Query Details

MDA App Governance Alerts With Enriched Information

Query

SecurityAlert
| where ProductName == "Microsoft Application Protection"
| where TimeGenerated > ago(1h)
| extend CloudAppUrl = parse_url(Description)
| extend CloudAppUrlParam = parse_json(tostring(CloudAppUrl.["Query Parameters"])).oauthAppId
| extend AppId = tostring(toguid(CloudAppUrlParam))
| extend Category = tostring(parse_json(ExtendedProperties).Category)
| extend AlertDisplayName = tostring(DisplayName)
| join kind=inner (
    PrivilegedWorkloadIdentityInfo
    | project
        WorkloadIdentityName,
        WorkloadIdentityType,
        IsFirstPartyApp,
        AppId = tostring(ApplicationId),
        tostring(ServicePrincipalObjectId),
        EnterpriseAccessModelTiering,
        EntraIdRoles,
        AppRolePermissions
    )
    on AppId
| join kind=inner (
    SecurityIncident
    | mv-expand AlertIds
    | extend SystemAlertId = tostring(AlertIds)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project
        SystemAlertId,
        IncidentUrl = AdditionalData.providerIncidentUrl,
        IncidentStatus = Status,
        IncidentName = IncidentNumber
    )
    on SystemAlertId

Explanation

This query is part of a scheduled analytic rule designed to monitor and create incidents from Microsoft Defender for Cloud Apps (MDA) governance alerts. Here's a simplified breakdown of what the query does:

  1. Source and Filtering: It starts by filtering security alerts from Microsoft Application Protection that were generated in the last hour.

  2. Data Enrichment:

    • Extracts and processes the URL from the alert description to get the OAuth application ID.
    • Retrieves additional details like the category and display name of the alert.
  3. Joining Data:

    • It joins this data with information from the PrivilegedWorkloadIdentityInfo table to get details about the application, such as its name, type, whether it's a first-party app, and its roles and permissions.
    • It also joins with the SecurityIncident table to get incident details like the incident URL, status, and name.
  4. Incident Creation:

    • If the conditions are met, it creates an incident with medium severity.
    • The incident configuration includes grouping settings to manage how incidents are grouped and whether closed incidents should be reopened.
  5. Alert Customization:

    • The alert details are customized with specific formats for display name and description.
    • Additional properties like alert link, techniques, provider name, and remediation steps are included.
  6. Entity Mapping:

    • It maps the application ID and workload identity name to a cloud application entity type for better tracking and management.
  7. Suppression:

    • Alerts are suppressed for 5 hours to prevent duplicate alerts from being generated too frequently.

Overall, this query automates the process of monitoring, enriching, and creating incidents from MDA governance alerts, providing detailed information and context to security teams for further investigation and response.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: November 18, 2023

Tables

SecurityAlertPrivilegedWorkloadIdentityInfoSecurityIncident

Keywords

SecurityAlertMicrosoftApplicationProtectionCloudPrivilegedWorkloadIdentitySecurityIncidentNameTypeServicePrincipalObjectIdEnterpriseAccessModelTieringEntraRolesAppRolePermissionsAlertIdsSystemAdditionalDataProviderUrlStatusNumberDescriptionTacticsSeverityLinkTechniquesRemediationStepsIsFirstPartyDirectoryMSGraph

Operators

==>ago()extendparse_url()parse_json()tostring()toguid()joinprojectmv-expandsummarizearg_max()

Severity

Medium

Frequency: 1h

Period: 1h

Actions

GitHub