Query Details

Defender XDR MITRE ATT&CK Technique Analysis

Query

// DefenderXDR MITRE ATT&CK Technique Analysis

AlertEvidence
| where Timestamp > ago(30d)                          // last 30 days of alert evidence
| mv-expand parse_json(AttackTechniques)              // one row per technique in the JSON array
| where isnotempty(AttackTechniques)                  // drop evidence with no mapped technique
| summarize TechniqueCount=count() by tostring(AttackTechniques)
| sort by TechniqueCount                              // descending by default in KQL

// Export the result as a CSV
// Copilot Prompt:
// Can you help me generate MITRE ATT&CK Techniques heatmap using standard MITRE ATT&CK Enterprise framework with the attached CSV data?

Explanation

Sure! Here's a simple summary of the query:

  1. Data Source: The query is analyzing data from the AlertEvidence table.
  2. Time Filter: It only looks at records from the last 30 days.
  3. Expand Techniques: It expands the AttackTechniques field, which is in JSON format, into individual records.
  4. Filter Non-Empty: It filters out any records where AttackTechniques is empty.
  5. Count Techniques: It counts how many times each attack technique appears.
  6. Sort Results: It sorts the results by the count of each technique in descending order.

The final result is a list of attack techniques and how often each one was observed in the last 30 days, sorted by frequency. This result can then be exported as a CSV file.

The Copilot prompt is asking for help to generate a heatmap of MITRE ATT&CK Techniques using the standard MITRE ATT&CK Enterprise framework and the data from the CSV file generated by this query.
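Instead of relying on Copilot for the heatmap, the exported CSV can be turned into an ATT&CK Navigator layer directly. This is an added example, not part of the original query or the author's material; it assumes the CSV has the two columns the query emits (AttackTechniques, TechniqueCount), that each AttackTechniques value starts with a technique ID such as "T1059.001: ...", and that the Navigator version fields shown are acceptable to the Navigator instance in use.

```python
import csv
import io
import json
import re

# Constructed sample of what the query above exports (a duplicate ID row is included
# on purpose, since the query groups on the full string, not on the technique ID).
SAMPLE_CSV = """AttackTechniques,TechniqueCount
T1059.001: Command and Scripting Interpreter: PowerShell,42
T1566.001: Phishing: Spearphishing Attachment,17
T1078: Valid Accounts,9
T1059.001: Command and Scripting Interpreter: PowerShell,3
not-a-technique,5
"""

# Technique or sub-technique ID at the start of the descriptive string (assumed format).
TECHNIQUE_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def technique_scores(csv_text):
    """Map technique ID -> summed TechniqueCount; rows without a parsable ID are skipped."""
    scores = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        match = TECHNIQUE_ID.search(row["AttackTechniques"])
        if not match:
            continue
        tid = match.group(0)
        scores[tid] = scores.get(tid, 0) + int(row["TechniqueCount"])
    return scores


def build_layer(csv_text, name="Defender XDR alert evidence, last 30 days"):
    """Build an ATT&CK Navigator layer dict; the score of each technique is its count."""
    scores = technique_scores(csv_text)
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9", "layer": "4.5"},  # assumption
        "domain": "enterprise-attack",
        "description": "Technique frequency from AlertEvidence.AttackTechniques",
        "techniques": [{"techniqueID": tid, "score": n} for tid, n in sorted(scores.items())],
        "gradient": {
            "colors": ["#ffffff", "#ff6666"],
            "minValue": 0,
            "maxValue": max(scores.values(), default=0),
        },
    }


if __name__ == "__main__":
    # Write the layer JSON to stdout; load the file in ATT&CK Navigator to see the heatmap.
    print(json.dumps(build_layer(SAMPLE_CSV), indent=2))
```

Replace SAMPLE_CSV with the contents of the exported file and redirect the output to a .json file for Navigator's "Open Existing Layer" upload.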

Details


Steven Lim

Released: September 8, 2024

Tables

AlertEvidence

Keywords

DefenderXDR, AlertEvidence, MITRE ATT&CK, Techniques

Operators

where, ago, mv-expand, parse_json, isnotempty, summarize, count, tostring, sort
