# Identify MITRE ATT&CK Techniques

## Description

The following queries, one for Microsoft Sentinel and one for Microsoft 365 Defender, render a graphic representation of the MITRE ATT&CK techniques referenced by alerts within the defined time range.

## References
- https://attack.mitre.org/techniques/enterprise/

### Microsoft 365 Defender
```
AlertInfo
// Define timerange
| where Timestamp > ago(30d)
// Keep only alerts that carry a technique mapping
| where AttackTechniques != ""
// Expand the JSON array so each technique becomes its own row
| mvexpand todynamic(AttackTechniques)
| summarize count() by tostring(AttackTechniques)
// Define graphic
| render piechart
```

### Microsoft Sentinel
```
SecurityAlert
// Define timerange
| where TimeGenerated > ago(30d)
// Keep only alerts that carry a technique mapping
| where isnotempty(Techniques)
// Expand the JSON array so each technique becomes its own row (as strings)
| mvexpand todynamic(Techniques) to typeof(string)
// Count distinct alert IDs, so repeated rows for the same alert are not double counted
| summarize AlertCount = dcount(SystemAlertId) by Techniques
| sort by AlertCount desc
// Define graphic
| render piechart
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 01/02/2023    | Initial publish                        |
| 1.1           | 18/05/2023    | Transformed to template, minor changes |

Explanation

The query identifies the MITRE ATT&CK techniques referenced by alerts within a specified time range and visualises them; versions are given for Microsoft Sentinel and Microsoft 365 Defender. Each version expands the per-alert technique list, counts the occurrences of each technique (distinct alerts, in the Sentinel version) and displays the result as a pie chart.
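To make the two pipelines concrete, here is an added Python emulation (not part of the original query page) that runs the same filter, expand and aggregate steps over constructed sample rows. Column names come from the queries above; the row values and the "Name (Txxxx)" technique format are assumed for illustration.

```python
import json
from collections import Counter, defaultdict

# Constructed rows standing in for Microsoft 365 Defender AlertInfo, where
# AttackTechniques is a JSON-encoded array stored in a string column.
ALERT_INFO_ROWS = [
    {"AlertId": "da1", "AttackTechniques":
        '["Command and Scripting Interpreter (T1059)", "Obfuscated Files or Information (T1027)"]'},
    {"AlertId": "da2", "AttackTechniques": '["Command and Scripting Interpreter (T1059)"]'},
    {"AlertId": "da3", "AttackTechniques": ""},  # removed by `where AttackTechniques != ""`
]

# Constructed rows standing in for Microsoft Sentinel SecurityAlert; the same
# alert can appear more than once as its status is updated.
SECURITY_ALERT_ROWS = [
    {"SystemAlertId": "sa1", "Techniques": '["T1059"]'},
    {"SystemAlertId": "sa1", "Techniques": '["T1059"]'},  # second row for the same alert
    {"SystemAlertId": "sa2", "Techniques": '["T1059", "T1027"]'},
    {"SystemAlertId": "sa3", "Techniques": None},  # removed by isnotempty(Techniques)
]

def expand_techniques(rows, column):
    """Emulate the non-empty filter plus `mvexpand todynamic(column) to typeof(string)`:
    yields one (row, technique) pair per array element."""
    for row in rows:
        raw = row.get(column)
        if not raw:  # "" and null both fail the where filter
            continue
        for technique in json.loads(raw):
            yield row, str(technique)

def defender_counts(rows):
    """`summarize count() by tostring(AttackTechniques)`: counts expanded rows."""
    return Counter(t for _, t in expand_techniques(rows, "AttackTechniques"))

def sentinel_counts(rows):
    """`summarize AlertCount = dcount(SystemAlertId) by Techniques | sort by AlertCount desc`:
    counts distinct alert IDs, so a re-ingested alert is not counted twice."""
    ids_by_technique = defaultdict(set)
    for row, t in expand_techniques(rows, "Techniques"):
        ids_by_technique[t].add(row["SystemAlertId"])
    return sorted(((t, len(ids)) for t, ids in ids_by_technique.items()),
                  key=lambda pair: pair[1], reverse=True)

if __name__ == "__main__":
    print(defender_counts(ALERT_INFO_ROWS))    # T1059 entry: 2, T1027 entry: 1
    print(sentinel_counts(SECURITY_ALERT_ROWS))  # [('T1059', 2), ('T1027', 1)]
```

A plain row count over the Sentinel sample would report T1059 three times; dcount on SystemAlertId reports two, which is why the Sentinel query uses it.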

Details

Michalis Michalos

Released: August 14, 2023

Tables

AlertInfo, SecurityAlert

Keywords

MITRE,ATT&CK,Techniques,Microsoft,Sentinel,365,Defender,AlertInfo,Timestamp,AttackTechniques,render,piechart,SecurityAlert,TimeGenerated,Techniques,AlertCount,SystemAlertId,sort,desc

Operators

|, //, >, ago(), !=, mvexpand, todynamic(), summarize, count(), by, tostring(), render, piechart, isnotempty(), typeof(), dcount(), sort by, desc
