Query Details

Privileged Identity Info

Query

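id: b7661446-5116-40ae-9f01-79074549ec18
Function:
  Title: Parser to get privileged human identities from IdentityInfo table and privileged workloads from WorkloadIdentityInfo for unified list of all privileges
  Version: '1.0.0'
  LastUpdated: '2023-11-11'
Category: Microsoft Sentinel Parser
FunctionName: PrivilegedIdentityInfo
FunctionAlias: PrivilegedIdentityInfo
FunctionQuery: |
    // Function to get privileged users from IdentityInfo and privileged workloads from WorkloadIdentityInfo
    //
    // Output: one row per privileged identity with the columns
    //   ObjectId, ObjectType, ObjectDisplayName, OnPremSynchronized ("true"/"false" as a string),
    //   Classification (string), EntraIdRoles, and AppRoles (populated on the workload branch only).
    //
    // The role classification is downloaded at query time from a third-party GitHub repository
    // on its "main" branch. The content of that file decides which directory roles count as
    // privileged, so any change upstream silently changes the output of every detection built
    // on this parser. For a reproducible result pin the URL to a specific commit (replace "main"
    // with <COMMIT_SHA placeholder>) or mirror the file to storage you control.
    let SensitiveEntraDirectoryRoles = externaldata(RoleName: string, RoleId: string, isPrivileged: bool, Classification: dynamic)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_EntraIdDirectoryRoles.json"] with(format='multijson')
    // Roles the classification file does not place in a tier are dropped here; isPrivileged is
    // carried along but not used further down.
    | where Classification.EAMTierLevelName != "Unclassified"
    | project RoleName, isPrivileged, Classification;
    // Latest IdentityInfo snapshot per account within the 14-day lookback, then one row per
    // (account, assigned role) pair after expanding AssignedRoles.
    let SensitiveUsers = IdentityInfo
    | where TimeGenerated > ago(14d)
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | mv-expand AssignedRoles
    | extend RoleName = tostring(AssignedRoles)
    // Equality join on RoleName is case-sensitive: a role name in AssignedRoles must match the
    // classification file exactly, otherwise the assignment is not counted as privileged.
    | join kind=inner ( SensitiveEntraDirectoryRoles ) on RoleName
    // Collapse back to one row per account, collecting the distinct tier names and role names.
    | summarize Classification = make_set(parse_json(Classification.EAMTierLevelName)), RoleAssignments = make_set(RoleName) by AccountObjectId, AccountDisplayName, OnPremisesAccountObjectId;
    let PrivilegedUsers = SensitiveUsers
    // Kept as a string (not bool) to match the literal "false" used on the workload branch.
    | extend OnPremSynchronized = iff(isnotempty(OnPremisesAccountObjectId), "true", "false")
    | project
        ObjectId = tostring(AccountObjectId),
        ObjectType = "User",
        ObjectDisplayName = AccountDisplayName,
        OnPremSynchronized,
        // Aliased explicitly so the column name is guaranteed to line up with the
        // Classification column of the workload branch in the union below.
        Classification = tostring(Classification),
        EntraIdRoles = RoleAssignments;
    // PrivilegedWorkloadIdentityInfo is not a built-in table; it appears to be a separate parser
    // (over WorkloadIdentityInfo) that must be deployed in the same workspace for this function
    // to resolve.
    let PrivilegedWorkloads = PrivilegedWorkloadIdentityInfo
    | where isnotempty(EntraIdRoles) or isnotempty(AppRolePermissions)
    | project
        ObjectId = tostring(ServicePrincipalObjectId),
        ObjectType = WorkloadIdentityType,
        ObjectDisplayName = WorkloadIdentityName,
        // Hard-coded: the workload branch carries no on-premises sync information.
        OnPremSynchronized = "false",
        Classification = tostring(EnterpriseAccessModelTiering),
        EntraIdRoles = EntraIdRoles,
        AppRoles = AppRolePermissions;
    // Columns missing on one side (AppRoles for users) are left empty in the combined result.
    union PrivilegedUsers, PrivilegedWorkloads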

Explanation

This query is a parser that retrieves privileged human identities from the IdentityInfo table and privileged workload identities from the PrivilegedWorkloadIdentityInfo table. It uses external data to get a list of classified Entra ID directory roles and filters out roles marked as unclassified. It then joins the IdentityInfo table with the sensitive roles and summarizes the results by account object ID, display name, and on-premises account object ID. Finally, it combines the privileged users and the privileged workloads into a unified list.

Details


Thomas Naunheim

Released: November 18, 2023

Tables

IdentityInfo, WorkloadIdentityInfo

Keywords

IdentityInfo,WorkloadIdentityInfo,SensitiveEntraDirectoryRoles,SensitiveUsers,PrivilegedUsers,PrivilegedWorkloadIdentityInfo,AppRolePermissions,ServicePrincipalObjectId,WorkloadIdentityType,WorkloadIdentityName,EnterpriseAccessModelTiering

Operators

where, project, externaldata, with, format, |, summarize, arg_max, by, mv-expand, extend, join, make_set, parse_json, iff, isnotempty, isnotempty, or, union
