Query Details
SecurityAlert
| where AlertName has "Anomalous access to Kubernetes secret" and ProviderName != "ASI Scheduled Alerts"
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    UserName = tostring(ExtendedProperties["UserName"]),
    UserAgent = tostring(ExtendedProperties["UserAgent"]),
    Namespace = tostring(ExtendedProperties["Namespace"]),
    RequestVerb = tostring(ExtendedProperties["RequestVerb"]),
    SecretName = tostring(ExtendedProperties["SecretName"]),
    RequestURI = tostring(ExtendedProperties["RequestURI"]),
    ResourceType = tostring(ExtendedProperties["resourceType"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    UserAgents = make_set(UserAgent, 250),
    SecretNames = make_set(SecretName, 250),
    RequestURIs = make_set(RequestURI, 250),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Namespace, UserName, RequestVerb, ResourceType
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceId,
    ResourceType,
    StartTime,
    EndTime,
    UserName,
    UserAgents,
    Namespace,
    RequestVerb,
    SecretNames,
    RequestURIs,
    AlertLinks,
    Tactics,
    Techniques,
    Entities
This query retrieves security alerts for anomalous access to Kubernetes secrets, excluding those raised by the "ASI Scheduled Alerts" provider. It parses the ExtendedProperties JSON and promotes the Kubernetes-specific fields (user name, user agent, namespace, request verb, secret name, request URI and resource type) to their own columns. It also strips the "$id"/"$ref" cross-reference markers from the Entities field so that it parses as plain JSON. Finally, it groups the alerts by alert name, severity, description, resource, namespace, user, request verb and resource type, collecting the distinct user agents, secret names, request URIs and alert links seen in each group, and projects the columns needed for investigation.
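To make the Entities cleanup and the summarize step concrete, here is an added Python example (not part of the original query or of Microsoft Sentinel) that applies the same regular expression to a constructed Entities string and replays the provider filter and group-by over constructed alert rows; all sample values, names and URIs are made up.

```python
import json
import re
from collections import defaultdict

# The pattern the KQL query passes to replace_regex(), rewritten for Python's re module.
# It strips the "$id"/"$ref" bookkeeping the alert pipeline embeds in the Entities
# array so that what remains parses as a plain JSON list of entity objects.
ENTITY_REF_PATTERN = re.compile(
    r'(,"\w+":\{"\$ref":"\d+"\}|,\{"\$ref":"\d+"\})|"\$id":"\d+",'
)

def clean_entities(entities: str) -> list:
    """Mirror the query's replace_regex + todynamic on the Entities column."""
    return json.loads(ENTITY_REF_PATTERN.sub("", entities))

def summarize_alerts(alerts: list) -> dict:
    """Mirror the query's filter and summarize: drop the excluded provider, then
    group by (Namespace, UserName, RequestVerb) collecting distinct values."""
    grouped = defaultdict(lambda: {"SecretNames": set(), "RequestURIs": set(), "UserAgents": set()})
    for alert in alerts:
        if alert["ProviderName"] == "ASI Scheduled Alerts":
            continue
        props = json.loads(alert["ExtendedProperties"])  # the column is a JSON string
        bucket = grouped[(props["Namespace"], props["UserName"], props["RequestVerb"])]
        bucket["SecretNames"].add(props["SecretName"])
        bucket["RequestURIs"].add(props["RequestURI"])
        bucket["UserAgents"].add(props["UserAgent"])
    return dict(grouped)

# Constructed sample data in the shape the query reads; not real telemetry.
SAMPLE_ENTITIES = (
    '[{"$id":"2","Name":"aks-prod","Type":"azure-resource"},'
    '{"$id":"3","Name":"db-credentials","Namespace":"payments","Cluster":{"$ref":"2"},'
    '"Type":"k8s-secret"},{"$ref":"2"}]'
)

def _row(provider, user, agent, secret):
    props = {"UserName": user, "UserAgent": agent, "Namespace": "payments", "RequestVerb": "get",
             "SecretName": secret, "RequestURI": f"/api/v1/namespaces/payments/secrets/{secret}",
             "resourceType": "secrets"}
    return {"ProviderName": provider, "ExtendedProperties": json.dumps(props)}

SAMPLE_ALERTS = [
    _row("Azure Security Center", "system:serviceaccount:payments:ci-runner", "kubectl/v1.26.3", "db-credentials"),
    _row("Azure Security Center", "system:serviceaccount:payments:ci-runner", "curl/7.88.1", "tls-cert"),
    _row("ASI Scheduled Alerts", "system:serviceaccount:payments:ci-runner", "bot/1.0", "excluded-secret"),
]

if __name__ == "__main__":
    print(clean_entities(SAMPLE_ENTITIES))
    print(summarize_alerts(SAMPLE_ALERTS))
```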

Jose Sebastián Canós
Released: March 28, 2023