Query Details
// Attack paths from Defender for Cloud, read from Azure Resource Graph (ARG)
// through the cross-service function arg(); securityresources is the ARG table.
arg("").securityresources
| where type == "microsoft.security/attackpaths"
| extend AttackPathDisplayName = tostring(properties["displayName"])
// One row per entity on the path; mv-expand already yields a dynamic value
| mv-expand Entity = properties.graphComponent.entities
// Lower-case the ID: ARG and alert entities do not agree on resource ID casing
| extend ResourceId = tolower(tostring(Entity.entityIdentifiers.azureResourceId))
| where ResourceId != ""
| project AttackPathDisplayName, ResourceId
// Inner join (default): only resources on an attack path AND named in an alert survive.
// hint.remote=right executes the cross-service join on the side of the right-hand
// (Log Analytics) table.
| join hint.remote=right (
    SecurityAlert
    // Entities is a JSON array string: parse it and expand to one row per entity
    | extend EntitiesDynamicArray = parse_json(Entities)
    | mv-expand EntitiesDynamicArray
    | extend Entitytype = tostring(EntitiesDynamicArray.Type),
             EntityName = tostring(EntitiesDynamicArray.Name)
    | where Entitytype == "azure-resource"
    | extend ResourceId = tolower(tostring(EntitiesDynamicArray.ResourceId))
    | project TimeGenerated, AlertName, AlertSeverity, ResourceId
) on ResourceId
This query correlates Defender for Cloud attack paths with security alerts that name the same Azure resource. arg("") is the Azure Resource Graph cross-service function, not a table; securityresources is the ARG table, and the type filter keeps only the attack-path records. Each attack path's entity list (properties.graphComponent.entities) is expanded to one row per entity, the azureResourceId identifier is extracted and lower-cased, and rows without one are dropped. On the other side, the JSON Entities array of each SecurityAlert is expanded, entities of type azure-resource are kept, and their ResourceId is lower-cased the same way so the two identifiers compare equal. The two sides are joined on ResourceId. Because this is the default inner join, only resources that sit on an attack path and appear in at least one alert are returned; attack paths without alerts, and alerts on resources outside any attack path, are not. The result has the attack path display name, resource ID, alert time, alert name and alert severity, one row per attack path and alert pair, so an alert on a resource shared by several attack paths is listed once per path.
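The following variant is an added example, not part of Thomas Naunheim's query, showing how the same correlation can be turned into a ranked list of attack paths. It assumes the same schemas as above (attackpaths entities under properties.graphComponent.entities, azure-resource entities in SecurityAlert with a ResourceId, and the SystemAlertId column of SecurityAlert); the names lookback, AlertsOnResources, AttackPathId, AlertCount, HighSeverityCount, LatestAlert, AlertNames and AffectedResources are my own. It differs from the query above in three ways: alerts are restricted to a time window and de-duplicated on SystemAlertId, since an alert is re-ingested whenever its status changes; the join is kind=leftouter, so attack paths with no alert still appear with a count of 0; and the output is aggregated per attack path rather than per alert.

```kql
// Added example: rank Defender for Cloud attack paths by the alerts raised on
// their resources. Not from the original page; names are assumptions (see lead-in).
let lookback = 7d;
let AlertsOnResources =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | mv-expand Entity = parse_json(Entities)
    | where tostring(Entity.Type) == "azure-resource"
    | extend ResourceId = tolower(tostring(Entity.ResourceId))
    | where isnotempty(ResourceId)
    // keep one row per alert and resource: the same alert is re-ingested on status changes
    | summarize arg_max(TimeGenerated, AlertName, AlertSeverity) by SystemAlertId, ResourceId;
arg("").securityresources
| where type == "microsoft.security/attackpaths"
| extend AttackPathId = tostring(id),
         AttackPathDisplayName = tostring(properties["displayName"])
| mv-expand Entity = properties.graphComponent.entities
| extend ResourceId = tolower(tostring(Entity.entityIdentifiers.azureResourceId))
| where isnotempty(ResourceId)
| distinct AttackPathId, AttackPathDisplayName, ResourceId
// leftouter: attack paths whose resources have no alert are kept (right-side columns are empty)
| join kind=leftouter hint.remote=right AlertsOnResources on ResourceId
| summarize AlertCount = dcountif(SystemAlertId, isnotempty(SystemAlertId)),
            HighSeverityCount = dcountif(SystemAlertId, AlertSeverity == "High"),
            LatestAlert = max(TimeGenerated),
            AlertNames = make_set_if(AlertName, isnotempty(AlertName), 10),
            AffectedResources = make_set(ResourceId)
  by AttackPathId, AttackPathDisplayName
| order by HighSeverityCount desc, AlertCount desc, LatestAlert desc
```

Run it in the Log Analytics workspace that receives the alerts; the ARG side is read through arg("") as in the original query. Attack paths with HighSeverityCount greater than 0 are the ones where an attacker may already be active on a resource that also offers a known path to a high-value target, which is the triage order the ranking is meant to produce.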

Thomas Naunheim
Released: September 5, 2023