Monday, May 19, 2025

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Kusto Query LanguageMicrosoft SentinelSECURE

KQL Query for MITRE ATT&CK Techniques on Microsoft Sentinel Incidents

Wayne Andes 4 min read

Using KQL, this query provides a clear visualization of MITRE ATT&CK techniques triggered by incidents in Microsoft Sentinel. It breaks down how many incidents correspond to each technique under different MITRE ATT&CK tactics. This overview helps identify which techniques are frequently involved in triggering incidents, offering insight into potential threat trends and areas requiring focused security attention.

Risk

Monitoring triggered MITRE ATT&CK techniques is crucial for understanding attacker behavior and improving detection strategies. Overlooking frequent techniques may result in blind spots within your security monitoring, leading to delayed incident response or undetected threats.

Query

Microsoft Sentinel

Kusto
SecurityIncident
// Collect last argumtent of incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| extend
     MitreTactic = todynamic(parse_json(AdditionalData).tactics),
     MitreTechnique = todynamic(parse_json(AdditionalData).techniques)
// Filter only on incidents that contain Mitre Tactic and Technique
| where MitreTactic != "[]" and MitreTechnique != "[]"
// Add a row for each MitreTactic and MitreTechnique
| mv-expand MitreTactic, MitreTechnique
| extend MitreTactic = tostring(MitreTactic), MitreTechnique = tostring(MitreTechnique)
| project MitreTactic, MitreTechnique
// Count the total incidents by tactic and technique
| summarize count() by MitreTactic, MitreTechnique
| render columnchart with (title="MITRE ATT&CK Techniques triggered by Tactic", ytitle="Total Incidents")

This query starts by gathering the most recent data for each incident, extracting the MITRE ATT&CK tactics and techniques from the incident’s additional data. It filters out incidents that do not have this information, then expands the list of tactics and techniques so each can be counted individually. Finally, it summarizes the total count of incidents triggered by each combination of tactic and technique, displaying the results in a column chart for easy visualization.

You May Also Like

Detect Suspicious Files with VMware Carbon Black Using KQL Query

Wayne Andes

List Guest Users with Azure Active Directory Roles

Wayne Andes

Detect Malicious Files Using KQL in VMware Carbon Black App Control

Wayne Andes

Leave a Reply

Your email address will not be published. Required fields are marked *