Query Details

Identity Info: Find Guests with High Blast Radius

Query

// Find Azure AD guest accounts that UEBA has scored with a high blast radius
// Data connector required for this query: Microsoft Sentinel UEBA (populates IdentityInfo)
IdentityInfo
| where TimeGenerated > ago(30d)
// Keep only the most recent IdentityInfo record per account so stale scores are ignored
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where UserType == "Guest" and BlastRadius == "High"

Explanation

This query searches for Azure AD guest accounts that the UEBA engine has rated as having a high blast radius. It requires the Microsoft Sentinel UEBA data connector, which populates the IdentityInfo table. It first restricts IdentityInfo to records generated in the last 30 days. It then groups the records by AccountUPN and, with arg_max, keeps only the most recent record for each account, so that an account's current (not a superseded) blast radius score is evaluated. Finally, it filters the results to guest accounts whose BlastRadius is "High".

Details

Matt Zorich

Released: June 28, 2022

Tables

IdentityInfo

Keywords

AzureAD, Guest, BlastRadius, MicrosoftSentinelUEBA, IdentityInfo, TimeGenerated, AccountUPN, UserType

Operators

where, >, ago, summarize, arg_max, by, ==, and