Query Details

Security Alert Adaptive Application Control Policy Violation Was Audited

Query

let _BenignFiles =
    _GetWatchlist("File-BenignAzureExecution")
    | project SubscriptionId = tostring(SubscriptionId), GroupName, FilePath
;
SecurityAlert
| where AlertName has "Adaptive application control policy violation was audited" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    FileProperties = extract_all(@"(Path: .*)", tostring(ExtendedProperties.File)),
    ResourceType = tostring(ExtendedProperties.resourceType),
    GroupName = tostring(ExtendedProperties.GroupName)
| mv-expand FileProperties to typeof(string)
| extend
    FilePath = trim(@'\r', extract(@"Path: ([^;]*)", 1, FileProperties)),
    FileSignature = extract(@"Signature : ([^;]*)", 1, FileProperties),
    FileHitCount = extract(@"HitCount: ([^;]*)", 1, FileProperties),
    AccountName = trim(@'\r', extract(@"User: ([^;]*)", 1, FileProperties)),
    SubscriptionId = extract(@"^/subscriptions/([^/]+)/.+$", 1, ResourceId)
| summarize arg_max(TimeGenerated, *) by SubscriptionId, GroupName, AccountName, FilePath
| join kind=leftanti _BenignFiles on SubscriptionId, GroupName, FilePath
| project
    TimeGenerated,
    CompromisedEntity,
    SubscriptionId,
    GroupName,
    AccountName,
    FilePath,
    ResourceType,
    ResourceId,
    AlertName,
    Description,
    ProviderName,
    ProductName,
    FileSignature,
    FileHitCount

Explanation

This KQL (Kusto Query Language) query is designed to identify and filter out security alerts related to application control policy violations in Azure. Here's a simplified breakdown of what the query does:

  1. Define a List of Benign Files:

    • It starts by creating a list of benign files from a watchlist named "File-BenignAzureExecution". This list includes the subscription ID, group name, and file path.
  2. Filter Security Alerts:

    • The query then looks at security alerts specifically for "Adaptive application control policy violation was audited" from the "Azure Security Center".
  3. Summarize Alerts:

    • It summarizes these alerts to get the earliest instance of each alert by SystemAlertId.
  4. Extract and Expand Properties:

    • The query extracts detailed properties from the alerts, such as file paths, signatures, hit counts, and account names. It also expands these properties to handle multiple file entries.
  5. Summarize by Key Attributes:

    • It further summarizes the data to get the latest instance of each alert by subscription ID, group name, account name, and file path.
  6. Exclude Benign Files:

    • The query performs a left anti-join with the benign files list to exclude any alerts related to files that are known to be benign.
  7. Project Relevant Information:

    • Finally, it selects and displays relevant information such as the time the alert was generated, the compromised entity, subscription ID, group name, account name, file path, resource type, resource ID, alert name, description, provider name, product name, file signature, and file hit count.

In essence, this query helps in identifying potentially malicious file activities by filtering out known benign files and focusing on alerts that might indicate a security threat.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: February 5, 2024

Tables

SecurityAlert

Keywords

SecurityAlertAzureSecurityCenterSubscriptionIdGroupNameFilePathSystemAlertIdExtendedPropertiesResourceTypeAccountNameResourceIdTimeGeneratedCompromisedEntityAlertNameDescriptionProviderNameProductNameFileSignatureFileHitCount

Operators

letprojectwheresummarizearg_minextendtodynamicextract_alltostringmv-expandtrimextractarg_maxjoinkind=leftanti

Actions

GitHub