Query Details

Exposure Management Cloud Or On Prem VDI Platform Blast Radius

Query

// Exposure Management: Cloud or On-Prem VDI Blast Radius
// https://www.linkedin.com/posts/0x534c_defenderxdr-exposuremanagement-attackpath-activity-7228066647335387137-dDBd/
// The following KQL query leverages the DefenderXDR ExposureGraphEdges schema to analyze workstations that permit multiple user logons. After identifying cloud or on-premises virtual desktop infrastructure (VDI), it scans the DeviceTvmSoftwareVulnerabilities for critical and high CVEs linked to these multi-user logons. Remember, unpatched workstations with numerous users significantly increase your attack surface. This KQL query helps you assess the associated blast radius of your VDI attack surface if not managed properly.🎯

// Step 1: hosts in the exposure graph that more than three identities can authenticate to
let AVDs =
    ExposureGraphEdges
    | where EdgeLabel == "can authenticate as"
    | summarize UserLogonCount = count() by SourceNodeName
    | where UserLogonCount > 3
    | distinct SourceNodeName;
// Step 2: critical/high vulnerabilities present on those multi-user hosts
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel == "Critical"
    or VulnerabilitySeverityLevel == "High"
| where DeviceName has_any (AVDs)

// #DefenderXDR #ExposureManagement #AttackPath #BlastRadius

Explanation

This KQL query is designed to identify workstations that allow multiple user logons and assess their vulnerability to critical and high-severity security issues. Here's a simplified breakdown:

  1. Identify Multi-User Workstations:
    • The query first looks at the ExposureGraphEdges data to find workstations where more than three users can log in.
    • It summarizes and lists these workstations.
  2. Check for Vulnerabilities:
    • It then checks the DeviceTvmSoftwareVulnerabilities data for any critical or high-severity vulnerabilities on these identified workstations.

The goal is to help you understand the potential security risks (blast radius) associated with these multi-user workstations, especially if they are not properly patched. This is crucial for managing your attack surface in both cloud and on-premises virtual desktop infrastructure (VDI) environments.
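As an added example that is not part of Steven Lim's original query, the same two tables can be joined to rank each multi-user host by its blast radius (exposed identities multiplied by critical/high CVEs) instead of listing raw vulnerability rows. It assumes DeviceName is an FQDN whose host label matches the graph's SourceNodeName, and it counts distinct identities (TargetNodeName) rather than raw edges.

```kql
// Added example, not the original post's query.
let MinUsers = 3;
// Hosts that more than MinUsers distinct identities can authenticate to
let MultiUserHosts =
    ExposureGraphEdges
    | where EdgeLabel == "can authenticate as"
    | summarize UserLogonCount = dcount(TargetNodeName) by SourceNodeName
    | where UserLogonCount > MinUsers
    | extend HostName = tolower(SourceNodeName);
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("Critical", "High")
// Assumption: DeviceName is an FQDN; keep only the host label so it can be
// joined to the short node name used in the exposure graph
| extend HostName = tolower(tostring(split(DeviceName, ".")[0]))
| summarize CveCount = dcount(CveId),
            CriticalCount = dcountif(CveId, VulnerabilitySeverityLevel == "Critical"),
            SampleCves = make_set(CveId, 5)
    by HostName, DeviceId
| join kind=inner MultiUserHosts on HostName
// Simple blast-radius score: every exposed identity inherits every unpatched CVE
| extend BlastRadius = UserLogonCount * CveCount
| project HostName, DeviceId, UserLogonCount, CveCount, CriticalCount, SampleCves, BlastRadius
| order by BlastRadius desc
```

Hosts at the top of the result are the ones where a single exploit would expose the most identities, so they are the first candidates for patching or for reducing who can sign in.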

Details


Steven Lim

Released: August 10, 2024

Tables

ExposureGraphEdges, DeviceTvmSoftwareVulnerabilities

Keywords

Devices, Vulnerabilities, Users, Workstations

Operators

let, |, ==, summarize, count(), by, >, distinct, or, has_any
