Security Alert Antimalware Action
Query
SecurityAlert
| where AlertName has "Antimalware Action" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| where not(Status == "Dismissed")
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
ActionTaken = tostring(ExtendedProperties["ActionTaken"]),
Category = tostring(ExtendedProperties["Category"]),
FilePath = split(ExtendedProperties["File Path"], ", "),
ProtectionType = tostring(ExtendedProperties["Protection Type"]),
ThreatID = tostring(ExtendedProperties["Threat ID"]),
ThreatStatus = tostring(ExtendedProperties["Threat Status"]),
ThreatName = tostring(ExtendedProperties["ThreatName"])
| mv-expand FilePath to typeof(string)
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
TimeGenerated = min(TimeGenerated),
StartTime = min(StartTime),
EndTime = max(EndTime),
Categories = array_sort_asc(make_set(Category)),
Threats = make_set(bag_pack("ThreatName", ThreatName, "FilePath", FilePath, "ThreatID", ThreatID)),
AlertLinks = make_set(AlertLink, 250),
Entities = make_set(todynamic(Entities)),
take_any(RemediationSteps, Tactics, Techniques)
by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), CompromisedEntity, ProtectionType, ActionTaken, ThreatStatus
| project
TimeGenerated,
AlertName,
AlertSeverity,
Description,
RemediationSteps,
ResourceId,
StartTime,
EndTime,
CompromisedEntity,
ProtectionType,
ActionTaken,
ThreatStatus,
Categories,
Threats,
AlertLinks,
Tactics,
Techniques,
EntitiesExplanation
This KQL (Kusto Query Language) query is designed to analyze security alerts related to antimalware actions within Azure Security Center. Here's a simplified breakdown of what the query does:
-
Filter Alerts: It starts by filtering the
SecurityAlerttable to find alerts with the name containing "Antimalware Action" and generated by "Azure Security Center". -
Select Earliest Alert: For each unique
SystemAlertId, it selects the earliest alert based onTimeGenerated. -
Exclude Dismissed Alerts: It removes any alerts that have been marked as "Dismissed".
-
Extract and Transform Data: It extracts various properties from the
ExtendedPropertiesfield, such asActionTaken,Category,FilePath,ProtectionType,ThreatID,ThreatStatus, andThreatName. TheFilePathis split into individual paths. -
Expand File Paths: It expands the
FilePathfield so that each file path is treated as a separate entry. -
Clean Entities: It cleans up the
Entitiesfield by removing certain patterns using regular expressions. -
Summarize Data: It summarizes the data by grouping it based on several fields like
AlertName,AlertSeverity,Description,ResourceId,CompromisedEntity,ProtectionType,ActionTaken, andThreatStatus. It also aggregates other details:- Finds the earliest
TimeGeneratedandStartTime, and the latestEndTime. - Collects unique
Categoriesand sorts them. - Gathers details about
Threats, includingThreatName,FilePath, andThreatID. - Compiles a list of
AlertLinksandEntities. - Selects any available
RemediationSteps,Tactics, andTechniques.
- Finds the earliest
-
Project Final Output: Finally, it selects specific fields to display in the output, including
TimeGenerated,AlertName,AlertSeverity,Description,RemediationSteps,ResourceId,StartTime,EndTime,CompromisedEntity,ProtectionType,ActionTaken,ThreatStatus,Categories,Threats,AlertLinks,Tactics,Techniques, andEntities.
In summary, this query is used to analyze and summarize antimalware-related security alerts from Azure Security Center, providing detailed information about each alert, including threat details, actions taken, and associated entities.
Details

Jose Sebastián Canós
Released: February 5, 2024
Tables
Keywords
Operators