Query Details

Security Alert Antimalware Action

Query

SecurityAlert
| where AlertName has "Antimalware Action" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| where not(Status == "Dismissed")
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    ActionTaken = tostring(ExtendedProperties["ActionTaken"]),
    Category = tostring(ExtendedProperties["Category"]),
    FilePath = split(ExtendedProperties["File Path"], ", "),
    ProtectionType = tostring(ExtendedProperties["Protection Type"]),
    ThreatID = tostring(ExtendedProperties["Threat ID"]),
    ThreatStatus = tostring(ExtendedProperties["Threat Status"]),
    ThreatName = tostring(ExtendedProperties["ThreatName"])
| mv-expand FilePath to typeof(string)
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    Categories = array_sort_asc(make_set(Category)),
    Threats = make_set(bag_pack("ThreatName", ThreatName, "FilePath", FilePath, "ThreatID", ThreatID)),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), CompromisedEntity, ProtectionType, ActionTaken, ThreatStatus
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceId,
    StartTime,
    EndTime,
    CompromisedEntity,
    ProtectionType,
    ActionTaken,
    ThreatStatus,
    Categories,
    Threats,
    AlertLinks,
    Tactics,
    Techniques,
    Entities

Explanation

This KQL (Kusto Query Language) query is designed to analyze security alerts related to antimalware actions within Azure Security Center. Here's a simplified breakdown of what the query does:

  1. Filter Alerts: It starts by filtering the SecurityAlert table to find alerts with the name containing "Antimalware Action" and generated by "Azure Security Center".

  2. Select Earliest Alert: For each unique SystemAlertId, it selects the earliest alert based on TimeGenerated.

  3. Exclude Dismissed Alerts: It removes any alerts that have been marked as "Dismissed".

  4. Extract and Transform Data: It extracts various properties from the ExtendedProperties field, such as ActionTaken, Category, FilePath, ProtectionType, ThreatID, ThreatStatus, and ThreatName. The FilePath is split into individual paths.

  5. Expand File Paths: It expands the FilePath field so that each file path is treated as a separate entry.

  6. Clean Entities: It cleans up the Entities field by removing certain patterns using regular expressions.

  7. Summarize Data: It summarizes the data by grouping it based on several fields like AlertName, AlertSeverity, Description, ResourceId, CompromisedEntity, ProtectionType, ActionTaken, and ThreatStatus. It also aggregates other details:

    • Finds the earliest TimeGenerated and StartTime, and the latest EndTime.
    • Collects unique Categories and sorts them.
    • Gathers details about Threats, including ThreatName, FilePath, and ThreatID.
    • Compiles a list of AlertLinks and Entities.
    • Selects any available RemediationSteps, Tactics, and Techniques.
  8. Project Final Output: Finally, it selects specific fields to display in the output, including TimeGenerated, AlertName, AlertSeverity, Description, RemediationSteps, ResourceId, StartTime, EndTime, CompromisedEntity, ProtectionType, ActionTaken, ThreatStatus, Categories, Threats, AlertLinks, Tactics, Techniques, and Entities.

In summary, this query is used to analyze and summarize antimalware-related security alerts from Azure Security Center, providing detailed information about each alert, including threat details, actions taken, and associated entities.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: February 5, 2024

Tables

SecurityAlert

Keywords

SecurityAlertAzureSecurityCenterSystemAlertIdTimeGeneratedExtendedPropertiesActionTakenCategoryFilePathProtectionTypeThreatIDThreatStatusThreatNameEntitiesAlertNameAlertSeverityDescriptionResourceIdCompromisedEntityRemediationStepsTacticsTechniques

Operators

wherehasandsummarizearg_minbynotextendtodynamictostringsplitmv-expandtotypeofreplace_regexminmaxarray_sort_ascmake_setbag_packtake_anytolowerproject

Actions

GitHub