Query Details

Visualize MITRE ATT&CK Tactics on triggered Sentinel incidents

Visualization Incidents Triggered By Mitre Tactic

Query

SecurityIncident
// Collect last argumtent of incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| extend MitreTactic = todynamic(parse_json(AdditionalData).tactics)
// Filter only on Incidents that contain Mitre Tactic
| where MitreTactic != "[]"
| mv-expand MitreTactic
| extend MitreTactic = tostring(MitreTactic)
| summarize count() by MitreTactic
| sort by count_
| render columnchart  with (title="Incidents triggered by MITRE ATT&CK Tactics", ytitle="Incidents Triggered")

About this query

Visualize MITRE ATT&CK Tactics on triggered Sentinel incidents

Query Information

Description

This query visualizes the incidents that have been triggered for each MITRE ATT&CK Tactic. This will give an overview of the amount of incidents that have triggered for each specific tactic.

References

Sentinel

Explanation

This query is designed to provide a visual representation of security incidents in Microsoft Sentinel that are associated with different MITRE ATT&CK tactics. Here's a simplified breakdown of what the query does:

  1. Data Collection: It starts by gathering the most recent information for each security incident, identified by their unique incident numbers.

  2. Extracting Tactics: From each incident, it extracts the MITRE ATT&CK tactics, which are stored in a field called AdditionalData.

  3. Filtering: The query filters out incidents that do not have any associated MITRE ATT&CK tactics, ensuring that only relevant incidents are considered.

  4. Expanding Tactics: For incidents with multiple tactics, it expands them so each tactic is treated individually.

  5. Counting Incidents: It counts how many times each tactic appears across all incidents.

  6. Sorting and Visualization: The results are sorted by the count of incidents per tactic, and then displayed as a column chart. The chart is titled "Incidents triggered by MITRE ATT&CK Tactics" and shows the number of incidents on the y-axis.

Overall, this query helps security analysts quickly understand which MITRE ATT&CK tactics are most frequently associated with triggered incidents in their environment.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: December 1, 2024

Tables

SecurityIncident

Keywords

SecurityIncidentMitreTacticTimeGeneratedNumberAdditionalDataCountIncidentsTriggeredColumnchartTitleYtitle

Operators

summarizearg_maxbyextendtodynamicparse_jsonwhere!=mv-expandtostringcountsortrenderwith

Actions

GitHub