Query Details

Identity Blast Radius 2

Query

//Identity Blast Radius 2 KQL
//https://www.linkedin.com/feed/update/urn:li:activity:7177358332662337536/

//A different approach to deriving identity blast radius: instead of the Defender XDR schema, this query uses the Microsoft Sentinel User and Entity Behavior Analytics (UEBA) IdentityInfo schema to find high-blast-radius, high-risk users and their associated logon devices, so the potential attack path can be traced for remediation.

let HighRiskUsers =
IdentityInfo
// Restrict to rows produced by the UEBA enrichment
| where BlastRadius == "High" and ChangeSource == "UEBA"
| where RiskLevel == "High" and RiskState == "AtRisk"
| distinct AccountSID;
DeviceLogonEvents
// Match device logons on the same SID; HighRiskUsers is a single-column tabular expression
| where AccountSid has_any(HighRiskUsers)
| summarize by AccountName, DeviceName
| sort by AccountName

Explanation

This query identifies high-risk users and their associated logon devices using Sentinel User and Entity Behavior Analytics (UEBA) data. Here's a simple summary:

  1. Identify High-Risk Users:
    • Look for users with a high blast radius and high risk level, flagged by UEBA.
    • Extract their unique account SIDs.
  2. Find Associated Logon Devices:
    • Check which devices these high-risk users have logged into.
    • List the account names and device names.
  3. Output:
    • Provide a sorted list of high-risk users and their logon devices for further investigation and remediation.

In essence, this query helps trace potential attack paths by linking high-risk users to the devices they have accessed.
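As an added example, not part of Steven Lim's query, the same idea carried one step further for triage: keep only the latest IdentityInfo snapshot per account (so a user whose risk state was later remediated is not still listed), carry the user's UPN and department through the join, and rank users by how many distinct devices they reached. Column names are the standard Sentinel IdentityInfo and DeviceLogonEvents schema; the 7-day lookback window is an assumption.

```kusto
// Added example, not part of the original query: rank high-risk users by
// the number of distinct devices they logged on to (assumed 7-day window).
let lookback = 7d;
let HighRiskUsers =
    IdentityInfo
    | where ChangeSource == "UEBA"
    // IdentityInfo stores periodic snapshots; keep the latest row per account
    // so a stale AtRisk row does not outlive its remediation
    | summarize arg_max(TimeGenerated, *) by AccountSID
    | where BlastRadius == "High" and RiskLevel == "High" and RiskState == "AtRisk"
    | project AccountSID, AccountUPN, Department;
DeviceLogonEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "LogonSuccess"
// Join on SID rather than account name: names repeat across domains, SIDs do not
| join kind=inner HighRiskUsers on $left.AccountSid == $right.AccountSID
| summarize Logons = count(),
            LastLogon = max(TimeGenerated),
            LogonTypes = make_set(LogonType),
            AdminLogons = countif(IsLocalAdmin)
          by AccountUPN, Department, AccountSid, DeviceName
// One row per user: device count, how many of those devices saw an admin logon
| summarize DeviceCount = dcount(DeviceName),
            AdminDeviceCount = countif(AdminLogons > 0),
            Devices = make_set(DeviceName)
          by AccountUPN, Department, AccountSid
| sort by DeviceCount desc, AdminDeviceCount desc
```

Users at the top of the result reached the most devices, and AdminDeviceCount highlights where a compromised account would hold local admin rights, which is where containment should start.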

Details


Steven Lim

Released: August 2, 2024

Tables

IdentityInfo, DeviceLogonEvents

Keywords

Identity, Devices, User

Operators

let, ==, and, |, distinct, has_any, summarize, by, sort
