Query Details

Security Alert Possible Exploitation Of Hadoop Yarn

Query

SecurityAlert
| where AlertName has "Possible exploitation of Hadoop Yarn" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    Computer = tostring(ExtendedProperties["Compromised Host"]),
    Account = tostring(ExtendedProperties["User Name"]),
    Process = tostring(ExtendedProperties["Suspicious Process"]),
    CommandLine = tostring(ExtendedProperties["Suspicious Command Line"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    Processes = make_set(Process, 250),
    CommandLines = make_set(CommandLine, 250),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Computer, Account
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceId,
    StartTime,
    EndTime,
    Computer,
    Account,
    Processes,
    CommandLines,
    AlertLinks,
    Tactics,
    Techniques,
    Entities

Explanation

This KQL (Kusto Query Language) query is designed to analyze security alerts related to potential exploitation of Hadoop Yarn, specifically those generated by Azure Security Center. Here's a simplified breakdown of what the query does:

  1. Filter Alerts: It starts by filtering the SecurityAlert table to find alerts with the name "Possible exploitation of Hadoop Yarn" and ensures these alerts are from the "Azure Security Center" provider.

  2. Select Earliest Alert: For each unique system alert, it selects the earliest occurrence based on the TimeGenerated field.

  3. Extract Details: It extracts specific details from the ExtendedProperties field, such as the compromised host (Computer), user name (Account), suspicious process (Process), and suspicious command line (CommandLine).

  4. Clean Entities: The query cleans up the Entities field by removing certain patterns using regular expressions.

  5. Summarize Data: It summarizes the data by:

    • Finding the earliest and latest times (TimeGenerated, StartTime, EndTime).
    • Collecting unique sets of processes, command lines, and alert links.
    • Grouping by alert name, severity, description, resource ID, computer, and account.
    • Selecting any available remediation steps, tactics, and techniques.
  6. Project Final Output: Finally, it projects (selects) the relevant fields to be displayed in the output, including the time generated, alert details, remediation steps, resource ID, time range, computer, account, processes, command lines, alert links, tactics, techniques, and entities.

In essence, this query is used to identify and summarize key information about specific security alerts related to Hadoop Yarn exploitation, providing a concise overview of the incidents for further analysis or action.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: February 5, 2024

Tables

SecurityAlert

Keywords

SecurityAlertAzureSecurityCenterSystemAlertIdTimeGeneratedExtendedPropertiesComputerAccountProcessCommandLineEntitiesAlertNameAlertSeverityDescriptionResourceIdStartTimeEndTimeRemediationStepsTacticsTechniquesAlertLinks

Operators

wherehas==summarizearg_minbyextendtodynamictostringreplace_regexminmaxmake_settake_anytolowerproject

Actions

GitHub