Query Details

Security Alert Adaptive Application Control Policy Violation Was Audited

Query

// Allow list: files known to be benign per subscription and VM group, kept in the
// File-BenignAzureExecution watchlist. SubscriptionId is cast to string so the join keys match.
let _BenignFiles =
    _GetWatchlist("File-BenignAzureExecution")
    | project SubscriptionId = tostring(SubscriptionId), GroupName, FilePath
;
SecurityAlert
// Skip alerts emitted by Sentinel's own scheduled analytics rules, so a rule built on this query
// does not re-ingest its own output
| where AlertName has "Adaptive application control policy violation was audited" and ProviderName != "ASI Scheduled Alerts"
| extend ExtendedProperties = todynamic(ExtendedProperties)
// The File property carries one "Path: ...; Signature : ...; HitCount: ...; User: ..." record per
// offending file; extract_all returns every Path line as an array element
| extend
    FileProperties = extract_all(@"(Path: .*)", tostring(ExtendedProperties.File)),
    ResourceType = tostring(ExtendedProperties.resourceType),
    GroupName = tostring(ExtendedProperties.GroupName)
// One row per file
| mv-expand FileProperties to typeof(string)
// Fields are ';'-separated; trim the carriage return that CRLF line endings leave on a trailing field
| extend
    FilePath = trim(@'\r', extract(@"Path: ([^;]*)", 1, FileProperties)),
    FileSignature = extract(@"Signature : ([^;]*)", 1, FileProperties),
    FileHitCount = extract(@"HitCount: ([^;]*)", 1, FileProperties),
    AccountName = trim(@'\r', extract(@"User: ([^;]*)", 1, FileProperties)),
    SubscriptionId = extract(@"^/subscriptions/([^/]+)/.+$", 1, ResourceId)
// Keep only the latest alert per subscription, VM group, account and file
| summarize arg_max(TimeGenerated, *) by SubscriptionId, GroupName, AccountName, FilePath
// Suppress anything the watchlist marks benign (exact, case-sensitive match on all three keys)
| join kind=leftanti _BenignFiles on SubscriptionId, GroupName, FilePath
| project
    TimeGenerated,
    CompromisedEntity,
    SubscriptionId,
    GroupName,
    AccountName,
    FilePath,
    ResourceType,
    ResourceId,
    AlertName,
    Description,
    ProviderName,
    ProductName,
    FileSignature,
    FileHitCount

Explanation

This query surfaces Defender for Cloud adaptive application control audit alerts, that is, executions on a VM that fall outside the allow list learned for its group, with known-benign files suppressed. It selects SecurityAlert rows whose AlertName contains "Adaptive application control policy violation was audited" and excludes ProviderName "ASI Scheduled Alerts", so alerts produced by Sentinel's own scheduled analytics rules (including any rule built on this query) are not fed back in. ExtendedProperties is parsed as JSON; the query expects its File value to hold one "Path: ...; Signature : ...; HitCount: ...; User: ..." record per offending file, so extract_all pulls every Path line, mv-expand turns each into its own row, and extract recovers the path, signer, hit count and executing account (trim removes the carriage return that CRLF line endings leave on a trailing field). SubscriptionId is taken from the alert's ResourceId. summarize arg_max keeps only the most recent alert per subscription, VM group, account and path, and the leftanti join against the File-BenignAzureExecution watchlist drops every (SubscriptionId, GroupName, FilePath) tuple the watchlist marks as benign; the remaining rows are projected for output. Two caveats: the join is an exact, case-sensitive string match, so watchlist paths must be written exactly as they appear in the alert (Windows paths are case-insensitive, so normalize both sides with tolower() if the watchlist is populated by hand), and because the watchlist key omits AccountName, a path marked benign is suppressed for every user in that group.
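As an added worked example (not part of the original page or the author's query), the following self-contained KQL runs the same parsing and suppression logic over constructed alerts and a datatable standing in for the File-BenignAzureExecution watchlist, and contrasts the query's exact join with a case-normalized one. The alert payloads, subscription id, VM names, group name and account names are constructed to fit the query's regexes; the real Defender for Cloud File layout is not documented on this page and may differ.

```kql
// Added example, not the page's query: constructed SecurityAlert-shaped rows. The
// ExtendedProperties JSON is built to match the regexes in the query (CRLF between
// file records, ';' between fields); the real payload may differ.
let SampleAlerts = datatable(TimeGenerated:datetime, AlertName:string, ProviderName:string,
                             CompromisedEntity:string, ResourceId:string, ExtendedProperties:string) [
    datetime(2022-08-01T10:00:00Z), "Adaptive application control policy violation was audited", "Azure Security Center", "vm-web01",
        "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web01",
        @'{"File":"Path: C:\\Tools\\PsExec.exe; Signature : Unsigned; HitCount: 3; User: CONTOSO\\alice\r\nPath: C:\\Windows\\Temp\\update.exe; Signature : Unsigned; HitCount: 1; User: CONTOSO\\svc-deploy\r\n","resourceType":"Virtual Machine","GroupName":"GROUP1"}',
    datetime(2022-08-01T11:00:00Z), "Adaptive application control policy violation was audited", "Azure Security Center", "vm-web02",
        "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web02",
        @'{"File":"Path: c:\\windows\\temp\\update.exe; Signature : Unsigned; HitCount: 2; User: CONTOSO\\svc-deploy\r\n","resourceType":"Virtual Machine","GroupName":"GROUP1"}',
    datetime(2022-08-01T12:00:00Z), "Adaptive application control policy violation was audited", "ASI Scheduled Alerts", "vm-web01",
        "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-web01",
        @'{"File":"Path: C:\\Tools\\PsExec.exe; Signature : Unsigned; HitCount: 3; User: CONTOSO\\alice\r\n","resourceType":"Virtual Machine","GroupName":"GROUP1"}'
];
// Stand-in for _GetWatchlist("File-BenignAzureExecution"): one benign path, written in canonical case.
let BenignFiles = datatable(SubscriptionId:string, GroupName:string, FilePath:string) [
    "00000000-0000-0000-0000-000000000001", "GROUP1", @"C:\Windows\Temp\update.exe"
];
// Same parsing steps as the page's query, up to and including the deduplication.
let Parsed = SampleAlerts
| where AlertName has "Adaptive application control policy violation was audited" and ProviderName != "ASI Scheduled Alerts"
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    FileProperties = extract_all(@"(Path: .*)", tostring(ExtendedProperties.File)),
    GroupName = tostring(ExtendedProperties.GroupName)
| mv-expand FileProperties to typeof(string)
| extend
    FilePath = trim(@'\r', extract(@"Path: ([^;]*)", 1, FileProperties)),
    AccountName = trim(@'\r', extract(@"User: ([^;]*)", 1, FileProperties)),
    SubscriptionId = extract(@"^/subscriptions/([^/]+)/.+$", 1, ResourceId)
| summarize arg_max(TimeGenerated, *) by SubscriptionId, GroupName, AccountName, FilePath;
// 1. Exact anti-join, as in the original query: the lower-case spelling on vm-web02 is NOT suppressed.
let Exact = Parsed
| join kind=leftanti BenignFiles on SubscriptionId, GroupName, FilePath
| extend JoinMode = "exact";
// 2. Case-normalized anti-join: both spellings of update.exe are suppressed, only PsExec.exe remains.
let Normalized = Parsed
| extend FilePathKey = tolower(FilePath)
| join kind=leftanti (BenignFiles | project SubscriptionId, GroupName, FilePathKey = tolower(FilePath))
    on SubscriptionId, GroupName, FilePathKey
| extend JoinMode = "case-insensitive";
union Exact, Normalized
| project JoinMode, TimeGenerated, CompromisedEntity, SubscriptionId, GroupName, AccountName, FilePath
| order by JoinMode asc, TimeGenerated asc
```

Run as-is in a Log Analytics or Sentinel query window; no tables are read. The "ASI Scheduled Alerts" row never reaches the parse stage. The "exact" set should contain two rows (PsExec.exe on vm-web01 and the lower-case update.exe on vm-web02), while the "case-insensitive" set contains only PsExec.exe, which is the behaviour to adopt if the watchlist is hand-maintained and path case cannot be guaranteed.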

Details


Jose Sebastián Canós

Released: August 2, 2022

Tables

SecurityAlert
_BenignFiles

Keywords

SecurityAlert,AlertName,ProviderName,ExtendedProperties,FileProperties,ResourceType,GroupName,FilePath,FileSignature,FileHitCount,AccountName,SubscriptionId,TimeGenerated,CompromisedEntity,ResourceId,Description,ProductName

Operators

|, where, and, !=, extend, todynamic, extract_all, tostring, mv-expand, trim, extract, summarize, arg_max, by, join, kind=leftanti, project
