Query Details

Tracking The Most Dangerous Entra Admin Role

Query

// Tracking The Most Dangerous Entra Admin Role 
// https://www.linkedin.com/posts/activity-7189502682628349952-Uc9z/

// Custom DefenderXDR KQL detecting this dangerous role activation: 

let DangerousAdmin =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| extend AccountUPN = NodeProperties.rawData.accountUpn
| extend AdminRoles = NodeProperties.rawData.assignedRoles
| where AdminRoles contains "Partner Tier2 Support"
| project AccountUPN;
IdentityLogonEvents
| where AccountUpn has_any(DangerousAdmin)

// MITRE ATT&CK Mapping

// T1078.004: Valid Accounts: Cloud Accounts - Identifying and monitoring privileged accounts in cloud environments.
// T1078: Valid Accounts - Monitoring logon events for suspicious activity.
// T1078.001: Valid Accounts: Domain Accounts - Tracking logon events for domain accounts.

Explanation

This query is designed to track and monitor the activation of a specific high-risk administrative role, "Partner Tier2 Support," within a cloud environment. Here's a breakdown of what the query does:

  1. Identify Dangerous Admin Accounts:

    • It searches through a dataset called ExposureGraphNodes to find entries categorized as "identity."
    • It extracts the user principal name (UPN) and the roles assigned to each account.
    • It filters these accounts to find those with the "Partner Tier2 Support" role, which is considered dangerous.
    • The result is a list of user accounts (UPNs) with this role.
  2. Monitor Logon Events:

    • It then checks another dataset, IdentityLogonEvents, for any logon events involving the accounts identified as having the dangerous role.
    • This helps in tracking when and how these accounts are being used, which is crucial for detecting suspicious activities.
  3. Security Framework Mapping:

    • The query is aligned with the MITRE ATT&CK framework, specifically focusing on:
      • T1078.004: Monitoring privileged cloud accounts.
      • T1078: Observing logon events for any unusual activities.
      • T1078.001: Keeping track of logon events for domain accounts.

In simple terms, this query helps security teams identify and keep an eye on potentially risky admin accounts in a cloud environment to prevent unauthorized or harmful activities.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

ExposureGraphNodesIdentityLogonEvents

Keywords

ExposureGraphNodesIdentityLogonEventsCategoriesNodePropertiesAccountUPNAdminRolesPartnerTier2SupportMITREATT&CKValidAccountsCloudEnvironmentsDomain

Operators

let|whereset_has_elementextendcontainsprojecthas_any

MITRE Techniques

Actions

GitHub