Microsoft Defender ATP Telemetry: Viewing MITRE ATT&CK Context (Part 1)
June 11, 2020
Part 1 of a 3-part series

MITRE ATT&CK is a great framework, and it has been adopted by the vast majority of the cybersecurity industry over the past few years. This can be seen on both the vendor side and the client side. Many organizations are aligning to ATT&CK, and some enterprises would like to but just don't know where to start. In this post, we will demonstrate how organizations can prioritize efforts based on alert information they are already receiving from Windows Defender ATP.

Figure 1: Defender ATP Advanced Hunting Alert Events

During this series of posts, I will explain how to turn the ATP alert data seen above into the workbook seen below.

Figure 2: Custom MITRE visualization with an Azure Workbook

There are workbooks in Azure Sentinel that show how it can be used to align with MITRE ATT&CK, but what if my organization is only using Windows Defender ATP and not leveraging Sentinel? How can I get the same types of reports from my endpoints and narrow the focus of mitigation efforts?

Let's start with Defender ATP. Defender ATP has included ATT&CK Tactic and Technique IDs in alerts for some time now. An example of this can be seen in the screenshot below. It is also important to note that not all alerts in DATP will contain an associated tactic category or technique.

Figure 3: Microsoft Defender Security Center Alert

There are 12 tactic categories listed in MITRE ATT&CK for Enterprise. Analysts can query the "DeviceAlertEvents" table and view the Category column to see the associated MITRE Tactic categories mixed in with events flagged as Malware or SuspiciousActivity.
Figure 4: Advanced Hunting query showing ATT&CK Tactic categories

Filtering DeviceAlertEvents with a "where" statement to only include the MITRE Tactic categories will return only the DeviceAlertEvents rows we are interested in. The query below produces these filtered results, summarizes the count by category, and renders a pie chart of the results.

    DeviceAlertEvents
    | where Category == "InitialAccess" or Category == "Execution" or Category == "Persistence"
        or Category == "PrivilegeEscalation" or Category == "DefenseEvasion" or Category == "CredentialAccess"
        or Category == "Discovery" or Category == "LateralMovement" or Category == "Collection"
        or Category == "CommandAndControl" or Category == "Exfiltration" or Category == "Impact"
    | summarize count() by Category
    | render piechart

Figure 5: Advanced Hunting query displaying pie chart by Tactic category

This pie chart can help an organization understand which ATT&CK Tactic category appears most often in its alerts and should probably have the highest priority in its environment. Better yet, it is based on the organization's own alert data.

This is nice, but it is still high level. Let's drill down to the technique level and help narrow the focus. If we again query device alerts, this time where the ATT&CK technique field is not empty, we get a list of alerts that have one or more techniques associated with them.

Figure 6: Advanced Hunting query showing ATT&CK Techniques

This is helpful, but an alert can carry several techniques in the single AttackTechniques column, so we need to split out alerts containing multiple techniques to get a true technique count. Using mvexpand with todynamic splits the column values that hold multiple techniques so that each technique appears in its own row.

    DeviceAlertEvents
    | where AttackTechniques != ""
    | mvexpand todynamic(AttackTechniques)

The above query will split the results into individual rows as seen below.

Figure 7: Advanced Hunting results with separated Techniques

We can now summarize the count and create a chart with the following query.
    DeviceAlertEvents
    | where AttackTechniques != ""
    | mvexpand todynamic(AttackTechniques)
    | summarize count() by tostring(AttackTechniques)
    | render barchart

The results may give organizations a way to prioritize efforts based on the specific techniques adversaries are using against them.

Figure 8: Advanced Hunting query displaying bar chart of Techniques

Keep in mind that the results do not show whether the events were prevented, and additional analysis of individual alerts may be needed to ensure these alerts are true positives.

These searches can be very useful, but the analyst is limited to searching over 30 days, and the query would need to be executed manually each time to get fresh results. What if I wanted to create a dashboard that displayed this information? This is where things get a little more complex, but it can be accomplished by using an Azure Log Analytics workspace. In the next post, I will go over a process to import WDATP logs into a workspace using an Azure Logic App.

Read more from this 3-part series:
- Microsoft Defender ATP Telemetry: Azure Log Analytics Workspace (Part 2)
- Microsoft Defender ATP Telemetry: Workbook Visualizations (Part 3)

By: Dan Kiraly, Senior Research Scientist | Optiv
Dan Kiraly is a senior research scientist on Optiv's R&D team. In this role he is responsible for use case development and the vetting of security products for Optiv.
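To make the difference between the two Advanced Hunting queries in the post concrete, here is an added Python example (not from the original post or from Microsoft) that runs the same tactic filter and the mvexpand-style technique split over a handful of constructed DeviceAlertEvents rows. It assumes AttackTechniques arrives as a JSON-array string (which is what todynamic() parses in the query); the alert rows and their technique values are constructed sample data, not real telemetry.

```python
import json
from collections import Counter

# The 12 ATT&CK for Enterprise tactic categories used in the post's "where" filter.
TACTICS = {
    "InitialAccess", "Execution", "Persistence", "PrivilegeEscalation",
    "DefenseEvasion", "CredentialAccess", "Discovery", "LateralMovement",
    "Collection", "CommandAndControl", "Exfiltration", "Impact",
}

# Constructed sample rows standing in for DeviceAlertEvents (not real data).
# AttackTechniques is modelled as the JSON-array string Advanced Hunting returns;
# a1 carries two techniques, a2 carries none.
SAMPLE_ALERTS = [
    {"AlertId": "a1", "Category": "Execution",
     "AttackTechniques": '["Scheduled Task (T1053)","Credential Dumping (T1003)"]'},
    {"AlertId": "a2", "Category": "Malware", "AttackTechniques": ""},
    {"AlertId": "a3", "Category": "CredentialAccess",
     "AttackTechniques": '["Process Injection (T1055)"]'},
    {"AlertId": "a4", "Category": "SuspiciousActivity",
     "AttackTechniques": '["Scheduled Task (T1053)"]'},
    {"AlertId": "a5", "Category": "Execution",
     "AttackTechniques": '["Scheduled Task (T1053)"]'},
]

def count_by_tactic(alerts):
    """Mirror of: where Category in the 12 tactics | summarize count() by Category.
    Malware / SuspiciousActivity rows are dropped because they are not tactics."""
    return Counter(a["Category"] for a in alerts if a["Category"] in TACTICS)

def expand_techniques(alerts):
    """Mirror of: where AttackTechniques != "" | mvexpand todynamic(AttackTechniques).
    Yields one (AlertId, technique) row per technique, so an alert that carries
    two techniques becomes two rows; the empty-string case is skipped."""
    for a in alerts:
        raw = a["AttackTechniques"]
        if raw == "":
            continue
        for technique in json.loads(raw):
            yield a["AlertId"], technique

def count_by_technique(alerts):
    """Mirror of: ... | summarize count() by tostring(AttackTechniques)."""
    return Counter(technique for _, technique in expand_techniques(alerts))

if __name__ == "__main__":
    print(count_by_tactic(SAMPLE_ALERTS))      # Execution: 2, CredentialAccess: 1
    print(count_by_technique(SAMPLE_ALERTS))   # T1053: 3, T1003: 1, T1055: 1
```

Note that four alerts carry techniques but the expanded output has five rows, which is exactly the gap the post's mvexpand step closes when counting techniques.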