Query Details

Security Alert Logon Activity From A Potentially Harmful Application

Query

SecurityAlert
| where AlertName has "Logon activity from a potentially harmful application" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    CompromisedEntity = tostring(ExtendedProperties["CompromisedEntity"]),
    ClientApplication = tostring(ExtendedProperties["Client application"]),
    ClientPrincipalName = tostring(ExtendedProperties["Client principal name"]),
    ClientIPAddress = tostring(ExtendedProperties["Client IP address"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    CompromisedEntities = make_set(CompromisedEntity, 250),
    ClientPrincipalNames = make_set(ClientPrincipalName, 250),
    ClientIPAddresses = make_set(ClientIPAddress, 250),
    ResourceIds = make_set(tolower(ResourceId), 250),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ClientApplication
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceIds,
    StartTime,
    EndTime,
    ClientApplication,
    ClientIPAddresses,
    ClientPrincipalNames,
    CompromisedEntities,
    AlertLinks,
    Tactics,
    Techniques,
    Entities

Explanation

This KQL (Kusto Query Language) query is designed to analyze security alerts related to suspicious logon activities from potentially harmful applications, specifically those detected by Azure Security Center. Here's a simplified breakdown of what the query does:

  1. Filter Alerts: It starts by filtering the SecurityAlert table to find alerts with the name "Logon activity from a potentially harmful application" and where the provider is "Azure Security Center".

  2. Summarize Alerts: It groups the alerts by SystemAlertId and selects the earliest occurrence of each alert.

  3. Extract Properties: The query extracts specific details from the ExtendedProperties field, such as the compromised entity, client application, client principal name, and client IP address.

  4. Clean Up Entities: It cleans up the Entities field by removing certain patterns using regular expressions.

  5. Aggregate Data: The query aggregates various details:

    • Finds the earliest and latest times (TimeGenerated, StartTime, EndTime) for the alerts.
    • Collects unique sets of compromised entities, client principal names, client IP addresses, resource IDs, and alert links.
    • Gathers any remediation steps, tactics, and techniques associated with the alerts.
  6. Select and Project Data: Finally, it selects and organizes the relevant fields to be displayed, including time generated, alert name, severity, description, remediation steps, and other extracted and aggregated details.

The result is a summarized view of suspicious logon activity alerts, providing key information about each alert, including when it occurred, what entities were compromised, and any suggested remediation actions.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: February 5, 2024

Tables

SecurityAlert

Keywords

SecurityAlertAzureSecurityCenterLogonActivityApplicationSystemAlertIdTimeGeneratedCompromisedEntityClientApplicationClientPrincipalNameClientIPAddressEntitiesStartTimeEndTimeResourceIdsAlertLinksRemediationStepsTacticsTechniquesAlertNameAlertSeverityDescription

Operators

wherehas==summarizearg_minbyextendtodynamictostringreplace_regex@minmaxmake_settolowertake_anyproject

Actions

GitHub