Visualize MITRE ATT&CK Tactics on triggered Sentinel incidents
Visualization Incidents Triggered By Mitre Tactic
Query
SecurityIncident
// Collect last argumtent of incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| extend MitreTactic = todynamic(parse_json(AdditionalData).tactics)
// Filter only on Incidents that contain Mitre Tactic
| where MitreTactic != "[]"
| mv-expand MitreTactic
| extend MitreTactic = tostring(MitreTactic)
| summarize count() by MitreTactic
| sort by count_
| render columnchart with (title="Incidents triggered by MITRE ATT&CK Tactics", ytitle="Incidents Triggered")About this query
Visualize MITRE ATT&CK Tactics on triggered Sentinel incidents
Query Information
Description
This query visualizes the incidents that have been triggered for each MITRE ATT&CK Tactic. This will give an overview of the amount of incidents that have triggered for each specific tactic.
References
Sentinel
Explanation
This query is designed to provide a visual representation of security incidents in Microsoft Sentinel that are associated with different MITRE ATT&CK tactics. Here's a simplified breakdown of what the query does:
-
Data Collection: It starts by gathering the most recent information for each security incident, identified by their unique incident numbers.
-
Extracting Tactics: From each incident, it extracts the MITRE ATT&CK tactics, which are stored in a field called
AdditionalData. -
Filtering: The query filters out incidents that do not have any associated MITRE ATT&CK tactics, ensuring that only relevant incidents are considered.
-
Expanding Tactics: For incidents with multiple tactics, it expands them so each tactic is treated individually.
-
Counting Incidents: It counts how many times each tactic appears across all incidents.
-
Sorting and Visualization: The results are sorted by the count of incidents per tactic, and then displayed as a column chart. The chart is titled "Incidents triggered by MITRE ATT&CK Tactics" and shows the number of incidents on the y-axis.
Overall, this query helps security analysts quickly understand which MITRE ATT&CK tactics are most frequently associated with triggered incidents in their environment.
Details

Bert-Jan Pals
Released: December 1, 2024
Tables
Keywords
Operators