ATP Detection For Critical Identities
Query
// ATP Detection for Critical Identities
// https://www.linkedin.com/posts/activity-7190937404625584128-hgdO/
// Custom DefenderXDR detection for CloudApp Advanced Threat Protection for Tier 0 Critical Identities giving you a comprehensive all-round threat monitoring.
let HighlyPrivilegedAdmins =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and
NodeProperties.rawData.criticalityLevel.criticalityLevel==0
| extend EntraObjectID = NodeProperties.rawData.accountObjectId
| project EntraObjectID;
CloudAppEvents
| where ActionType == "AtpDetection"
| extend DetectionMethod = tostring(RawEventData.DetectionMethod)
| extend AccountUpn = RawEventData.UserId
| where AccountUpn has_any(HighlyPrivilegedAdmins)
//MITRE ATT&CK Mapping
//Based on the KQL code, the following MITRE ATT&CK techniques are relevant:
// T1078 - Valid Accounts:
// The query is identifying and monitoring highly privileged accounts, which aligns with the technique of using valid accounts for persistence and privilege escalation1.
// T1071 - Application Layer Protocol:
// The CloudAppEvents table and the AtpDetection action type suggest monitoring for suspicious activities in cloud applications, which can involve the use of application layer protocols2.
// T1087 - Account Discovery:
// The query involves discovering highly privileged accounts, which aligns with the technique of account discovery3.
// T1057 - Process Discovery:
// The detection method and user ID extensions indicate monitoring for specific processes or actions taken by privileged accounts4.Explanation
This query is designed to detect potential threats involving highly privileged accounts (Tier 0 Critical Identities) using Microsoft Defender for Cloud Apps. Here's a simplified breakdown of what the query does:
-
Identify Highly Privileged Accounts:
- It first identifies accounts with a criticality level of 0, which are considered highly privileged, from a dataset called
ExposureGraphNodes. - It extracts the unique identifiers (EntraObjectID) for these accounts.
- It first identifies accounts with a criticality level of 0, which are considered highly privileged, from a dataset called
-
Monitor Cloud Application Events:
- It then looks at events in the
CloudAppEventstable where the action type is "AtpDetection," indicating that these are advanced threat protection detections. - It checks if any of these events involve the highly privileged accounts identified earlier.
- It then looks at events in the
-
MITRE ATT&CK Techniques:
- The query is related to several MITRE ATT&CK techniques:
- T1078 - Valid Accounts: It monitors the use of valid, highly privileged accounts, which could be used for unauthorized access or privilege escalation.
- T1071 - Application Layer Protocol: It involves monitoring cloud application activities, which may use application layer protocols.
- T1087 - Account Discovery: It identifies and monitors highly privileged accounts, aligning with the technique of discovering accounts.
- T1057 - Process Discovery: The query extends detection methods and user IDs, suggesting monitoring of specific actions or processes by these accounts.
- The query is related to several MITRE ATT&CK techniques:
Overall, this query helps in comprehensive threat monitoring by focusing on critical identities and their activities in cloud applications.
Details

Steven Lim
Released: August 25, 2024
Tables
ExposureGraphNodesCloudAppEvents
Keywords
ExposureGraphNodesCategoriesNodePropertiesCloudAppEventsActionTypeRawEventDataEntraObjectIDAccountUpnDetectionMethod
Operators
letset_has_elementwhereisnotnulland==extendtostringprojecthas_any