Query Details

Critical Monitor For Critical Assets

Query

// Critical Monitor for Critical Assets
// https://www.linkedin.com/posts/activity-7189844353610088448-BajA/

// Custom DefenderXDR KQL Monitor for Tier 0 Critical Identities on High Security Alerts:

let HighlyPrivilegedAdmins =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and 
NodeProperties.rawData.criticalityLevel.criticalityLevel==0 
| extend EntraObjectID = NodeProperties.rawData.accountObjectId
| project EntraObjectID;
AlertInfo
| join AlertEvidence on AlertId
| extend ReportId = AlertId
| where Severity == "High"
| where AccountObjectId has_any(HighlyPrivilegedAdmins)


// MITRE ATT&CK Mapping

// Based on the KQL code, the following MITRE ATT&CK techniques are relevant:

// T1078 - Valid Accounts:
// The query identifies highly privileged accounts, which could be used by adversaries to gain unauthorized access.

// T1087 - Account Discovery:
// The process of identifying highly privileged accounts aligns with account discovery techniques.

// T1071 - Application Layer Protocol:
// The query joins alert information, which could involve detecting communication over application layer protocols.

// T1566 - Phishing:
// High severity alerts could be related to phishing attempts targeting privileged accounts.

// T1210 - Exploitation of Remote Services:
// High severity alerts involving privileged accounts could indicate exploitation attempts on remote services.

Explanation

This query is designed to monitor critical security alerts related to highly privileged accounts, specifically Tier 0 critical identities, using Microsoft Defender's KQL (Kusto Query Language). Here's a simple breakdown:

  1. Identify Critical Accounts:

    • The query first identifies accounts that are considered highly privileged (Tier 0) by checking the ExposureGraphNodes table for identities with a criticality level of 0. - It extracts the unique identifier (EntraObjectID) for these accounts.
  2. Monitor High Severity Alerts:

    • It then looks for high severity security alerts in the AlertInfo table.
    • These alerts are joined with evidence data from the AlertEvidence table to gather more context.
    • The query filters these alerts to only include those that involve the highly privileged accounts identified earlier.
  3. MITRE ATT&CK Techniques:

    • The query is mapped to several MITRE ATT&CK techniques, suggesting potential security threats:
      • T1078 - Valid Accounts: The focus on privileged accounts could indicate attempts to gain unauthorized access.
      • T1087 - Account Discovery: Identifying these accounts aligns with techniques used to discover account details.
      • T1071 - Application Layer Protocol: The alert data might involve communication over application protocols.
      • T1566 - Phishing: High severity alerts could be related to phishing attacks targeting these accounts.
      • T1210 - Exploitation of Remote Services: Alerts involving these accounts might indicate attempts to exploit remote services.

In summary, this query helps security teams monitor and respond to high-risk alerts involving critical accounts, potentially indicating serious security threats such as unauthorized access, phishing, or exploitation attempts.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

ExposureGraphNodes AlertInfo AlertEvidence

Keywords

ExposureGraphNodesCategoriesNodePropertiesAlertInfoAlertEvidenceSeverityAccountObjectIdEntraObjectIDAlertIdReportId

Operators

letset_has_elementwhereisnotnullextendprojectjoinonhas_any

Actions

GitHub