KQL Search

Query Details

Visualization Incidents Triggered By Mitre Tactic

Query

# Visualize MITRE ATT&CK Tactics on triggered Sentinel incidents

## Query Information

#### Description
This query visualizes the incidents that have been triggered for each MITRE ATT&CK Tactic. This will give an overview of the amount of incidents that have triggered for each specific tactic. 

#### References
- https://attack.mitre.org/tactics/enterprise/

## Sentinel
```
SecurityIncident
// Collect last argumtent of incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| extend MitreTactic = todynamic(parse_json(AdditionalData).tactics)
// Filter only on Incidents that contain Mitre Tactic
| where MitreTactic != "[]"
| mv-expand MitreTactic
| extend MitreTactic = tostring(MitreTactic)
| summarize count() by MitreTactic
| sort by count_
| render columnchart  with (title="Incidents triggered by MITRE ATT&CK Tactics", ytitle="Incidents Triggered")
```

Explanation

This query visualizes the number of incidents triggered for each MITRE ATT&CK Tactic. It collects the last argument of each incident, filters out incidents that do not contain a MITRE Tactic, and then counts the number of incidents for each tactic. The results are displayed in a column chart.

Details

Bert-Jan Pals

Released: February 14, 2023

Tables

SecurityIncident

Keywords

Sentinel,SecurityIncident,IncidentNumber,TimeGenerated,AdditionalData,MitreTactic,count_

Operators

|//summarizearg_maxbyextendtodynamicparse_jsonwheremv-expandtostringsort byrender

KQL Search

Visualization Incidents Triggered By Mitre Tactic

Query

Explanation

Details

Actions