Query Details

1 Correlation Between Alert And Attack Path

Query

// Attack paths live in Azure Resource Graph; arg("") reaches them from the Log Analytics workspace
arg("").securityresources
| where type == "microsoft.security/attackpaths"
| extend AttackPathDisplayName = tostring(properties.displayName)
// One row per entity on the attack path
| mv-expand Entity = properties.graphComponent.entities
// Normalise to lowercase: Resource Graph and alert entities do not agree on resource ID casing
| extend ResourceId = tolower(tostring(Entity.entityIdentifiers.azureResourceId))
| where isnotempty(ResourceId)
| extend AttackStory = tostring(properties.attackStory), AttackDescription = tostring(properties.description)
| project AttackPathDisplayName, AttackStory, AttackDescription, ResourceId
// kind=inner keeps every attack path that touches a resource; the default innerunique keeps only one left row per ResourceId
| join kind=inner hint.remote=right (
    SecurityAlert
    | where TimeGenerated > ago(30d)
    | mv-expand EntityObj = parse_json(Entities)
    | where tostring(EntityObj.Type) == "azure-resource"
    | extend ResourceId = tolower(tostring(EntityObj.ResourceId))
    | project AlertTimeGenerated = TimeGenerated, AlertName, AlertSeverity, ResourceId, AlertLink, AlertDescription = Description
) on ResourceId
| project-away ResourceId1

Explanation

This query correlates Microsoft Defender for Cloud attack paths, read from Azure Resource Graph through the arg() cross-service query, with security alerts stored in the Log Analytics workspace. Step by step:

  1. Data Source: It reads the securityresources table in Azure Resource Graph and keeps only entries of type "microsoft.security/attackpaths".

  2. Extract and Transform:

    • It extracts the display name of each attack path as a string.
    • It expands the entities on each attack path with mv-expand, so that an attack path spanning several resources yields one row per resource.
    • It takes the Azure resource ID of each entity, lowercases it and drops rows without one. Lowercasing matters because Resource Graph and alert entities do not use the same casing for resource IDs, and the join key must match exactly. Attack-path entities that are not Azure resources (identities, for example) are dropped at this point.
    • It also extracts the attack story and description of the path.
  3. Projection: It keeps the attack path display name, attack story, attack description and resource ID for the join.

  4. Join with Security Alerts:

    • It retrieves security alerts generated in the last 30 days.
    • It expands the Entities JSON array of each alert and keeps only entities of type "azure-resource"; alerts whose entities are only accounts, IPs or hosts without an Azure resource ID do not take part in the correlation.
    • It lowercases the entity's ResourceId the same way and projects the alert time, name, severity, resource ID, link and description.
  5. Correlation: The attack-path rows are joined to the alert rows on ResourceId. hint.remote=right runs the join on the workspace side, so the comparatively small attack-path set is shipped to the alerts rather than the alerts to Resource Graph. Use kind=inner here: Kusto's default join kind, innerunique, keeps only one left-hand row per key value, so a resource that sits on several attack paths would be reported with just one of them.

  6. Final Output: It removes the duplicate ResourceId1 column produced by the join and returns one row per (attack path, resource, alert) combination, with the attack path details alongside the correlated alert.

In summary, this query surfaces resources that are both part of a Defender for Cloud attack path and the subject of a recent alert, which is a strong signal that a modelled path is being actively exercised and worth prioritising over attack paths or alerts on their own.
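The same expansion and join, run against constructed sample data instead of the live tables so the behaviour can be checked anywhere. This is an added example, not the query above or the author's code; the attack-path names, resource IDs and the alert are made up for illustration. It also shows the two caveats from the explanation: the mixed-case Resource Graph ID only matches the lowercase alert ID because both sides are lowercased, and kind=inner is what keeps both attack paths for the same VM.

```kusto
// Constructed sample data standing in for arg("").securityresources and SecurityAlert.
// Two attack paths touch the same VM (mixed-case resource ID, as Resource Graph returns it);
// one alert names that VM with a lowercase ResourceId, as alert entities often do.
let AttackPaths = datatable(displayName:string, entities:dynamic) [
    "Internet exposed VM has high severity vulnerabilities",
    dynamic([{"entityIdentifiers":{"azureResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/VM-WEB01"}}]),
    "VM with managed identity can access Key Vault",
    dynamic([{"entityIdentifiers":{"azureResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Compute/virtualMachines/VM-WEB01"}},
             {"entityIdentifiers":{"azureResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.KeyVault/vaults/kv-demo"}}])
];
let Alerts = datatable(TimeGenerated:datetime, AlertName:string, AlertSeverity:string, Entities:string) [
    datetime(2025-06-01 10:00:00), "Suspicious SSH authentication attempt", "Medium",
    '[{"Type":"azure-resource","Name":"vm-web01","ResourceId":"/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.compute/virtualmachines/vm-web01"},{"Type":"ip","Address":"203.0.113.10"}]'
];
// Attack-path side: one row per entity, keyed on the lowercase Azure resource ID.
let PathEntities = AttackPaths
    | mv-expand Entity = entities
    | extend ResourceId = tolower(tostring(Entity.entityIdentifiers.azureResourceId))
    | where isnotempty(ResourceId)
    | project AttackPathDisplayName = displayName, ResourceId;
// Alert side: keep only azure-resource entities (the "ip" entity above is dropped) and normalise the same way.
let AlertEntities = Alerts
    | mv-expand EntityObj = parse_json(Entities)
    | where tostring(EntityObj.Type) == "azure-resource"
    | extend ResourceId = tolower(tostring(EntityObj.ResourceId))
    | project AlertTimeGenerated = TimeGenerated, AlertName, AlertSeverity, ResourceId;
// kind=inner returns both attack paths for vm-web01 (two rows); the Key Vault entity has no alert and is dropped.
// With the default innerunique join only one of the two attack paths would be reported.
PathEntities
| join kind=inner AlertEntities on ResourceId
| project-away ResourceId1
```

Swapping `kind=inner` for the default (`| join AlertEntities on ResourceId`) in the last step is the quickest way to see the innerunique behaviour: the result shrinks to a single row even though both attack paths involve the alerted VM. The 30-day time filter is left out here because the constructed alert has a fixed date.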

Details


Thomas Naunheim

Released: June 4, 2025

Tables

securityresources, SecurityAlert

Keywords

SecurityResources, AttackPaths, Entities, ResourceId, SecurityAlert, TimeGenerated, AlertName, AlertSeverity, AlertLink, AlertDescription

Operators

arg, where, extend, tostring, mvexpand, parse_json, tolower, isnotempty, project, join, hint.remote, ago, mv-expand, project-away
