Tracking The Most Dangerous Entra Admin Role
Query
// Tracking The Most Dangerous Entra Admin Role
// https://www.linkedin.com/posts/activity-7189502682628349952-Uc9z/
// Custom DefenderXDR KQL detecting this dangerous role activation:
let DangerousAdmin =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| extend AccountUPN = NodeProperties.rawData.accountUpn
| extend AdminRoles = NodeProperties.rawData.assignedRoles
| where AdminRoles contains "Partner Tier2 Support"
| project AccountUPN;
IdentityLogonEvents
| where AccountUpn has_any(DangerousAdmin)
// MITRE ATT&CK Mapping
// T1078.004: Valid Accounts: Cloud Accounts - Identifying and monitoring privileged accounts in cloud environments.
// T1078: Valid Accounts - Monitoring logon events for suspicious activity.
// T1078.001: Valid Accounts: Domain Accounts - Tracking logon events for domain accounts.Explanation
This query is designed to track and monitor the activation of a specific high-risk administrative role, "Partner Tier2 Support," within a cloud environment. Here's a breakdown of what the query does:
-
Identify Dangerous Admin Accounts:
- It searches through a dataset called
ExposureGraphNodesto find entries categorized as "identity." - It extracts the user principal name (UPN) and the roles assigned to each account.
- It filters these accounts to find those with the "Partner Tier2 Support" role, which is considered dangerous.
- The result is a list of user accounts (UPNs) with this role.
- It searches through a dataset called
-
Monitor Logon Events:
- It then checks another dataset,
IdentityLogonEvents, for any logon events involving the accounts identified as having the dangerous role. - This helps in tracking when and how these accounts are being used, which is crucial for detecting suspicious activities.
- It then checks another dataset,
-
Security Framework Mapping:
- The query is aligned with the MITRE ATT&CK framework, specifically focusing on:
- T1078.004: Monitoring privileged cloud accounts.
- T1078: Observing logon events for any unusual activities.
- T1078.001: Keeping track of logon events for domain accounts.
- The query is aligned with the MITRE ATT&CK framework, specifically focusing on:
In simple terms, this query helps security teams identify and keep an eye on potentially risky admin accounts in a cloud environment to prevent unauthorized or harmful activities.
Details

Steven Lim
Released: August 25, 2024
Tables
ExposureGraphNodesIdentityLogonEvents
Keywords
ExposureGraphNodesIdentityLogonEventsCategoriesNodePropertiesAccountUPNAdminRolesPartnerTier2SupportMITREATT&CKValidAccountsCloudEnvironmentsDomain
Operators
let|whereset_has_elementextendcontainsprojecthas_any