Thomas Naunheim
@naunheim.cloud
#Microsoft MVP | #CloudSecurity Architect ☁️ | #Entra #AzureAD 🔑 + #AzureSecurity 🛡️ | #CommunityRocks | #Schaengel
3️⃣ 🛠️ Enhanced Enrichment Function
Recently, I've released a #KQL function integrating #ExposureManagement and #EntraOps data to identify sensitive callers, actions, and targets. Updated to support parameters like IP Address and Token Identifier.
🔗 github.com/Cloud-Archit...
July 30, 2025 at 6:47 AM
2️⃣ 🔍 Normalized schema for shared queries
Want to reuse existing queries or unify detection logic across both tables? I’ve published a #KQL function that normalizes the schema of GraphApiAuditEvents to match that of MicrosoftGraphActivityLogs.
🔗 github.com/Cloud-Archit...
July 30, 2025 at 6:47 AM
1️⃣ 🤔 Comparison Deep Dive
What are the differences between GraphApiAuditEvents (XDR) and MicrosoftGraphActivityLogs (Diagnostic Logs in #MicrosoftSentinel)? I’ve built a comparison table outlining the differences in column availability and detail levels.
July 30, 2025 at 6:47 AM
4. IsSensitiveTarget 🎯
The modified object is classified as critical (based on Exposure Management Critical Assets), and the applied rule details are displayed. In this case, the service principal has been assigned critical app permissions in Exchange Online.
July 17, 2025 at 6:43 AM
3. IsSensitiveAction ▶️
The Graph request includes a POST to the servicePrincipal endpoint, which is flagged as a sensitive modification. This logic is experimental and simplified, so it may result in inaccurate classification and should be used in combo with other indicators.
July 17, 2025 at 6:43 AM
2. IsHighSensitiveScope 🔑
However, the scope includes Application.ReadWrite.All, which has been identified as "Control Plane" by using the EntraOps classification model.
July 17, 2025 at 6:43 AM
In the following example, several indicators are included that make this particular call interesting for further investigation:

1. IsSensitiveCaller 🗣️
A regular enterprise user (based on Exposure Management Critical Asset information) is calling Graph.
July 17, 2025 at 6:43 AM
I've created an experimental KQL function that enriches the data with details from #ExposureManagement and #EntraOps. This might help identify sensitive Graph Calls from the large volume of events in this table.
🔗 The query is available here:
github.com/Cloud-Archit...
July 17, 2025 at 6:43 AM
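The four indicators in the thread above (IsSensitiveCaller, IsHighSensitiveScope, IsSensitiveAction, IsSensitiveTarget) can be modelled outside of KQL to see how they combine. The block below is an added example, not the author's KQL function and not EntraOps or Exposure Management code: it runs offline in Python over constructed sample events. The field names (caller_id, request_method, request_uri, scopes), the critical-asset list and the scope classification table are assumptions for illustration; only "Application.ReadWrite.All is Control Plane" and "a POST to servicePrincipals is a sensitive modification" are taken from the thread.

```python
"""Simplified model of the four Graph-call enrichment indicators (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for Exposure Management critical assets (assumption):
# object id -> rule that marked it critical.
CRITICAL_ASSETS: Dict[str, str] = {
    "user-0001": "Member of a Control Plane directory role",
    "sp-0042": "Service principal with critical Exchange Online app permissions",
}

# Constructed stand-in for an EntraOps-style tier classification of Graph scopes
# (assumption; the thread only states that Application.ReadWrite.All is Control Plane).
SCOPE_CLASSIFICATION: Dict[str, str] = {
    "Application.ReadWrite.All": "ControlPlane",
    "Directory.ReadWrite.All": "ControlPlane",
    "User.Read": "UserAccess",
    "Mail.Read": "UserAccess",
}

# Simplified action rule (assumption): a write method against one of these Graph
# resource collections counts as a sensitive modification.
WRITE_METHODS = {"POST", "PATCH", "PUT", "DELETE"}
SENSITIVE_RESOURCES = {"serviceprincipals", "applications", "rolemanagement"}

# Matches "/v1.0/<collection>/<object id>" or "/beta/<collection>/<object id>".
RESOURCE_RE = re.compile(r"/(?:v1\.0|beta)/([A-Za-z]+)(?:/([^/?]+))?", re.IGNORECASE)


def parse_request(uri: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (resource collection, target object id or None) from a Graph request URI."""
    m = RESOURCE_RE.search(uri)
    if not m:
        return None, None
    return m.group(1), m.group(2)


def enrich(event: dict) -> dict:
    """Compute the four indicators plus the rule details that explain each flag."""
    resource, target_id = parse_request(event["request_uri"])
    scopes: List[str] = event.get("scopes", "").split()
    control_plane = [s for s in scopes if SCOPE_CLASSIFICATION.get(s) == "ControlPlane"]
    is_sensitive_action = (
        event["request_method"].upper() in WRITE_METHODS
        and resource is not None
        and resource.lower() in SENSITIVE_RESOURCES
    )
    target_rule = CRITICAL_ASSETS.get(target_id) if target_id else None
    return {
        "IsSensitiveCaller": event["caller_id"] in CRITICAL_ASSETS,
        "CallerRule": CRITICAL_ASSETS.get(event["caller_id"]),
        "IsHighSensitiveScope": bool(control_plane),
        "ControlPlaneScopes": control_plane,
        "IsSensitiveAction": is_sensitive_action,
        "IsSensitiveTarget": target_rule is not None,
        "TargetRule": target_rule,
    }


INDICATORS = ("IsSensitiveCaller", "IsHighSensitiveScope", "IsSensitiveAction", "IsSensitiveTarget")


def indicator_count(event: dict) -> int:
    """Number of indicators raised; the thread recommends combining them, not trusting one."""
    flags = enrich(event)
    return sum(1 for k in INDICATORS if flags[k])


def triage(events: List[dict]) -> List[Tuple[int, dict]]:
    """Rank a batch of events by indicator count so the interesting calls surface first."""
    return sorted(((indicator_count(e), e) for e in events), key=lambda t: t[0], reverse=True)


# Constructed sample events: one mirrors the thread (critical caller, Control Plane scope,
# POST to servicePrincipals, critical target), the other is a routine self-lookup.
SAMPLE_EVENTS = [
    {"caller_id": "user-0001", "request_method": "POST",
     "request_uri": "https://graph.microsoft.com/v1.0/servicePrincipals/sp-0042/appRoleAssignments",
     "scopes": "Application.ReadWrite.All Directory.Read.All"},
    {"caller_id": "user-0002", "request_method": "GET",
     "request_uri": "https://graph.microsoft.com/v1.0/me",
     "scopes": "User.Read"},
]

if __name__ == "__main__":
    for count, ev in triage(SAMPLE_EVENTS):
        print(count, ev["request_method"], ev["request_uri"], enrich(ev))
```

The ranking in triage() is the point of the exercise: a single flag such as IsSensitiveAction is noisy on its own (as the thread says), but a call that raises all four is worth a closer look.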
I have integrated the classification model of #EntraOps to identify sensitive roles in #MicrosoftEntra, #MicrosoftGraph, and #AzureRBAC. This function offers a holistic view and report on SPs including details such as ownership and assigned Azure Roles (enriched by CSPM data). (2/2)
April 9, 2025 at 11:51 AM
Check out my community tool #EntraOps if you are interested in getting a customized and detailed analysis of all permanent and PIM-managed role assignments in #EntraID, #Intune and #IdentityGovernance: www.cloud-architekt.net/entraops/
EntraOps Privileged EAM
Community project to classify, identify and protect your privileges based on Enterprise Access Model (EAM)
March 17, 2025 at 6:12 AM
There are some current limitations on this preview (for example, custom or scoped roles are not covered, data seems to be available in MDI tenants only). However, the new column offers some great capabilities at no additional implementation effort.
March 17, 2025 at 6:12 AM
- 🚨 Discovering alerts of privileged users with active or assigned roles, along with details on related roles and their highest access tier classification.

- 🕓 Determine which eligible or active roles were assigned at a specific time, and compare them to their current status
March 17, 2025 at 6:12 AM
This enables powerful hunting queries, such as:

- ⚡️ Identifying assigned roles that include specific actions (e.g., reading BitLocker keys).

- 🦸‍♂️ Listing all eligible assignments for Control Plane (Tier0) roles, including Microsoft role categories and assignment types (direct or indirect).
March 17, 2025 at 6:12 AM
Thank you to everyone who joined my session in Amsterdam or via livestream! Huge thanks to the Yellowhat organizers for this incredible conference and for having me. I had an awesome time and can’t wait to see you all soon…
March 8, 2025 at 9:31 AM
Interested to learn more? I'll be talking about token hunting at #Yellowhat and covering how to leverage these new sign-in details. More details about this free community event can be found here: yellowhat.live (3/3)
Yellowhat
Yellowhat is a cutting-edge cybersecurity event dedicated to Microsoft Security Technology, offering advanced deep-dive sessions (level 400+) for seasoned professionals. It brings together experts and...
February 11, 2025 at 5:31 PM
Previously, these details were only available in XDR Hunting table "AADSignInEventsBeta", Portal and/or Graph API. These added properties offer the opportunity to write new analytics rules and hunting queries, for example in the area of #TokenTheft. (2/3)
learn.microsoft.com/en-us/azure/...
Azure Monitor Logs reference - SigninLogs - Azure Monitor
Reference for SigninLogs table in Azure Monitor Logs.
February 11, 2025 at 5:31 PM