Query Details

Security Alert Suspicious Request To Kubernetes API

Query

SecurityAlert
| where AlertName has "Suspicious request to Kubernetes API" and ProviderName == "Azure Security Center"
| summarize arg_min(TimeGenerated, *) by SystemAlertId
| extend ExtendedProperties = todynamic(ExtendedProperties)
| extend
    APIRequest = tostring(ExtendedProperties["API Request"]),
    ContainerID = tostring(ExtendedProperties["Container ID"]),
    ImageName = tostring(ExtendedProperties["Image Name"]),
    UserName = tostring(ExtendedProperties["User Name"]),
    ResourceType = tostring(ExtendedProperties["resourceType"])
// Clean Entities
| extend Entities = replace_regex(Entities, @'(\,\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}|\"\w+\"\:\{\"\$ref\"\:\"\d+\"\}\,|\,\{\"\$ref\"\:\"\d+\"\})|\"\$id\"\:\"\d+\"\,', '')
| summarize
    TimeGenerated = min(TimeGenerated),
    StartTime = min(StartTime),
    EndTime = max(EndTime),
    ContainerIDs = make_set(ContainerID, 250),
    AlertLinks = make_set(AlertLink, 250),
    Entities = make_set(todynamic(Entities)),
    take_any(RemediationSteps, Tactics, Techniques)
    by AlertName, AlertSeverity, Description, ResourceId = tolower(ResourceId), APIRequest, ImageName, UserName, ResourceType
| project
    TimeGenerated,
    AlertName,
    AlertSeverity,
    Description,
    RemediationSteps,
    ResourceId,
    ResourceType,
    StartTime,
    EndTime,
    ImageName,
    UserName,
    APIRequest,
    ContainerIDs,
    AlertLinks,
    Tactics,
    Techniques,
    Entities

Explanation

This KQL (Kusto Query Language) query is designed to analyze security alerts related to suspicious requests to the Kubernetes API, specifically those generated by Azure Security Center. Here's a simplified breakdown of what the query does:

  1. Filter Alerts: It starts by filtering the SecurityAlert table to find alerts with the name "Suspicious request to Kubernetes API" and where the provider is "Azure Security Center".

  2. Summarize Alerts: For each unique alert (identified by SystemAlertId), it selects the earliest occurrence (arg_min(TimeGenerated, *)).

  3. Extract Properties: It extracts specific details from the ExtendedProperties field, such as APIRequest, ContainerID, ImageName, UserName, and ResourceType.

  4. Clean Entities: It cleans up the Entities field by removing certain patterns using regular expressions to make the data more readable.

  5. Aggregate Data: It summarizes the data by:

    • Finding the earliest (min) and latest (max) times for the alerts.
    • Collecting unique ContainerID and AlertLink values into sets.
    • Compiling a set of cleaned Entities.
    • Selecting any available RemediationSteps, Tactics, and Techniques.
  6. Project Results: Finally, it selects and organizes specific fields to display in the output, including details like TimeGenerated, AlertName, AlertSeverity, Description, RemediationSteps, ResourceId, ResourceType, StartTime, EndTime, ImageName, UserName, APIRequest, ContainerIDs, AlertLinks, Tactics, Techniques, and Entities.

In essence, this query is used to identify and summarize key details about suspicious Kubernetes API requests detected by Azure Security Center, providing a concise view of the alerts and associated metadata.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: February 5, 2024

Tables

SecurityAlert

Keywords

SecurityAlertAzureSecurityCenterKubernetesAPISystemAlertIdTimeGeneratedExtendedPropertiesAPIRequestContainerIDImageNameUserNameResourceTypeEntitiesAlertNameAlertSeverityDescriptionResourceIdStartTimeEndTimeRemediationStepsAlertLinksTacticsTechniques

Operators

wherehasandsummarizearg_minbyextendtodynamictostringreplace_regexminmaxmake_settake_anytolowerproject

Actions

GitHub