Query Details

Security Alert Script Extension Mismatch Detected

Query

SecurityAlert
// Exclude alerts raised by Sentinel's own scheduled analytics rules (ProviderName
// "ASI Scheduled Alerts") so an alert a rule has already re-raised is not counted twice
| where AlertName has "Script extension mismatch detected" and ProviderName != "ASI Scheduled Alerts"
// ExtendedProperties is a JSON string; parse it and surface the fields worth pivoting on
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    Computer = tostring(ExtendedProperties["Compromised Host"]),
    UserName = tostring(ExtendedProperties["User Name"]),
    Process = tostring(ExtendedProperties["Suspicious Process"]),
    CommandLine = tostring(ExtendedProperties["Suspicious Command Line"]),
    ResourceType = tostring(ExtendedProperties["resourceType"])
// Clean Entities: strip the serializer's per-alert "$id" counters and {"$ref"} stubs so
// the same entity serializes identically across alerts and make_set() can deduplicate it
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
// One row per alert/host/resource; each make_set() is capped at 250 distinct values
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    UserNames = make_set(UserName, 250),
    Processes = make_set(Process, 250),
    CommandLines = make_set(CommandLine, 250), 
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Computer, ResourceType
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceId,
    ResourceType,
    StartTime,
    EndTime,
    Computer,
    UserNames,
    Processes,
    CommandLines,
    AlertLinks,
    Tactics,
    Techniques,
    Entities

Explanation

This query retrieves SecurityAlert rows whose AlertName contains "Script extension mismatch detected" and whose ProviderName is not "ASI Scheduled Alerts", the provider name Sentinel assigns to alerts generated by its own scheduled analytics rules; excluding it keeps an alert that a rule has already re-raised from appearing twice. It then parses the ExtendedProperties JSON string and extracts the compromised host, user name, suspicious process, suspicious command line and resource type into their own columns (Computer, UserName, Process, CommandLine and ResourceType).

Next, it cleans the Entities JSON by removing the serializer's "$id" counters and {"$ref"} back-references. These are numbered per alert rather than being entity data, so stripping them lets the same entity compare equal across alerts when it is collected into a set. It then summarizes the data by grouping on alert name, severity, description, resource ID (lower-cased so that differently cased forms of the same ID fall into one group), computer and resource type. For each group it takes the earliest TimeGenerated and StartTime and the latest EndTime, builds sets of user names, processes, command lines and alert links (each capped at 250 distinct values), collects the cleaned entities into a set, and takes any one value of remediation steps, tactics and techniques.

Finally, it projects the selected properties and outputs the results.
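The entity clean-up and the ExtendedProperties extraction are the two steps that are easiest to get wrong when adapting this query, so here is an added Python example (written for this page, not code from the query's author or from the Sentinel project) that reproduces both over constructed input and shows why the clean-up matters for make_set(). The regex is the query's own, copied verbatim; the sample Entities and ExtendedProperties strings are constructed, and the entity keys (HostName, Name, ProcessId, CommandLine, Type) and the resourceType value are assumptions rather than anything the page states.

```python
import json
import re

# Pattern copied verbatim from the query's replace_regex() call. The escaping is the
# KQL original's (RE2 syntax); every escape in it is also legal for Python's re module.
# It removes three shapes of serializer marker:
#   ,"Key":{"$ref":"N"}   a back-reference to an entity serialized earlier in the array
#   ,{"$ref":"N"}         the same back-reference as a bare array element
#   "$id":"N",            the per-object counter, assumed to be the object's first key
ENTITY_REF_PATTERN = re.compile(
    r'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,'
)

# Column name -> ExtendedProperties key, exactly as the query's extend step maps them.
EXTENDED_PROPERTY_COLUMNS = {
    "Computer": "Compromised Host",
    "UserName": "User Name",
    "Process": "Suspicious Process",
    "CommandLine": "Suspicious Command Line",
    "ResourceType": "resourceType",
}

# Constructed sample inputs (not real alert data). The entity keys HostName, Name,
# ProcessId, CommandLine and Type, and the resourceType value, are assumptions; the
# "$id"/"$ref" layout is the shape the query's regex is written for.
SAMPLE_EXTENDED_PROPERTIES = (
    '{"Compromised Host":"vm-web-01","User Name":"svc-deploy",'
    '"Suspicious Process":"powershell.exe",'
    '"Suspicious Command Line":"powershell.exe -File setup.ps1",'
    '"resourceType":"Virtual Machine"}'
)
ALERT_1_ENTITIES = (
    '[{"$id":"3","HostName":"vm-web-01","Type":"host"},'
    '{"$id":"4","Name":"svc-deploy","Host":{"$ref":"3"},"Type":"account"},'
    '{"$id":"5","ProcessId":"4120","CommandLine":"powershell.exe -File setup.ps1",'
    '"Host":{"$ref":"3"},"Account":{"$ref":"4"},"Type":"process"}]'
)
# A second alert for the same host and account: the serializer numbered them differently.
ALERT_2_ENTITIES = (
    '[{"$id":"7","HostName":"vm-web-01","Type":"host"},'
    '{"$id":"8","Name":"svc-deploy","Host":{"$ref":"7"},"Type":"account"}]'
)


def extract_extended_properties(raw: str) -> dict:
    """Mirror the extend step: parse the JSON string and rename the five keys to columns.
    KQL's tostring() of a missing property is an empty string, so do the same here."""
    props = json.loads(raw)
    return {column: str(props.get(key, "")) for column, key in EXTENDED_PROPERTY_COLUMNS.items()}


def clean_entities(raw: str) -> str:
    """Equivalent of replace_regex(Entities, ..., ''): drop the $id/$ref markers."""
    return ENTITY_REF_PATTERN.sub("", raw)


def parse_entities(raw: str) -> list:
    """Clean, then parse, as todynamic(Entities) does inside the summarize step."""
    return json.loads(clean_entities(raw))


def count_distinct_entities(entity_blobs: list, clean: bool = True) -> int:
    """Mimic make_set() over several alerts' Entities columns: how many distinct entity
    objects survive. With clean=False the per-alert numbering keeps identical entities apart."""
    seen = set()
    for blob in entity_blobs:
        for obj in json.loads(clean_entities(blob) if clean else blob):
            seen.add(json.dumps(obj, sort_keys=True))
    return len(seen)


if __name__ == "__main__":
    print(extract_extended_properties(SAMPLE_EXTENDED_PROPERTIES))
    print(clean_entities(ALERT_1_ENTITIES))
    both = [ALERT_1_ENTITIES, ALERT_2_ENTITIES]
    print("distinct entities, raw:", count_distinct_entities(both, clean=False))
    print("distinct entities, cleaned:", count_distinct_entities(both))
```

Run it directly to print the cleaned JSON and the two distinct-entity counts. The pattern removes "$id" together with the comma that follows it, so it relies on "$id" being the first key in each object, and stripping a {"$ref"} drops the cross-reference it carried (which account ran which process); the query accepts that because UserName, Process and CommandLine are already carried as separate columns from ExtendedProperties.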

Details

Jose Sebastián Canós

Released: March 28, 2023

Tables

SecurityAlert

Keywords

SecurityAlert,AlertName,ProviderName,ExtendedProperties,CompromisedHost,UserName,SuspiciousProcess,SuspiciousCommandLine,resourceType,Entities,TimeGenerated,StartTime,EndTime,UserName,Process,CommandLine,ResourceType,RemediationSteps,AlertLink,Description,ResourceId,AlertSeverity,Tactics,Techniques

Operators

where,has,!=,extend,tostring,todynamic,replace_regex,summarize,min,max,make_set,take_any,by,project