Query Details

Endpoint MITRE ATT&CK Report

Query

name : Endpoint - MDE/MDAV detection MITRE ATT&CK list
description : 
  - Case1 - Columnchart / MDE & MDAV detection with MITRE ATT&CK MITRE_ATTACK_list 
  - Case2 - Sort number / MDE & MDAV detection with MITRE ATT&CK MITRE_ATTACK_list
table :
  - AlertInfo
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-alertinfo-table?view=o365-worldwide
query: |
    //Case1 - Columnchart / MDE & MDAV detection with MITRE ATT&CK MITRE_ATTACK_list 
    AlertInfo
    | where Timestamp > ago(7d)
    | where ServiceSource == "Microsoft Defender for Endpoint"
    | where isnotempty(AttackTechniques)
    | mv-expand DetailedAttackTechniques= parse_json(AttackTechniques)
    | summarize MITRE_ATTACK_list = count() by tostring(DetailedAttackTechniques)
    | render columnchart 


    //Case2 - Sort number / MDE & MDAV detection with MITRE ATT&CK MITRE_ATTACK_list
    AlertInfo
    | where Timestamp > ago(7d)
    | where ServiceSource == "Microsoft Defender for Endpoint"
    | where isnotempty(AttackTechniques)
    | mv-expand DetailedAttackTechniques= parse_json(AttackTechniques)
    | summarize MITRE_ATTACK_list = count() by tostring(DetailedAttackTechniques)
    | sort by MITRE_ATTACK_list desc 

Explanation

The two queries count MDE (Microsoft Defender for Endpoint) and MDAV (Microsoft Defender Antivirus) detections by MITRE ATT&CK technique. Both read the AlertInfo table, keep alerts from the last 7 days whose ServiceSource is Microsoft Defender for Endpoint and whose AttackTechniques column is not empty, then mv-expand the AttackTechniques JSON array so that each technique becomes its own row (aliased DetailedAttackTechniques) and summarize a count per technique. Case 1 renders the counts as a column chart; Case 2 sorts them in descending order of count.
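The following is an added example, not one of the page's own queries or the author's code. It extends the same AlertInfo pipeline so that each technique row also carries the technique id, the tactic (Category), the severity split and the detection sources, and it expresses each count as a share of distinct alerts. The share is needed because mv-expand counts an alert once under every technique it carries, so the per-technique counts add up to more than the number of alerts. Assumptions: the AlertInfo columns AlertId, Category, Severity and DetectionSource exist as documented, Severity uses the value "High", and each AttackTechniques entry ends with the technique id in parentheses, e.g. "Credential Dumping (T1003)", which the extract() regex relies on (TechniqueId is empty where the format differs).

```kql
// Added example (not from the original page or its author).
// Assumed columns: AlertId, Category, Severity, DetectionSource in AlertInfo.
let Window = 7d;
let MdeAlerts = AlertInfo
    | where Timestamp > ago(Window)
    | where ServiceSource == "Microsoft Defender for Endpoint"
    | where isnotempty(AttackTechniques);
// Denominator: distinct alerts in the window. After mv-expand an alert with
// several techniques lands in several groups, so counts are not shares of alerts
// unless divided by this figure.
let TotalAlerts = toscalar(MdeAlerts | summarize dcount(AlertId));
MdeAlerts
| mv-expand DetailedAttackTechniques = parse_json(AttackTechniques)
| extend Technique = tostring(DetailedAttackTechniques)
// Assumed display format "Name (T1234)" or "Name (T1234.001)"; empty otherwise.
| extend TechniqueId = extract(@"\((T\d{4}(?:\.\d{3})?)\)", 1, Technique)
| summarize
    Alerts = dcount(AlertId),
    HighSeverity = countif(Severity == "High"),
    DetectionSources = make_set(DetectionSource)
    by Technique, TechniqueId, Category
| extend PctOfAlerts = round(100.0 * Alerts / TotalAlerts, 1)
| sort by Alerts desc
```

Replace the final `sort by` with `| render columnchart` to get the Case 1 view on the same breakdown; Category keeps the tactic visible next to each technique, which the page's single-column grouping does not show.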

Details


Kijo Girardi

Released: February 6, 2023

Tables

AlertInfo

Keywords

Endpoint,MDE,MDAV,MITRE_ATTACK_list,Columnchart,Sort,Number

Operators

toscalar(), arg_max(), count(), mv-expand, where, isnotempty(), parse_json(), summarize, render, sort by
