Security Alert Possible Attack Tool Detected
Query
SecurityAlert
| where AlertName has "Possible attack tool detected" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
Computer = tostring(ExtendedProperties["Compromised Host"]),
Account = tostring(ExtendedProperties["User Name"]),
Process = tostring(ExtendedProperties["Suspicious Process"]),
CommandLine = tostring(ExtendedProperties["Suspicious Command Line"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
TimeGenerated = min(TimeGenerated),
StartTime = min(StartTime),
EndTime = max(EndTime),
Processes = make_set(Process, 250),
CommandLines = make_set(CommandLine, 250),
AlertLinks = make_set(AlertLink, 250),
Entities = make_set(todynamic(Entities)),
take_any(RemediationSteps, Tactics, Techniques)
by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Computer, Account
| project
TimeGenerated,
AlertName,
AlertSeverity,
Description,
RemediationSteps,
ResourceId,
StartTime,
EndTime,
Computer,
Account,
Processes,
CommandLines,
AlertLinks,
Tactics,
Techniques,
EntitiesExplanation
This KQL (Kusto Query Language) query is designed to analyze security alerts from Azure Security Center that are related to potential attack tools. Here's a simplified breakdown of what the query does:
-
Filter Alerts: It starts by filtering the
SecurityAlerttable to find alerts with the name "Possible attack tool detected" and ensures these alerts are specifically from the "Azure Security Center" provider. -
Summarize Alerts: It groups these alerts by
SystemAlertIdand selects the earliest occurrence of each alert based on theTimeGeneratedfield. -
Extract Details: The query extracts specific details from the
ExtendedPropertiesfield of each alert, such as the compromised host (Computer), the user account involved (Account), the suspicious process (Process), and the command line used (CommandLine). -
Clean Entities: It cleans up the
Entitiesfield by removing certain patterns to make the data more readable. -
Aggregate Information: The query aggregates various pieces of information for each alert:
- It calculates the earliest and latest times (
StartTimeandEndTime) the alert was generated. - It compiles lists of unique processes, command lines, and alert links associated with each alert.
- It gathers any remediation steps, tactics, and techniques related to the alert.
- It calculates the earliest and latest times (
-
Project Results: Finally, it selects and organizes the relevant fields to display, including:
- The time the alert was generated (
TimeGenerated). - The alert's name, severity, and description.
- Remediation steps and resource ID (converted to lowercase).
- The start and end times of the alert.
- Details about the computer and account involved.
- Lists of processes, command lines, and alert links.
- Tactics, techniques, and cleaned entities.
- The time the alert was generated (
In essence, this query is used to identify and summarize potential attack tool detections from Azure Security Center, providing a comprehensive view of each alert's details and context.
Details

Jose Sebastián Canós
Released: February 5, 2024
Tables
Keywords
Operators