Query Details

Security Alert Anomalous Access To Kubernetes Secret

Query

SecurityAlert
| where AlertName has "Anomalous access to Kubernetes secret" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    UserName = tostring(ExtendedProperties["UserName"]),
    UserAgent = tostring(ExtendedProperties["UserAgent"]),
    Namespace = tostring(ExtendedProperties["Namespace"]),
    RequestVerb = tostring(ExtendedProperties["RequestVerb"]),
    SecretName = tostring(ExtendedProperties["SecretName"]),
    RequestURI = tostring(ExtendedProperties["RequestURI"]),
    ResourceType = tostring(ExtendedProperties["resourceType"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    UserAgents = make_set(UserAgent, 250),
    SecretNames = make_set(SecretName, 250),
    RequestURIs = make_set(RequestURI, 250),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Namespace, UserName, RequestVerb, ResourceType
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceId,
    ResourceType,
    StartTime,
    EndTime,
    UserName,
    UserAgents,
    Namespace,
    RequestVerb,
    SecretNames,
    RequestURIs,
    AlertLinks,
    Tactics,
    Techniques,
    Entities

Explanation

This KQL query is designed to analyze security alerts related to anomalous access to Kubernetes secrets, specifically those generated by Azure Security Center. Here's a simplified breakdown of what the query does:

  1. Filter Alerts: It starts by filtering the SecurityAlert data to only include alerts with the name "Anomalous access to Kubernetes secret" and those provided by "Azure Security Center".

  2. Summarize Alerts: It groups the alerts by their unique SystemAlertId and selects the earliest occurrence of each alert based on the TimeGenerated field.

  3. Extract Properties: The query extracts specific properties from the ExtendedProperties field, such as UserName, UserAgent, Namespace, RequestVerb, SecretName, RequestURI, and ResourceType.

  4. Clean Entities: It cleans up the Entities field by removing certain patterns using regular expressions.

  5. Aggregate Data: The query then aggregates the data, summarizing various fields:

    • It calculates the earliest TimeGenerated and StartTime, and the latest EndTime.
    • It creates sets of unique UserAgents, SecretNames, RequestURIs, and AlertLinks, with a limit of 250 items each.
    • It also aggregates Entities into a set and selects any available RemediationSteps, Tactics, and Techniques.
  6. Project Results: Finally, it selects and organizes the relevant fields to be displayed in the output, including alert details, user information, and aggregated data.

Overall, this query is used to identify and summarize security alerts related to unauthorized access attempts to Kubernetes secrets, providing insights into the affected resources, users involved, and potential remediation steps.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: February 5, 2024

Tables

SecurityAlert

Keywords

SecurityAlertAzureSecurityCenterUserUserAgentNamespaceResourceTypeSecretNameRequestURIAlertNameAlertSeverityDescriptionResourceIdRemediationStepsTacticsTechniquesEntities

Operators

wherehasandsummarizearg_minbyextendtodynamictostringreplace_regexminmaxmake_settake_anytolowerproject

Actions

GitHub