Workload ID Protection Alerts With Enriched Information
Query
SecurityAlert
| where ProviderName == "IPC"
| where parse_json(ExtendedProperties).State == "Open" and Status == "New"
| mv-apply todynamic(Entities) on (where Entities.Type == "service-principal")
| extend ServicePrincipalObjectId = tostring(Entities.ServicePrincipalObjectId)
| project
TimeGenerated,
SystemAlertId,
AlertName,
AlertSeverity,
Description,
Tactics,
Techniques,
ProviderName,
ProductName,
AlertType,
DetailedDescription = parse_json(ExtendedProperties).["Detail Description"],
ServicePrincipalObjectId
| join kind=inner (
PrivilegedWorkloadIdentityInfo
| project
WorkloadIdentityName,
WorkloadIdentityType,
IsFirstPartyApp,
tostring(ApplicationId),
tostring(ServicePrincipalObjectId),
EnterpriseAccessModelTiering,
EntraIdRoles,
AppRolePermissions
)
on ServicePrincipalObjectId
| join kind=innerunique (
SecurityIncident
| mv-expand AlertIds
| extend SystemAlertId = tostring(AlertIds)
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| project
SystemAlertId,
IncidentUrl = AdditionalData.providerIncidentUrl,
IncidentStatus = Status,
IncidentName = IncidentNumber,
// Use Tactics from M365D Data Connector, original Alert Provider contains values which not matches with Sentinel TTPs (e.g., PreAttack)
IncidentTactics = parse_json(tostring(AdditionalData.tactics))
)
on SystemAlertIdExplanation
This query is part of a scheduled analytic rule designed to create incidents from existing Workload ID Protection alerts. Here's a simplified breakdown of what it does:
-
Purpose: The rule generates incidents based on alerts related to Workload ID Protection, enriching them with additional information about cloud applications and other relevant data.
-
Severity: The alerts have a medium severity level.
-
Frequency: The query runs every hour and looks at data from the past hour.
-
Query Logic:
- It starts by filtering security alerts from a provider named "IPC" that are new and open.
- It extracts information about service principals (a type of identity used in cloud applications).
- It gathers various details about the alert, such as its name, severity, description, and tactics.
- It joins this data with additional information about workload identities, such as their name, type, and roles.
- It further joins with security incident data to get details like the incident URL, status, and tactics.
-
Incident Creation:
- Incidents are created from these alerts, with specific configurations for grouping and details.
- Grouping is enabled to combine related alerts into a single incident if they share common entities or details.
-
Alert Details:
- The alert's display name, description, tactics, and severity are customized based on the data extracted.
- Additional custom details are added, such as workload identity name, type, and application ID.
-
Entity Mapping:
- The rule maps certain fields to cloud application entities, such as the workload identity name and application ID.
-
Suppression: Alerts are not suppressed, but there is a suppression duration set to 5 hours, which might be used to prevent duplicate alerts within that timeframe.
Overall, this rule helps in identifying and managing security incidents related to workload identities in cloud environments by enriching alerts with detailed information and creating incidents for further investigation.
Details

Thomas Naunheim
Released: December 17, 2023
Tables
Keywords
Operators
Severity
MediumFrequency: 1h
Period: 1h