named "Owner" or "Contributor", which are considered high-privilege roles.

  5. Join with Node Information: The query then joins this filtered data with another dataset, ExposureGraphNodes, to get additional information about the identities, specifically their department, by matching on a common identifier (NodeId).

In summary, this query helps security teams identify and assess potential risks by listing identities with significant access rights, which could be targets for privilege escalation attacks.
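The query above returns one row per identity-and-role pair and does not itself group the results, so an identity that holds Owner on several subscriptions appears several times. The following extension, added here as an example and not part of the original page or Microsoft's published query, summarizes the same edges per identity so that the "across subscriptions" view is explicit: it keeps the page's filter and join, then counts the distinct targets each identity can reach. The column names `SourceNodeName`, `TargetNodeId`, `TargetNodeName` and `TargetNodeLabel` are assumed to follow the standard `ExposureGraphEdges` schema; the `TargetCount > 1` threshold is a constructed starting point to tune.

```kql
// Added example, not the page's own query: list each high-privilege identity once,
// with the set of targets it has Owner/Contributor on.
// Assumed columns (standard ExposureGraphEdges schema): SourceNodeName, TargetNodeId,
// TargetNodeName, TargetNodeLabel.
ExposureGraphEdges
| where EdgeLabel == "has permissions to"
| extend Roles = parse_json(EdgeProperties).rawData.permissions.roles
| mv-expand Roles
// Cast explicitly so the string comparison below does not depend on dynamic coercion.
| extend RoleName = tostring(Roles.name)
| where RoleName in ("Owner", "Contributor")
| join kind=inner (
    ExposureGraphNodes
    | project NodeId, Department = tostring(NodeProperties.department)
) on $left.SourceNodeId == $right.NodeId
| summarize
    Roles = make_set(RoleName),
    TargetCount = dcount(TargetNodeId),
    // Cap the set so a service principal with hundreds of grants does not bloat the row.
    Targets = make_set(strcat(TargetNodeLabel, ":", TargetNodeName), 20)
    by SourceNodeId, SourceNodeName, Department
// Constructed threshold: surface identities whose elevated access spans more than one target.
| where TargetCount > 1
| order by TargetCount desc
```

Run in the Defender XDR advanced hunting portal. Sorting by `TargetCount` puts the identities whose compromise would reach the most resources at the top, which is the ordering a review of standing privilege usually wants; drop the `where TargetCount > 1` line to see every elevated identity, including those scoped to a single target.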

Details


Alex Verboon

Released: June 29, 2025

Tables

- ExposureGraphEdges
- ExposureGraphNodes

Keywords

- ExposureGraphEdges
- ExposureGraphNodes
- Roles
- NodeId
- Department

Operators

- `|`
- `extend`
- `parse_json`
- `mv-expand`
- `in`
- `join`
- `project`
- `tostring`
- `on`
- `==`