
List Most Triggered MITRE Techniques

Description

The results of this KQL query give insight into the top 10 MITRE ATT&CK techniques that have been triggered in the past 10 days. This can indicate which specific techniques adversaries are using to gain access to your environment. On the other hand, if this information is combined with false positive / benign positive (FP/BP) statistics, it can give insight into the detections that need to be improved.

Query

Microsoft Defender For Endpoint
Kusto
// Timeframe to collect alert statistics
let timeframe = 7d;
AlertInfo
| where Timestamp > ago(timeframe)
// Collect the last entry of each alert
| summarize arg_max(Timestamp, *) by AlertId
// Ensure that events with multiple techniques can be counted
| extend MitreTechnique = todynamic(AttackTechniques)
| mv-expand MitreTechnique
| summarize TriggerCount = count() by tostring(MitreTechnique)
| top 10 by TriggerCount

Microsoft Sentinel
Kusto
// Timeframe to collect incident statistics
let timeframe = 7d;
SecurityIncident
| where TimeGenerated > ago(timeframe)
// Collect the last entry of each incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Ensure that events with multiple techniques can be counted
| extend MitreTechnique = todynamic(AdditionalData).techniques
| mv-expand MitreTechnique
| summarize TriggerCount = count() by tostring(MitreTechnique)
| top 10 by TriggerCount
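The description above mentions combining the technique counts with FP/BP statistics to find detections that need tuning. The query below is an added example (not part of the original page) that does this for Microsoft Sentinel: it assumes the documented SecurityIncident columns Status and Classification, with the classification values TruePositive, BenignPositive and FalsePositive, and only counts closed incidents, since open ones carry no final classification.

```kusto
// Timeframe to collect incident statistics
let timeframe = 7d;
SecurityIncident
| where TimeGenerated > ago(timeframe)
// Keep only the latest state of each incident so the closure classification is current
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Only closed incidents carry a final classification (assumption: Status values New/Active/Closed)
| where Status == "Closed"
// Ensure that incidents with multiple techniques are counted once per technique
| extend MitreTechnique = todynamic(AdditionalData).techniques
| mv-expand MitreTechnique
| extend MitreTechnique = tostring(MitreTechnique)
| summarize
    TriggerCount = count(),
    TruePositives = countif(Classification == "TruePositive"),
    BenignPositives = countif(Classification == "BenignPositive"),
    FalsePositives = countif(Classification == "FalsePositive")
    by MitreTechnique
// Share of closed incidents per technique that were not true positives; a high
// ratio on a frequently triggered technique points at detections worth tuning
| extend NoiseRatio = round(todouble(FalsePositives + BenignPositives) / TriggerCount, 2)
| top 10 by TriggerCount
| project MitreTechnique, TriggerCount, TruePositives, BenignPositives, FalsePositives, NoiseRatio
```

Incidents closed as Undetermined are included in TriggerCount but in none of the classification columns, so the three counts need not sum to the total.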
