Query Details

Security Alert Antimalware Action

Query

SecurityAlert
| where AlertName has "Antimalware Action" and ProviderName != "ASI Scheduled Alerts"
| where not(Status == "Dismissed")
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    ActionTaken = tostring(ExtendedProperties["ActionTaken"]),
    Category = tostring(ExtendedProperties["Category"]),
    FilePath = split(ExtendedProperties["File Path"], ", "),
    ProtectionType = tostring(ExtendedProperties["Protection Type"]),
    ThreatID = tostring(ExtendedProperties["Threat ID"]),
    ThreatStatus = tostring(ExtendedProperties["Threat Status"]),
    ThreatName = tostring(ExtendedProperties["ThreatName"])
| mv-expand FilePath to typeof(string)
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    Categories = array_sort_asc(make_set(Category)),
    Threats = make_set(bag_pack("ThreatName", ThreatName, "FilePath", FilePath, "ThreatID", ThreatID)),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), CompromisedEntity, ProtectionType, ActionTaken, ThreatStatus
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceId,
    StartTime,
    EndTime,
    CompromisedEntity,
    ProtectionType,
    ActionTaken,
    ThreatStatus,
    Categories,
    Threats,
    AlertLinks,
    Tactics,
    Techniques,
    Entities

Explanation

This query retrieves SecurityAlert rows whose AlertName contains "Antimalware Action", excluding alerts from the provider "ASI Scheduled Alerts" and alerts whose Status is "Dismissed". It parses ExtendedProperties as a dynamic bag and extracts the action taken, category, file path, protection type, threat ID, threat status, and threat name; the comma-separated file path value is split and expanded into one row per path. The Entities JSON is cleaned with a regular expression that removes the "$id" markers and "$ref" back-references, and the rows are then summarized by alert name, severity, description, resource ID (lower-cased), compromised entity, protection type, action taken, and threat status, keeping the earliest TimeGenerated and StartTime, the latest EndTime, and sets of categories, threats (threat name, file path, and threat ID), alert links, and entities. Finally, the query projects time generated, alert name, severity, description, remediation steps, resource ID, start time, end time, compromised entity, protection type, action taken, threat status, categories, threats, alert links, tactics, techniques, and entities.
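To see what the cleanup and extraction steps do to a single record, here is a Python port of the query's Entities regex and of its extend/mv-expand logic, run over constructed sample values. This is an added example, not part of the query page; the entity shapes, property values and key names are assumptions modelled on what the query reads.

```python
import json
import re

# The query's replace_regex() pattern, copied into Python's re syntax. It removes the
# JSON.NET reference bookkeeping found in SecurityAlert.Entities: leading "$id":"N",
# markers and ,"Name":{"$ref":"N"} / ,{"$ref":"N"} back-references.
ENTITY_REF_CLEANUP = re.compile(
    r'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,'
)

# Constructed sample: one host entity and one file entity that back-references the host.
SAMPLE_ENTITIES = (
    '[{"$id":"1","HostName":"web01","Type":"host"},'
    '{"$id":"2","Name":"evil.exe","Host":{"$ref":"1"},"Type":"file"}]'
)

# Constructed sample of the ExtendedProperties bag; key names follow the query above.
SAMPLE_EXTENDED_PROPERTIES = json.dumps({
    "ActionTaken": "Quarantine",
    "Category": "Trojan",
    "File Path": r"C:\Users\Public\a.exe, C:\Temp\b.dll",
    "Protection Type": "Windows Defender",
    "Threat ID": "0000000000",  # placeholder, not a real threat id
    "Threat Status": "Remediated",
    "ThreatName": "Trojan:Win32/ExampleOnly",  # placeholder name
})


def clean_entities(entities: str) -> list:
    """Mirror the '// Clean Entities' step: strip $id/$ref, then parse the array."""
    return json.loads(ENTITY_REF_CLEANUP.sub("", entities))


def expand_threats(extended_properties: str) -> list:
    """Mirror the extend + mv-expand steps: one record per comma-separated file path."""
    props = json.loads(extended_properties)
    return [
        {"ThreatName": props["ThreatName"], "FilePath": path, "ThreatID": props["Threat ID"]}
        for path in props["File Path"].split(", ")
    ]


if __name__ == "__main__":
    print(json.dumps(clean_entities(SAMPLE_ENTITIES), indent=2))
    print(json.dumps(expand_threats(SAMPLE_EXTENDED_PROPERTIES), indent=2))
```

Both `$ref` alternatives in the pattern require a leading comma, so a `$ref` object that opens an array (for example `"Files":[{"$ref":"2"}]`) is left in place and reaches `make_set(todynamic(Entities))` unchanged.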

Details

Jose Sebastián Canós

Released: April 5, 2023

Tables

SecurityAlert

Keywords

SecurityAlert,AlertName,ProviderName,Status,ExtendedProperties,ActionTaken,Category,FilePath,ProtectionType,ThreatID,ThreatStatus,ThreatName,Entities,TimeGenerated,StartTime,EndTime,Categories,Threats,AlertLinks,RemediationSteps,Tactics,Techniques,Description,ResourceId,CompromisedEntity

Operators

where,has,and,!=,not,extend,tostring,split,mv-expand,replace_regex,summarize,min,max,array_sort_asc,make_set,bag_pack,take_any,by,project