Query Details

Directory Roles With Details

Query

// List of Directory Roles including classification by EntraOps, categories and rich details by Graph API and their role members with flags for Guest, Risky User and count of role members.
// by using IdentityInfo table from Microsoft Sentinel UEBA
let SensitiveEntraDirectoryRoles = externaldata(RoleName: string, RoleId: string, Categories: string, RichDescription: string, isPrivileged: bool, Classification: dynamic, RolePermissions:dynamic)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_EntraIdDirectoryRoles.json"] with(format='multijson')
| where Classification.EAMTierLevelName != "Unclassified"
| mv-expand RolePermissions
| extend Categories = split(Categories,',')
| summarize EntraOpsCategory = make_set(RolePermissions.Category), Categories = make_set(Categories) by RoleName, isPrivileged, EntraOpsClassification = tostring(Classification.EAMTierLevelName), RichDescription;
let PrivilegedUsers = IdentityInfo
| where TimeGenerated > ago(14d)
| summarize arg_max(TimeGenerated, *) by AccountObjectId
| mv-expand AssignedRoles
| extend RoleName = tostring(AssignedRoles);
SensitiveEntraDirectoryRoles
| join kind=inner ( PrivilegedUsers ) on RoleName
| extend RoleAssignment = bag_pack_columns(AccountName, AccountUPN, UserType, Tags, IsAccountEnabled, RiskState)
| summarize RoleMembers = count(), RoleAssignments = make_list(RoleAssignment), RiskState = make_list(RiskState), UserType = make_list(UserType) by RoleName, tostring(Categories), tostring(EntraOpsCategory), isPrivileged, tostring(EntraOpsClassification), tostring(RichDescription)
| extend RiskyAdmins = iff(RiskState has "atRisk", true, false)
| extend GuestAsAdmins = iff(UserType has "Guest", true, false)
| project-reorder RiskState, RoleName, RichDescription, EntraOpsClassification, isPrivileged, EntraOpsCategory,Categories, RoleMembers, RoleAssignments
| sort by RoleName asc
| project-away RiskState, UserType

Explanation

This query is designed to analyze and summarize information about directory roles and their members in a Microsoft environment, using data from Microsoft Sentinel's User and Entity Behavior Analytics (UEBA). Here's a simplified breakdown:

  1. Data Source: The query starts by importing a list of directory roles from an external JSON file. This file contains details like role names, IDs, categories, descriptions, privilege status, and classifications.

  2. Filtering: It filters out roles that are unclassified, focusing only on those with a defined classification.

  3. Role Details: For each role, it expands the permissions and categorizes them, summarizing the roles by their operational categories, privilege status, and detailed descriptions.

  4. User Information: It retrieves user information from the IdentityInfo table, focusing on data from the last 14 days. It identifies users and their assigned roles.

  5. Joining Data: The query joins the role details with user information to find which users are assigned to which roles.

  6. Summarizing Role Members: It counts the number of members per role and collects details about each member, including their risk state and user type (e.g., guest).

  7. Flags for Risk and Guest Users: It flags roles that have risky users (those with a risk state) and guest users as administrators.

  8. Output: The final output is a sorted list of roles with their descriptions, classifications, privilege status, categories, number of members, and member details, excluding the risk state and user type from the final display.

In essence, the query provides a detailed overview of directory roles, highlighting sensitive roles, their members, and any potential risks associated with those members.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: July 30, 2024

Tables

IdentityInfo

Keywords

DirectoryRolesEntraOpsGraphAPIRoleMembersGuestRiskyUserMicrosoftSentinelUEBAIdentityInfo

Operators

externaldatawithwheremv-expandextendsplitsummarizemake_settostringletagoarg_maxjoinkindonbag_pack_columnscountmake_listiffhastruefalseproject-reordersortascproject-away

Actions

GitHub