Query Details

Security Incident Visualize MITRE ATT&CK

Query

//Visualize the incidents generated in Microsoft Sentinel by MITRE ATT&CK tactics
//Data connector required for this query - Microsoft Sentinel Incidents (generated automatically if you create incidents in Sentinel)
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_min(TimeGenerated, *) by IncidentNumber
| extend Tactics = tostring(AdditionalData.tactics)
| where Tactics != "[]"
| mv-expand todynamic(Tactics)
| summarize Count=count() by tostring(Tactics)
| sort by Count
| render barchart with (title="Microsoft Sentinel incidents by MITRE ATT&CK tactic")

Explanation

This query visualizes the incidents generated in Microsoft Sentinel by MITRE ATT&CK tactics. It retrieves security incidents from the past 30 days and keeps only the earliest record for each incident number (the SecurityIncident table stores a row for every update to an incident, so this step yields one row per incident). It then reads the tactics array from AdditionalData, drops incidents that carry no tactics, expands the array so that each tactic becomes its own row, counts the number of incidents per tactic, sorts by that count, and renders the result as a bar chart.
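To show what the arg_min de-duplication and the mv-expand step do to the final counts, here is an added Python re-implementation of the same pipeline over constructed SecurityIncident-like rows (example code, not part of the original page or of Microsoft Sentinel; the row shape, the sample values and the `earliest` switch that contrasts arg_min with arg_max are assumptions).

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed SecurityIncident-like rows (not real data). The SecurityIncident
# table holds one row per incident update, so an IncidentNumber can repeat.
T0 = datetime(2023, 9, 1, 12, 0, 0)
NOW = T0 + timedelta(days=3)
SAMPLE_ROWS = [
    {"TimeGenerated": T0, "IncidentNumber": 101,
     "AdditionalData": {"tactics": ["InitialAccess", "Execution"]}},
    # later update of the same incident, with a tactic added
    {"TimeGenerated": T0 + timedelta(hours=2), "IncidentNumber": 101,
     "AdditionalData": {"tactics": ["InitialAccess", "Execution", "Persistence"]}},
    {"TimeGenerated": T0 + timedelta(days=1), "IncidentNumber": 102,
     "AdditionalData": {"tactics": ["InitialAccess", "CredentialAccess"]}},
    # no tactics: removed by the `where Tactics != "[]"` step
    {"TimeGenerated": T0 + timedelta(days=2), "IncidentNumber": 103,
     "AdditionalData": {"tactics": []}},
    # older than 30 days: removed by the time-window step
    {"TimeGenerated": T0 - timedelta(days=60), "IncidentNumber": 99,
     "AdditionalData": {"tactics": ["Exfiltration"]}},
]

def incidents_by_tactic(rows, now=NOW, window=timedelta(days=30), earliest=True):
    """Mirror the KQL pipeline. earliest=True keeps the first record per
    incident (arg_min, as in the query); earliest=False keeps the latest one
    instead (what arg_max would do); that switch is an added assumption."""
    # where TimeGenerated > ago(30d)
    in_window = [r for r in rows if r["TimeGenerated"] > now - window]
    # summarize arg_min(TimeGenerated, *) by IncidentNumber
    per_incident = {}
    for r in in_window:
        num = r["IncidentNumber"]
        cur = per_incident.get(num)
        if cur is None:
            per_incident[num] = r
        elif earliest and r["TimeGenerated"] < cur["TimeGenerated"]:
            per_incident[num] = r
        elif not earliest and r["TimeGenerated"] > cur["TimeGenerated"]:
            per_incident[num] = r
    # extend Tactics = tostring(AdditionalData.tactics) | where Tactics != "[]"
    # | mv-expand todynamic(Tactics): one row per tactic per incident
    counts = Counter()
    for r in per_incident.values():
        tactics = r["AdditionalData"].get("tactics") or []   # [] contributes nothing
        for tactic in tactics:
            counts[str(tactic)] += 1
    # summarize Count=count() by Tactics | sort by Count (descending)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
```

Running with `earliest=False` adds Persistence to the result, which is the difference between charting the tactics an incident was created with and the tactics it carries after later updates.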

Details


Matt Zorich

Released: September 18, 2023

Tables

SecurityIncident

Keywords

Incidents, Microsoft Sentinel, MITRE ATT&CK, Tactics

Operators

where, summarize, arg_min, by, extend, where, mv-expand, summarize, sort, render
