KQL Search

Query Details

HomeAI ToolsDevice Query

Sensitive Service Principals Az ADSPI

Query

let SensitiveMsGraphPermissions = externaldata(EAMTierLevel: string, Category: string, APIPermission: string)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_MsGraphPermissions.json"] with(format='multijson');
let SensitiveAadDirectoryRoles = externaldata(EAMTierLevel: string, Category: string, id: string)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_AadDirectoryRoles.json"] with(format='multijson');
AADServicePrincipals_CL
| mv-expand parse_json(APP_s), parse_json(SPAppRoleAssignments_s)
| mv-expand SPAppRoleAssignments_s.AppRolePermissionSensitivity, SPAppRoleAssignments_s.AppRolePermission, parse_json(SPAADRoleAssignments_s)
| mv-expand SPAADRoleAssignments_s.roleDefinitionName, SPAADRoleAssignments_s.roleDefinitionId
| extend AppRolePermission = tostring(SPAppRoleAssignments_s_AppRolePermission)
| extend AadDirectoryRoleId = tostring(SPAADRoleAssignments_s_roleDefinitionId)
| extend AadDirectoryRoleName = tostring(SPAADRoleAssignments_s_roleDefinitionName)
// Option A: Filter on classification from AadSpInsights
//| where SPAADRoleAssignments_s_roleDefinitionId == true or SPAppRoleAssignments_s_AppRolePermissionSensitivity == "critical"
// Option B: Filter on enrichment from external classification schema
| join kind=leftouter(
    SensitiveMsGraphPermissions | project AppRolePermissionTierLevel = EAMTierLevel, AppRolePermissionCategory = Category, APIPermission
    ) on $left.AppRolePermission == $right.APIPermission
| join kind=leftouter(
    SensitiveAadDirectoryRoles | project AadDirectoryRoleTierLevel = EAMTierLevel, AadDirectoryRoleTierCategory = Category, id
    )on $left.AadDirectoryRoleId == $right.id
| extend Classification = iif((AppRolePermissionTierLevel == "ControlPlane" or AadDirectoryRoleTierLevel == "ControlPlane"), "ControlPlane", "NonControlPlane")
| where Classification == "ControlPlane"
| project APPObjectId = tostring(parse_json(APP_s).APPObjectId), APPDisplayName = tostring(parse_json(APP_s).APPDisplayName), ObjectId_g, ObjectType_s, AppRolePermission, AadDirectoryRoleName, Classification, AppRolePermissionCategory, AadDirectoryRoleTierCategory, tostring(parse_json(APP_s).APPSignInAudience)
| distinct APPObjectId, APPDisplayName, ObjectId_g, ObjectType_s, Classification

Explanation

This query retrieves data from two external sources, "Classification_MsGraphPermissions.json" and "Classification_AadDirectoryRoles.json". It then expands and joins the data to filter and classify the results. The final output includes the APPObjectId, APPDisplayName, ObjectId_g, ObjectType_s, and Classification of the data. The query specifically focuses on filtering and selecting data related to the "ControlPlane" classification.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: August 23, 2023

Tables

AADServicePrincipals_CL

Keywords

Devices,Intune,User

Operators

mv-expandparse_jsonextendtostringjoinprojectiifwheredistinct

Actions