Query Details

Use Cases By MITRE

Query

//Shows Sentinel use cases count by MITRE tactics.

Anomalies
| extend tactics = split(Tactics, ",")
| mv-expand tactics
| summarize UseCasesCount = count() by tostring(tactics)
| order by UseCasesCount desc

Explanation

This query is designed to count and display the number of Sentinel use cases associated with each MITRE tactic. Here's a step-by-step breakdown in simple terms:

  1. Anomalies: Start with the 'Anomalies' table.
  2. extend tactics = split(Tactics, ","): Split the 'Tactics' column (which contains comma-separated values) into individual tactics.
  3. mv-expand tactics: Expand the list of tactics so that each tactic gets its own row.
  4. summarize UseCasesCount = count() by tostring(tactics): Count the number of use cases for each tactic. After mv-expand each value is still of type dynamic, so tostring converts it to a plain string that can serve as the grouping key.
  5. order by UseCasesCount desc: Sort the results in descending order based on the count of use cases.

In summary, this query lists each MITRE tactic along with the number of Sentinel use cases associated with it, sorted from the most to the least frequent.
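The same pipeline as an added example, not part of the original page: it runs over a constructed datatable standing in for the Anomalies table (the column names and values are assumptions made for the demo) and adds a trim step and an empty-value filter, two cases the query above does not handle when a Tactics value contains spaces after the commas or is blank.

```kql
// Constructed sample rows shaped like the Anomalies table (assumed columns).
// One row has a space after the comma and one has an empty Tactics value.
let SampleAnomalies = datatable(AnomalyTemplateName: string, Tactics: string)
[
    "Anomalous sign-in location",  "InitialAccess",
    "Suspicious logon volume",     "InitialAccess, CredentialAccess",
    "Unusual process execution",   "Execution,Persistence",
    "Anomalous data transfer",     "Exfiltration",
    "Template with no mapping",    ""
];
SampleAnomalies
// Turn the comma-separated string into a dynamic array of tactic names.
| extend tactics = split(Tactics, ",")
// One output row per array element.
| mv-expand tactics
// Convert the dynamic value to a string and strip surrounding whitespace,
// so " CredentialAccess" and "CredentialAccess" land in the same bucket.
| extend tactic = trim(@"\s+", tostring(tactics))
// Rows whose Tactics column was empty produce an empty tactic; drop them.
| where isnotempty(tactic)
// Count rows per tactic and show the most common tactics first.
| summarize UseCasesCount = count() by tactic
| order by UseCasesCount desc
```

Without the trim, the padded value would appear as a separate tactic in the result, and without the isnotempty filter the blank value would show up as its own row in the count.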

Details


Rod Trent

Released: August 16, 2024

Tables

Anomalies

Keywords

Sentinel Anomalies Tactics UseCases

Operators

extend, split, mv-expand, summarize, count, tostring, order by, desc
