Query Details

Security Alert Ps Exec Execution Detected

Query

SecurityAlert
| where AlertName has "PsExec execution detected" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    Computer = tostring(ExtendedProperties["Machine Name"]),
    Account = tostring(ExtendedProperties["Account"]),
    AccountSID = tostring(ExtendedProperties["User SID"]),
    AccountLogonId = tostring(ExtendedProperties["Account Logon Id"]),
    ProcessName = tostring(ExtendedProperties["Process Name"]),
    CommandLine = tostring(ExtendedProperties["Command Line"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    AccountLogonIds = make_set(AccountLogonId, 250),
    CommandLines = make_set(CommandLine, 250),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Computer, Account, AccountSID, ProcessName
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceId,
    StartTime,
    EndTime,
    Computer,
    Account,
    AccountSID,
    ProcessName,
    CommandLines,
    AccountLogonIds,
    AlertLinks,
    Tactics,
    Techniques,
    Entities

Explanation

This query is designed to analyze security alerts related to "PsExec execution detected" from Azure Security Center. Here's a simplified breakdown of what it does:

  1. Filter Alerts: It starts by filtering the SecurityAlert table to find alerts with the name "PsExec execution detected" and ensures they are from the "Azure Security Center" provider.

  2. Summarize Alerts: It groups these alerts by SystemAlertId and selects the earliest occurrence of each alert.

  3. Extract Properties: It extracts various properties from the ExtendedProperties field, such as the computer name, account details, process name, and command line used.

  4. Clean Entities: It cleans up the Entities field by removing certain patterns using regular expressions.

  5. Aggregate Data: It summarizes the data by:

    • Finding the earliest and latest times for each alert.
    • Collecting unique sets of account logon IDs, command lines, and alert links.
    • Gathering related entities.
    • Selecting any available remediation steps, tactics, and techniques.
  6. Project Results: Finally, it selects and organizes specific fields to display, including the alert name, severity, description, remediation steps, resource ID, time details, computer and account information, process name, command lines, account logon IDs, alert links, tactics, techniques, and entities.

In essence, this query is used to identify and summarize detailed information about specific security alerts related to PsExec executions, providing insights into the affected systems, accounts, and processes involved.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: February 5, 2024

Tables

SecurityAlert

Keywords

SecurityAlertAzureSecurityCenterSystemAlertIdMachineNameAccountUserSIDLogonIdProcessCommandLineEntitiesAlertNameAlertSeverityDescriptionResourceIdComputerAccountSIDProcessNameCommandLinesAccountLogonIdsAlertLinksTacticsTechniques

Operators

wherehasandsummarizearg_minbyextendtodynamictostringreplace_regexminmaxmake_settake_anytolowerproject

Actions

GitHub