Query Details

Attack Paths Related Security Alerts

Query

// Attack paths from Azure Security Center, read through Azure Resource Graph (the arg("") cross-service call)
arg("").securityresources
| where type == "microsoft.security/attackpaths"
| extend AttackPathDisplayName = tostring(properties["displayName"])
// One row per entity that takes part in the attack path
| mv-expand Entity = properties.graphComponent.entities
| extend ResourceId = tostring(tolower(Entity.entityIdentifiers.azureResourceId))
| project AttackPathDisplayName, AttackPathDescription = parse_json(properties.description), AttackPathStory = parse_json(properties.attackStory), ResourceId
// Existing Security Alert? (inner join: attack paths without an alert on the resource in the last 90 days are dropped)
| join kind=inner ( SecurityAlert
| where TimeGenerated > ago(90d)
| where ProviderName == "Azure Security Center"
| mv-expand parse_json(Entities)
| where Entities.Type == "azure-resource"
| extend ResourceId = tolower(Entities.ResourceId)
| project AlertName, AlertSeverity, AlertDescription = Description, ResourceId) on ResourceId
// System-assigned (or user-assigned) Managed Identity on the Resource? (lookup keeps rows without one; their PrincipalId becomes empty)
| lookup (
    arg("").resources | where identity has 'SystemAssigned' or identity has 'UserAssigned' | project ResourceId = tolower(id), AssociatedWorkloadIdentity = identity
    ) on ResourceId
| extend PrincipalId = tostring(AssociatedWorkloadIdentity.principalId)
// Permissions assigned to the Managed Identity of the Resource?
// kind=inner is stated explicitly: the default join flavor (innerunique) keeps only one left row per PrincipalId
// and would silently drop further alerts on the same resource. Rows whose identity has no role assignment
// (including resources without any managed identity) do not survive this join.
| join kind=inner hint.remote=left (arg("").authorizationresources
    | where type =~ 'microsoft.authorization/roleassignments'
    | extend RoleDefinitionId = properties.roleDefinitionId
    | extend PrincipalType = properties.principalType
    | extend PrincipalId = tostring(properties.principalId)
    | extend RoleAssignmentScope = properties.scope
    | project PrincipalId, RoleDefinitionId, RoleAssignmentScope
) on PrincipalId
// Drop the duplicated join keys that came from the right-hand sides
| project-away ResourceId1, PrincipalId1

Explanation

This query correlates attack paths from Azure Security Center with security alerts raised on the same Azure resource. Attack paths, resource identities and role assignments are read from Azure Resource Graph (the arg("") cross-service calls), while the alerts come from the SecurityAlert table of the Log Analytics workspace. The query expands each attack path into its entities, keeps the lowercased Azure resource ID of every entity, and inner-joins it against alerts from the last 90 days on that resource, so attack paths without a matching alert are not returned. For the remaining resources it looks up an attached managed identity (system-assigned or user-assigned), takes its principal ID and joins the role assignments granted to that principal. The final result includes the attack path display name, description and story, the alert name, severity and description, the resource ID, the principal ID, the role definition ID and the role assignment scope.
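The join chain above decides which attack paths a defender actually gets to see. As an added example (not part of the query page or its author's material), the following pure-Python model replays the query's stages over constructed sample records, so the effect of each stage is visible: the inner join against alerts, the left-outer lookup of the identity, tostring() turning a missing principal into an empty string, and the flavor of the final join. All resource IDs, alert names, attack path names, the principal GUID and the role definition IDs are invented placeholders; `join_innerunique` models what Kusto does when `kind=` is omitted on a join, and `join_inner` models an explicit `kind=inner`.

```python
"""Pure-Python replay of the attack-path / alert / identity / role-assignment
join chain. Sample data below is constructed for this example only."""
from collections import defaultdict

# --- constructed sample data: ids, names and GUIDs are invented ---------------
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VM = SUB + "/resourcegroups/rg-web/providers/microsoft.compute/virtualmachines/vm-web01"
STORAGE = SUB + "/resourcegroups/rg-data/providers/microsoft.storage/storageaccounts/stdata01"
FUNC = SUB + "/resourcegroups/rg-app/providers/microsoft.web/sites/func-api01"
VM_PRINCIPAL = "11111111-1111-1111-1111-111111111111"  # principalId of the VM's identity

# Attack-path rows as they look after the query's mv-expand: one row per entity.
ATTACK_PATHS = [
    {"AttackPathDisplayName": "Internet exposed VM has high severity vulnerabilities", "ResourceId": VM},
    {"AttackPathDisplayName": "Storage account is publicly reachable", "ResourceId": STORAGE},
    {"AttackPathDisplayName": "Function app has excessive permissions", "ResourceId": FUNC},
]
# SecurityAlert rows already narrowed to azure-resource entities. The first row
# carries an upper-case ResourceId: the query lowercases both sides before joining.
ALERTS = [
    {"AlertName": "Suspicious process executed", "AlertSeverity": "High", "ResourceId": VM.upper()},
    {"AlertName": "Possible credential theft tool", "AlertSeverity": "High", "ResourceId": VM},
    {"AlertName": "Unusual access pattern", "AlertSeverity": "Medium", "ResourceId": FUNC},
]
# `resources` rows with an identity block. FUNC deliberately has no managed identity.
IDENTITIES = [
    {"ResourceId": VM, "AssociatedWorkloadIdentity": {"type": "SystemAssigned", "principalId": VM_PRINCIPAL}},
]
# authorizationresources role assignments of that identity; role ids are placeholders.
ROLE_ASSIGNMENTS = [
    {"PrincipalId": VM_PRINCIPAL, "RoleDefinitionId": "ROLEDEF-CONTRIBUTOR-PLACEHOLDER", "RoleAssignmentScope": SUB},
    {"PrincipalId": VM_PRINCIPAL, "RoleDefinitionId": "ROLEDEF-READER-PLACEHOLDER", "RoleAssignmentScope": VM},
]


def _index(rows, key):
    by_key = defaultdict(list)
    for r in rows:
        by_key[r[key]].append(r)
    return by_key


def join_inner(left, right, key):
    """KQL `join kind=inner`: every left row pairs with every matching right row.
    The right-hand key column comes back as <key>1, as Kusto names it."""
    by_key = _index(right, key)
    out = []
    for l in left:
        for r in by_key.get(l[key], []):
            merged = dict(l)
            merged.update({(k + "1" if k == key else k): v for k, v in r.items()})
            out.append(merged)
    return out


def join_innerunique(left, right, key):
    """KQL's default flavor when `kind=` is omitted: only one left row per key
    value is kept (which one is not guaranteed), then matched as in inner."""
    first_per_key = {}
    for l in left:
        first_per_key.setdefault(l[key], l)
    return join_inner(list(first_per_key.values()), right, key)


def lookup(left, right, key):
    """KQL `lookup` (left outer): every left row survives; right-hand columns are
    filled when the key matches and are null (None) otherwise."""
    by_key = _index(right, key)
    extra_cols = {c for r in right for c in r if c != key}
    out = []
    for l in left:
        for m in by_key.get(l[key]) or [None]:
            merged = dict(l)
            if m is None:
                merged.update({c: None for c in extra_cols})
            else:
                merged.update({k: v for k, v in m.items() if k != key})
            out.append(merged)
    return out


def tostring(value):
    """Kusto tostring(): a null value becomes the empty string."""
    return "" if value is None else str(value)


def run_pipeline(final_join=join_inner):
    """Replay the query's stages; `final_join` selects the flavor of the last join."""
    paths = [dict(p, ResourceId=p["ResourceId"].lower()) for p in ATTACK_PATHS]
    alerts = [dict(a, ResourceId=a["ResourceId"].lower()) for a in ALERTS]
    rows = join_inner(paths, alerts, "ResourceId")                # Existing Security Alert?
    idents = [dict(i, ResourceId=i["ResourceId"].lower()) for i in IDENTITIES]
    rows = lookup(rows, idents, "ResourceId")                      # Managed Identity on the resource?
    for r in rows:                                                 # extend PrincipalId = tostring(...)
        ident = r.get("AssociatedWorkloadIdentity")
        r["PrincipalId"] = tostring(ident["principalId"] if ident else None)
    rows = final_join(rows, ROLE_ASSIGNMENTS, "PrincipalId")       # Permissions of that identity?
    for r in rows:                                                 # project-away ResourceId1, PrincipalId1
        r.pop("ResourceId1", None)
        r.pop("PrincipalId1", None)
    return rows


def dropped_attack_paths(rows):
    """Attack paths from the sample that never reach the final result."""
    seen = {r["AttackPathDisplayName"] for r in rows}
    return sorted(p["AttackPathDisplayName"] for p in ATTACK_PATHS if p["AttackPathDisplayName"] not in seen)


if __name__ == "__main__":
    result = run_pipeline()
    for r in result:
        print(r["AttackPathDisplayName"], "|", r["AlertName"], "|", r["RoleDefinitionId"], "@", r["RoleAssignmentScope"])
    print("never shown:", dropped_attack_paths(result))
    print("rows if the last join omits kind= (innerunique):", len(run_pipeline(join_innerunique)))
```

Running it shows the two caveats a practitioner should keep in mind when triaging with this query: the storage account attack path never appears because no alert was raised on it (inner join), and the function app attack path disappears even though it has an alert, because the resource has no managed identity and therefore no role assignment to match. With `join_innerunique` the result shrinks from four to two rows, because the second alert on the VM shares its PrincipalId with the first and the default join flavor keeps only one left row per key; spelling out `kind=inner` on the final join avoids that loss, and `kind=leftouter` would additionally retain alert-correlated resources that have no identity at all.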

Details

Thomas Naunheim

Released: January 7, 2024

Tables

securityresources, SecurityAlert, resources, authorizationresources

Keywords

Devices, Intune, User, SecurityResources, microsoft.security/attackpaths, displayName, properties, graphComponent, entities, Entity, entityIdentifiers, azureResourceId, AttackPathDisplayName, AttackPathDescription, AttackPathStory, ResourceId, SecurityAlert, TimeGenerated, ProviderName, AzureSecurityCenter, Entities, Type, AlertName, AlertSeverity, AlertDescription, Description, SystemAssigned, UserAssigned, AssociatedWorkloadIdentity, PrincipalId, permissions, authorizationresources, microsoft.authorization/roleassignments, RoleDefinitionId, PrincipalType, RoleAssignmentScope
