Top MITRE Techniques Triggered Using KQL in Sentinel and Defender
Understanding which MITRE ATT&CK techniques are most frequently triggered helps in identifying current attacker patterns and potential gaps in your security stack. Using KQL, this analysis pulls the top 10 most triggered techniques from both Microsoft Defender for Endpoint and Microsoft Sentinel over the past week. These insights support fine-tuning of detection rules and distinguishing between legitimate threats and possible false positives.
Risk
Failing to identify trending MITRE techniques can lead to blind spots in threat detection. Attackers often reuse effective tactics, and overlooking them may give adversaries a free pass. Frequent triggers of specific techniques could also suggest tuning issues, generating noise that hides real attacks.
Query
Microsoft Defender For Endpoint
let timeframe = 7d;
AlertInfo
| where Timestamp > ago(timeframe)
// Collect the last entry of each alert
| summarize arg_max(Timestamp, *) by AlertId
// Ensure that events with multiple techniques can be counted
| extend MitreTechnique = todynamic(AttackTechniques)
| mv-expand MitreTechnique
| summarize TriggerCount = count() by tostring(MitreTechnique)
| top 10 by TriggerCountMicrosoft Sentinel
// Timeframe to collect incident statistics
let timeframe = 7d;
SecurityIncident
| where TimeGenerated > ago(timeframe)
// Collect the last entry of each alert
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Ensure that events with multiple techniques can be counted
| extend MitreTechnique = todynamic(AdditionalData).techniques
| mv-expand MitreTechnique
| summarize TriggerCount = count() by tostring(MitreTechnique)
| top 10 by TriggerCountBoth queries operate by filtering alerts or incidents from the past 7 days, grabbing the latest record per alert or incident, then expanding and counting each MITRE technique involved. The result? A prioritized list of techniques used most often—your hit list for focused threat hunting and rule hardening.