Query Details

Securing Your Azure Cloud: Finding the Weakest Link in Admin Endpoints

Query

// Securing Your Azure Cloud: Finding the Weakest Link in Admin Endpoints

// Who holds the key vault secrets to your Azure cloud? Are you aware of any critical vulnerabilities in these cloud admin endpoints? By running the DefenderXDR Exposure Management KQL below, you can identify your Azure Admin's weakest link, highlighting the most critical vulnerabilities and their susceptibility to external attacks and compromises.

let AzureAdminWithKeyVaultAccess =
ExposureGraphEdges
| where SourceNodeLabel == "user"
| where EdgeLabel == "has permissions to"
| where TargetNodeLabel == "microsoft.keyvault/vaults"
| where parse_json(TargetNodeCategories)[0] == 'secret'
| distinct SourceNodeName;
let AzureAdminEP=
ExposureGraphEdges
| where EdgeLabel == "frequently logged in by"
| where TargetNodeName has_any(AzureAdminWithKeyVaultAccess)
| distinct SourceNodeName;
ExposureGraphNodes
| where NodeLabel == "Cve"
| extend Severity = tostring(NodeProperties.rawData.severity)
| where Severity == "Critical"
| join ExposureGraphEdges on $left.NodeId == $right.SourceNodeId
| where TargetNodeName has_any(AzureAdminEP)

Explanation

This KQL query is designed to identify potential security vulnerabilities in Azure cloud admin endpoints, particularly focusing on those with access to key vault secrets. Here's a simplified breakdown of what the query does:

  1. Identify Admins with Key Vault Access:
    • It first searches for users who have permissions to Azure Key Vaults that hold secrets. This is done by filtering the ExposureGraphEdges table for "has permissions to" edges whose source node is a user and whose target is a key vault whose first category is 'secret'; the distinct user names are kept as AzureAdminWithKeyVaultAccess.
  2. Find Frequently Used Endpoints:
    • Next, it identifies endpoints that these users frequently log into. This is achieved by looking for "frequently logged in by" edges in the ExposureGraphEdges table whose target node name matches any of the previously identified users with key vault access; the distinct source (endpoint) names are kept as AzureAdminEP.
  3. Detect Critical Vulnerabilities:
    • Finally, it searches for critical vulnerabilities on these endpoints. It filters the ExposureGraphNodes table (which contains vulnerability data) for nodes labeled "Cve" (Common Vulnerabilities and Exposures) whose severity is "Critical", joins them to the ExposureGraphEdges table on NodeId == SourceNodeId, and keeps only the edges whose target node name is one of the admin endpoints.

In summary, the query helps pinpoint the most critical vulnerabilities in admin endpoints that are frequently accessed by users with key vault permissions, highlighting potential weak points that could be susceptible to external attacks.
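The three steps above, as an added Python model run over constructed graph rows (example code, not from the page's author or from Microsoft Exposure Management). It keeps the query's own filters, including the first-element category check on the vault, and lets you compare that with checking every category; has_any() is simplified to exact name membership, and the CVE-to-device edge label "affecting", the node names and the CVE ids are all constructed assumptions.

```python
# Added example (not part of the original page or of Microsoft Exposure
# Management): an in-memory model of the three-step walk the KQL query performs
# over ExposureGraphNodes / ExposureGraphEdges, run on constructed rows.
# Assumptions: KQL's term-based has_any() is modelled as exact name membership,
# and the CVE-to-device edge label "affecting" is assumed (the query does not
# filter on it). All rows, device names and CVE ids below are constructed.
import json


def edge(label, src_id, src_name, src_label, tgt_id, tgt_name, tgt_label, tgt_cats="[]"):
    """Build one ExposureGraphEdges-shaped row (only the columns the query reads)."""
    return {"EdgeLabel": label,
            "SourceNodeId": src_id, "SourceNodeName": src_name, "SourceNodeLabel": src_label,
            "TargetNodeId": tgt_id, "TargetNodeName": tgt_name, "TargetNodeLabel": tgt_label,
            "TargetNodeCategories": tgt_cats}   # JSON text, as parse_json() expects


# Constructed ExposureGraphNodes rows: NodeProperties.rawData.severity is the
# field the query reads with tostring().
NODES = [
    {"NodeId": "cve-1", "NodeLabel": "Cve", "NodeProperties": {"rawData": {"severity": "Critical"}}},
    {"NodeId": "cve-2", "NodeLabel": "Cve", "NodeProperties": {"rawData": {"severity": "High"}}},
    {"NodeId": "cve-3", "NodeLabel": "Cve", "NodeProperties": {"rawData": {"severity": "Critical"}}},
]

EDGES = [
    # Step 1 input: user -> "has permissions to" -> key vault, with the vault's categories.
    edge("has permissions to", "u-alice", "alice", "user",
         "kv-1", "kv-prod", "microsoft.keyvault/vaults", '["secret"]'),
    edge("has permissions to", "u-bob", "bob", "user",
         "kv-2", "kv-certs", "microsoft.keyvault/vaults", '["certificate", "secret"]'),
    # Step 2 input: device -> "frequently logged in by" -> user.
    edge("frequently logged in by", "dev-1", "admin-ws-01", "device", "u-alice", "alice", "user"),
    edge("frequently logged in by", "dev-2", "admin-ws-02", "device", "u-bob", "bob", "user"),
    edge("frequently logged in by", "dev-3", "kiosk-07", "device", "u-carol", "carol", "user"),
    # Step 3 input: CVE node -> device (label assumed; the query joins on SourceNodeId only).
    edge("affecting", "cve-1", "CVE-EXAMPLE-0001", "Cve", "dev-1", "admin-ws-01", "device"),
    edge("affecting", "cve-2", "CVE-EXAMPLE-0002", "Cve", "dev-1", "admin-ws-01", "device"),
    edge("affecting", "cve-3", "CVE-EXAMPLE-0003", "Cve", "dev-2", "admin-ws-02", "device"),
    edge("affecting", "cve-1", "CVE-EXAMPLE-0001", "Cve", "dev-3", "kiosk-07", "device"),
]


def admins_with_secret_vault_access(edges, first_category_only=True):
    """Step 1 (AzureAdminWithKeyVaultAccess). first_category_only=True mirrors the
    query's parse_json(TargetNodeCategories)[0] == 'secret'; False checks every
    category, the stricter variant that also catches vaults listing 'secret' later."""
    admins = set()
    for e in edges:
        if (e["SourceNodeLabel"] != "user" or e["EdgeLabel"] != "has permissions to"
                or e["TargetNodeLabel"] != "microsoft.keyvault/vaults"):
            continue
        cats = json.loads(e["TargetNodeCategories"])
        hit = (cats[:1] == ["secret"]) if first_category_only else ("secret" in cats)
        if hit:
            admins.add(e["SourceNodeName"])
    return admins


def admin_endpoints(edges, admins):
    """Step 2 (AzureAdminEP): devices frequently logged in by a step-1 user."""
    return {e["SourceNodeName"] for e in edges
            if e["EdgeLabel"] == "frequently logged in by" and e["TargetNodeName"] in admins}


def critical_cves_on_endpoints(nodes, edges, endpoints):
    """Step 3: Critical Cve nodes joined to edges (NodeId == SourceNodeId) whose
    target is a step-2 endpoint. Returns sorted (cve name, endpoint) pairs."""
    critical = {n["NodeId"] for n in nodes
                if n["NodeLabel"] == "Cve"
                and str(n["NodeProperties"]["rawData"]["severity"]) == "Critical"}
    return sorted({(e["SourceNodeName"], e["TargetNodeName"]) for e in edges
                   if e["SourceNodeId"] in critical and e["TargetNodeName"] in endpoints})


def weakest_links(nodes=NODES, edges=EDGES, first_category_only=True):
    """Run all three steps, as the query does, and return the findings."""
    admins = admins_with_secret_vault_access(edges, first_category_only)
    return critical_cves_on_endpoints(nodes, edges, admin_endpoints(edges, admins))


if __name__ == "__main__":
    print("query as written:", weakest_links())
    print("all categories  :", weakest_links(first_category_only=False))
```

Run as written, the model returns only the Critical CVE on admin-ws-01: the High-severity CVE on the same device is dropped by the severity filter, the kiosk is dropped because no key-vault admin logs into it, and bob's device is dropped because his vault lists 'secret' as its second category. Switching to the all-categories check adds admin-ws-02, which is the difference to keep in mind when deciding whether the query's [0] check is strict enough for your tenant.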

Details


Steven Lim

Released: January 28, 2025

Tables

ExposureGraphEdges, ExposureGraphNodes

Keywords

ExposureGraphEdges, ExposureGraphNodes, AzureAdmin, KeyVault, User, MicrosoftKeyvaultVaults, Cve, Severity, NodeProperties, RawData

Operators

let, |, where, ==, parse_json(), distinct, has_any(), extend, tostring(), join, on
