Query Details

Privileged Unified Identity Info

Query

id: b7661446-5116-40ae-9f01-79074549ec18
Function:
  Title: Parser to get privileged human identities from IdentityInfo table and privileged workloads from WorkloadIdentityInfo for unified list of all privileges
  Version: '1.0.0'
  LastUpdated: '2025-03-17'
Category: Microsoft Sentinel Parser
FunctionName: PrivilegedUnifiedIdentityInfo
FunctionAlias: PrivilegedUnifiedIdentityInfo
FunctionQuery: |
    // Function to get privileged users from IdentityInfo and privileged workloads from WorkloadIdentityInfo
    let SensitiveEntraDirectoryRoles = externaldata(RoleName: string, RoleId: string, isPrivileged: bool, Classification: dynamic)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_EntraIdDirectoryRoles.json"] with(format='multijson')
    | where Classification.EAMTierLevelName != "Unclassified"
    | project RoleName, isPrivileged, Classification;
    let SensitiveUsers = IdentityInfo
    | where TimeGenerated > ago(14d)
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | mv-expand AssignedRoles
    | extend RoleName = tostring(AssignedRoles)
    | join kind=inner ( SensitiveEntraDirectoryRoles ) on RoleName
    | extend AadDirectoryRoleTierLevels = parse_json(Classification.EAMTierLevelName)
    | extend Classification = iif((AadDirectoryRoleTierLevels contains "ControlPlane"), "ControlPlane", "Unclassified")
    | extend Classification = iif((Classification == "Unclassified" and (AadDirectoryRoleTierLevels contains "ManagementPlane")), "ManagementPlane", Classification)
    | extend Classification = iif((Classification == "Unclassified" and (AadDirectoryRoleTierLevels contains "WorkloadPlane")), "WorkloadPlane", Classification)
    | extend Classification = iif((Classification == "Unclassified" and (AadDirectoryRoleTierLevels contains "UserAccess")), "UserAccess", Classification)
    | summarize RoleAssignments = make_set(RoleName) by AccountObjectId, AccountDisplayName, OnPremisesAccountObjectId, Classification;
    let PrivilegedUsers = SensitiveUsers
    | extend OnPremSynchronized = iff(isnotempty(OnPremisesAccountObjectId), "true", "false")
    | project
        ObjectId = tostring(AccountObjectId),
        ObjectType = "User",
        ObjectDisplayName = AccountDisplayName,
        OnPremSynchronized,
        Classification = tostring(Classification), // named explicitly so it unions with the workload column
        EntraIdRoles = RoleAssignments;
    let PrivilegedWorkloads = PrivilegedWorkloadIdentityInfo
    | where isnotempty(EntraIdRoles) or isnotempty(AppRolePermissions)
    | project
        ObjectId = tostring(ServicePrincipalObjectId),
        ObjectType = WorkloadIdentityType,
        ObjectDisplayName = WorkloadIdentityName,
        OnPremSynchronized = "false",
        Classification = tostring(EnterpriseAccessModelTiering),
        EntraIdRoles = EntraIdRoles,
        AppRoles = AppRolePermissions;
    union PrivilegedUsers, PrivilegedWorkloads

Explanation

This query is designed to create a unified list of privileged identities by combining information about privileged human users and privileged workloads. Here's a simplified breakdown of what the query does:

  1. Sensitive Role Identification: It retrieves a list of sensitive roles from an external JSON source, filtering out roles that are unclassified.

  2. Sensitive Users Extraction:

    • It pulls data from the IdentityInfo table, focusing on the last 14 days.
    • It identifies users with assigned roles that match the sensitive roles.
    • It classifies each matched role as "ControlPlane", "ManagementPlane", "WorkloadPlane", or "UserAccess" from the tier level recorded in the classification data; when a role lists more than one tier, the higher tier takes precedence.
    • It summarizes the role assignments for each user and classification tier.
  3. Privileged Users Formatting:

    • It formats the data for privileged users, including details like whether their account is synchronized with on-premises directories, and lists their role assignments.
  4. Privileged Workloads Extraction:

    • It pulls data from the WorkloadIdentityInfo table for workloads with specific role or permission assignments.
    • It formats this data similarly to the user data, but marks these workloads as not synchronized with on-premises directories.
  5. Combining Data:

    • It combines the formatted data for both privileged users and workloads into a single unified list.

This unified list can be used for monitoring and managing privileged access within an organization, helping to ensure security and compliance.
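To show how the pipeline behaves on concrete input, here is an added Python rendering of the parser's logic (example code, not part of the parser or the Cloud-Architekt repository). The role classification, IdentityInfo and workload rows are constructed for the example; the real parser fetches the classification JSON from GitHub at query time. It makes visible that output rows are grouped per identity and tier, so a user holding roles in two tiers appears twice.

```python
# Constructed sample rows in the shape the parser consumes (values are made up, not real tenant data).
ROLE_CLASSIFICATION = [  # shape of Classification_EntraIdDirectoryRoles.json
    {"RoleName": "Global Administrator", "Classification": {"EAMTierLevelName": ["ControlPlane"]}},
    {"RoleName": "Exchange Administrator", "Classification": {"EAMTierLevelName": ["ManagementPlane"]}},
    {"RoleName": "Directory Readers", "Classification": {"EAMTierLevelName": "Unclassified"}},
]
IDENTITY_INFO = [  # latest IdentityInfo row per AccountObjectId (after arg_max)
    {"AccountObjectId": "u1", "AccountDisplayName": "Alice", "OnPremisesAccountObjectId": "onprem-1",
     "AssignedRoles": ["Global Administrator", "Exchange Administrator"]},
    {"AccountObjectId": "u2", "AccountDisplayName": "Bob", "OnPremisesAccountObjectId": "",
     "AssignedRoles": ["Directory Readers"]},
]
WORKLOADS = [  # rows as the parser expects from PrivilegedWorkloadIdentityInfo
    {"ServicePrincipalObjectId": "sp1", "WorkloadIdentityType": "ServicePrincipal",
     "WorkloadIdentityName": "ci-deployer", "EnterpriseAccessModelTiering": "ManagementPlane",
     "EntraIdRoles": [], "AppRolePermissions": ["Directory.ReadWrite.All"]},
]
TIER_ORDER = ("ControlPlane", "ManagementPlane", "WorkloadPlane", "UserAccess")  # order of the iif() chain

def sensitive_roles(classification):
    # externaldata | where Classification.EAMTierLevelName != "Unclassified" -> {RoleName: tier levels}
    return {r["RoleName"]: r["Classification"]["EAMTierLevelName"] for r in classification
            if r["Classification"]["EAMTierLevelName"] != "Unclassified"}
def classify(tier_levels):
    # Chained iif(... contains ...): the first TIER_ORDER entry found in the role's levels wins.
    return next((t for t in TIER_ORDER if t in tier_levels), "Unclassified")
def privileged_users(identity_info, roles):
    # mv-expand AssignedRoles | join kind=inner roles | classify | summarize make_set(RoleName) by user, tier
    grouped = {}
    for u in identity_info:
        for role in u["AssignedRoles"]:
            if role in roles:  # inner join: roles missing from the classification drop out
                key = (u["AccountObjectId"], u["AccountDisplayName"],
                       u["OnPremisesAccountObjectId"], classify(roles[role]))
                grouped.setdefault(key, set()).add(role)
    return [{"ObjectId": oid, "ObjectType": "User", "ObjectDisplayName": name,
             "OnPremSynchronized": "true" if onprem else "false", "Classification": tier,
             "EntraIdRoles": sorted(names), "AppRoles": None}
            for (oid, name, onprem, tier), names in grouped.items()]

def privileged_workloads(workloads):
    # where isnotempty(EntraIdRoles) or isnotempty(AppRolePermissions) | project unified columns
    return [{"ObjectId": w["ServicePrincipalObjectId"], "ObjectType": w["WorkloadIdentityType"],
             "ObjectDisplayName": w["WorkloadIdentityName"], "OnPremSynchronized": "false",
             "Classification": w["EnterpriseAccessModelTiering"], "EntraIdRoles": w["EntraIdRoles"],
             "AppRoles": w["AppRolePermissions"]}
            for w in workloads if w["EntraIdRoles"] or w["AppRolePermissions"]]

def unified_privileged_identities(identity_info, workloads, classification=ROLE_CLASSIFICATION):
    # union PrivilegedUsers, PrivilegedWorkloads: one row per (identity, tier), not per identity
    roles = sensitive_roles(classification)
    return privileged_users(identity_info, roles) + privileged_workloads(workloads)
```

A practitioner can compare the row count this produces for a known set of accounts against the parser's output in the workspace to confirm the join and grouping behave as expected.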

Details

Thomas Naunheim

Released: March 17, 2025

Tables

IdentityInfo, WorkloadIdentityInfo

Keywords

IdentityInfo, WorkloadIdentityInfo, RoleName, AccountObjectId, AccountDisplayName, OnPremisesAccountObjectId, ServicePrincipalObjectId, WorkloadIdentityType, WorkloadIdentityName, EnterpriseAccessModelTiering, EntraIdRoles, AppRolePermissions, Classification

Operators

let, externaldata, with, format, where, project, summarize, arg_max, by, mv-expand, extend, tostring, join, kind, on, parse_json, iif, contains, make_set, iff, isnotempty, union