Query Details

Security Alert Script Extension Mismatch Detected

Query

SecurityAlert
| where AlertName has "Script extension mismatch detected" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    Computer = tostring(ExtendedProperties["Compromised Host"]),
    UserName = tostring(ExtendedProperties["User Name"]),
    Process = tostring(ExtendedProperties["Suspicious Process"]),
    CommandLine = tostring(ExtendedProperties["Suspicious Command Line"]),
    ResourceType = tostring(ExtendedProperties["resourceType"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    UserNames = make_set(UserName, 250),
    Processes = make_set(Process, 250),
    CommandLines = make_set(CommandLine, 250), 
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), Computer, ResourceType
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceId,
    ResourceType,
    StartTime,
    EndTime,
    Computer,
    UserNames,
    Processes,
    CommandLines,
    AlertLinks,
    Tactics,
    Techniques,
    Entities

Explanation

This KQL (Kusto Query Language) query is designed to analyze security alerts from Azure Security Center, specifically focusing on alerts related to "Script extension mismatch detected." Here's a simplified breakdown of what the query does:

  1. Filter Alerts: It starts by filtering security alerts to only include those with the name "Script extension mismatch detected" and that are provided by Azure Security Center.

  2. Summarize Alerts: For each unique alert (identified by SystemAlertId), it selects the earliest occurrence (arg_min) of the alert and includes all associated data.

  3. Extract Properties: It extracts specific details from the alert's extended properties, such as the compromised host's name, the user involved, the suspicious process, and the command line used.

  4. Clean Up Entities: It cleans up the Entities field by removing certain patterns to make the data more readable.

  5. Aggregate Data: It aggregates the data further by:

    • Finding the earliest (min) and latest (max) times for the alerts.
    • Collecting unique sets of usernames, processes, command lines, and alert links associated with each alert.
    • Collecting unique entities related to the alerts.
    • Selecting any available remediation steps, tactics, and techniques.
  6. Project Results: Finally, it selects and organizes the relevant fields to display, including the time generated, alert details, remediation steps, resource information, and associated entities.

In summary, this query is used to filter, clean, and summarize specific security alerts related to script extension mismatches, providing a concise overview of the incidents, including details about the affected systems, users, and processes involved.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: February 5, 2024

Tables

SecurityAlert

Keywords

SecurityAlertAzureSecurityCenterComputerUserNameProcessCommandLineResourceTypeEntitiesAlertNameAlertSeverityDescriptionRemediationStepsResourceIdStartTimeEndTimeTacticsTechniques

Operators

wherehasandsummarizearg_minbyextendtodynamictostringreplace_regexminmaxmake_settake_anytolowerproject

Actions

GitHub