Query Details

Identity Blast Radius

Query

//Identity Blast Radius KQL
//https://www.linkedin.com/feed/update/urn:li:activity:7174327431485431808/

//Assesses the blast radius of high-risk identity accounts: sign-in risk data from AADSignInEventsBeta selects the accounts, and the edge/node data in ExposureGraphEdges and ExposureGraphNodes gives the list of assets that could be impacted in the event of account compromise.

// Step 1: accounts seen with an aggregated sign-in risk level above 50
let HighRiskAccounts =
AADSignInEventsBeta
| where RiskLevelAggregated > 50
| where isnotempty(AccountDisplayName) // an empty display name is useless as a match term
| distinct AccountDisplayName;
// Step 2: "can authenticate to" edges whose source node name carries one of those display names
ExposureGraphEdges 
| where EdgeLabel == @"can authenticate to"
| where SourceNodeName has_any (HighRiskAccounts)
// Step 3: join on the target node ID; as written this only confirms the target exists in the node table
| join ExposureGraphNodes on $left.TargetNodeId==$right.NodeId
// One row per distinct (account, asset) pair
| summarize by SourceNodeName, TargetNodeName


Explanation

This query is designed to identify the potential impact of compromised high-risk identity accounts. Here's a simplified summary:

  1. Identify High-Risk Accounts: It first selects sign-ins from AADSignInEventsBeta whose aggregated risk level is above 50 and lists the distinct display names of the accounts involved.
  2. Find Impacted Assets: It then looks at ExposureGraphEdges for "can authenticate to" edges whose source node name contains one of those display names, i.e. the assets these high-risk accounts can authenticate to.
  3. Combine Data: Finally, it joins the edges with ExposureGraphNodes on the target node ID and summarizes the result into distinct (account, asset) pairs.

In essence, the query determines which assets could be affected if any of the high-risk accounts were compromised. Two caveats when using it: the match on SourceNodeName is by display name, which is not unique, so results can include look-alike accounts and should be confirmed against the account's UPN or object ID; and as written the join only confirms that the target node exists, since no column from ExposureGraphNodes is projected, so add fields such as NodeLabel to the summarize if you want the asset type in the output.
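The following variant is an added example, not the author's query above: it keeps the same three steps but scopes the risk data to a time window, carries the asset type from the node table through the join, and ranks each account by how many distinct assets it can reach. The column names not used in the original (Timestamp, NodeLabel) and the 7-day window are assumptions based on the public advanced hunting schema, not something the original query relies on.

```kql
// Added example: rank high-risk accounts by blast radius size (not the original query).
// Assumptions: AADSignInEventsBeta has a Timestamp column and ExposureGraphNodes has a
// NodeLabel column, as in the public advanced hunting schema; the 7-day window is arbitrary.
let LookbackWindow = 7d;
let HighRiskAccounts =
    AADSignInEventsBeta
    | where Timestamp > ago(LookbackWindow)
    | where RiskLevelAggregated > 50
    | where isnotempty(AccountDisplayName)
    | distinct AccountDisplayName;
ExposureGraphEdges
| where EdgeLabel == @"can authenticate to"
| where SourceNodeName has_any (HighRiskAccounts)
// Explicit inner join so every matching edge is kept, and the asset type is projected
// from the node table instead of being discarded after the join
| join kind=inner (
    ExposureGraphNodes
    | project NodeId, AssetType = NodeLabel
  ) on $left.TargetNodeId == $right.NodeId
| summarize
    ImpactedAssets = dcount(TargetNodeId),
    AssetTypes = make_set(AssetType),
    SampleAssets = make_set(TargetNodeName, 20)
    by HighRiskAccount = SourceNodeName
| order by ImpactedAssets desc
```

The `kind=inner` is deliberate: the default join kind in advanced hunting deduplicates on the left key, which can silently drop edges when an account has several paths to the same target. The `ImpactedAssets` count is the number a responder actually wants first, since it tells you which compromised account to contain before the others.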

Details


Steven Lim

Released: August 2, 2024

Tables

AADSignInEventsBeta, ExposureGraphEdges, ExposureGraphNodes

Keywords

Identity, Accounts, Risk Data, Assets, Events, Graph

Operators

let, |, where, >, distinct, ==, has_any, join, on, summarize by
