Query Details
// Measuring Sentinel WatchList Effectiveness using Behaviour Analytics //

Watchlists in Microsoft Sentinel enable you to correlate data from your provided sources with events in your Sentinel environment. For instance, you can create a watchlist containing high-value assets, terminated employees, or service accounts. These watchlists can be utilized in searches, detection rules, threat hunting, and response playbooks. If Sentinel UEBA is enabled, running the following KQL will generate a dashboard chart showing the number of watchlist triggers over the past three months. Notable spikes in watchlist hits can offer valuable insights and may indicate the need for further action.

BehaviorAnalytics
| where TimeGenerated > ago(90d)
| where ActivityType == "FailedLogOn" and EventSource == "Azure AD"
| where DevicesInsights has "ThreatIntelIndicatorType"
| extend ThreatType = tostring(DevicesInsights.ThreatIntelIndicatorType)
| where ThreatType has "WatchList"
| summarize WatchListHits=count() by bin(TimeGenerated,1d)

// Mitre ATT&CK Mapping //
// Cloud Service Provider (T1078.004)
// Brute Force (T1110)
// Threat Intelligence (T1595)
This query is designed to measure the effectiveness of watchlists in Microsoft Sentinel by analyzing behavior analytics data. Here's a simplified summary:
Purpose: The query aims to generate a dashboard chart that shows how many times watchlist items were triggered over the past three months. This can help identify patterns or spikes that might need further investigation.
Data Source: It looks at behavior analytics data, specifically focusing on failed login attempts sourced from Azure Active Directory.
Filtering Criteria: events from the last 90 days; an ActivityType of "FailedLogOn" with an EventSource of "Azure AD"; a DevicesInsights field that contains a ThreatIntelIndicatorType; and a ThreatType value that includes "WatchList".
Output: The query counts the number of watchlist hits per day and summarizes this information in a way that can be visualized on a dashboard.
Additional Context: The query also maps the findings to specific MITRE ATT&CK techniques, including Cloud Service Provider (T1078.004), Brute Force (T1110), and Threat Intelligence (T1595).
In essence, this query helps security teams understand how often watchlisted items are being triggered, which can provide insights into potential security issues or areas that require further attention.
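As an added example, not part of the original query, the same filters are fed into make-series and series_decompose_anomalies so that days whose watchlist hit count rises well above the expected daily baseline are listed directly rather than read off the chart. The anomaly threshold of 1.5 and the 'linefit' trend setting are assumed starting values to tune per environment.

```kql
// Added example: flag days where watchlist-related failed log-ons deviate
// from the expected baseline, instead of only charting the daily counts.
BehaviorAnalytics
| where TimeGenerated > ago(90d)
| where ActivityType == "FailedLogOn" and EventSource == "Azure AD"
| where DevicesInsights has "ThreatIntelIndicatorType"
| extend ThreatType = tostring(DevicesInsights.ThreatIntelIndicatorType)
| where ThreatType has "WatchList"
// Build one time series of hits per day, filling empty days with 0
| make-series WatchListHits = count() default = 0
    on TimeGenerated from ago(90d) to now() step 1d
// threshold 1.5 (assumed), seasonality -1 = auto-detect, trend = 'linefit'
| extend (Anomalies, Score, Baseline) =
    series_decompose_anomalies(WatchListHits, 1.5, -1, 'linefit')
// Expand the series back into one row per day
| mv-expand TimeGenerated to typeof(datetime),
    WatchListHits to typeof(long),
    Anomalies to typeof(int),
    Score to typeof(double),
    Baseline to typeof(long)
// Keep only positive anomalies: more hits than the baseline predicts
| where Anomalies == 1
| project TimeGenerated, WatchListHits, Baseline, Score
| order by TimeGenerated desc
```

Rows returned here are the spikes the summary refers to; the Baseline column shows what a normal day would have produced, which helps decide whether a spike warrants triage.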

Steven Lim
Released: September 29, 2024