Query Details

Multiple Unsynchronized Defender For Cloud Alert

Query

AzureActivity
| where ResourceProviderValue =~ "MICROSOFT.SECURITY" and OperationNameValue =~ "Microsoft.Security/locations/alerts/activate/action"
| extend PreferenceInteger = case(
    ResourceProviderValue == "Microsoft.Security", 1,
    ResourceProviderValue == "MICROSOFT.SECURITY", 0,
    -1
    )
| summarize hint.shufflekey=CorrelationId
    PropertiesDynamic = make_bag(pack(ResourceProviderValue, todynamic(Properties))),
    EventDataId = make_bag(pack(ResourceProviderValue, EventDataId)),
    take_any(TenantId, SourceSystem, CategoryValue, SubscriptionId, Type),
    arg_min(PreferenceInteger, Properties_d, EventSubmissionTimestamp),
    arg_max(PreferenceInteger, Level, OperationNameValue, OperationId, ResourceGroup, ResourceProviderValue, ActivityStatusValue, OperationName, ActivityStatus, Category, ResourceId, ResourceProvider, Resource)
    by CorrelationId, TimeGenerated, _ResourceId
| project-away PreferenceInteger*
| join kind=leftanti (
    SecurityAlert
    | where ProductName == "Azure Security Center"
    | distinct VendorOriginalId
    ) on $left.CorrelationId == $right.VendorOriginalId
| extend Key = tostring(bag_keys(PropertiesDynamic)[0])
| extend
    AlertLink = strcat(
    @"https://portal.azure.com/#blade/Microsoft_Azure_Security_AzureDefenderForData/AlertBlade/alertId/",
    CorrelationId,
    "/subscriptionId/",
    tolower(tostring(PropertiesDynamic[Key]["subscriptionId"])),
    "/resourceGroup/",
    tolower(tostring(PropertiesDynamic[Key]["resourceGroup"])),
    "/referencedFrom/alertDeepLink/location/",
    tostring(split(tostring(PropertiesDynamic[Key]["resource"]), "/")[0])
    ),
    AlertTitle = tostring(PropertiesDynamic[Key]["eventName"]),
    AlertSeverity = tostring(todynamic(tostring(PropertiesDynamic[Key]["eventProperties"]))["severity"])
| project
    TimeGenerated,
    ResourceProviderValue,
    SubscriptionId,
    ResourceGroup,
    OperationNameValue,
    AlertTitle,
    AlertSeverity,
    AlertLink,
    CorrelationId,
    PropertiesDynamic,
    EventDataId,
    _ResourceId

Explanation

The query selects AzureActivity records whose resource provider is Microsoft.Security and whose operation is the alert activation action (Microsoft.Security/locations/alerts/activate/action). Because the same alert can be logged twice with the provider name in different casing, it assigns a preference value to each casing and summarizes by CorrelationId, TimeGenerated and _ResourceId, merging the Properties and EventDataId values of both records into dynamic bags and keeping a single set of descriptive fields. A leftanti join against SecurityAlert (ProductName "Azure Security Center", matched on VendorOriginalId) keeps only alerts that have no corresponding SecurityAlert record, that is, alerts that have not been synchronized. Finally, it builds an Azure portal deep link for each alert and projects the time generated, resource provider, subscription ID, resource group, operation name, alert title, alert severity, alert link, correlation ID, merged properties, event data IDs, and resource ID.

Details

Jose Sebastián Canós

Released: January 23, 2024

Tables

AzureActivity,SecurityAlert

Keywords

AzureActivity,ResourceProviderValue,OperationNameValue,PreferenceInteger,CorrelationId,PropertiesDynamic,EventDataId,TenantId,SourceSystem,CategoryValue,SubscriptionId,Type,Level,OperationId,ResourceGroup,ActivityStatusValue,OperationName,ActivityStatus,Category,ResourceId,Resource,TimeGenerated,_ResourceId,SecurityAlert,ProductName,VendorOriginalId,Key,AlertLink,AlertTitle,AlertSeverity

Operators

where,=~,and,extend,case,==,summarize,hint.shufflekey,make_bag,pack,todynamic,take_any,arg_min,arg_max,by,project-away,join,kind=leftanti,distinct,on,$left.,$right.,tostring,strcat,/,tolower,split