Query Details
// Parse all the relevant entities - hosts, accounts, IP addresses, files, groups, resources and times - from Defender for Identity alerts
// Data connector required for this query: SecurityAlert (free table that other Defender products send alert info to)
SecurityAlert
| where ProviderName == "Azure Advanced Threat Protection"
// Keep only the latest version of each alert, keyed on the vendor's own alert id
| summarize arg_max(TimeGenerated, *) by VendorOriginalId
// Entities is a JSON array stored as a string; expand it to one row per entity
| mv-expand todynamic(Entities)
| extend x = parse_json(Entities)
| extend Host = x.HostName
| extend Account = x.Name
| extend IP = x.Address
| extend File = x.File
| extend Group = x.Group
| extend ResourceId = x.ResourceName
| extend Time = x.Time
// Collapse the entity rows back to one row per alert, with a set of unique values per entity type
| summarize
    HostNames = make_set(Host),
    AccountNames = make_set(Account),
    IPAddresses = make_set(IP),
    Files = make_set(File),
    SecurityGroups = make_set(Group),
    Resources = make_set(ResourceId),
    TimeAccessed = make_set(Time)
    by TimeGenerated, SystemAlertId, AlertName, Description

This query extracts specific information from Defender for Identity alerts. It parses entities such as hosts, accounts, IP addresses, files, groups, resources, and times from the SecurityAlert table. The query filters for alerts generated by Azure Advanced Threat Protection and then uses arg_max to select the latest alert record for each unique VendorOriginalId. mv-expand expands the dynamic Entities column into one row per entity. parse_json then exposes the entity fields, which are assigned to separate columns. Finally, summarize groups and aggregates the extracted values, creating a set of unique values for each entity type. The result holds sets of host names, account names, IP addresses, files, security groups, resources, and times accessed, grouped by TimeGenerated, SystemAlertId, AlertName, and Description.
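One caveat worth checking before relying on the column-per-field approach above: fields such as Name are not unique to account entities (file and process entities also carry a Name), so make_set on x.Name can mix non-account values into AccountNames. The following is an added example, not part of the original query, that selects each field by the entity's Type and runs against a constructed datatable so the parsing can be verified in any workspace without live alert data; the entity field names follow the common Sentinel entity schema and the sample values are constructed.

```kql
// Added example (not from the original page): constructed rows that mimic the
// Entities column of a Defender for Identity SecurityAlert record.
let SampleAlerts = datatable(TimeGenerated: datetime, SystemAlertId: string, AlertName: string, Entities: string)
[
    datetime(2022-06-17T10:00:00Z), "alert-0001", "Constructed sample alert",
    '[{"$id":"2","HostName":"dc01","Type":"host"},'
    '{"$id":"3","Name":"jsmith","Type":"account"},'
    '{"$id":"4","Name":"payload.exe","Directory":"C:\\\\temp","Type":"file"},'
    '{"$id":"5","Address":"10.0.0.5","Type":"ip"}]'
];
SampleAlerts
// One row per entity; the expanded value is already dynamic, so no parse_json is needed
| mv-expand Entity = todynamic(Entities)
| extend EntityType = tostring(Entity.Type)
// Pick the field by entity type so a file's Name does not land in AccountNames
| extend Host    = iff(EntityType == "host",    tostring(Entity.HostName), ""),
         Account = iff(EntityType == "account", tostring(Entity.Name), ""),
         FileName = iff(EntityType == "file",   tostring(Entity.Name), ""),
         IP      = iff(EntityType == "ip",      tostring(Entity.Address), "")
// make_set_if drops the empty strings produced for non-matching entity types
| summarize
    HostNames    = make_set_if(Host,     isnotempty(Host)),
    AccountNames = make_set_if(Account,  isnotempty(Account)),
    Files        = make_set_if(FileName, isnotempty(FileName)),
    IPAddresses  = make_set_if(IP,       isnotempty(IP))
    by TimeGenerated, SystemAlertId, AlertName
```

Expected result for the constructed row: HostNames ["dc01"], AccountNames ["jsmith"], Files ["payload.exe"], IPAddresses ["10.0.0.5"]; with the untyped approach, "payload.exe" would also appear under AccountNames.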

Matt Zorich
Released: June 17, 2022