Query Details

Security Alert Possible Attack Tool Detected

Query

SecurityAlert
| where AlertName has "Possible attack tool detected" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    Computer = tostring(ExtendedProperties["Compromised Host"]),
    Account = tostring(ExtendedProperties["User Name"]),
    Process = tostring(ExtendedProperties["Suspicious Process"]),
    CommandLine = tostring(ExtendedProperties["Suspicious Command Line"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    Processes = make_set(Process, 250),
    CommandLines = make_set(CommandLine, 250),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Computer, Account
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceId,
    StartTime,
    EndTime,
    Computer,
    Account,
    Processes,
    CommandLines,
    AlertLinks,
    Tactics,
    Techniques,
    Entities

Explanation

This KQL (Kusto Query Language) query is designed to analyze security alerts from Azure Security Center that are related to potential attack tools. Here's a simplified breakdown of what the query does:

  1. Filter Alerts: It starts by filtering the SecurityAlert table to find alerts with the name "Possible attack tool detected" and ensures these alerts are specifically from the "Azure Security Center" provider.

  2. Summarize Alerts: It groups these alerts by SystemAlertId and selects the earliest occurrence of each alert based on the TimeGenerated field.

  3. Extract Details: The query extracts specific details from the ExtendedProperties field of each alert, such as the compromised host (Computer), the user account involved (Account), the suspicious process (Process), and the command line used (CommandLine).

  4. Clean Entities: It cleans up the Entities field by removing certain patterns to make the data more readable.

  5. Aggregate Information: The query aggregates various pieces of information for each alert:

    • It calculates the earliest and latest times (StartTime and EndTime) the alert was generated.
    • It compiles lists of unique processes, command lines, and alert links associated with each alert.
    • It gathers any remediation steps, tactics, and techniques related to the alert.
  6. Project Results: Finally, it selects and organizes the relevant fields to display, including:

    • The time the alert was generated (TimeGenerated).
    • The alert's name, severity, and description.
    • Remediation steps and resource ID (converted to lowercase).
    • The start and end times of the alert.
    • Details about the computer and account involved.
    • Lists of processes, command lines, and alert links.
    • Tactics, techniques, and cleaned entities.

In essence, this query is used to identify and summarize potential attack tool detections from Azure Security Center, providing a comprehensive view of each alert's details and context.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: February 5, 2024

Tables

SecurityAlert

Keywords

SecurityAlertAzureSecurityCenterSystemAlertIdCompromisedHostUserNameSuspiciousProcessCommandLineEntitiesTimeGeneratedStartTimeEndTimeAlertNameAlertSeverityDescriptionResourceIdComputerAccountProcessesCommandLinesAlertLinksRemediationStepsTacticsTechniques

Operators

wherehasandsummarizearg_minbyextendtodynamictostringreplace_regexminmaxmake_settake_anytolowerproject

Actions

GitHub