Query Details

Tracking The Most Dangerous Entra Admin Role

Query

// Tracking The Most Dangerous Entra Admin Role
// https://www.linkedin.com/posts/activity-7189502682628349952-Uc9z/

// Custom DefenderXDR KQL detecting this dangerous role activation:

// Step 1: collect the UPNs of identities that hold the role, from the exposure graph
let DangerousAdmin =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| extend AccountUPN = NodeProperties.rawData.accountUpn
| extend AdminRoles = NodeProperties.rawData.assignedRoles
| where AdminRoles contains "Partner Tier2 Support"
| project AccountUPN;
// Step 2: surface every logon event generated by one of those accounts
IdentityLogonEvents
| where AccountUpn has_any(DangerousAdmin)

Explanation

This KQL query identifies the accounts that hold a specific high-risk administrative role and tracks their logon activity across the organization. Here's a simplified breakdown:

  1. Identify Dangerous Admins:

    • The query first looks at the ExposureGraphNodes table to find entries related to identities.
    • It extracts the user principal names (UPNs) and their assigned roles.
    • It filters for users who have the "Partner Tier2 Support" role, which is considered dangerous.
    • It creates a list of these dangerous admin UPNs.
  2. Track Logon Events:

    • The query then looks at the IdentityLogonEvents table.
    • It filters logon events to find any that involve the dangerous admin UPNs identified in the first step.

In essence, this query helps in monitoring logon activities of users who have been assigned a high-risk administrative role, "Partner Tier2 Support".
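As an added example, not part of the original query or the author's post, the same two-step pattern extended to a watch-list of roles, with the matching role name joined onto each successful logon so an analyst can triage without looking the role up again. The extra role names, the 7-day window, and the assumption that `assignedRoles` is an array of role display names are my own.

```kql
// Added example (not the original query). Assumes NodeProperties.rawData.assignedRoles
// is an array of role display names; the roles other than "Partner Tier2 Support"
// are illustrative additions to the watch-list.
let WatchedRoles = dynamic(["Partner Tier2 Support", "Global Administrator", "Privileged Role Administrator"]);
// Step 1: one row per (account, watched role) from the exposure graph.
// UPNs are lower-cased so the later join does not miss case differences between sources.
let DangerousAdmin =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| extend AccountUPN = tolower(tostring(NodeProperties.rawData.accountUpn))
| mv-expand AdminRole = NodeProperties.rawData.assignedRoles
| extend AdminRole = tostring(AdminRole)
| where AdminRole in (WatchedRoles)
| distinct AccountUPN, AdminRole;
// Step 2: successful logons by those accounts, summarised per account and role
// so that a burst of logons from new IPs or applications stands out.
IdentityLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonSuccess"
| extend AccountUpnLower = tolower(AccountUpn)
| join kind=inner DangerousAdmin on $left.AccountUpnLower == $right.AccountUPN
| summarize Logons = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Applications = make_set(Application),
            SourceIPs = make_set(IPAddress)
    by AccountUpn, AdminRole
| order by Logons desc
```

Pair the output with a baseline of each account's usual source IPs and applications; a "Partner Tier2 Support" holder logging on from a never-before-seen IP is the row worth opening first.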

Details


Steven Lim

Released: August 2, 2024

Tables

ExposureGraphNodes
IdentityLogonEvents

Keywords

Devices
Intune
User

Operators

let
|
where
set_has_element
extend
contains
project
has_any
