Query Details

Entra Risk Events MITRE ATTCK Analysis

Query

// Entra Risk Events & MITRE ATT&CK Analysis
// https://www.linkedin.com/posts/activity-7195030571205476352-a2RE/

// Are you aware of which MITRE ATT&CK techniques correspond to the Entra identity protection risk events linked to your tenant? Executing the following KQL query will reveal the most prevalent technique utilized by adversaries or the risk encountered by your users upon the triggering of an identity alert. Assess the techniques that trigger most frequently in relation to your Microsoft Sentinel MITRE ATT&CK (preview) coverage to ascertain whether your analytics rules are robust enough to detect these commonly occurring techniques.

AADUserRiskEvents
| where TimeGenerated > ago(90d)
| mv-expand AdditionalInfo
| where AdditionalInfo contains "mitreTechniques"
| extend MitreAttack = tostring(parse_json(tostring(AdditionalInfo)).Value)
| summarize Count=count() by MitreAttack
| sort by Count desc

// MITRE ATT&CK Mapping
//The query is designed to identify and count the occurrences of different MITRE ATT&CK techniques found in the AADUserRiskEvents. The MitreAttack field will contain the specific techniques, such as T1078 (Valid Accounts), T1110 (Brute Force), etc.

Explanation

This KQL query is designed to analyze identity protection risk events in your Microsoft environment, specifically focusing on mapping these events to MITRE ATT&CK techniques. Here's a simple breakdown of what the query does:

  1. Data Source: It looks at the AADUserRiskEvents table, which logs risk events related to Azure Active Directory users.

  2. Time Frame: The query filters events from the last 90 days.

  3. Extracting Techniques: It expands the AdditionalInfo field to find entries that contain "mitreTechniques," which are specific methods used by attackers.

  4. Parsing Data: It extracts and converts these techniques into a readable format, storing them in a new field called MitreAttack.

  5. Counting Occurrences: The query counts how often each MITRE ATT&CK technique appears in the risk events.

  6. Sorting Results: Finally, it sorts these techniques by their frequency, from most to least common.

The purpose of this query is to help you understand which attack techniques are most frequently associated with identity alerts in your environment. By identifying these, you can evaluate whether your security measures and analytics rules in Microsoft Sentinel are effective at detecting these common threats.

Details

Steven Lim profile picture

Steven Lim

Released: August 5, 2024

Tables

AADUserRiskEvents

Keywords

AADUserRiskEventsMitreAttackAdditionalInfoTimeGeneratedCount

Operators

wheremv-expandcontainsextendtostringparse_jsonsummarizecountbysortdesc

MITRE Techniques

Actions

GitHub