Query Details

Entra Admin Roles Query

Query

// Exposure Management - Entra Admin Roles Query
// https://www.linkedin.com/posts/activity-7189252312106700800-boXn/


// This KQL is even better than Entra PIM Dashboard! 😎 Just run this KQL in DefenderXDR Advanced Hunting, it will instantly tell you how many admin roles has been assigned out. If you comment out the last line of the KQL code, it will give you a comprehensive view of each admin and the number of roles assigned to him/her. Now with this roles assignment information available, you can also combine composite threat hunting KQL inclusive of admin roles 🤯

ExposureGraphNodes
| where set_has_element(Categories, "identity")
| extend AccountUPN = NodeProperties.rawData.accountUpn
| extend AdminRoles = NodeProperties.rawData.assignedRoles
| extend NumberofRoles = array_length(AdminRoles)
| where NumberofRoles > 0
| summarize TotalRolesAssigned = sum(NumberofRoles)

// MITRE ATT&CK Mapping

// The KQL query focuses on identifying accounts with administrative roles, which can be mapped to the following MITRE ATT&CK techniques:

// T1078 - Valid Accounts:
// This technique involves the use of valid accounts to gain access to systems. The query identifies accounts with administrative roles, which could be targeted by adversaries to gain elevated privileges1.
// T1078.004 - Valid Accounts: Cloud Accounts:
// If the accounts are cloud-based, this sub-technique is relevant. Adversaries may target cloud accounts with administrative roles to gain access to cloud resources1.
// T1087 - Account Discovery:
// This technique involves discovering accounts and their roles. The query helps in identifying accounts with administrative roles, which is a form of account discovery1.

Explanation

This KQL (Kusto Query Language) query is designed to help you quickly identify how many administrative roles have been assigned within your organization. Here's a simple breakdown of what the query does:

  1. Data Source: It starts by looking at a dataset called ExposureGraphNodes, which contains information about various entities, including user accounts.

  2. Filter for Identities: It filters the data to focus only on entities categorized as "identity," which typically refers to user accounts.

  3. Extract Information: For each identity, it extracts:

    • AccountUPN: The user principal name, which is essentially the user's email or login name.
    • AdminRoles: The list of administrative roles assigned to the user.
    • NumberofRoles: The count of roles assigned to each user.
  4. Filter for Admin Roles: It further filters the data to include only those users who have been assigned one or more administrative roles.

  5. Summarize: Finally, it calculates the total number of administrative roles assigned across all users.

If you remove the last line (summarize TotalRolesAssigned = sum(NumberofRoles)), the query will provide a detailed view of each user and the number of roles assigned to them, rather than just the total count.

Security Context: The query is useful for security purposes as it helps identify accounts with elevated privileges, which could be potential targets for adversaries. It aligns with several MITRE ATT&CK techniques related to account discovery and the use of valid accounts to gain unauthorized access, particularly in cloud environments.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

ExposureGraphNodes

Keywords

ExposureGraphNodesCategoriesNodePropertiesAccountUPNAdminRolesNumberofRolesTotalRolesAssignedAccountsAdministrativeRolesSystemsAdversariesPrivilegesCloudResourcesDiscovery

Operators

set_has_elementextendarray_lengthwheresummarizesum

MITRE Techniques

Actions

GitHub