Query Details
//Summarize the Azure resources that each of your managed identities is accessing. The higher the count, the higher the potential blast radius.
//Data connector required for this query - Azure Active Directory - Managed Identity Signin Logs
AADManagedIdentitySignInLogs
| where TimeGenerated > ago(30d)
| where ResultType == 0
| summarize
    ['List of Azure Resources Accessed']=make_set(ResourceDisplayName),
    ['Distinct Resources Accessed']=dcount(ResourceDisplayName)
    by ServicePrincipalName
| sort by ['Distinct Resources Accessed'] desc

This query summarizes the Azure resources that each managed identity is accessing. It uses the Azure Active Directory - Managed Identity Signin Logs data connector. The query filters the logs to the past 30 days and keeps only successful sign-ins (ResultType == 0). It then groups the results by service principal name (the managed identity), builds the set of resources each one accessed, and counts the distinct resources per identity. The results are sorted in descending order by that distinct-resource count, so the identities with the largest potential blast radius appear first.
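The query above gives a point-in-time inventory; a defender usually also wants to know when an identity's blast radius grows. The following KQL is an added example, not part of the original query or its author's work. It runs over the same table and columns as the original and flags managed identities that accessed a resource in the most recent 7 days that they had not accessed in the preceding 30 days. The 7-day and 30-day windows are assumed values to tune for your environment.

```kql
// Added example: detect managed identities whose set of accessed resources
// has expanded recently (new resource not seen in the baseline window).
// Assumed windows: 7d recent, 30d baseline (37d total lookback).
let recentWindow = 7d;
let totalLookback = 37d;
AADManagedIdentitySignInLogs
| where TimeGenerated > ago(totalLookback)
| where ResultType == 0
| summarize
    // resources seen in the baseline period only
    ['Baseline Resources']=make_set_if(ResourceDisplayName, TimeGenerated < ago(recentWindow)),
    // resources seen in the recent period only
    ['Recent Resources']=make_set_if(ResourceDisplayName, TimeGenerated >= ago(recentWindow))
    by ServicePrincipalName
// resources accessed recently but absent from the baseline
| extend ['New Resources']=set_difference(['Recent Resources'], ['Baseline Resources'])
| where array_length(['New Resources']) > 0
// total distinct resources, comparable to the original query's count
| extend ['Distinct Resources Accessed']=array_length(set_union(['Recent Resources'], ['Baseline Resources']))
| project
    ServicePrincipalName,
    ['New Resources'],
    ['Count of New Resources']=array_length(['New Resources']),
    ['Distinct Resources Accessed'],
    ['Baseline Resources']
| sort by ['Count of New Resources'] desc
```

Identities with an empty baseline set are new in the environment (or newly active) and will surface at the top; those are worth reviewing separately from long-lived identities that suddenly reach a resource they never touched before. Because only successful sign-ins are kept, a second copy of the query with ResultType != 0 is a cheap way to see identities that are attempting access they do not have.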

Matt Zorich
Released: June 17, 2022