RMM Hunting With Sentinel TI
Query
ThreatIntelIndicators
| where TimeGenerated > ago(365d)
| where now() between (ValidFrom .. ValidUntil)
| where isnotempty(Data.labels)
| mv-expand Data.labels
| where Data_labels has "mitre"
| extend MitreID = parse_json(tostring(Data_labels)).Alias
| where MitreID == "T1219" // Remote Access Tools
| summarize IOCcount=count() by ObservableKey, Confidence
| sort by IOCcount descExplanation
This KQL query is designed to analyze threat intelligence data, specifically looking for indicators related to a specific MITRE ATT&CK technique. Here's a simplified breakdown of what the query does:
-
Data Source: It starts by querying the
ThreatIntelIndicatorstable. -
Time Filter: It filters the data to include only records generated in the last 365 days.
-
Validity Check: It ensures that the current time (
now()) falls within the validity period of the threat indicators (ValidFromtoValidUntil). -
Label Check: It filters out records that have empty
Data.labels. -
Label Expansion: It expands the
Data.labelsfield to handle multiple labels within a single record. -
MITRE Label Filter: It further filters the records to include only those with labels containing the term "mitre".
-
MITRE ID Extraction: It extracts the MITRE technique ID from the labels and assigns it to a new field called
MitreID. -
Specific Technique Filter: It filters the records to include only those with the MITRE ID "T1219", which corresponds to "Remote Access Tools".
-
Count and Group: It counts the number of indicators (IOCcount) for each unique
ObservableKeyand groups them byConfidence. -
Sorting: Finally, it sorts the results in descending order based on the count of indicators (
IOCcount).
In summary, this query identifies and counts threat intelligence indicators related to the "Remote Access Tools" technique from the MITRE ATT&CK framework, within the last year, and sorts them by the number of occurrences.
