Query Details
// Build one anchored alternation pattern from the "HistoryFileClearedCommand"
// rows of the Activity-ExpectedSignificantActivity watchlist. Each "Auxiliar"
// value is spliced in as a raw regex fragment, so an entry containing
// unescaped metacharacters ('.', '|', '(' ...) is interpreted as regex syntax
// and may match more command lines than intended. With no matching rows the
// pattern becomes '^()$', which only matches an empty command line.
let _KnownHistoryClearPattern = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "HistoryFileClearedCommand"
    | summarize Fragments = make_list(Auxiliar)
    | project Pattern = strcat(@'^(', strcat_array(Fragments, '|'), @')$')
);
// History-file-cleared alerts, minus the ASI scheduled-alert provider
SecurityAlert
| where AlertName has "A history file has been cleared"
| where ProviderName != "ASI Scheduled Alerts"
// Parse ExtendedProperties into a dynamic object so fields can be read by key
| extend ExtendedProperties = parse_json(ExtendedProperties)
| extend CommandLine = tostring(ExtendedProperties["Suspicious Command Line"])
| extend Process = tostring(ExtendedProperties["Suspicious Process"])
| extend Account = tostring(ExtendedProperties["User Name"])
| extend Computer = tostring(ExtendedProperties["Compromised Host"])
// Allow-list: drop command lines already classified as expected in the watchlist
| where not(CommandLine matches regex _KnownHistoryClearPattern)
// Clean Entities: strip the JSON "$id"/"$ref" bookkeeping from the Entities
// string (presumably so equivalent entities from different alerts collapse
// when aggregated below)
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
// One row per alert name / severity / description / resource / host / account;
// Processes, CommandLines and AlertLinks are capped at 250 distinct values,
// Entities is not
| summarize
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    TimeGenerated = min(TimeGenerated),
    take_any(RemediationSteps, Tactics, Techniques),
    Processes = make_set(Process, 250),
    CommandLines = make_set(CommandLine, 250),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(parse_json(Entities))
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Computer, Account
// Final column order
| project
    TimeGenerated, AlertName, AlertSeverity, Description, RemediationSteps, ResourceId,
    StartTime, EndTime, Computer, Account, Processes, CommandLines, AlertLinks,
    Tactics, Techniques, Entities
The query selects SecurityAlert rows whose AlertName refers to a cleared history file, excluding those from the "ASI Scheduled Alerts" provider. It extracts the host, account, process and command line from ExtendedProperties and drops rows whose CommandLine matches the regular expression built from the watchlist of expected history-clearing commands. It then strips the "$id"/"$ref" references from Entities, summarizes the remaining alerts by alert name, severity, description, resource, host and account, and projects the selected columns as the final output.

Jose Sebastián Canós
Released: March 28, 2023