Security Alert Anomalous Access To Kubernetes Secret
Query
SecurityAlert
| where AlertName has "Anomalous access to Kubernetes secret" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
UserName = tostring(ExtendedProperties["UserName"]),
UserAgent = tostring(ExtendedProperties["UserAgent"]),
Namespace = tostring(ExtendedProperties["Namespace"]),
RequestVerb = tostring(ExtendedProperties["RequestVerb"]),
SecretName = tostring(ExtendedProperties["SecretName"]),
RequestURI = tostring(ExtendedProperties["RequestURI"]),
ResourceType = tostring(ExtendedProperties["resourceType"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
TimeGenerated = min(TimeGenerated),
StartTime = min(StartTime),
EndTime = max(EndTime),
UserAgents = make_set(UserAgent, 250),
SecretNames = make_set(SecretName, 250),
RequestURIs = make_set(RequestURI, 250),
AlertLinks = make_set(AlertLink, 250),
Entities = make_set(todynamic(Entities)),
take_any(RemediationSteps, Tactics, Techniques)
by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Namespace, UserName, RequestVerb, ResourceType
| project
TimeGenerated,
AlertName,
AlertSeverity,
Description,
RemediationSteps,
ResourceId,
ResourceType,
StartTime,
EndTime,
UserName,
UserAgents,
Namespace,
RequestVerb,
SecretNames,
RequestURIs,
AlertLinks,
Tactics,
Techniques,
EntitiesExplanation
This KQL query is designed to analyze security alerts related to anomalous access to Kubernetes secrets, specifically those generated by Azure Security Center. Here's a simplified breakdown of what the query does:
-
Filter Alerts: It starts by filtering the
SecurityAlertdata to only include alerts with the name "Anomalous access to Kubernetes secret" and those provided by "Azure Security Center". -
Summarize Alerts: It groups the alerts by their unique
SystemAlertIdand selects the earliest occurrence of each alert based on theTimeGeneratedfield. -
Extract Properties: The query extracts specific properties from the
ExtendedPropertiesfield, such asUserName,UserAgent,Namespace,RequestVerb,SecretName,RequestURI, andResourceType. -
Clean Entities: It cleans up the
Entitiesfield by removing certain patterns using regular expressions. -
Aggregate Data: The query then aggregates the data, summarizing various fields:
- It calculates the earliest
TimeGeneratedandStartTime, and the latestEndTime. - It creates sets of unique
UserAgents,SecretNames,RequestURIs, andAlertLinks, with a limit of 250 items each. - It also aggregates
Entitiesinto a set and selects any availableRemediationSteps,Tactics, andTechniques.
- It calculates the earliest
-
Project Results: Finally, it selects and organizes the relevant fields to be displayed in the output, including alert details, user information, and aggregated data.
Overall, this query is used to identify and summarize security alerts related to unauthorized access attempts to Kubernetes secrets, providing insights into the affected resources, users involved, and potential remediation steps.
Details

Jose Sebastián Canós
Released: February 5, 2024
Tables
Keywords
Operators