{"id":326,"date":"2025-09-16T14:29:42","date_gmt":"2025-09-16T13:29:42","guid":{"rendered":"https:\/\/cyber-resilience.mobi\/?p=326"},"modified":"2025-09-16T14:29:42","modified_gmt":"2025-09-16T13:29:42","slug":"roles-sensibles","status":"publish","type":"post","link":"https:\/\/cyber-resilience.mobi\/?p=326","title":{"rendered":"R\u00f4les sensibles"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Cette requ\u00eate permet de :<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Identifier les r\u00f4les sensibles Entra ID<\/strong>\u00a0avec des chemins d\u2019attaque connus.<\/li>\n\n\n\n<li><strong>Lister les membres \u00e0 risque ou externes<\/strong>\u00a0dans ces r\u00f4les.<\/li>\n\n\n\n<li><strong>Croiser les r\u00f4les avec des classifications EntraOps et des exemples d\u2019attaque<\/strong>.<\/li>\n\n\n\n<li><strong>Prioriser les actions de rem\u00e9diation<\/strong>\u00a0sur les r\u00f4les les plus expos\u00e9s.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ Early draft: List of Directory Roles including known attack paths (defined by Emilien Socchi repository: https:\/\/github.com\/emiliensocchi\/azure-tiering\/blob\/main\/Entra%20roles\/tiered-entra-roles.json), classification by EntraOps, categories and rich details by Graph API and their role members with flags for Guest, Risky User and count of role members from IdentityInfo.\nlet SensitiveEntraDirectoryRoles = externaldata(RoleName: string, RoleId: string, Categories: string, RichDescription: string, isPrivileged: bool, Classification: dynamic, RolePermissions:dynamic)&#91;\"https:\/\/raw.githubusercontent.com\/Cloud-Architekt\/AzurePrivilegedIAM\/main\/Classification\/Classification_EntraIdDirectoryRoles.json\"] with(format='multijson')\n| where Classification.EAMTierLevelName != \"Unclassified\"\n| mv-expand RolePermissions\n| extend Categories = split(Categories,',')\n| summarize EntraOpsCategory = make_set(RolePermissions.Category), Categories = make_set(Categories) by RoleName, RoleId, isPrivileged, EntraOpsClassification = tostring(Classification.EAMTierLevelName), RichDescription;\nlet KnownAttackPaths = externaldata(id: string, pathType: string, knownShortestPath: string, example: string)&#91;\"https:\/\/raw.githubusercontent.com\/emiliensocchi\/azure-tiering\/main\/Entra%20roles\/tiered-entra-roles.json\"] with(format='multijson')\n| where isnotempty(knownShortestPath) or isnotempty(example)\n| project-rename RoleId = id, AttackPathType = pathType, ShortestAttackPath = knownShortestPath, AttackPathExample = example;\nlet PrivilegedUsers = IdentityInfo\n| where TimeGenerated > ago(14d)\n| summarize arg_max(TimeGenerated, *) by AccountObjectId\n| mv-expand AssignedRoles\n| extend RoleName = tostring(AssignedRoles);\nSensitiveEntraDirectoryRoles\n| join kind=inner ( PrivilegedUsers ) on RoleName\n| extend RoleAssignment = bag_pack_columns(AccountName, AccountUPN, UserType, Tags, IsAccountEnabled, RiskState)\n| summarize RoleMembers = count(), RoleAssignments = make_list(RoleAssignment), RiskState = make_list(RiskState), UserType = make_list(UserType) by RoleName, RoleId, tostring(Categories), tostring(EntraOpsCategory), isPrivileged, tostring(EntraOpsClassification), tostring(RichDescription)\n| extend RiskyAdmins = iff(RiskState has \"atRisk\", true, false)\n| extend GuestAsAdmins = iff(UserType has \"Guest\", true, false)\n| project-reorder RiskState, RoleName, RichDescription, EntraOpsClassification, isPrivileged, EntraOpsCategory,Categories, RoleMembers, RoleAssignments\n| sort by RoleName asc\n| join kind=inner ( KnownAttackPaths) on RoleId\n| project-away RiskState, UserType, RoleId1\n\/\/ Filter for risky or external users only\n| where RiskyAdmins = true or GuestAsAdmins == true<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Cette requ\u00eate permet de :<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[18],"class_list":["post-326","post","type-post","status-publish","format-standard","hentry","category-kql-sentinel","tag-kql"],"_links":{"self":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/326","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=326"}],"version-history":[{"count":1,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/326\/revisions"}],"predecessor-version":[{"id":327,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=\/wp\/v2\/posts\/326\/revisions\/327"}],"wp:attachment":[{"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=326"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=326"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyber-resilience.mobi\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}