# Threat Intelligence Threat Types

## Query Information

#### Description
The query can be used to visualize the different threat types you get from the MDTI connector to Sentinel. Some examples could be botnet, phishing, MaliciousUrl, or entries from a watchlist. This query can only be used in Sentinel.

### References
- https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-defender-threat-intelligence
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/threatintelligenceindicator


## Sentinel
```KQL
ThreatIntelligenceIndicator
| summarize Total = count() by ThreatType
| render piechart with(title="Threat Intelligence Threat Types")
```

## Explanation

This query is designed to be used in Microsoft Sentinel, a security information and event management (SIEM) system. It focuses on analyzing threat intelligence data obtained from the Microsoft Defender Threat Intelligence (MDTI) connector. Here's a simple breakdown of what the query does:

  1. Data Source: It uses the ThreatIntelligenceIndicator table, which contains information about various cyber threats.

  2. Summarization: The query counts the total number of threat indicators for each type of threat. These threat types could include categories like botnet, phishing, MaliciousUrl, or entries from a watchlist.

  3. Visualization: The results are displayed as a pie chart, which provides a visual representation of the distribution of different threat types. The chart is titled "Threat Intelligence Threat Types."

In summary, this query helps security analysts quickly understand the composition of different threat types detected by the MDTI connector in their environment, using a pie chart for easy visualization.
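The ThreatIntelligenceIndicator table stores every version of an indicator as a separate row, so a plain `count()` also counts updates, expired indicators and ones that have since been deactivated. The following variant, an added example rather than the original query, keeps only the newest version of each indicator and drops inactive or expired ones before charting; the 30-day lookback is an assumption to adjust to your retention.

```kql
// Added example (not part of the original page): count each indicator once,
// using only its latest version, and drop inactive or expired indicators
// before charting the threat-type distribution.
ThreatIntelligenceIndicator
| where TimeGenerated > ago(30d)                          // lookback window (assumption)
| summarize arg_max(TimeGenerated, *) by IndicatorId     // newest row per indicator
| where Active == true                                   // ignore deactivated indicators
| where isnull(ExpirationDateTime) or ExpirationDateTime > now()  // ignore expired ones
| summarize Total = count() by ThreatType
| order by Total desc
| render piechart with(title="Active Threat Intelligence Indicators by Threat Type")
```

Comparing this chart against the original one shows how much of the raw count comes from indicator churn rather than distinct threats.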

## Details

Bert-Jan Pals

Released: October 20, 2024

Tables: ThreatIntelligenceIndicator

Keywords: ThreatIntelligenceIndicator, ThreatType

Operators: ThreatIntelligenceIndicator, summarize, count, by, render, piechart, with
