Identity Blast Radius 2
Query
//Identity Blast Radius 2 KQL
//https://www.linkedin.com/feed/update/urn:li:activity:7177358332662337536/
//A different approach of deriving identity blast radius, instead of using DefenderXDR schema we now use Sentinel User and Entity Behavior Analytics (UEBA) IdentityInfo schema to derive the high blast radius & risk user and their associated logon devices to trace the potential attack path for remediation purposes.
let HighRiskUsers =
IdentityInfo
| where BlastRadius == "High" and ChangeSource == "UEBA"
| where RiskLevel == "High" and RiskState == "AtRisk"
| distinct AccountSID;
DeviceLogonEvents
| where AccountSid has_any(HighRiskUsers)
| summarize by AccountName, DeviceName
| sort by AccountName
// MITRE ATT&CK Mapping
// Based on the KQL code, the following MITRE ATT&CK techniques are relevant:
// T1078 - Valid Accounts:
// The query is identifying high-risk user accounts, which could be indicative of compromised or misused valid accounts.
// T1078.001 - Valid Accounts: Default Accounts:
// If the high-risk users include default accounts, this technique would be relevant.
// T1078.002 - Valid Accounts: Domain Accounts:
// If the high-risk users include domain accounts, this technique would be relevant.
// T1078.003 - Valid Accounts: Local Accounts:
// If the high-risk users include local accounts, this technique would be relevant.
// T1078.004 - Valid Accounts: Cloud Accounts:
// If the high-risk users include cloud accounts, this technique would be relevant.
// T1059 - Command and Scripting Interpreter:
// The use of KQL itself can be mapped to this technique as it involves scripting and querying.
// T1087 - Account Discovery:
// The query is effectively performing account discovery by identifying high-risk accounts.
// T1110 - Brute Force:
// If the high-risk users were identified due to brute force attempts, this technique would be relevant.Explanation
This KQL query is designed to identify high-risk user accounts and their associated devices for potential security threats. Here's a simplified breakdown:
-
Identify High-Risk Users:
- The query first looks at the
IdentityInfotable to find users with a "High" blast radius and risk level, specifically those flagged by the User and Entity Behavior Analytics (UEBA) system as "AtRisk". - It collects the unique security identifiers (SIDs) of these high-risk users.
- The query first looks at the
-
Find Associated Devices:
- It then checks the
DeviceLogonEventstable to find logon events involving these high-risk users. - The query extracts and lists the account names and device names where these users have logged in.
- It then checks the
-
Purpose:
- The goal is to trace potential attack paths by identifying which devices these high-risk users have accessed, aiding in remediation efforts.
-
MITRE ATT&CK Techniques:
- The query aligns with several MITRE ATT&CK techniques, indicating it can help identify compromised accounts, whether they are default, domain, local, or cloud accounts.
- It also involves account discovery and could relate to brute force attempts if those were the reason for the high-risk designation.
Overall, this query helps security teams focus on users and devices that might be part of a security incident, allowing them to take targeted actions to mitigate risks.
Details

Steven Lim
Released: August 25, 2024
Tables
IdentityInfoDeviceLogonEvents
Keywords
IdentityInfoUEBARiskLevelRiskStateAccountSIDDeviceLogonEventsAccountNameDeviceName
Operators
let|whereanddistincthas_anysummarize bysort by