Merge pull request #2712 from MicrosoftDocs/main638913709373810855sync_temp

For protected branch, push strategy should use PR and merge to target branch method to work around git push error

Author: learn-build-service-prod[bot]

data-explorer/kusto/query/graph-sample-data.md

@@ -0,0 +1,35 @@
+%%{ init: { 'flowchart': {'defaultRenderer': 'elk' } } }%%
+graph LR
+    %% Real Entities from BloodHound_AD dataset
+    ALICE["ALICE@PHANTOM\.CORP<br/>User<br/>Domain User"]
+    
+    %% Her Computer
+    LAPTOP["ALICE-LAPTOP\.PHANTOM\.CORP<br/>Computer<br/>Workstation"]
+    
+    %% Administrative Groups
+    DOMAINUSERS["DOMAIN USERS@PHANTOM\.CORP<br/>Group<br/>Default Domain Group"]
+    
+    %% Domain Infrastructure
+    USERS["USERS@PHANTOM\.CORP<br/>Container<br/>AD Container"]
+    PHANTOM["PHANTOM\.CORP<br/>Domain<br/>AD Domain"]
+    
+    %% Validated Attack Path Relationships
+    ALICE -->|AdminTo| LAPTOP
+    ALICE -->|MemberOf| DOMAINUSERS
+    
+    %% Container Hierarchy
+    USERS -->|Contains| ALICE
+    PHANTOM -->|Contains| USERS
+    
+    %% Styling
+    classDef user fill:#e3f2fd,stroke:#1976d2,stroke-width:3px
+    classDef computer fill:#fff3e0,stroke:#f57c00,stroke-width:2px
+    classDef group fill:#e8f5e8,stroke:#388e3c,stroke-width:2px
+    classDef admingroup fill:#ffebee,stroke:#d32f2f,stroke-width:3px
+    classDef infrastructure fill:#f1f8e9,stroke:#689f38,stroke-width:2px
+    classDef certificate fill:#fce4ec,stroke:#c2185b,stroke-width:3px
+    
+    class ALICE user
+    class LAPTOP computer
+    class DOMAINUSERS,DOMAINADMINS group
+    class USERS,PHANTOM infrastructure

data-explorer/kusto/query/media/graphs/graph-example-bloodhound-ad-instance.mmd

@@ -0,0 +1,64 @@
+%%{ init: { 'flowchart': {'defaultRenderer': 'elk' } } }%%
+graph TD
+    %% Core AD Objects
+    USER[User<br/>Domain Users]
+    COMPUTER[Computer<br/>Domain Computers]
+    GROUP[Group<br/>Security Groups]
+    LOCALGROUP[ADLocalGroup<br/>Local Groups]
+    
+    %% AD Infrastructure
+    DOMAIN[Domain<br/>AD Domains]
+    OU[OU<br/>Organizational Units]
+    CONTAINER[Container<br/>AD Containers]
+    GPO[GPO<br/>Group Policy Objects]
+    
+    %% Certificate Infrastructure
+    CERT[CertTemplate<br/>Certificate Templates]
+    ENTCA[EnterpriseCA<br/>Certificate Authorities]
+    ROOTCA[RootCA<br/>Root CAs]
+    
+    %% Domain Hierarchy & Containment
+    DOMAIN -->|Contains| CONTAINER
+    CONTAINER -->|Contains| USER
+    CONTAINER -->|Contains| GROUP
+    DOMAIN -->|Contains| OU
+    OU -->|Contains| USER
+    OU -->|Contains| COMPUTER
+    
+    %% Group Memberships
+    USER -->|MemberOf| GROUP
+    USER -->|MemberOf| LOCALGROUP
+    GROUP -->|MemberOf| GROUP
+    
+    %% Administrative Access
+    USER -->|AdminTo| COMPUTER
+    GROUP -->|AdminTo| COMPUTER
+    USER -->|GenericAll| USER
+    GROUP -->|GenericAll| GROUP
+    
+    %% Dangerous Permissions
+    USER -->|WriteDacl| GROUP
+    GROUP -->|WriteOwner| CERT
+    USER -->|GenericWrite| GPO
+    
+    %% Certificate Attack Paths
+    USER -->|GenericAll| ROOTCA
+    GROUP -->|WriteDacl| ENTCA
+    
+    %% Object Ownership
+    GROUP -->|Owns| CONTAINER
+    USER -->|Owns| CERT
+    
+    %% Styling
+    classDef user fill:#e3f2fd,stroke:#1976d2,stroke-width:3px
+    classDef computer fill:#fff3e0,stroke:#f57c00,stroke-width:2px
+    classDef group fill:#e8f5e8,stroke:#388e3c,stroke-width:2px
+    classDef infrastructure fill:#f1f8e9,stroke:#689f38,stroke-width:2px
+    classDef certificate fill:#fce4ec,stroke:#c2185b,stroke-width:2px
+    classDef dangerous fill:#ffebee,stroke:#d32f2f,stroke-width:3px
+    
+    class USER user
+    class COMPUTER computer
+    class GROUP,LOCALGROUP group
+    class DOMAIN,OU,CONTAINER,GPO infrastructure
+    class CERT,ENTCA,ROOTCA certificate

data-explorer/kusto/query/media/graphs/graph-example-bloodhound-ad-instance.png

@@ -0,0 +1,47 @@
+%%{ init: { 'flowchart': {'defaultRenderer': 'elk' } } }%%
+graph TD
+    %% Real Entities from BloodHound_Entra dataset
+    JACOB[John Jacob<br/>AZUser<br/>admin_tier_0<br/>[email protected]]
+    
+    %% Groups he owns
+    ALLUSERS[All Users<br/>AZGroup<br/>ID: 2f061293]
+    GAROLE[ThisGroupHasGARoleAlwaysActive<br/>AZGroup<br/>ID: 4c8435bf]
+    
+    %% App he owns
+    AZUREHOUND[AzureHoundEnterprise<br/>AZApp<br/>ID: 5595629b]
+    
+    %% Device he owns
+    WIN10[AADJoinedWin10<br/>AZDevice<br/>ID: 2a2dc5ab]
+    
+    %% Administrative Role
+    GLOBALADMIN[Global Administrator<br/>AZRole<br/>Privileged Role]
+    
+    %% Tenant
+    PHANTOM[Phantom Corp<br/>AZTenant<br/>phantomcorp.onmicrosoft.com]
+    
+    %% Validated Relationships
+    JACOB -->|AZOwns<br/>Application Owner| AZUREHOUND
+    JACOB -->|AZOwns<br/>Group Owner| ALLUSERS
+    JACOB -->|AZOwns<br/>Group Owner| GAROLE
+    JACOB -->|AZOwns<br/>Device Owner| WIN10
+    
+    %% Administrative Privileges
+    GLOBALADMIN -->|AZResetPassword<br/>Can Reset| JACOB
+    
+    %% Tenant Containment
+    PHANTOM -->|AZContains<br/>Tenant Member| JACOB
+    
+    %% Styling
+    classDef user fill:#e3f2fd,stroke:#1976d2,stroke-width:3px
+    classDef app fill:#f3e5f5,stroke:#7b1fa2,stroke-width:3px
+    classDef group fill:#e8f5e8,stroke:#388e3c,stroke-width:2px
+    classDef device fill:#fff3e0,stroke:#f57c00,stroke-width:2px
+    classDef role fill:#ffebee,stroke:#d32f2f,stroke-width:3px
+    classDef tenant fill:#e1f5fe,stroke:#0277bd,stroke-width:2px
+    
+    class JACOB user
+    class AZUREHOUND app
+    class ALLUSERS,GAROLE group
+    class WIN10 device
+    class GLOBALADMIN role
+    class PHANTOM tenant

data-explorer/kusto/query/media/graphs/graph-example-bloodhound-ad-schema.mmd

@@ -0,0 +1,58 @@
+%%{ init: { 'flowchart': {'defaultRenderer': 'elk' } } }%%
+graph TD
+    %% Core Azure AD Entities
+    USER[AZUser<br/>Azure AD Users]
+    SP[AZServicePrincipal<br/>Service Principals]
+    APP[AZApp<br/>Applications]
+    GROUP[AZGroup<br/>Security Groups]
+    DEVICE[AZDevice<br/>Managed Devices]
+    ROLE[AZRole<br/>Azure Roles]
+    
+    %% Azure Resource Hierarchy
+    TENANT[AZTenant<br/>Azure Tenant]
+    SUB[AZSubscription<br/>Subscriptions]
+    RG[AZResourceGroup<br/>Resource Groups]
+    VM[AZVM<br/>Virtual Machines]
+    
+    %% Azure Resource Containment Hierarchy
+    TENANT -->|AZContains| SUB
+    TENANT -->|AZContains| USER
+    SUB -->|AZContains| RG
+    RG -->|AZContains| VM
+    
+    %% Identity and Access Relationships
+    USER -->|AZMemberOf| GROUP
+    USER -->|AZOwns| APP
+    USER -->|AZOwns| DEVICE
+    USER -->|AZOwns| GROUP
+    USER -->|AZOwner| SUB
+    USER -->|AZOwner| RG
+    
+    %% Service Principal Relationships
+    SP -->|AZRunsAs| APP
+    VM -->|AZManagedIdentity| SP
+    
+    %% Administrative Permissions
+    ROLE -->|AZResetPassword| USER
+    GROUP -->|AZAddMembers| GROUP
+    
+    %% High-Volume Permissions (simplified for readability)
+    ROLE -.->|AZMGAddOwner<br/>403k edges| RG
+    ROLE -.->|AZMGAddSecret<br/>345k edges| APP
+    
+    %% Styling
+    classDef user fill:#e3f2fd,stroke:#1976d2,stroke-width:3px
+    classDef app fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px
+    classDef group fill:#e8f5e8,stroke:#388e3c,stroke-width:2px
+    classDef device fill:#fff3e0,stroke:#f57c00,stroke-width:2px
+    classDef resource fill:#fce4ec,stroke:#c2185b,stroke-width:2px
+    classDef role fill:#e1f5fe,stroke:#0277bd,stroke-width:2px
+    classDef hierarchy fill:#f1f8e9,stroke:#689f38,stroke-width:2px
+    
+    class USER user
+    class SP,APP app
+    class GROUP group
+    class DEVICE device
+    class VM,RG resource
+    class ROLE role
+    class TENANT,SUB hierarchy

data-explorer/kusto/query/media/graphs/graph-example-bloodhound-ad-schema.png

@@ -0,0 +1,42 @@
+%%{ init: { 'flowchart': {'defaultRenderer': 'elk' } } }%%
+graph TD
+    %% Connected Financial Network - Real People and Entities
+    HOUSE[House<br/>Person ID: 467<br/>Female, Born 1995]
+    BARKER[Barker<br/>Person ID: 6597069767083<br/>Transfer Recipient]
+    
+    %% Real Accounts (fully connected)
+    ACC1[Renato Holness<br/>Account: 4619004367821865972<br/>House's Main Account]
+    ACC2[Luis Thies<br/>Account: 4687121312185844640<br/>Barker's Account]
+    ACC3[Daniel Joye<br/>Account: 4786200503987995554<br/>Barker's Second Account]
+    
+    %% Real Loan and Mediums
+    LOAN1[Debt Consolidation Loan<br/>ID: 4843058449283547765<br/>Amount: $63.5M]
+    MEDIUM1[IPv6 Medium<br/>ID: 4398046511850<br/>Risk: Very High]
+    MEDIUM2[Phone Medium<br/>ID: 30786325577800<br/>Risk: Severe]
+    
+    %% Validated Connected Relationships
+    HOUSE -->|OWN| ACC1
+    BARKER -->|OWN| ACC2
+    BARKER -->|OWN| ACC3
+    HOUSE -->|APPLY| LOAN1
+    
+    %% Financial Transaction Flow
+    ACC1 -->|TRANSFER<br/>$4.3M| ACC2
+    ACC1 -->|TRANSFER<br/>$9.7M| ACC3
+    LOAN1 -->|DEPOSIT<br/>$7.2M| ACC1
+    ACC1 -->|REPAY<br/>$7.4M| LOAN1
+    
+    %% Authentication Access
+    MEDIUM1 -->|SIGN_IN| ACC2
+    MEDIUM2 -->|SIGN_IN| ACC3
+    
+    %% Styling
+    classDef person fill:#e1f5fe,stroke:#0277bd,stroke-width:3px
+    classDef account fill:#f3e5f5,stroke:#7b1fa2,stroke-width:2px
+    classDef loan fill:#fff3e0,stroke:#f57c00,stroke-width:2px
+    classDef medium fill:#fce4ec,stroke:#c2185b,stroke-width:2px
+    
+    class HOUSE,BARKER person
+    class ACC1,ACC2,ACC3 account
+    class LOAN1 loan
+    class MEDIUM1,MEDIUM2 medium