
# Most Permissive Entities

## Query Information

#### Description
This query lists the top 100 entities that have the most permissions to perform a certain action on a resource. The query extracts the type of permission, such as reader, contributor, owner and other (custom) roles. It is good practice to review the users with the most permissions, or to put additional monitoring on their accounts. Because these accounts are highly privileged, threat actors can perform a lot of actions once such an account has been taken over.

#### References
- https://learn.microsoft.com/en-us/security-exposure-management/microsoft-security-exposure-management

## Defender For Endpoint
```KQL
// Permission Statistics
ExposureGraphEdges
// Keep only the edges that model a permission relationship between a source entity and a target resource
| where EdgeLabel == "has permissions to"
// Pull the role name (reader, contributor, owner or a custom role) out of the EdgeProperties JSON
| extend Type = extract(@'"name":"(.*?)"', 1, tostring(EdgeProperties))
| where isnotempty(Type)
// Per source entity: number and list of distinct target resources, number and list of distinct role types
| summarize TotalPermissions = dcount(TargetNodeName), ResourceList = make_set(TargetNodeName, 100), PermissionTypeCount = dcount(Type), PermissionTypes = make_set(Type) by SourceNodeName
| sort by TotalPermissions, SourceNodeName
| project SourceNodeName, TotalPermissions, PermissionTypeCount, ResourceList, PermissionTypes
// Keep the 100 entities with the most permissions
| top 100 by TotalPermissions
```

Explanation

This query identifies the top 100 entities with the most permissions to perform a specific action on a resource. It shows the type of permissions they have, such as reader, contributor, owner, or custom roles. It is important to monitor these highly privileged users closely to prevent security threats.
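To see what the pipeline above actually computes, the following is an added Python replay of its filter, extract, summarize, sort and top stages over a few constructed edge rows; it is not part of the original query page. The EdgeProperties layout in the sample rows is an assumption chosen only to exercise the regex, and the helper names (`permission_type`, `all_permission_types`, `most_permissive`) are mine. It also shows one caveat of the query: KQL `extract()` returns only the first match, so an edge whose properties carry several role names contributes only the first one, whereas `extract_all()` would keep them all.

```python
import re
from collections import defaultdict
# Constructed sample rows (not real ExposureGraphEdges data; the EdgeProperties
# layout is an assumption made only to exercise the regex the query uses).
SAMPLE_EDGES = [
    {"SourceNodeName": "alice@contoso.example", "TargetNodeName": "rg-prod-web",
     "EdgeLabel": "has permissions to",
     "EdgeProperties": '{"rawData":{"roles":[{"name":"Owner"}]}}'},
    {"SourceNodeName": "alice@contoso.example", "TargetNodeName": "kv-prod-secrets",
     "EdgeLabel": "has permissions to",
     "EdgeProperties": '{"rawData":{"roles":[{"name":"Contributor"}]}}'},
    {"SourceNodeName": "bob@contoso.example", "TargetNodeName": "st-logs-archive",
     "EdgeLabel": "has permissions to",
     "EdgeProperties": '{"rawData":{"roles":[{"name":"Reader"},{"name":"Owner"}]}}'},
    {"SourceNodeName": "bob@contoso.example", "TargetNodeName": "st-logs-archive",
     "EdgeLabel": "contains", "EdgeProperties": '{"name":"unrelated"}'},
    {"SourceNodeName": "svc-backup", "TargetNodeName": "rg-prod-web",
     "EdgeLabel": "has permissions to", "EdgeProperties": '{"rawData":{}}'},
]
NAME_RE = re.compile(r'"name":"(.*?)"')

def permission_type(edge_properties):
    """Mirror KQL extract(@'"name":"(.*?)"', 1, ...): first match only, '' if none."""
    m = NAME_RE.search(edge_properties)
    return m.group(1) if m else ""

def all_permission_types(edge_properties):
    """Mirror KQL extract_all(): every role name carried by the edge."""
    return NAME_RE.findall(edge_properties)

def most_permissive(edges, limit=100, first_match_only=True):
    """Replay the query's filter/extract/summarize/sort/top pipeline in Python."""
    per_source = defaultdict(lambda: {"targets": set(), "types": set()})
    for e in edges:
        if e["EdgeLabel"] != "has permissions to":
            continue                                  # where EdgeLabel == ...
        props = e["EdgeProperties"]
        types = [permission_type(props)] if first_match_only else all_permission_types(props)
        types = [t for t in types if t]               # where isnotempty(Type)
        if not types:
            continue
        bucket = per_source[e["SourceNodeName"]]      # summarize ... by SourceNodeName
        bucket["targets"].add(e["TargetNodeName"])    # dcount / make_set(TargetNodeName)
        bucket["types"].update(types)                 # dcount / make_set(Type)
    rows = [{"SourceNodeName": s, "TotalPermissions": len(b["targets"]),
             "PermissionTypeCount": len(b["types"]), "ResourceList": sorted(b["targets"]),
             "PermissionTypes": sorted(b["types"])} for s, b in per_source.items()]
    rows.sort(key=lambda r: r["SourceNodeName"], reverse=True)   # sort by ... (desc)
    rows.sort(key=lambda r: r["TotalPermissions"], reverse=True) # stable: ties keep name order
    return rows[:limit]                                          # top 100 by TotalPermissions
```

Run with `first_match_only=False` to see how bob's PermissionTypes grows from one role to two once every role name on the edge is kept.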

Details


Bert-Jan Pals

Released: June 20, 2024

Tables

ExposureGraphEdges

Keywords

Entities,Permissions,ResourceList,PermissionTypeCount,PermissionTypes,TotalPermissions,Type,EdgeLabel,EdgeProperties,TargetNodeName,SourceNodeName.

Operators

where, extend, isnotempty, summarize, dcount, make_set, sort, project, top
