Query Details

Security Alert Possible Attack Tool Detected

Query

SecurityAlert
| where AlertName has "Possible attack tool detected" and ProviderName != "ASI Scheduled Alerts"
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    Computer = tostring(ExtendedProperties["Compromised Host"]),
    Account = tostring(ExtendedProperties["User Name"]),
    Process = tostring(ExtendedProperties["Suspicious Process"]),
    CommandLine = tostring(ExtendedProperties["Suspicious Command Line"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    Processes = make_set(Process, 250),
    CommandLines = make_set(CommandLine, 250),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Computer, Account
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceId,
    StartTime,
    EndTime,
    Computer,
    Account,
    Processes,
    CommandLines,
    AlertLinks,
    Tactics,
    Techniques,
    Entities

Explanation

This query retrieves security alerts whose alert name contains "Possible attack tool detected" and whose provider is not "ASI Scheduled Alerts". It parses the ExtendedProperties JSON and extracts the compromised host, user name, suspicious process, and suspicious command line from it. The Entities field is cleaned with replace_regex to remove the `$id` and `$ref` bookkeeping keys before it is parsed as dynamic data. The query then groups the alerts by alert name, severity, description, lowercased resource ID, computer, and account, collecting up to 250 distinct processes, command lines, and alert links per group, the earliest start time, the latest end time, and one representative value for remediation steps, tactics, and techniques, and finally projects the fields shown in the result.
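The entity-cleaning step is the least obvious part of the query, so here is an added example (not part of the original page, and not the author's code) that applies the same regular expression in Python to a constructed Entities string in the `$id`/`$ref` serialisation shape that the query is removing. The sample alerts, host names, and identifiers are made up for illustration; `unique_entities` is my own approximation of what deduplicating the cleaned entities across alerts achieves, not a reproduction of Kusto's `make_set` semantics.

```python
import json
import re

# The exact pattern the query passes to replace_regex(). It is written for RE2
# (Kusto) but every escape in it is also accepted by Python's re module.
# Alternatives, in order:
#   1. ,"Name":{"$ref":"N"}   a property whose value is only a back-reference
#   2. ,{"$ref":"N"}          an array element that is only a back-reference
#   3. "$id":"N",             the object-id key that starts each entity
ENTITY_CLEAN_RE = re.compile(
    r'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,'
)

# Constructed sample Entities strings (not real alert data). They follow the
# $id/$ref serialisation shape the query is cleaning; the numbering differs
# between the two alerts even though both describe the same host.
SAMPLE_ALERT_A = (
    '[{"$id":"3","HostName":"host01","Type":"host"},'
    '{"$id":"4","Name":"user1","Host":{"$ref":"3"},"Type":"account"},'
    '{"$id":"5","ProcessId":"1234","CommandLine":"tool.exe -x",'
    '"Host":{"$ref":"3"},"Account":{"$ref":"4"},"Type":"process"}]'
)
SAMPLE_ALERT_B = (
    '[{"$id":"7","HostName":"host01","Type":"host"},'
    '{"$id":"8","Name":"user2","Host":{"$ref":"7"},"Type":"account"}]'
)


def clean_entities(raw: str) -> str:
    """Apply the query's replace_regex step to one Entities string."""
    return ENTITY_CLEAN_RE.sub("", raw)


def parse_entities(raw: str) -> list:
    """Clean and then parse, the way todynamic() consumes the cleaned string."""
    return json.loads(clean_entities(raw))


def unique_entities(raw_alerts) -> list:
    """Union of entity objects across several alerts, de-duplicated on their
    cleaned JSON form. Once the per-alert $id/$ref bookkeeping is gone, the
    same host reported by two alerts collapses into one entity (assumption:
    this is the reason the query cleans the field before make_set)."""
    seen = {}
    for raw in raw_alerts:
        for entity in parse_entities(raw):
            seen.setdefault(json.dumps(entity, sort_keys=True), entity)
    return list(seen.values())


if __name__ == "__main__":
    print(clean_entities(SAMPLE_ALERT_A))
    for entity in unique_entities([SAMPLE_ALERT_A, SAMPLE_ALERT_B]):
        print(entity)
```

One caveat worth knowing when reading the cleaned output: the second alternative only matches a `$ref` element that is preceded by a comma, so a `$ref` object that is the first element of an array is left in place (for example `{"Hosts":[{"$ref":"3"},{"$ref":"4"}]}` becomes `{"Hosts":[{"$ref":"3"}]}`). The result is still valid JSON, but such a leftover reference will keep otherwise identical entities from deduplicating.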

Details


Jose Sebastián Canós

Released: March 28, 2023

Tables

SecurityAlert

Keywords

SecurityAlert,AlertName,ProviderName,ExtendedProperties,CompromisedHost,UserName,SuspiciousProcess,SuspiciousCommandLine,Entities,TimeGenerated,StartTime,EndTime,Processes,CommandLines,AlertLink,RemediationSteps,Tactics,Techniques,Description,ResourceId,Computer,Account

Operators

where, has, !=, extend, tostring, todynamic, replace_regex, summarize, min, max, make_set, take_any, by, project
