KQL Search

Query Details

HomeAI ToolsDevice Query

Multiple Defender For Cloud Incident

Query

// https://learn.microsoft.com/en-us/azure/defender-for-cloud/incidents-reference
let query_frequency = 15m;
let query_wait = 15m;
let query_period = 1d;
AzureActivity
| where ingestion_time() between (ago(query_frequency + query_wait) .. ago(query_wait))
| where ResourceProviderValue =~ "MICROSOFT.SECURITY" and OperationNameValue =~ "Microsoft.Security/locations/alerts/activate/action"
| extend PreferenceInteger = case(
    ResourceProviderValue == "Microsoft.Security", 1,
    ResourceProviderValue == "MICROSOFT.SECURITY", 0,
    -1
    )
| summarize hint.shufflekey=CorrelationId
    PropertiesDynamic = make_bag(pack(ResourceProviderValue, todynamic(Properties))),
    EventDataId = make_bag(pack(ResourceProviderValue, EventDataId)),
    take_any(TenantId, SourceSystem, CategoryValue, SubscriptionId, Type),
    arg_min(PreferenceInteger, Properties_d, EventSubmissionTimestamp),
    arg_max(PreferenceInteger, Level, OperationNameValue, OperationId, ResourceGroup, ResourceProviderValue, ActivityStatusValue, OperationName, ActivityStatus, Category, ResourceId, ResourceProvider, Resource)
    by CorrelationId, TimeGenerated, _ResourceId
| extend Key = tostring(bag_keys(PropertiesDynamic)[0])
| extend AlertTitle = tostring(PropertiesDynamic[Key]["eventName"])
| where (AlertTitle startswith "Security incident" and AlertTitle has "detected")
    or tostring(todynamic(tostring(PropertiesDynamic[Key]["eventProperties"]))["isincident"]) == "****"
    or isnotempty(todynamic(tostring(PropertiesDynamic[Key]["eventProperties"]))["relatedAlerts"])
| project-away PreferenceInteger*
// | join kind=leftanti (
//     SecurityIncident
//     | where TimeGenerated > ago(query_period)
//     | where ProviderName == "Azure Security Center" ???
//     | distinct ???
//     ) on ???
| extend
    AlertLink = strcat(
    @"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/",
    CorrelationId,
    "/subscriptionId/",
    tolower(tostring(PropertiesDynamic[Key]["subscriptionId"])),
    "/resourceGroup/",
    tolower(tostring(PropertiesDynamic[Key]["resourceGroup"])),
    "/referencedFrom/alertDeepLink/location/",
    tostring(split(tostring(PropertiesDynamic[Key]["resource"]), "/")[0])
    ),
    AlertSeverity = tostring(todynamic(tostring(PropertiesDynamic[Key]["eventProperties"]))["severity"])
| project
    TimeGenerated,
    ResourceProviderValue,
    SubscriptionId,
    ResourceGroup,
    OperationNameValue,
    AlertTitle,
    AlertSeverity,
    AlertLink,
    CorrelationId,
    PropertiesDynamic,
    EventDataId,
    _ResourceId

Explanation

This query looks for security alerts related to Microsoft Security in Azure Activity logs. It filters out specific types of alerts and summarizes the data to show relevant information such as alert title, severity, and link to view more details. It also includes a link to the Azure portal for each alert.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: February 26, 2024

Tables

AzureActivity

Keywords

AzureActivity,ResourceProviderValue,OperationNameValue,Properties,EventDataId,TenantId,SourceSystem,CategoryValue,SubscriptionId,Type,Level,OperationId,ResourceGroup,ActivityStatusValue,OperationName,ActivityStatus,Category,ResourceId,ResourceProvider,Resource,CorrelationId,TimeGenerated,_ResourceId,AlertTitle,AlertLink,AlertSeverity.

Operators

| wherebetween=~==caseextendsummarizemake_bagpacktake_anyarg_minarg_maxbytostringstartswithhasisnotemptyproject-awayextendstrcattolowersplitproject.

Actions