Query Details
// Entra Risk Events & MITRE ATT&CK Analysis
// https://www.linkedin.com/posts/activity-7195030571205476352-a2RE/
// Are you aware of which MITRE ATT&CK techniques correspond to the Entra identity protection risk events linked to your tenant?
// Executing the following KQL query will reveal the most prevalent technique utilized by adversaries, or the risk encountered by your users, upon the triggering of an identity alert.
// Assess the techniques that trigger most frequently in relation to your Microsoft Sentinel MITRE ATT&CK (preview) coverage to ascertain whether your analytics rules are robust enough to detect these commonly occurring techniques.
AADUserRiskEvents
| where TimeGenerated > ago(90d)
| mv-expand AdditionalInfo
| where AdditionalInfo contains "mitreTechniques"
| extend MitreAttack = tostring(parse_json(tostring(AdditionalInfo)).Value)
| summarize Count=count() by MitreAttack
| sort by Count desc
This KQL query is designed to help you understand which MITRE ATT&CK techniques are most frequently associated with identity protection risk events in your Microsoft Entra tenant. Here's a simplified breakdown of what the query does:
1. It starts from the AADUserRiskEvents table, which contains information about user risk events.
2. It keeps only events from the last 90 days.
3. It expands the AdditionalInfo array so that each element becomes its own row, then keeps the rows that contain "mitreTechniques".
4. It extracts the technique identifier from the Value property of that AdditionalInfo element.
5. It counts the rows per technique and sorts the result by count, highest first.
The result is a list of MITRE ATT&CK techniques, sorted by how often they are encountered in identity risk events, helping you assess the effectiveness of your security analytics rules.
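To check the pipeline's logic offline, here is an added Python model of the same steps (not part of the original query or the author's material). It assumes each AdditionalInfo entry is a JSON array of {Key, Value} objects, as the query's parse_json(...).Value access implies, and runs over constructed sample rows with placeholder technique IDs.

```python
"""Offline model of the KQL pipeline over constructed AADUserRiskEvents rows."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 8, 5, tzinfo=timezone.utc)  # constructed "now" for ago(90d)

# Constructed sample rows (assumption: AdditionalInfo is an array of {Key, Value}).
# Technique IDs are illustrative placeholders, not values from the page.
SAMPLE_ROWS = [
    {"TimeGenerated": NOW - timedelta(days=3),
     "AdditionalInfo": json.dumps([{"Key": "userAgent", "Value": "Mozilla/5.0"},
                                   {"Key": "mitreTechniques", "Value": "T1078"}])},
    {"TimeGenerated": NOW - timedelta(days=10),
     "AdditionalInfo": json.dumps([{"Key": "mitreTechniques", "Value": "T1110"}])},
    {"TimeGenerated": NOW - timedelta(days=30),
     "AdditionalInfo": json.dumps([{"Key": "mitreTechniques", "Value": "T1078"}])},
    {"TimeGenerated": NOW - timedelta(days=120),   # older than 90 days: filtered out
     "AdditionalInfo": json.dumps([{"Key": "mitreTechniques", "Value": "T1110"}])},
    {"TimeGenerated": NOW - timedelta(days=1),     # no technique element: dropped
     "AdditionalInfo": json.dumps([{"Key": "riskReasons", "Value": ["UnfamiliarASN"]}])},
]


def technique_counts(rows, now=NOW, window_days=90):
    """Mirror the KQL: time filter, mv-expand, contains, extract Value, summarize, sort."""
    cutoff = now - timedelta(days=window_days)
    counts = Counter()
    for row in rows:
        if row["TimeGenerated"] <= cutoff:                  # where TimeGenerated > ago(90d)
            continue
        for item in json.loads(row["AdditionalInfo"]):     # mv-expand AdditionalInfo
            # KQL 'contains' is a case-insensitive substring test on the whole element
            if "mitretechniques" not in json.dumps(item).lower():
                continue
            counts[str(item["Value"])] += 1                 # extend MitreAttack = ...Value
    # summarize Count=count() by MitreAttack | sort by Count desc
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for technique, count in technique_counts(SAMPLE_ROWS):
        print(f"{technique}\t{count}")
```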

Steven Lim
Released: August 5, 2024