Privileged Workload Identity Info

id: 1225bb11-96d0-40f0-9ad7-b460042e0a52 Function: Title: Parser for WorkloadIdentityInfo with enriched classification of EntraOps Version: '1.0.0' LastUpdated: '2023-11-11' Category: Microsoft Sentinel Parser FunctionName: PrivilegedWorkloadIdentityInfo FunctionAlias: PrivilegedWorkloadIdentityInfo FunctionQuery: | let SensitiveMsGraphPermissions = externaldata(EAMTierLevelName: string, Category: string, AppRoleDisplayName: string)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_AppRoles.json"] with(format='multijson'); let SensitiveAadDirectoryRoles = externaldata(Classification: string, RolePermissions: string, Category: string, RoleId: string)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_EntraIdDirectoryRoles.json"] with(format='multijson') | mv-expand parse_json(RolePermissions) | summarize Category = make_list(RolePermissions.Category) by AadDirectoryRoleId = RoleId, AadDirectoryRoleTierLevel = tostring(parse_json(Classification).EAMTierLevelName); let SpWithAppRole = _GetWatchlist('WorkloadIdentityInfo') | mv-expand parse_json(AssignedAppRoles) | extend AppRoleDisplayName = tostring(AssignedAppRoles.AppRoleDisplayName) | extend ResourceDisplayName = tostring(AssignedAppRoles.ResourceDisplayName) | join kind=leftouter( SensitiveMsGraphPermissions | project AppRolePermissionTierLevel = EAMTierLevelName, Category, AppRoleDisplayName, ResourceDisplayName = "Microsoft Graph" ) on AppRoleDisplayName, ResourceDisplayName | where isnotempty(AppRoleDisplayName) | summarize AppRolePermissions = make_set(AppRoleDisplayName), AppRolePermissionTierLevels = make_set(AppRolePermissionTierLevel) by ServicePrincipalObjectId; let SpWithDirectoryRole = _GetWatchlist('WorkloadIdentityInfo') | mv-expand parse_json(AssignedRoles) | extend AadDirectoryRoleId = tostring(AssignedRoles.RoleDefinitionId) | extend AadDirectoryRoleName = tostring(AssignedRoles.RoleDefinitionName) | join kind=leftouter( SensitiveAadDirectoryRoles ) on AadDirectoryRoleId | where isnotempty(AadDirectoryRoleName) | summarize AadDirectoryRoles = make_set(AadDirectoryRoleName), AadDirectoryRoleTierLevels = make_set(AadDirectoryRoleTierLevel) by ServicePrincipalObjectId; _GetWatchlist('WorkloadIdentityInfo') | join kind=leftouter ( union SpWithAppRole, SpWithDirectoryRole | summarize AppRolePermissions = make_set(AppRolePermissions), AppRolePermissionTierLevels = make_set(AppRolePermissionTierLevels), AadDirectoryRoles = make_set(AadDirectoryRoles), AadDirectoryRoleTierLevels = make_set(AadDirectoryRoleTierLevels) by ServicePrincipalObjectId ) on ServicePrincipalObjectId | extend Classification = iif((AppRolePermissionTierLevels contains "ControlPlane" or AadDirectoryRoleTierLevels contains "ControlPlane"), "ControlPlane", "Unclassified") | extend Classification = iif((Classification == "Unclassified" and (AppRolePermissionTierLevels contains "ManagementPlane" or AadDirectoryRoleTierLevels contains "ManagementPlane")), "ManagementPlane", Classification) | extend Classification = iif((Classification == "Unclassified" and (AppRolePermissionTierLevels contains "WorkloadPlane" or AadDirectoryRoleTierLevels contains "WorkloadPlane")), "WorkloadPlane", Classification) | extend Classification = iif((Classification == "Unclassified" and (AppRolePermissionTierLevels contains "UserAccess" or AadDirectoryRoleTierLevels contains "UserAccess")), "UserAccess", Classification) | project WorkloadIdentityName = AppDisplayName, WorkloadIdentityType = ServicePrincipalType, IsFirstPartyApp, SignInAudience, UserAssignmentRequired, tostring(ServicePrincipalObjectId), ApplicationObjectId = tostring(AppObjectId), ApplicationId = tostring(AppId), EntraIdRoles = AadDirectoryRoles, AppRolePermissions, EnterpriseAccessModelTiering = Classification

Explanation

The query is used to parse and classify the permissions and roles assigned to workload identities in Azure. It retrieves sensitive permissions and roles from external data sources and joins them with the workload identity information. It then classifies the workload identities based on the permissions and roles assigned to them. The query outputs various attributes of the workload identities, including their name, type, assigned roles and permissions, and the classification based on the access model tiering.

Details

Thomas Naunheim

Released: November 18, 2023

Tables

SensitiveMsGraphPermissionsSensitiveAadDirectoryRolesSpWithAppRoleSpWithDirectoryRole_GetWatchlist('WorkloadIdentityInfo')

Keywords

Devices,Intune,User,AppRoleDisplayName,ResourceDisplayName,AssignedAppRoles,AssignedRoles,ServicePrincipalObjectId,AppRolePermissionTierLevel,AadDirectoryRoleId,AadDirectoryRoleTierLevel,AppRolePermissions,AppRolePermissionTierLevels,AadDirectoryRoles,AadDirectoryRoleTierLevels,WorkloadIdentityName,WorkloadIdentityType,IsFirstPartyApp,SignInAudience,UserAssignmentRequired,ServicePrincipalType,AppDisplayName,AppObjectId,AppId,EnterpriseAccessModelTiering

Operators

letexternaldatawithformatmv-expandsummarizeextendjoinprojectisnotemptymake_listtostringparse_jsonmake_setiif

KQL Search