Behaviour Detections
MITRE Behaviors
Query
let AlertThreshold = 3;
BehaviorInfo
// Display all Techniques in a row
| mv-expand todynamic(AttackTechniques)
// Summarize results to get statistics and lists
| summarize TotalTechniques = count(), Techniques = make_set(AttackTechniques), BehaviourIds = make_set(BehaviorId), arg_max(TimeGenerated, *) by AccountObjectId
| extend UniqueTechniques = array_length(Techniques)
// Check if the AlertThreshold is met. This can also be changed to Unique Techniques, depending on your needs.
| where TotalTechniques >= AlertThreshold
// Display all Behaviour Ids in a row and collect the entities. If you only want to alert based on the amount and not get the results yet, then the rows below can be filtered.
| mv-expand todynamic(BehaviourIds)
| extend BehaviourIdsString = tostring(BehaviourIds)
| join kind=inner BehaviorEntities on $left.BehaviourIdsString == $right.BehaviorId
| project-away BehaviourIds, AccountObjectId1, AdditionalFields1, ActionType1, BehaviorId1, Categories1, DataSources1, TimeGenerated
| project-reorder AccountObjectId, TotalTechniques, UniqueTechniques, Techniques, Categories, Description, DetectionSource
| sort by AccountObjectIdAbout this query
Explanation
This query is designed to detect suspicious behavior by analyzing data from two new tables, BehaviorInfo and BehaviorEntities, in Microsoft's Advanced Hunting schema. It focuses on identifying instances where an account has executed multiple MITRE ATT&CK techniques, which could indicate a potential security threat.
Here's a simplified breakdown of what the query does:
-
Threshold Setting: It sets a threshold of 3 techniques to trigger an alert. This means it will only flag accounts that have executed at least 3 techniques.
-
Data Expansion: It expands the list of techniques for each behavior entry to analyze them individually.
-
Summarization: It summarizes the data to count the total techniques used and creates lists of techniques and behavior IDs for each account.
-
Unique Techniques: It calculates the number of unique techniques used by each account.
-
Threshold Check: It filters the results to only include accounts that meet or exceed the threshold of total techniques.
-
Entity Joining: It joins the behavior data with entity data to enrich the results with more context about the behaviors.
-
Data Presentation: It organizes and sorts the final output to display relevant information like account ID, techniques used, and other descriptive details.
The query is useful for reducing false positives by focusing on multi-technique incidents, which are more likely to indicate malicious activity. It can be adjusted to focus on unique techniques instead of total techniques, depending on the specific needs of the user.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators