Query Details

Directory Role Member With Classification

Query

// List of (active/permanent) Directory role member with with enriched classification from EntraOps Privileged EAM
// by using IdentityInfo table from Microsoft Sentinel UEBA
let SensitiveEntraDirectoryRoles = externaldata(RoleName: string, RoleId: string, Categories: string, RichDescription: string, isPrivileged: bool, Classification: dynamic)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_EntraIdDirectoryRoles.json"] with(format='multijson')
| where Classification.EAMTierLevelName != "Unclassified"
| extend EAMTierLevelName = Classification.EAMTierLevelName
| project RoleName, Categories, isPrivileged, EAMTierLevelName;
let SensitiveUsers = IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| mv-expand AssignedRoles
| extend RoleName = tostring(AssignedRoles)
| join kind=inner ( SensitiveEntraDirectoryRoles ) on RoleName;
SensitiveUsers
| project EAMTierLevelName, RoleName, Categories, AccountObjectId, AccountDisplayName, AccountUPN, IsAccountEnabled, UserType, SourceSystem

Explanation

This KQL query is designed to identify and list active or permanent members of directory roles with enriched classifications from EntraOps Privileged EAM. It uses data from the IdentityInfo table in Microsoft Sentinel UEBA. Here's a simplified breakdown of what the query does:

  1. Load Role Data: It retrieves a list of directory roles from an external JSON file, which includes details like role name, ID, categories, descriptions, privilege status, and classification. Only roles that are classified (not "Unclassified") are considered.

  2. Filter and Extend: The query filters out unclassified roles and extends the dataset to include a tier level name for each role.

  3. Process User Data: It processes user information from the IdentityInfo table, focusing on data generated in the last 14 days. It ensures that only the most recent record for each user is considered.

  4. Expand Roles: For each user, it expands the list of assigned roles and matches these roles with the previously loaded role data.

  5. Join and Project: The query performs an inner join between the user data and the role data based on role names. It then selects and displays relevant fields such as the tier level name, role name, categories, user account details, and source system.

In summary, the query identifies users with specific directory roles, enriches this information with classification data, and presents a detailed list of these users and their roles.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: July 30, 2024

Tables

IdentityInfo

Keywords

DirectoryRolesClassificationIdentityUsers

Operators

letexternaldatawithwhereextendprojectsummarizearg_maxbymv-expandtostringjoinkindon

Actions

GitHub