Query Details
SecurityAlert
| where AlertName has "Suspicious request to Kubernetes API" and ProviderName != "ASI Scheduled Alerts"
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    APIRequest = tostring(ExtendedProperties["API Request"]),
    ContainerID = tostring(ExtendedProperties["Container ID"]),
    ImageName = tostring(ExtendedProperties["Image Name"]),
    UserName = tostring(ExtendedProperties["User Name"]),
    ResourceType = tostring(ExtendedProperties["resourceType"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    ContainerIDs = make_set(ContainerID, 250),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), APIRequest, ImageName, UserName, ResourceType
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceId,
    ResourceType,
    StartTime,
    EndTime,
    ImageName,
    UserName,
    APIRequest,
    ContainerIDs,
    AlertLinks,
    Tactics,
    Techniques,
    Entities
This query retrieves security alerts for suspicious requests to the Kubernetes API, excluding alerts raised by the "ASI Scheduled Alerts" provider. It then extracts specific properties (API request, container ID, image name, user name and resource type) from the ExtendedProperties field into named columns for easier analysis. It also cleans up the Entities field by stripping the serializer's "$id" and "$ref" bookkeeping so the remaining JSON can be parsed as a plain list of entities. Finally, it summarizes the alerts by alert name, severity, description, lower-cased resource ID, API request, image name, user name and resource type (collecting the container IDs, alert links and entities of each group, with the earliest start and latest end time) and projects the desired columns for further analysis.
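The following is an added Python rendering of the query's pipeline (filter, property extraction, Entities cleanup, grouping) run over three constructed SecurityAlert-shaped records; it is not part of the original page and not Microsoft's code. It reuses the page's own regex, which Python's re module accepts unchanged, and shows what the cleanup leaves behind and why the lower-cased ResourceId makes two alerts collapse into one row. The sample alert values, provider names, links and IDs are placeholders, and the substring match stands in for KQL's term-based `has`.

```python
import json
import re

# The same RE2 pattern the query's "Clean Entities" step uses; it is also a valid Python regex.
# It drops "$id":"N", members and ,"Name":{"$ref":"N"} / ,{"$ref":"N"} back-references,
# which are serializer bookkeeping in the Entities column rather than analyst data.
ENTITIES_CLEANUP = re.compile(
    r'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\,{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,'
)

GROUP_KEYS = ("AlertName", "AlertSeverity", "Description", "ResourceId",
              "APIRequest", "ImageName", "UserName", "ResourceType")


def clean_entities(entities_json: str) -> list:
    """Strip $id/$ref bookkeeping and parse what is left (a JSON array of entities)."""
    return json.loads(ENTITIES_CLEANUP.sub("", entities_json))


def summarize_alerts(alerts: list) -> list:
    """Python stand-in for the query's where / extend / summarize / project pipeline."""
    groups = {}
    for alert in alerts:
        # `where` clause; KQL `has` is term-based, a substring test is close enough here.
        if ("Suspicious request to Kubernetes API" not in alert["AlertName"]
                or alert["ProviderName"] == "ASI Scheduled Alerts"):
            continue
        # `extend`: pull named properties out of ExtendedProperties; tostring() of a
        # missing property yields "" in KQL, so default to "" as well.
        props = json.loads(alert["ExtendedProperties"])
        fields = {
            "APIRequest": props.get("API Request", ""),
            "ContainerID": props.get("Container ID", ""),
            "ImageName": props.get("Image Name", ""),
            "UserName": props.get("User Name", ""),
            "ResourceType": props.get("resourceType", ""),
        }
        key = (alert["AlertName"], alert["AlertSeverity"], alert["Description"],
               alert["ResourceId"].lower(), fields["APIRequest"], fields["ImageName"],
               fields["UserName"], fields["ResourceType"])
        grp = groups.get(key)
        if grp is None:
            # take_any(): the first alert seen in the group supplies these columns.
            grp = groups[key] = {
                "TimeGenerated": alert["TimeGenerated"], "StartTime": alert["StartTime"],
                "EndTime": alert["EndTime"], "ContainerIDs": set(), "AlertLinks": set(),
                "Entities": {}, "RemediationSteps": alert["RemediationSteps"],
                "Tactics": alert["Tactics"], "Techniques": alert["Techniques"],
            }
        # ISO-8601 timestamps of equal length compare correctly as strings.
        grp["TimeGenerated"] = min(grp["TimeGenerated"], alert["TimeGenerated"])
        grp["StartTime"] = min(grp["StartTime"], alert["StartTime"])
        grp["EndTime"] = max(grp["EndTime"], alert["EndTime"])
        # make_set(..., 250): KQL caps these sets at 250 elements.
        if len(grp["ContainerIDs"]) < 250:
            grp["ContainerIDs"].add(fields["ContainerID"])
        if len(grp["AlertLinks"]) < 250:
            grp["AlertLinks"].add(alert["AlertLink"])
        # make_set() over dynamic values: dedupe entities by their canonical JSON form.
        for entity in clean_entities(alert["Entities"]):
            grp["Entities"].setdefault(json.dumps(entity, sort_keys=True), entity)

    rows = []
    for key, grp in groups.items():
        row = dict(zip(GROUP_KEYS, key))
        row.update(grp)
        row["ContainerIDs"] = sorted(row["ContainerIDs"])
        row["AlertLinks"] = sorted(row["AlertLinks"])
        row["Entities"] = list(row["Entities"].values())
        rows.append(row)
    return rows


# Constructed sample data shaped like SecurityAlert rows; every value is a placeholder.
CLUSTER = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
           "/providers/Microsoft.ContainerService/managedClusters/aks-demo")
ENTITIES = ('[{"$id":"1","ResourceId":"' + CLUSTER + '","Type":"azure-resource"},'
            '{"$id":"2","Name":"default","Cluster":{"$ref":"1"},"Type":"K8s-namespace"},'
            '{"$id":"3","Name":"nginx-7c6d","Namespace":{"$ref":"2"},"Type":"K8s-pod"}]')


def make_alert(container_id, resource_id, provider, t):
    return {
        "AlertName": "Suspicious request to Kubernetes API", "AlertSeverity": "Medium",
        "Description": "Kubernetes audit log analysis detected a suspicious request to the Kubernetes API.",
        "ProviderName": provider, "ResourceId": resource_id,
        "TimeGenerated": t, "StartTime": t, "EndTime": t,
        "AlertLink": "https://portal.example.invalid/alerts/" + container_id,  # placeholder link
        "RemediationSteps": "[\"Review the pod and the identity that issued the request.\"]",
        "Tactics": "Execution", "Techniques": "T1609", "Entities": ENTITIES,
        "ExtendedProperties": json.dumps({
            "API Request": "GET /api/v1/namespaces/default/pods", "Container ID": container_id,
            "Image Name": "nginx:1.25", "User Name": "system:serviceaccount:default:default",
            "resourceType": "Kubernetes Service",
        }),
    }


SAMPLE_ALERTS = [
    make_alert("aaaa1111", CLUSTER, "Azure Security Center", "2023-03-28T10:00:00Z"),
    # Same cluster, different casing: tolower(ResourceId) folds it into the first group.
    make_alert("bbbb2222", CLUSTER.upper(), "Azure Security Center", "2023-03-28T10:05:00Z"),
    # Excluded by the ProviderName filter.
    make_alert("cccc3333", CLUSTER, "ASI Scheduled Alerts", "2023-03-28T10:10:00Z"),
]

if __name__ == "__main__":
    for row in summarize_alerts(SAMPLE_ALERTS):
        print(json.dumps(row, indent=2))
```

Running it yields a single row with both container IDs, the earliest TimeGenerated, the latest EndTime and three entities with no "$id" or "$ref" members left, which is the same shape the KQL produces after `summarize` and `project`.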

Jose Sebastián Canós
Released: March 28, 2023