Security Alert Logon Activity From A Potentially Harmful Application
Query
SecurityAlert
| where AlertName has "Logon activity from a potentially harmful application" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
CompromisedEntity = tostring(ExtendedProperties["CompromisedEntity"]),
ClientApplication = tostring(ExtendedProperties["Client application"]),
ClientPrincipalName = tostring(ExtendedProperties["Client principal name"]),
ClientIPAddress = tostring(ExtendedProperties["Client IP address"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
TimeGenerated = min(TimeGenerated),
StartTime = min(StartTime),
EndTime = max(EndTime),
CompromisedEntities = make_set(CompromisedEntity, 250),
ClientPrincipalNames = make_set(ClientPrincipalName, 250),
ClientIPAddresses = make_set(ClientIPAddress, 250),
ResourceIds = make_set(tolower(ResourceId), 250),
AlertLinks = make_set(AlertLink, 250),
Entities = make_set(todynamic(Entities)),
take_any(RemediationSteps, Tactics, Techniques)
by AlertName, AlertSeverity, Description, ClientApplication
| project
TimeGenerated,
AlertName,
AlertSeverity,
Description,
RemediationSteps,
ResourceIds,
StartTime,
EndTime,
ClientApplication,
ClientIPAddresses,
ClientPrincipalNames,
CompromisedEntities,
AlertLinks,
Tactics,
Techniques,
EntitiesExplanation
This KQL (Kusto Query Language) query is designed to analyze security alerts related to suspicious logon activities from potentially harmful applications, specifically those detected by Azure Security Center. Here's a simplified breakdown of what the query does:
-
Filter Alerts: It starts by filtering the
SecurityAlerttable to find alerts with the name "Logon activity from a potentially harmful application" and where the provider is "Azure Security Center". -
Summarize Alerts: It groups the alerts by
SystemAlertIdand selects the earliest occurrence of each alert. -
Extract Properties: The query extracts specific details from the
ExtendedPropertiesfield, such as the compromised entity, client application, client principal name, and client IP address. -
Clean Up Entities: It cleans up the
Entitiesfield by removing certain patterns using regular expressions. -
Aggregate Data: The query aggregates various details:
- Finds the earliest and latest times (
TimeGenerated,StartTime,EndTime) for the alerts. - Collects unique sets of compromised entities, client principal names, client IP addresses, resource IDs, and alert links.
- Gathers any remediation steps, tactics, and techniques associated with the alerts.
- Finds the earliest and latest times (
-
Select and Project Data: Finally, it selects and organizes the relevant fields to be displayed, including time generated, alert name, severity, description, remediation steps, and other extracted and aggregated details.
The result is a summarized view of suspicious logon activity alerts, providing key information about each alert, including when it occurred, what entities were compromised, and any suggested remediation actions.
Details

Jose Sebastián Canós
Released: February 5, 2024
Tables
Keywords
Operators