Query Details

Exposure Management Cloud Permissions User

Query

# List all Cloud Permissions of a Compromised User

### Sentinel
```KQL
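// Cloud Permissions Compromised User
// Display name of the compromised account; matched against SourceNodeName below
let UserName = "Bert-Jan Pals";
ExposureGraphEdges
// Keep only permission edges that originate from the user
| where EdgeLabel == "has permissions to"
| where SourceNodeName == UserName
// Type = first "name" value found in the EdgeProperties JSON
| extend Type = extract(@'"name":"(.*?)"', 1, tostring(EdgeProperties))
| project SourceNodeName, EdgeLabel, Type, TargetNodeName, TargetNodeLabel, EdgeProperties
| sort by Type, TargetNodeLabel, TargetNodeName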
```



Explanation

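This query lists all cloud permissions of a compromised user, here "Bert-Jan Pals", in Sentinel. It filters ExposureGraphEdges to the "has permissions to" edges whose source node is that user, extracts the first "name" value from EdgeProperties into the Type column, and sorts the results by type, target node label, and target node name.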

Details

Bert-Jan Pals

Released: June 25, 2024

Tables

ExposureGraphEdges

Keywords

Cloud, Permissions, Compromised, User, ExposureGraphEdges, EdgeLabel, SourceNodeName, Type, TargetNodeName, TargetNodeLabel, EdgeProperties

Operators

where, extend, extract, project, sort