Query Details
SecurityAlert
| where AlertName has "Possible exploitation of Hadoop Yarn" and ProviderName != "ASI Scheduled Alerts"
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
Computer = tostring(ExtendedProperties["Compromised Host"]),
Account = tostring(ExtendedProperties["User Name"]),
Process = tostring(ExtendedProperties["Suspicious Process"]),
CommandLine = tostring(ExtendedProperties["Suspicious Command Line"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
TimeGenerated = min(TimeGenerated),
StartTime = min(StartTime),
EndTime = max(EndTime),
Processes = make_set(Process, 250),
CommandLines = make_set(CommandLine, 250),
AlertLinks = make_set(AlertLink, 250),
Entities = make_set(todynamic(Entities)),
take_any(RemediationSteps, Tactics, Techniques)
by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Computer, Account
| project
TimeGenerated,
AlertName,
AlertSeverity,
Description,
RemediationSteps,
ResourceId,
StartTime,
EndTime,
Computer,
Account,
Processes,
CommandLines,
AlertLinks,
Tactics,
Techniques,
Entities
This query retrieves SecurityAlert records whose name contains "Possible exploitation of Hadoop Yarn", excluding alerts from the "ASI Scheduled Alerts" provider. It parses ExtendedProperties to extract the compromised host, user name, suspicious process and suspicious command line, and strips the "$id"/"$ref" JSON cross-reference fragments from Entities so the field can be parsed as a clean dynamic array. The rows are then grouped by alert name, severity, description, lower-cased resource ID, computer and account, aggregating the earliest TimeGenerated and StartTime, the latest EndTime, sets of up to 250 processes, command lines and alert links, the distinct entities, and one representative RemediationSteps, Tactics and Techniques value per group. Finally, it projects those fields for the result.
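As an added example (not part of the original query page), the following Python reproduces the query's filter, entity-cleaning regex and summarize steps over constructed SecurityAlert-like rows, so the effect of each stage can be inspected offline; the helper names and sample values are assumptions.

```python
import json
import re

# Mirrors the query's replace_regex: strips the ',"Name":{"$ref":"N"}', ',{"$ref":"N"}'
# and '"$id":"N",' fragments Sentinel emits in Entities for JSON cross-references.
REF_CLEANUP = re.compile(r'(,"\w+":\{"\$ref":"\d+"\}|,\{"\$ref":"\d+"\})|"\$id":"\d+",')

# Constructed SecurityAlert-like rows (sample data, not real alerts). Rows 1 and 2 differ
# only in ResourceId casing and process; row 3 comes from the provider the query excludes.
def make_row(provider, resource_id, process, entities):
    ext = {"Compromised Host": "vm1", "User Name": "yarn",
           "Suspicious Process": process, "Suspicious Command Line": process + " -c id"}
    return {"AlertName": "Possible exploitation of Hadoop Yarn", "ProviderName": provider,
            "AlertSeverity": "High", "ResourceId": resource_id,
            "StartTime": "2023-03-01T10:00:00Z", "EndTime": "2023-03-01T10:05:00Z",
            "ExtendedProperties": json.dumps(ext), "Entities": entities}

SAMPLE_ROWS = [
    make_row("Azure Security Center", "/Subscriptions/S1/VM1", "bash",
             '[{"$id":"1","Type":"host","HostName":"vm1"},{"$id":"2","Type":"process","Host":{"$ref":"1"}}]'),
    make_row("Azure Security Center", "/subscriptions/s1/vm1", "sh",
             '[{"$id":"1","Type":"host","HostName":"vm1"}]'),
    make_row("ASI Scheduled Alerts", "/subscriptions/s1/vm1", "bash", '[]'),
]

def clean_entities(entities_json):
    """Apply the cleanup pattern, then parse (the query's todynamic step)."""
    return json.loads(REF_CLEANUP.sub("", entities_json))

def summarize_yarn_alerts(rows):
    """Emulate the query's filter, extend and summarize: group by (AlertName, AlertSeverity,
    lower-cased ResourceId, Computer, Account) with earliest start, latest end, distinct sets."""
    groups = {}
    for row in rows:
        if ("Possible exploitation of Hadoop Yarn" not in row["AlertName"]
                or row["ProviderName"] == "ASI Scheduled Alerts"):
            continue
        ext = json.loads(row["ExtendedProperties"])
        key = (row["AlertName"], row["AlertSeverity"], row["ResourceId"].lower(),
               ext["Compromised Host"], ext["User Name"])
        g = groups.setdefault(key, {"StartTime": row["StartTime"], "EndTime": row["EndTime"],
                                    "Processes": set(), "CommandLines": set(), "Entities": []})
        g["StartTime"] = min(g["StartTime"], row["StartTime"])
        g["EndTime"] = max(g["EndTime"], row["EndTime"])
        g["Processes"].add(ext["Suspicious Process"])
        g["CommandLines"].add(ext["Suspicious Command Line"])
        for ent in clean_entities(row["Entities"]):
            if ent not in g["Entities"]:  # make_set semantics: keep distinct objects only
                g["Entities"].append(ent)
    return groups
```

Running `summarize_yarn_alerts(SAMPLE_ROWS)` yields a single group: the two Azure Security Center rows merge because ResourceId is lower-cased before grouping, while the ASI Scheduled Alerts row is dropped.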

Jose Sebastián Canós
Released: March 28, 2023