Query Details

Identity Info Find At Risk and High Blast Radius Users

Query

//Find accounts that are considered to have a high blast radius and currently at risk

//Data connector required for this query - Microsoft Sentinel UEBA

IdentityInfo
| where TimeGenerated > ago(30d)
//Keep only the most recent IdentityInfo record for each account so stale risk states are not counted
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where BlastRadius == "High"
| where RiskState == "AtRisk"

Explanation

This query looks for accounts that are considered to have a high potential impact (blast radius) and are currently at risk. It relies on the Microsoft Sentinel UEBA data connector to populate the IdentityInfo table. It restricts the data to records generated in the last 30 days, then keeps only the most recent record for each account's user principal name (arg_max), so that an account's current state is evaluated rather than an older snapshot. It then filters the results to only those accounts with a high blast radius and a risk state of AtRisk.

Details


Matt Zorich

Released: June 28, 2022

Tables

IdentityInfo

Keywords

Accounts,BlastRadius,RiskState,IdentityInfo,TimeGenerated,AccountUPN

Operators

|, where, >, ago, summarize, arg_max, by, ==
