Query Details

Identity Info Find Priv Accounts High Blast Radius

Query

//Find user accounts that hold an Azure AD privileged role and are considered to have a high blast radius

//Data connector required for this query - Microsoft Sentinel UEBA

IdentityInfo
| where TimeGenerated > ago(30d)                          // only snapshots written in the last 30 days
| summarize arg_max(TimeGenerated, *) by AccountUPN      // keep the most recent snapshot per account
| where isnotempty(AssignedRoles) and AssignedRoles != "[]" // drop accounts with no Azure AD role (null or empty JSON array)
| where BlastRadius == "High"                            // UEBA-computed blast radius

Explanation

This query finds user accounts that hold an Azure AD role and that Microsoft Sentinel UEBA has classified as having a high blast radius. It relies on the IdentityInfo table, which is only populated when the Microsoft Sentinel UEBA data connector is enabled. The query first restricts IdentityInfo to records written in the last 30 days, then uses summarize arg_max(TimeGenerated, *) by AccountUPN so that each account contributes only its most recent snapshot; without this step an account that appears in several snapshots would be listed several times and could match on stale role data. It then keeps only accounts whose AssignedRoles column is populated, treating both a null value and the empty JSON array "[]" as "no role", and finally filters to accounts whose BlastRadius is "High". Note that the query treats any entry in AssignedRoles as a privileged role; it does not distinguish between individual Azure AD roles, and BlastRadius is a UEBA-derived rating rather than a field you can set directly.
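As an added example (not part of the original page or the author's query), the following KQL extends the query so that it reports which Azure AD roles make up the high-blast-radius population instead of one row per account. It expands the AssignedRoles JSON array into one row per role and then groups by role. The column AccountUPN, AssignedRoles and BlastRadius come from the original query; the assumption that AssignedRoles can be parsed with todynamic() is based on the IdentityInfo schema and is flagged in the comments.

```kusto
// Added example, not from the original page: one row per (account, role),
// then a per-role summary of high-blast-radius accounts.
// Assumption: AssignedRoles is a JSON array of role display names, so
// todynamic() either parses it (string column) or is a no-op (dynamic column).
IdentityInfo
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by AccountUPN       // latest snapshot per account
| where isnotempty(AssignedRoles) and AssignedRoles != "[]"
| where BlastRadius == "High"
| mv-expand Role = todynamic(AssignedRoles) to typeof(string) // one row per role held
| where isnotempty(Role)
| summarize
    AccountCount = dcount(AccountUPN),                     // how many high-blast-radius accounts hold this role
    Accounts     = make_set(AccountUPN, 100)               // up to 100 UPNs per role for review
    by Role
| order by AccountCount desc
```

Sorting by AccountCount surfaces the roles that are most widely assigned among high-blast-radius accounts, which is usually the first place to look when trimming standing privileged access. The make_set() cap of 100 is an arbitrary limit chosen for readability of the result grid and can be raised or removed.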

Details


Matt Zorich

Released: June 28, 2022

Tables

IdentityInfo

Keywords

User,AzureAD,PrivilegedRole,BlastRadius

Operators

where,summarize,arg_max,isnotempty,!=,==
