Query Details

Incidents Of Entities In MDC Attack Paths

Query

arg("").securityresources
| where type == "microsoft.security/attackpaths"
| extend AttackPathDisplayName = tostring(properties["displayName"])
| mvexpand (properties.graphComponent.entities)
| extend Entity = parse_json(properties_graphComponent_entities)
| extend ResourceId = tostring(tolower(Entity.entityIdentifiers.azureResourceId))
| where isnotempty(ResourceId)
| extend AttackStory = parse_json(properties.attackStory)
| extend AttackDescription = parse_json(properties.description)
| project AttackPathDisplayName, AttackStory, AttackDescription, ResourceId
| join hint.remote=right (SecurityAlert
    | extend EntitiesDynamicArray = parse_json(Entities) | mv-expand EntitiesDynamicArray
    | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type), EntityName = tostring(parse_json(EntitiesDynamicArray).Name)
    | where Entitytype == "azure-resource"
    | extend ResourceId = tostring(tolower(EntitiesDynamicArray.ResourceId))
    | project AlertTimeGenerated = TimeGenerated, AlertName, AlertSeverity, ResourceId, AlertLink, AlertDescription = Description
) on ResourceId
| project-away ResourceId1

Explanation

This KQL (Kusto Query Language) query is designed to analyze security data related to attack paths and alerts in a Microsoft security environment. Here's a simplified explanation of what the query does:

  1. Data Source: It starts by accessing a dataset of security resources, specifically looking for entries of type "microsoft.security/attackpaths".

  2. Extracting Information:

    • It extracts the display name of each attack path and converts it to a string.
    • It expands the list of entities involved in each attack path to analyze them individually.
    • It extracts and standardizes the Azure Resource ID for each entity, ensuring it's in lowercase.
  3. Filtering:

    • It filters out any entries where the Resource ID is empty, ensuring only relevant data is processed.
  4. Additional Details:

    • It extracts additional details about each attack path, such as the attack story and description, converting them into JSON format for easier handling.
  5. Projection:

    • It selects specific columns to keep: the attack path display name, attack story, attack description, and resource ID.
  6. Joining with Alerts:

    • It joins this attack path data with another dataset containing security alerts.
    • It expands the list of entities in each alert to analyze them individually.
    • It filters for entities of type "azure-resource" and standardizes their Resource IDs.
    • It selects specific columns from the alerts, such as the time the alert was generated, alert name, severity, and a link to the alert.
  7. Final Output:

    • It combines the attack path and alert data based on matching Resource IDs.
    • It removes duplicate Resource ID columns from the final output.

In summary, this query correlates attack path information with security alerts based on Azure Resource IDs, providing a comprehensive view of potential security threats and their associated alerts.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: January 21, 2024

Tables

securityresourcesSecurityAlert

Keywords

SecurityResourcesAttackPathsEntitiesResourceIdAlertTimeGeneratedNameSeverityLinkDescription

Operators

argwhereextendtostringmvexpandparse_jsontolowerisnotemptyprojectjoinhint.remotemv-expandproject-away

Actions

GitHub