[New blog post] Analyzing #MicrosoftEntra π€ Workload Identity Activity Through πͺ Token-Based Hunting: Iβve published a #KQL function to hunt activities by tokens from non-human identities and share some experimental queries and insights in this article.
www.cloud-architekt.net/token-huntin...
#ConsentFix is a great way for attackers to work around some protective layers but not all. @naunheim.cloud , @cbrhh.bsky.social and I wrote a blog post on detection and mitigations. Hope you find it useful and can adapt it to your environment.
www.glueckkanja.com/de/posts/202...
Had the great privilege and a lot of fun joining ποΈ#EntraChat together with my friend and MVP fellow @samilamppu.bsky.social!
π Big thanks to @merill.net for having us - it was a pleasure to be part of the podcast. I hope everyone listening enjoyed it as much as we did recording it!
3οΈβ£ π οΈ Enhanced Enrichment Function
Recently, I've released a #KQL function integrating #ExposureManagement and #EntraOps data to identify sensitive callers, actions, and targets. Updated to support parameters like IP Address and Token Identifier.
π github.com/Cloud-Archit...
2οΈβ£ π Normalized schema for shared queries
Want to reuse existing queries or unify detection logic across both tables? Iβve published a #KQL function that normalizes the schema of GraphApiAuditEvents to match that of MicrosoftGraphActivityLogs.
π github.com/Cloud-Archit...
1οΈβ£ π€ Comparison Deep Dive
What are the differences between GraphApiAuditEvents (XDR) and MicrosoftGraphActivityLogs (Diagnostic Logs in hashtag#MicrosoftSentinel)? Iβve built a comparison table outlining the differences in column availability and detail levels.
The availability of GraphApiAuditEvents in #MicrosoftDefender brings significant value to every environment, enhancing capabilities for detecting and hunting #MicrosoftGraph API calls. In my recent research, Iβve created a few resources that Iβm happy to share with the community.
4. IsSensitiveTarget π―
The modified object is classified as critical (based on Exposure Management Critical Assets), and the applied rule details are displayed. In this case, the service principal has been assigned critical app permissions in Exchange Online.
3. IsSensitiveAction βΆοΈ
The Graph request includes a POST to the servicePrincipal endpoint, which is flagged as a sensitive modification. This logic is experimental and simplified, so it may result in inaccurate classification and should be used in combo with others indicators.
2. IsHighSensitiveScope π
However, the scope includes Application.ReadWrite.All, which has been identified as "Control Plane" by using EntraOps classification model.
In the following example, several indicators are included that make this particular call interesting for further investigation:
1. IsSensitiveCaller π£οΈ
A regular enterprise user (based on Exposure Management Critical Asset information) is calling Graph.
I've created an experimental KQL function that enriches the data with details from #ExposureManagement and #EntraOps. This might help identify sensitive Graph Calls from the large volume of events in this table.
π The query is available here:
github.com/Cloud-Archit...
ππ Track Sensitive Graph API Calls with my new #KQL Function for #MicrosoftDefenderXDR
Microsoft has released the new advanced hunting table "GraphAPIAuditEvents" which offers great opportunities to investigate activities based on #MicrosoftGraph API calls.
My session, βDefending Tier 0: Taking Control of Your Cloudβs Control Plane,β from last yearβs #HIPConf is now available on YouTube. The session focused on securing privileged access and implementing a tiered administration model in #MicrosoftEntra.
youtu.be/pVPEieHtOVM
I have integrated the classification model of #EntraOps to identify sensitive roles in #MicrosoftEntra, #MicrosoftGraph, and #AzureRBAC. This function offers a holistic view and report on SPs including details such as ownership and assigned Azure Roles (enriched by CSPM data). (2/2)
I've published a #KQL function ("WorkloadIdentityInfoXDR") for #MicrosoftDefender to enhance details of #MicrosoftEntra #WorkloadID from various sources, incl. the new table "OAuthAppInfo" but also IdentityInfo table and #ExposureManagement. (1/2)
π github.com/Cloud-Archit...
Cloud #IdentitySummit 2025 is back!
Save the date and join this community event with #IdentitySecurity, #MicrosoftEntra, and #CloudIdentity deep dive sessions in Dortmund, Germany.
Call for Papers is open now:
sessionize.com/cloud-identi...
Stay tuned for more details:
www.identitysummit.cloud
Check out my community tool #EntraOps if you are interested to get a customized and detailed analysis of all permanent and PIM-managed role assignments in #EntraID, #Intune and #IdentityGovernance: www.cloud-architekt.net/entraops/
There are some current limitations on this preview (for example, custom or scoped roles are not covered, data seems to be available in MDI tenants only). However, the new column offers some great capabilities at no additional implementation efforts.
-π¨ Discovering alerts of privileged users with active or assigned roles, along with details on related roles and their highest access tier classification.
- π Determine which eligible or active roles were assigned at a specific time, and compare them to their current status
This enables powerful hunting queries, such as:
-β‘οΈ Identifying assigned roles that include specific actions (e.g., reading BitLocker keys).
- π¦ΈββοΈ Listing all eligible assignments for Control Plane (Tier0) roles, including Microsoft role categories and assignment types (direct or indirect).
IdentityInfo table in #MicrosoftDefender has been expanded to include eligible roles from #MicrosoftEntra. Iβve developed a #KQL function to get a summarized overview of all directory role assignments, enriched with details from my #EntraOps classification:
github.com/Cloud-Archit...
Thank you to everyone who joined my session in Amsterdam or via livestream! Huge thanks to the Yellowhat organizers for this incredible conference and for having me. I had an awesome time and canβt wait to see you all soonβ¦
I had the great pleasure of speaking about #MicrosoftEntra Token Hunting πͺπ at #YellowHat π§π·ββοΈ. You can find the slides from my session here:
π github.com/Cloud-Archit...
All #KQL sample queries are available in my repo:
π¨βπ» github.com/Cloud-Archit...
I have the great pleasure of joining a shared session with @samilamppu.bsky.social at the M365 Security & Compliance User Group tonight. Last preparations are now in full swing... You can find more details about the meetup and register for this free online event here:
www.meetup.com/m365sandcug/...
Interested to learn more? I'll be talking about token hunting at #Yellowhat and covering how to leverage these new sign-in details. More details about this free community event can be found here: yellowhat.live (3/3)
Previously, these details were only available in XDR Hunting table "AADSignInEventsBeta", Portal and/or Graph API. These added properties offer the opportunity to write new analytics rules and hunting queries, for example in the area of #TokenTheft. (2/3)
learn.microsoft.com/en-us/azure/...
Enhancements in #MicrosoftEntra (diagnostic) logs: Several interesting sign-in properties (including Session ID, status for Token Protection, or GSA traffic) have been added to the sign-in logs and available in #MicrosoftSentinel. (1/3)
I'm building a new home for IntuneBrew and would like to share my progress so far.
IntuneBrew.com will serve as the project's landing page, featuring a Quick Start Guide and an overview of key features.
EntraOps repository:
github.com/Cloud-Archit...
Learn more about XSPM and Graph:
Deep Dive blog post on XSPM by @samilamppu.bsky.social
samilamppu.com/2024/04/25/m...
Blog posts by @fabian.bader.cloud
cloudbrothers.info/en/workshop-...
cloudbrothers.info/en/find-late...
Kusto Graph rocks! (3/3)
