Saturday, May 17, 2025

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Build+Break+Secure

Learn by building. Master by breaking. Secure by obsession.

Kusto Query LanguageMicrosoft SentinelSECURE

Visualize MITRE ATT&CK Tactics Triggered On Microsoft Sentinel Incidents

Wayne Andes 3 min read

Description

This KQL query visualizes the incidents that have been triggered for each MITRE ATT&CK Tactic. This will give an overview of the amount of incidents that have triggered for each specific tactic.

Query

Microsoft Sentinel
Kusto
SecurityIncident
// Collect last argumtent of incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| extend MitreTactic = todynamic(parse_json(AdditionalData).tactics)
// Filter only on Incidents that contain Mitre Tactic
| where MitreTactic != "[]"
| mv-expand MitreTactic
| extend MitreTactic = tostring(MitreTactic)
| summarize count() by MitreTactic
| sort by count_
| render columnchart  with (title="Incidents triggered by MITRE ATT&CK Tactics", ytitle="Incidents Triggered")

You May Also Like

List Azure Monitor Agent Connector Failures In Syslog

Wayne Andes

List Domain User Account Added To Sensitive Group Using Command-line

Wayne Andes

List Unblocked Ngrok Activity Logged By Symantec Endpoint Protection

Wayne Andes

Leave a Reply

Your email address will not be published. Required fields are marked *