Query Details

Mapping Threat Intelligence To MITRE ATT&CK Using KQL

Query

// Mapping Threat Intelligence to MITRE ATT&CK Using KQL

// Starting in April, Microsoft Sentinel will ingest all threat intelligence into the newly introduced ThreatIntelIndicators and ThreatIntelObjects tables. These tables support the STIX 2.1 schema, enabling the ingestion and querying of various threat intelligence objects, including identity, attack-pattern, threat-actor, and relationship objects.

// To enhance threat analysis, I developed a KQL query that maps ThreatIntelIndicators IOCs to their respective MITRE ATT&CK techniques. As demonstrated in the query below, Sentinel threat intelligence IOCs are most commonly associated with "Web Protocols" (T1071.001).

// This crucial MITRE ATT&CK technique information allows us to leverage specific techniques and IOC ObservableValues for targeted threat hunting, refining our approach based on adversary tactics and behaviors.

ThreatIntelIndicators
| where TimeGenerated > ago(365d)
| where now() between (ValidFrom .. ValidUntil)
| where isnotempty(Data.labels)
| mv-expand Data.labels
| where Data_labels has "mitre"
| extend MitreID = parse_json(tostring(Data_labels)).Alias
| extend MitreTechnique = parse_json(tostring(Data_labels)).FullName
| extend MitreTechniqueName = parse_json(tostring(Data_labels)).Name
| summarize TechniqueCount=count() by tostring(MitreID), tostring(MitreTechniqueName)
| sort by TechniqueCount desc

Explanation

This query is designed to analyze threat intelligence data in Microsoft Sentinel by mapping Indicators of Compromise (IOCs) to MITRE ATT&CK techniques. Here's a simplified breakdown of what the query does:

  1. Data Source: It uses the ThreatIntelIndicators table, which contains threat intelligence data.

  2. Time Frame: It filters the data to include only entries from the past year.

  3. Validity Check: It ensures that the data is still valid by checking if the current date falls within the validity period (ValidFrom to ValidUntil).

  4. Label Filtering: It looks for entries that have non-empty labels and specifically checks for labels related to "mitre."

  5. Data Extraction: It extracts and parses MITRE ATT&CK information from these labels, including the technique ID, full name, and technique name.

  6. Counting Techniques: It counts how often each MITRE ATT&CK technique appears in the data.

  7. Sorting: Finally, it sorts the techniques by their frequency of occurrence in descending order.

The purpose of this query is to identify which MITRE ATT&CK techniques are most commonly associated with the threat intelligence data; in the author's results, "Web Protocols" (T1071.001) was the most frequent technique. This information can be used to focus threat hunting efforts on specific adversary tactics and behaviors.
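The explanation above ends at a count per technique. The natural next step for hunting is to pivot the other way: pick one technique and list the currently valid indicator values that carry it. The following query is an added example and is not part of the original page or the author's query. It assumes the ThreatIntelIndicators columns Id, IsActive, ObservableKey and ObservableValue alongside the ones the original query already uses, and the same Data.labels layout (objects with Alias and Name). It also goes one step beyond the original by keeping only the latest version of each indicator, since an indicator is re-ingested on every update and would otherwise be counted more than once.

```kql
// Added example (not the original author's query): pivot from a technique ID
// to the active indicator values that carry it, for targeted hunting.
// Assumed columns: Id, IsActive, ObservableKey, ObservableValue (plus the
// columns the original query uses). Label layout assumed as on the page.
let TargetTechnique = "T1071.001";   // technique of interest, e.g. Web Protocols
ThreatIntelIndicators
| where TimeGenerated > ago(365d)
// Each update re-ingests the indicator; keep only the newest row per Id
| summarize arg_max(TimeGenerated, *) by Id
| where IsActive == true
| where now() between (ValidFrom .. ValidUntil)
| where isnotempty(Data.labels)
| mv-expand Label = Data.labels
| where Label has "mitre"
| extend MitreID = tostring(parse_json(tostring(Label)).Alias),
         MitreTechniqueName = tostring(parse_json(tostring(Label)).Name)
| where MitreID == TargetTechnique
// One row per observable type (ip, domain, url, ...) with up to 100 values each
| summarize IndicatorCount = count(),
            Observables = make_set(ObservableValue, 100)
      by MitreID, MitreTechniqueName, ObservableKey
| sort by IndicatorCount desc
```

Change TargetTechnique to any ID returned by the original query to get the matching observables. Grouping by ObservableKey keeps IP addresses, domains and URLs in separate rows, which matters because each type is matched against a different log source when the list is used in a hunt; the arg_max step is also worth adding to the original query if the per-technique counts look inflated.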

Details


Steven Lim

Released: April 26, 2025

Tables

ThreatIntelIndicators

Keywords

ThreatIntelIndicators

Operators

ago, between, isnotempty, mv-expand, has, extend, parse_json, tostring, summarize, count, by, sort, desc
