Incidents Of Entities In MDC Attack Paths
Query
arg("").securityresources
| where type == "microsoft.security/attackpaths"
| extend AttackPathDisplayName = tostring(properties["displayName"])
| mvexpand (properties.graphComponent.entities)
| extend Entity = parse_json(properties_graphComponent_entities)
| extend ResourceId = tostring(tolower(Entity.entityIdentifiers.azureResourceId))
| where isnotempty(ResourceId)
| extend AttackStory = parse_json(properties.attackStory)
| extend AttackDescription = parse_json(properties.description)
| project AttackPathDisplayName, AttackStory, AttackDescription, ResourceId
| join hint.remote=right (SecurityAlert
| extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray
| extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name)
| where Entitytype == "azure-resource"
| extend ResourceId = tostring(tolower(EntitiesDynamicArray.ResourceId))
| project AlertTimeGenerated = TimeGenerated, AlertName, AlertSeverity, ResourceId, AlertLink, AlertDescription = Description
) on ResourceId
| project-away ResourceId1Explanation
This KQL (Kusto Query Language) query is designed to analyze security data related to attack paths and alerts in a Microsoft security environment. Here's a simplified explanation of what the query does:
-
Data Source: It starts by accessing a dataset of security resources, specifically looking for entries of type "microsoft.security/attackpaths".
-
Extracting Information:
- It extracts the display name of each attack path and converts it to a string.
- It expands the list of entities involved in each attack path to analyze them individually.
- It extracts and standardizes the Azure Resource ID for each entity, ensuring it's in lowercase.
-
Filtering:
- It filters out any entries where the Resource ID is empty, ensuring only relevant data is processed.
-
Additional Details:
- It extracts additional details about each attack path, such as the attack story and description, converting them into JSON format for easier handling.
-
Projection:
- It selects specific columns to keep: the attack path display name, attack story, attack description, and resource ID.
-
Joining with Alerts:
- It joins this attack path data with another dataset containing security alerts.
- It expands the list of entities in each alert to analyze them individually.
- It filters for entities of type "azure-resource" and standardizes their Resource IDs.
- It selects specific columns from the alerts, such as the time the alert was generated, alert name, severity, and a link to the alert.
-
Final Output:
- It combines the attack path and alert data based on matching Resource IDs.
- It removes duplicate Resource ID columns from the final output.
In summary, this query correlates attack path information with security alerts based on Azure Resource IDs, providing a comprehensive view of potential security threats and their associated alerts.
Details

Thomas Naunheim
Released: January 21, 2024
Tables
securityresourcesSecurityAlert
Keywords
SecurityResourcesAttackPathsEntitiesResourceIdAlertTimeGeneratedNameSeverityLinkDescription
Operators
argwhereextendtostringmvexpandparse_jsontolowerisnotemptyprojectjoinhint.remotemv-expandproject-away