Security Alert Suspicious Request To Kubernetes API
Query
SecurityAlert
| where AlertName has "Suspicious request to Kubernetes API" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
APIRequest = tostring(ExtendedProperties["API Request"]),
ContainerID = tostring(ExtendedProperties["Container ID"]),
ImageName = tostring(ExtendedProperties["Image Name"]),
UserName = tostring(ExtendedProperties["User Name"]),
ResourceType = tostring(ExtendedProperties["resourceType"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
TimeGenerated = min(TimeGenerated),
StartTime = min(StartTime),
EndTime = max(EndTime),
ContainerIDs = make_set(ContainerID, 250),
AlertLinks = make_set(AlertLink, 250),
Entities = make_set(todynamic(Entities)),
take_any(RemediationSteps, Tactics, Techniques)
by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), APIRequest, ImageName, UserName, ResourceType
| project
TimeGenerated,
AlertName,
AlertSeverity,
Description,
RemediationSteps,
ResourceId,
ResourceType,
StartTime,
EndTime,
ImageName,
UserName,
APIRequest,
ContainerIDs,
AlertLinks,
Tactics,
Techniques,
EntitiesExplanation
This KQL (Kusto Query Language) query is designed to analyze security alerts related to suspicious requests to the Kubernetes API, specifically those generated by Azure Security Center. Here's a simplified breakdown of what the query does:
-
Filter Alerts: It starts by filtering the
SecurityAlerttable to find alerts with the name "Suspicious request to Kubernetes API" and where the provider is "Azure Security Center". -
Summarize Alerts: For each unique alert (identified by
SystemAlertId), it selects the earliest occurrence (arg_min(TimeGenerated, *)). -
Extract Properties: It extracts specific details from the
ExtendedPropertiesfield, such asAPIRequest,ContainerID,ImageName,UserName, andResourceType. -
Clean Entities: It cleans up the
Entitiesfield by removing certain patterns using regular expressions to make the data more readable. -
Aggregate Data: It summarizes the data by:
- Finding the earliest (
min) and latest (max) times for the alerts. - Collecting unique
ContainerIDandAlertLinkvalues into sets. - Compiling a set of cleaned
Entities. - Selecting any available
RemediationSteps,Tactics, andTechniques.
- Finding the earliest (
-
Project Results: Finally, it selects and organizes specific fields to display in the output, including details like
TimeGenerated,AlertName,AlertSeverity,Description,RemediationSteps,ResourceId,ResourceType,StartTime,EndTime,ImageName,UserName,APIRequest,ContainerIDs,AlertLinks,Tactics,Techniques, andEntities.
In essence, this query is used to identify and summarize key details about suspicious Kubernetes API requests detected by Azure Security Center, providing a concise view of the alerts and associated metadata.
Details

Jose Sebastián Canós
Released: February 5, 2024
Tables
Keywords
Operators