Query Details

T1555.003 Credentials From Web Browsers

Query

// https://www.linkedin.com/posts/0x534c_cybersecurity-t1555-credentialtheft-activity-7324667429035368448-t6om

ThreatIntelIndicators
| where TimeGenerated > ago(365d)
| where now() between (ValidFrom .. ValidUntil)
| where isnotempty(Data.labels)
| mv-expand Data.labels
| where Data_labels has "mitre"
| extend MitreID = parse_json(tostring(Data_labels)).Alias 
| where MitreID == "T1555.003" // Credentials from Web Browsers
| summarize IOCcount=count() by ObservableKey, Confidence
| sort by IOCcount desc 

Explanation

This query is designed to analyze threat intelligence data to identify specific cybersecurity threats related to credential theft from web browsers. Here's a simplified breakdown of what the query does:

  1. Data Source: It starts by accessing the ThreatIntelIndicators table, which contains threat intelligence data.

  2. Time Filter: It filters the data to include only records generated in the past year (365 days).

  3. Validity Check: It ensures that the current time (now()) falls within the validity period of the threat indicators (ValidFrom to ValidUntil).

  4. Label Check: It filters for records that have non-empty labels in the Data.labels field.

  5. Label Expansion: It expands the Data.labels field to handle multiple labels per record.

  6. MITRE Label Filter: It further filters the data to include only those records where the labels contain the term "mitre".

  7. MITRE ID Extraction: It parses each expanded label as JSON and takes its Alias property as the MITRE technique ID, storing it in a new field called MitreID.

  8. Specific Threat Filter: It filters the data to focus specifically on the MITRE technique ID "T1555.003", which corresponds to "Credentials from Web Browsers".

  9. Summarization: It counts the number of matching indicators (IOCcount) for each unique combination of observable key (ObservableKey) and confidence level (Confidence).

  10. Sorting: Finally, it sorts the results in descending order based on the count of indicators of compromise (IOCcount).

In summary, this query identifies and counts instances of a specific credential theft technique from web browsers, as defined by the MITRE framework, over the past year, and sorts the results by frequency.
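The pipeline above, worked through in Python over a handful of constructed rows, as an added example that is not part of the original page or the author's query. It assumes the ThreatIntelIndicators columns the query touches (TimeGenerated, ValidFrom, ValidUntil, ObservableKey, Confidence, Data.labels) and assumes that each label is a small JSON object whose Alias property carries the ATT&CK technique ID; that label layout is an assumption, not something the page documents. The sample rows include an expired indicator, one older than the lookback window, one tagged with a different technique and one with no labels, so the output shows which rows each filter stage drops.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
import json

# Fixed "now" so the example is reproducible; the query uses now() at run time.
NOW = datetime(2025, 5, 4, tzinfo=timezone.utc)


def _row(days_ago, valid_from_days, valid_until_days, key, confidence, labels):
    """Build one constructed row shaped like the columns the query reads."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "ValidFrom": NOW - timedelta(days=valid_from_days),
        "ValidUntil": NOW + timedelta(days=valid_until_days),
        "ObservableKey": key,
        "Confidence": confidence,
        "Data": {"labels": labels},
    }


# Assumed label layout: a JSON object with a Name and an Alias (the technique ID).
MITRE_T1555_003 = {"Name": "mitre-attack", "Alias": "T1555.003"}
MITRE_T1003 = {"Name": "mitre-attack", "Alias": "T1003"}

# Constructed sample data; observable keys follow STIX-style naming.
SAMPLE_ROWS = [
    _row(10, 30, 60, "file:hashes.'SHA-256'", 80,
         [MITRE_T1555_003, {"Name": "malware-family", "Alias": "infostealer"}]),
    _row(20, 30, 60, "file:hashes.'SHA-256'", 80, [MITRE_T1555_003]),
    _row(5, 30, 60, "domain-name:value", 50, [MITRE_T1555_003]),
    _row(400, 500, 60, "ipv4-addr:value", 90, [MITRE_T1555_003]),  # older than 365d: dropped
    _row(3, 90, -1, "url:value", 70, [MITRE_T1555_003]),            # ValidUntil already past: dropped
    _row(3, 30, 60, "url:value", 70, [MITRE_T1003]),                # different technique: dropped
    _row(3, 30, 60, "url:value", 70, []),                           # no labels: dropped
]


def count_technique_indicators(rows, now=NOW, lookback_days=365, technique="T1555.003"):
    """Mirror the KQL pipeline stage by stage and return [(ObservableKey, Confidence), IOCcount] pairs."""
    counts = Counter()
    since = now - timedelta(days=lookback_days)
    for row in rows:
        # | where TimeGenerated > ago(365d)
        if not row["TimeGenerated"] > since:
            continue
        # | where now() between (ValidFrom .. ValidUntil)   (KQL between is inclusive)
        if not (row["ValidFrom"] <= now <= row["ValidUntil"]):
            continue
        # | where isnotempty(Data.labels)
        labels = row.get("Data", {}).get("labels")
        if not labels:
            continue
        # | mv-expand Data.labels  -> one iteration per label, like one row per label in KQL
        for label in labels:
            text = json.dumps(label)                      # tostring(Data_labels)
            # | where Data_labels has "mitre"  (KQL has is a term match; substring is used here)
            if "mitre" not in text.lower():
                continue
            # | extend MitreID = parse_json(tostring(Data_labels)).Alias
            # | where MitreID == "T1555.003"
            if json.loads(text).get("Alias") != technique:
                continue
            # | summarize IOCcount=count() by ObservableKey, Confidence
            counts[(row["ObservableKey"], row["Confidence"])] += 1
    # | sort by IOCcount desc
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for (key, confidence), ioc_count in count_technique_indicators(SAMPLE_ROWS):
        print(f"{key:<24} confidence={confidence:<3} IOCcount={ioc_count}")
```

Because the count is taken after the label expansion, a single indicator carrying two labels that both resolve to T1555.003 would be counted twice; that matches the query's behaviour and is worth knowing when reading the IOCcount column. The technique parameter makes the same pipeline reusable for any other ATT&CK ID present in the feed's labels.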

Details


Steven Lim

Released: May 4, 2025

Tables

ThreatIntelIndicators

Keywords

ThreatIntelIndicators

Operators

|, where, >, ago(), between, .., isnotempty(), mv-expand, has, extend, parse_json(), tostring(), ==, summarize, count(), by, sort, desc
