Query Details

Security Alert: Visualize Alerts by MITRE

Query

// Visualize your security alerts by MITRE ATT&CK tactic
// Data connector required for this query - SecurityAlert (free table that other Defender products send alert info to)
SecurityAlert
| where TimeGenerated > ago(30d)
// Exclude Sentinel-generated alerts if you want to. This may stop you double counting alerts, i.e. an alert generated by Azure AD Identity Protection and then again in Sentinel.
| where ProviderName != "ASI Scheduled Alerts"
// Drop alerts that carry no tactic or only an unknown tactic
| where isnotempty(Tactics) and Tactics != "Unknown"
// Keep only the latest record per alert, so an alert that was updated and re-ingested is counted once
| summarize arg_max(TimeGenerated, *) by VendorOriginalId
// Count alerts per Tactics value (Tactics is a string, so an alert listing several tactics is counted once, under that combined value)
| summarize Count=count() by Tactics
| sort by Count desc
| render barchart with (title="Security alerts by MITRE ATT&CK tactic")

Explanation

This query visualizes security alerts by MITRE ATT&CK tactic. It reads the SecurityAlert table (populated by the Security Alert data connector) and keeps only alerts generated within the last 30 days. It excludes alerts raised by Sentinel scheduled analytics rules (ProviderName "ASI Scheduled Alerts") so that an alert already raised by another product is not counted twice. It then drops alerts with an empty or "Unknown" tactic and deduplicates by VendorOriginalId, keeping the most recent record for each alert. Finally, it counts the remaining alerts per tactic, sorts the counts in descending order, and renders a bar chart titled "Security alerts by MITRE ATT&CK tactic".

Details

Matt Zorich

Released: June 17, 2022

Tables

SecurityAlert

Keywords

SecurityAlert,TimeGenerated,ProviderName,Tactics,VendorOriginalId,Count

Operators

where,>,ago,!=,isnotempty,summarize,arg_max,*,by,summarize,count,sort,desc,render