{"id":282,"date":"2024-12-04T10:26:17","date_gmt":"2024-12-04T09:26:17","guid":{"rendered":"https:\/\/cyber-resilience.mobi\/?p=282"},"modified":"2024-12-04T10:26:17","modified_gmt":"2024-12-04T09:26:17","slug":"utilisateurs-privilegies-externes-a-risque-avec-enrichissement-des-chemins-dattaque-connus-et-classification","status":"publish","type":"post","link":"https:\/\/cyber-resilience.mobi\/?p=282","title":{"rendered":"Utilisateurs privil\u00e9gi\u00e9s externes \u00e0 risque avec enrichissement des chemins d&rsquo;attaque connus et classification."},"content":{"rendered":"\n<pre class=\"wp-block-code\"><code>\/\/ Early draft: List of Directory Roles including known attack paths (defined in Emilien Socchi's repository: https:\/\/github.com\/emiliensocchi\/azure-tiering\/blob\/main\/Entra%20roles\/tiered-entra-roles.json), classification by EntraOps, categories and rich details from the Graph API, and their role members with flags for Guest and Risky User plus a count of role members from IdentityInfo. Note: both externaldata sources below are fetched at query time from the main branch of public repositories, so their content can change between runs; pinning the URLs to a specific commit gives reproducible results.\nlet SensitiveEntraDirectoryRoles = externaldata(RoleName: string, RoleId: string, Categories: string, RichDescription: string, isPrivileged: bool, Classification: dynamic, RolePermissions:dynamic)&#91;\"https:\/\/raw.githubusercontent.com\/Cloud-Architekt\/AzurePrivilegedIAM\/main\/Classification\/Classification_EntraIdDirectoryRoles.json\"] with(format='multijson')\n| where Classification.EAMTierLevelName != \"Unclassified\"\n| mv-expand RolePermissions\n| extend Categories = split(Categories,',')\n| summarize EntraOpsCategory = make_set(RolePermissions.Category), Categories = make_set(Categories) by RoleName, RoleId, isPrivileged, EntraOpsClassification = tostring(Classification.EAMTierLevelName), RichDescription;\nlet KnownAttackPaths = externaldata(id: string, pathType: string, knownShortestPath: string, example: string)&#91;\"https:\/\/raw.githubusercontent.com\/emiliensocchi\/azure-tiering\/main\/Entra%20roles\/tiered-entra-roles.json\"] with(format='multijson')\n| where 
isnotempty(knownShortestPath) or isnotempty(example)\n| project-rename RoleId = id, AttackPathType = pathType, ShortestAttackPath = knownShortestPath, AttackPathExample = example;\nlet PrivilegedUsers = IdentityInfo\n| where TimeGenerated > ago(14d)\n| summarize arg_max(TimeGenerated, *) by AccountObjectId\n| mv-expand AssignedRoles\n| extend RoleName = tostring(AssignedRoles);\nSensitiveEntraDirectoryRoles\n| join kind=inner ( PrivilegedUsers ) on RoleName\n| extend RoleAssignment = bag_pack_columns(AccountName, AccountUPN, UserType, Tags, IsAccountEnabled, RiskState)\n| summarize RoleMembers = count(), RoleAssignments = make_list(RoleAssignment), RiskState = make_list(RiskState), UserType = make_list(UserType) by RoleName, RoleId, tostring(Categories), tostring(EntraOpsCategory), isPrivileged, tostring(EntraOpsClassification), tostring(RichDescription)\n| extend RiskyAdmins = iff(RiskState has \"atRisk\", true, false)\n| extend GuestAsAdmins = iff(UserType has \"Guest\", true, false)\n| project-reorder RiskState, RoleName, RichDescription, EntraOpsClassification, isPrivileged, EntraOpsCategory,Categories, RoleMembers, RoleAssignments\n| sort by RoleName asc\n| join kind=inner ( KnownAttackPaths) on RoleId\n| project-away RiskState, UserType, RoleId1\n\/\/ Filter for risky or external users only. Both flags are booleans; note that KQL equality in a where clause is written ==, so the first comparison should read RiskyAdmins == true (a single = is not a comparison operator here).\n| where RiskyAdmins = true or GuestAsAdmins == 
true\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[18,19,37,22,29,30],"class_list":["post-282","post","type-post","status-publish","format-standard","hentry","category-kql-sentinel","tag-kql","tag-kusto","tag-securite","tag-sentinel","tag-siem","tag-xdr"],"_links":{"self":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/282","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=282"}],"version-history":[{"count":1,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/282\/revisions"}],"predecessor-version":[{"id":283,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/282\/revisions\/283"}],"wp:attachment":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=282"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=282"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=282"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}