Security Alert A History File Has Been Cleared
Query
let _ExpectedCommandLinesRegex = toscalar(
_GetWatchlist("Activity-ExpectedSignificantActivity")
| where Activity == "HistoryFileClearedCommand"
| summarize RegEx = make_list(Auxiliar)
| project RegEx = strcat(@'^(', strcat_array(RegEx, '|'), @')$')
);
SecurityAlert
| where AlertName has "A history file has been cleared" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
Computer = tostring(ExtendedProperties["Compromised Host"]),
Account = tostring(ExtendedProperties["User Name"]),
Process = tostring(ExtendedProperties["Suspicious Process"]),
CommandLine = tostring(ExtendedProperties["Suspicious Command Line"])
| where not(CommandLine matches regex _ExpectedCommandLinesRegex)
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
TimeGenerated = min(TimeGenerated),
StartTime = min(StartTime),
EndTime = max(EndTime),
Processes = make_set(Process, 250),
CommandLines = make_set(CommandLine, 250),
AlertLinks = make_set(AlertLink, 250),
Entities = make_set(todynamic(Entities)),
take_any(RemediationSteps, Tactics, Techniques)
by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Computer, Account
| project
TimeGenerated,
AlertName,
AlertSeverity,
Description,
RemediationSteps,
ResourceId,
StartTime,
EndTime,
Computer,
Account,
Processes,
CommandLines,
AlertLinks,
Tactics,
Techniques,
EntitiesExplanation
This KQL query is designed to analyze security alerts related to the clearing of history files, specifically those generated by Azure Security Center. Here's a simplified breakdown of what the query does:
-
Define Expected Command Lines: It retrieves a list of expected command lines related to the activity "HistoryFileClearedCommand" from a watchlist and compiles them into a regular expression pattern.
-
Filter Security Alerts: It searches for security alerts with the name "A history file has been cleared" and ensures they are from the "Azure Security Center" provider.
-
Select Earliest Alert: For each unique alert (identified by
SystemAlertId), it selects the earliest occurrence. -
Extract and Extend Properties: It extracts specific properties from the alert's extended properties, such as the compromised host, user name, suspicious process, and command line.
-
Exclude Expected Command Lines: It filters out alerts where the command line matches the expected pattern defined earlier, focusing on unexpected or suspicious activity.
-
Clean and Summarize Data: It cleans up the entities data by removing certain patterns and then summarizes the alerts. This includes aggregating processes, command lines, alert links, and entities, and capturing various details like time generated, alert severity, and remediation steps.
-
Project Final Output: Finally, it selects and organizes the relevant columns for output, providing a concise summary of the alerts with all the necessary details.
In essence, this query helps identify and summarize unexpected history file clearing activities on compromised hosts, providing insights into potential security incidents.
Details

Jose Sebastián Canós
Released: February 5, 2024
Tables
Keywords
Operators