Query Details

Sentinel Alerts & MITRE ATT&CK Analysis

Query

// Sentinel Alerts & MITRE ATT&CK Analysis
// https://www.linkedin.com/posts/activity-7195301674301759488-rMQS/

// The Microsoft Sentinel MITRE ATT&CK (Preview) blade offers a comprehensive overview of all Sentinel detections aligned with the MITRE ATT&CK technique matrix. As a Security Operations Center (SOC) analyst overseeing analytic rules, are you aware of which MITRE Techniques are activated most frequently or infrequently? Running the subsequent KQL query will unveil the technique adversaries most commonly employ. Evaluate which techniques are triggered most or least often in comparison to your Microsoft Sentinel MITRE ATT&CK (preview) coverage. This analysis is crucial to determine if your analytic rules are sufficiently robust to identify these frequently used techniques.

// KQL - Summarization of Techniques Triggered

SecurityAlert
| where TimeGenerated > ago(90d)
| mv-expand todynamic(Techniques)
| extend MitreAttackTechniques = tostring(Techniques)
| where MitreAttackTechniques != ""
| summarize Technique_Count=count() by MitreAttackTechniques
| sort by Technique_Count desc

Explanation

This KQL query is designed to help Security Operations Center (SOC) analysts understand which MITRE ATT&CK techniques are most frequently triggered by alerts in Microsoft Sentinel over the past 90 days. Here's a simple summary of what the query does:

  1. Filter Alerts: It looks at security alerts generated in the last 90 days.
  2. Expand Techniques: It breaks down the alerts to list each MITRE ATT&CK technique involved.
  3. Filter Non-Empty Techniques: It removes any entries where the technique information is missing.
  4. Count Techniques: It counts how often each technique appears in the alerts.
  5. Sort Results: It sorts the techniques by their frequency, from most to least common.

This analysis helps SOC analysts determine which techniques are most and least frequently detected, allowing them to assess and improve their detection rules accordingly.
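As an added example (not code from the original post), the following KQL builds on the query above so the result is easier to compare with the MITRE ATT&CK blade: it rolls sub-techniques (for example T1078.004) up to their parent technique ID, lists the alert rules and tactics behind each technique, and counts the last 7 days separately from the 90-day baseline so techniques that have gone quiet stand out. It uses only standard SecurityAlert columns (TimeGenerated, Techniques, Tactics, AlertName); the output column names are chosen here.

```kql
// Added example, not part of the original query.
// Baseline window is 90 days, matching the original; the 7-day window is an
// assumption chosen to surface techniques that have recently stopped firing.
SecurityAlert
| where TimeGenerated > ago(90d)
| where isnotempty(Techniques)                       // skip alerts with no mapping
| mv-expand Technique = todynamic(Techniques) to typeof(string)
| where isnotempty(Technique)                        // drop rows from empty arrays
// T1078.004 -> T1078 so sub-techniques count towards their parent technique
| extend ParentTechnique = tostring(split(Technique, ".")[0])
| summarize
    Technique_Count = count(),                        // 90-day baseline
    Last7d_Count    = countif(TimeGenerated > ago(7d)),
    DistinctRules   = dcount(AlertName),              // how many rules map here
    SampleRules     = make_set(AlertName, 5),
    SubTechniques   = make_set(Technique, 10),
    Tactics         = make_set(Tactics, 5)
    by ParentTechnique
// Techniques with alerts in the baseline but none in the last week deserve a
// look: either the activity stopped or the rule behind them broke.
| extend QuietLast7d = Last7d_Count == 0
| project ParentTechnique, Technique_Count, Last7d_Count, QuietLast7d,
          DistinctRules, SampleRules, SubTechniques, Tactics
| sort by Technique_Count desc
```

Techniques that appear in the ATT&CK blade as covered but never show up in this output are the ones whose analytic rules have not fired in 90 days and are worth validating.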

Details


Steven Lim

Released: August 5, 2024

Tables

SecurityAlert

Keywords

SecurityAlert, MitreAttackTechniques, TechniqueCount, TimeGenerated

Operators

|, >, ago, mv-expand, todynamic, extend, tostring, !=, summarize, count, by, sort, desc