Query Details

Most Permissive Entities

Query

// Permission Statistics
ExposureGraphEdges
| where EdgeLabel == "has permissions to"
| extend Type = extract(@'"name":"(.*?)"', 1, tostring(EdgeProperties))
| where isnotempty(Type)
| summarize TotalPermissions = dcount(TargetNodeName), ResourceList = make_set(TargetNodeName, 100), PermissionTypeCount = dcount(Type), PermissionTypes = make_set(Type) by SourceNodeName
| sort by TotalPermissions, SourceNodeName
| project SourceNodeName, TotalPermissions, PermissionTypeCount, ResourceList, PermissionTypes
| top 100 by TotalPermissions

About this query

Most Permissive Entities

Query Information

Description

This query lists the top 100 entities that have the most permissions to perform a certain action on a resource. The query extracts the type of permissions, such as reader, contributor, owner and other (custom) roles. It is good practice to review the users with the most permissions, or put additional monitoring on their accounts. Because they are highly priviliged threat actors can perform a lot of actions once the account has been taken over.

References

Defender XDR

Explanation

This query is designed to identify the top 100 entities (such as users or service accounts) that have the most permissions to perform actions on various resources within a system. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by looking at a dataset called ExposureGraphEdges, which contains information about permissions assigned to entities.

  2. Filter: It filters the data to focus only on entries where the relationship is "has permissions to," indicating that an entity has been granted permissions on a resource.

  3. Extract Permission Types: It extracts the type of permissions (like reader, contributor, owner, or custom roles) from the data.

  4. Summarize: For each entity (referred to as SourceNodeName), it calculates:

    • The total number of unique resources (TotalPermissions) the entity has permissions for.
    • A list of these resources (ResourceList).
    • The number of different permission types (PermissionTypeCount) the entity has.
    • A list of these permission types (PermissionTypes).
  5. Sort and Select Top 100: It sorts the entities by the total number of permissions they have and selects the top 100 entities with the most permissions.

  6. Output: The final output includes the entity name, total number of permissions, count of different permission types, list of resources, and list of permission types for each of the top 100 entities.

The purpose of this query is to help identify highly privileged accounts that might require additional monitoring or review, as they could be targets for threat actors due to their extensive permissions.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

ExposureGraphEdges

Keywords

ExposureGraphEdges

Operators

|whereextendextracttostringisnotemptysummarizedcountmake_setbysortprojecttop

Actions

GitHub