Security Alert Adaptive Application Control Policy Violation Was Audited
Query
let _BenignFiles =
_GetWatchlist("File-BenignAzureExecution")
| project SubscriptionId = tostring(SubscriptionId), GroupName, FilePath
;
SecurityAlert
| where AlertName has "Adaptive application control policy violation was audited" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
FileProperties = extract_all(@"(Path: .*)", tostring(ExtendedProperties.File)),
ResourceType = tostring(ExtendedProperties.resourceType),
GroupName = tostring(ExtendedProperties.GroupName)
| mv-expand FileProperties to typeof(string)
| extend
FilePath = trim(@'\r', extract(@"Path: ([^;]*)", 1, FileProperties)),
FileSignature = extract(@"Signature : ([^;]*)", 1, FileProperties),
FileHitCount = extract(@"HitCount: ([^;]*)", 1, FileProperties),
AccountName = trim(@'\r', extract(@"User: ([^;]*)", 1, FileProperties)),
SubscriptionId = extract(@"^/subscriptions/([^/]+)/.+$", 1, ResourceId)
| summarize arg_max(TimeGenerated, *) by SubscriptionId, GroupName, AccountName, FilePath
| join kind=leftanti _BenignFiles on SubscriptionId, GroupName, FilePath
| project
TimeGenerated,
CompromisedEntity,
SubscriptionId,
GroupName,
AccountName,
FilePath,
ResourceType,
ResourceId,
AlertName,
Description,
ProviderName,
ProductName,
FileSignature,
FileHitCountExplanation
This KQL (Kusto Query Language) query is designed to identify and filter out security alerts related to application control policy violations in Azure. Here's a simplified breakdown of what the query does:
-
Define a List of Benign Files:
- It starts by creating a list of benign files from a watchlist named "File-BenignAzureExecution". This list includes the subscription ID, group name, and file path.
-
Filter Security Alerts:
- The query then looks at security alerts specifically for "Adaptive application control policy violation was audited" from the "Azure Security Center".
-
Summarize Alerts:
- It summarizes these alerts to get the earliest instance of each alert by
SystemAlertId.
- It summarizes these alerts to get the earliest instance of each alert by
-
Extract and Expand Properties:
- The query extracts detailed properties from the alerts, such as file paths, signatures, hit counts, and account names. It also expands these properties to handle multiple file entries.
-
Summarize by Key Attributes:
- It further summarizes the data to get the latest instance of each alert by subscription ID, group name, account name, and file path.
-
Exclude Benign Files:
- The query performs a left anti-join with the benign files list to exclude any alerts related to files that are known to be benign.
-
Project Relevant Information:
- Finally, it selects and displays relevant information such as the time the alert was generated, the compromised entity, subscription ID, group name, account name, file path, resource type, resource ID, alert name, description, provider name, product name, file signature, and file hit count.
In essence, this query helps in identifying potentially malicious file activities by filtering out known benign files and focusing on alerts that might indicate a security threat.
Details

Jose Sebastián Canós
Released: February 5, 2024
Tables
SecurityAlert
Keywords
SecurityAlertAzureSecurityCenterSubscriptionIdGroupNameFilePathSystemAlertIdExtendedPropertiesResourceTypeAccountNameResourceIdTimeGeneratedCompromisedEntityAlertNameDescriptionProviderNameProductNameFileSignatureFileHitCount
Operators
letprojectwheresummarizearg_minextendtodynamicextract_alltostringmv-expandtrimextractarg_maxjoinkind=leftanti