Query Details

Security Alert Logon Activity From A Potentially Harmful Application

Query

SecurityAlert
// Keep only this alert type, and drop the copies raised by the "ASI Scheduled Alerts" provider
| where AlertName has "Logon activity from a potentially harmful application" and ProviderName != "ASI Scheduled Alerts"
// Parse the ExtendedProperties JSON so individual keys can be addressed
| extend ExtendedProperties = todynamic(ExtendedProperties)
// Lift the alert-specific keys (several contain spaces) into plain columns
| extend
    CompromisedEntity = tostring(ExtendedProperties["CompromisedEntity"]),
    ClientApplication = tostring(ExtendedProperties["Client application"]),
    ClientPrincipalName = tostring(ExtendedProperties["Client principal name"]),
    ClientIPAddress = tostring(ExtendedProperties["Client IP address"])
// Clean Entities: strip the serializer's "$id" labels and "$ref" back-references so only the entity objects remain
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
// Collapse all alerts for the same client application into one row; each set is capped at 250 values
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    CompromisedEntities = make_set(CompromisedEntity, 250),
    ClientPrincipalNames = make_set(ClientPrincipalName, 250),
    ClientIPAddresses = make_set(ClientIPAddress, 250),
    ResourceIds = make_set(tolower(ResourceId), 250),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ClientApplication
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceIds,
    StartTime,
    EndTime,
    ClientApplication,
    ClientIPAddresses,
    ClientPrincipalNames,
    CompromisedEntities,
    AlertLinks,
    Tactics,
    Techniques,
    Entities

Explanation

This query retrieves SecurityAlert records for logon activity from a potentially harmful application, excluding the duplicate copies raised by the "ASI Scheduled Alerts" provider. It parses the ExtendedProperties JSON and lifts the compromised entity, client application, client principal name and client IP address into dedicated columns. It then cleans the Entities field by stripping the serializer's "$id" labels and "$ref" back-references, leaving only the entity objects themselves. Finally, it summarizes all matching alerts per alert name, severity, description and client application, collecting the affected entities, principals, IP addresses, resource IDs and alert links into sets, and projects the output columns.
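The Entities clean-up is the least obvious step, so here is an added example (not part of the original query page) that applies the same regular expression to a constructed Entities value and parses the result. The sample entity JSON and the pattern's translation to Python's `re` are assumptions; the pattern itself is copied from the query unchanged.

```python
import json
import re

# The same pattern the query passes to replace_regex(). Python's re accepts it
# unchanged: every escape it uses (\, \" \: \{ \} \$) is valid in both RE2 and re.
ENTITY_REF_PATTERN = re.compile(
    r'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}'      # ,"Key":{"$ref":"N"}
    r'|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,'      # "Key":{"$ref":"N"},
    r'|\,\{\"\$ref\"\:\"\d+\"\})'              # ,{"$ref":"N"}
    r'|\"\$id\"\:\"\d+\"\,'                    # "$id":"N",
)

# Constructed sample of a SecurityAlert.Entities value: the serializer labels
# each object with "$id" and refers back to it with "$ref", so the raw array
# carries bookkeeping objects alongside the real account and IP entities.
SAMPLE_ENTITIES = (
    '[{"$id":"2","Name":"alice","UPNSuffix":"contoso.example","Type":"account"},'
    '{"$id":"3","Address":"203.0.113.7","Type":"ip","Account":{"$ref":"2"}},'
    '{"$ref":"2"}]'
)


def strip_entity_refs(raw: str) -> str:
    """Mirror the `| extend Entities = replace_regex(...)` step of the query."""
    return ENTITY_REF_PATTERN.sub("", raw)


def clean_entities(raw: str) -> list:
    """Return the entity objects that make_set(todynamic(Entities)) would
    aggregate after the clean-up: the raw value parses as JSON too, but it
    still contains the bare {"$ref":...} placeholders and "$id" labels."""
    return json.loads(strip_entity_refs(raw))


def raw_entity_count(raw: str) -> int:
    """Number of array members before the clean-up (placeholders included)."""
    return len(json.loads(raw))


if __name__ == "__main__":
    print(raw_entity_count(SAMPLE_ENTITIES), "raw members")
    for entity in clean_entities(SAMPLE_ENTITIES):
        print(entity)
```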

Details

Jose Sebastián Canós

Released: December 26, 2023

Tables

SecurityAlert

Keywords

SecurityAlert, AlertName, ProviderName, ExtendedProperties, CompromisedEntity, ClientApplication, ClientPrincipalName, ClientIPAddress, Entities, TimeGenerated, StartTime, EndTime, AlertSeverity, Description, RemediationSteps, ResourceIds, AlertLink, Tactics, Techniques

Operators

where, has, !=, extend, tostring, replace_regex, summarize, min, max, make_set, tolower, take_any, by, project