Query Details

Entra ID Administrative Role AD Sync

Query

// Entra ID Administrative Role (AD-Sync)

IdentityInfo
| where Timestamp > ago(30d)
| where AssignedRoles != ""
| mv-expand AssignedRoles
| extend EntraAdminRole = tostring(AssignedRoles)
| where OnPremSid != ""
| distinct EntraAdminRole, AccountUpn
| where AccountUpn != ""
| sort by EntraAdminRole asc

// MITRE ATT&CK Mapping

// Based on the operations and objectives of the KQL code, the following MITRE ATT&CK techniques are relevant:

// T1078 - Valid Accounts:
// The query filters and expands assigned roles, which can help identify the use of valid accounts with specific roles.
// T1087 - Account Discovery:
// The query retrieves distinct combinations of roles and UPNs, which aligns with discovering accounts and their associated roles.
// T1071 - Application Layer Protocol:
// Filtering by OnPremSid and AccountUpn can help detect unusual or unauthorized use of application layer protocols for accessing resources.
// T1556 - Modify Authentication Process:
// The query’s focus on assigned roles and on-premises SIDs can help detect modifications to authentication processes or roles.

Explanation

This KQL query is designed to analyze identity information related to administrative roles in Entra ID (formerly Azure Active Directory) over the past 30 days. Here's a simple breakdown of what the query does:

  1. Filter Recent Data: It looks at identity information from the last 30 days.
  2. Identify Assigned Roles: It focuses on entries where roles have been assigned, expanding these roles to analyze them individually.
  3. Filter for On-Premises Accounts: It specifically examines accounts that have an associated on-premises security identifier (SID).
  4. Extract Unique Role-Account Combinations: It retrieves unique combinations of administrative roles and user principal names (UPNs) for accounts that have been assigned roles.
  5. Sort Results: The results are sorted alphabetically by the administrative role.

The query is mapped to several MITRE ATT&CK techniques, indicating its relevance in identifying valid accounts, discovering account roles, detecting unusual protocol use, and monitoring changes to authentication processes.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

IdentityInfo

Keywords

IdentityInfoEntraAdminRoleAccountUpnOnPremSid

Operators

agowhere!=mv-expandextendtostringdistinctsort byasc

MITRE Techniques

Actions

GitHub