Query Details

Sentinel Alerts MITRE ATTCK Analysis

Query

// Sentinel Alerts & MITRE ATT&CK Analysis
// https://www.linkedin.com/posts/activity-7195301674301759488-rMQS/

// The Microsoft Sentinel MITRE ATT&CK (Preview) blade offers a comprehensive overview of all Sentinel detections aligned with the MITRE ATT&CK technique matrix. As a Security Operations Center (SOC) analyst overseeing analytic rules, are you aware of which MITRE Techniques are activated most frequently or infrequently? Running the subsequent KQL query will unveil the technique adversaries most commonly employ. Evaluate which techniques are triggered most or least often in comparison to your Microsoft Sentinel MITRE ATT&CK (preview) coverage. This analysis is crucial to determine if your analytic rules are sufficiently robust to identify these frequently used techniques.

// KQL - Summarization of Techniques Triggered

SecurityAlert
| where TimeGenerated > ago(90d)
| mv-expand todynamic(Techniques)
| extend MitreAttackTechniques = tostring(Techniques)
| where MitreAttackTechniques != ""
| summarize Technique_Count=count() by MitreAttackTechniques
| sort by Technique_Count desc

// MITRE ATT&CK Mapping

//The KQL code is designed to map security alerts to specific MITRE ATT&CK techniques. Each technique identified in the Techniques field corresponds to a specific tactic or technique in the MITRE ATT&CK framework. Here are some common techniques that might be detected:

// T1078: Valid Accounts: Detection of compromised accounts.
// T1059: Command and Scripting Interpreter: Detection of script execution.
// T1105: Ingress Tool Transfer: Detection of tools being transferred into the environment.
// T1027: Obfuscated Files or Information: Detection of obfuscated files or information.

Explanation

This KQL query is designed to analyze security alerts in Microsoft Sentinel and determine which MITRE ATT&CK techniques are most frequently triggered. Here's a simple breakdown of what the query does:

  1. Data Source: It looks at security alerts generated in the last 90 days.

  2. Techniques Extraction: For each alert, it extracts the MITRE ATT&CK techniques involved.

  3. Filtering: It removes any entries where no technique is specified.

  4. Counting Occurrences: It counts how often each technique appears in the alerts.

  5. Sorting: It sorts the techniques by their frequency, from most to least common.

The purpose of this analysis is to help Security Operations Center (SOC) analysts understand which attack techniques are most commonly detected in their environment. This can inform them whether their detection rules are effective and if they need to adjust their focus on certain techniques. The query also helps in mapping these alerts to specific tactics or techniques in the MITRE ATT&CK framework, such as detecting compromised accounts, script execution, tool transfers, or obfuscated files.

Details

Steven Lim profile picture

Steven Lim

Released: August 5, 2024

Tables

SecurityAlert

Keywords

SecurityAlertTechniquesMitreAttackTechniquesTechniqueCount

Operators

wheremv-expandtodynamicextendtostringsummarizecountbysortdescago

MITRE Techniques

Actions

GitHub