Microsoft Defender ATP Telemetry: Viewing MITRE ATT&CK Context

PART 1 OF A 3 PART SERIES

 

MITRE ATT&CK is a great framework and it has been adopted by the vast majority of the cybersecurity industry over the past few years. This can be seen on both the vendor side and on the client side. Many organizations are aligning to ATT&CK and some enterprises would like to, but just don’t know where to start. In this post, we will demonstrate how organizations can prioritize efforts based on alert information they are already receiving from Windows Defender ATP.

 

Microsoft Defender ATP 1

 

Figure 1: Defender ATP Advanced Hunting Alert Events

 

During this series of posts, I will explain how to turn ATP alert data seen above into the workbook seen below.

 

Microsoft Defender ATP 2

 

Figure 2: Custom MITRE visualization with an Azure Workbook

 

There are workbooks in Azure Sentinel that show how it can be used to align with MITRE’s ATT&CK, but what if my organization is only using Windows Defender ATP and not leveraging Sentinel? How can I get the same types of reports from my endpoints and narrow the focus of mitigation efforts?

 

Let’s start with Defender ATP. Defender ATP has included ATT&CK Tactic and Technique IDs in alerts for some time now. An example of this can be seen in the screenshot below. It is also important to note that not all alerts in DATP will contain an associated tactic category or technique.

 

Microsoft Defender ATP 3

 

Figure 3: Microsoft Defender Security Center Alert

 

There are 12 tactic categories listed in MITRE ATT&CK for Enterprise. Analysts can query “DeviceAlertEvents” and view the category column and see associated MITRE Tactic categories mixed in with those events flagged as Malware, SuspiciousActivity.

 

Microsoft Defender ATP 4

 

Figure 4: Advanced Hunting query showing ATT&CK Tactic categories

 

Filtering DeviceAlertsEvents with a “where” statement to only include MITRE Tactic categories will return only the DeviceAlertsEvents that we are interested in. The query below will produce these filtered results, summarize the count by category, and create a pie chart with the results.

 

DeviceAlertEvents
| where Category == "InitialAccess"
or Category == "Execution"
or Category == "Persistence"
or Category == "PrivilegeEscalation"
or Category == "DefenseEvasion"
or Category == "CredentialAccess"
or Category == "Discovery"
or Category == "LateralMovement"
or Category == "Collection"
or Category == "CommandAndControl"
or Category == "Exfiltration"
or Category == "Impact"
| summarize count() by Category
| render piechart

 

Microsoft Defender ATP 5

 

Figure 5: Advanced Hunting query displaying pie chart by Tactic category

 

This pie chart can help an organization understand what ATT&CK Tactic category is appearing most often in their alerts and should probably have the highest priority in their environment. Better yet, it is based on their own alert data. This is nice, but it is still high level. Let’s drill down to the technique level and help narrow the focus. If we again query device alerts where the ATT&CK technique is not empty, we can see a list of alerts that contain one or more techniques associated with them.

 

Microsoft Defender ATP 6

 

Figure 6: Advanced Hunting query showing ATT&CK Techniques

 

This is helpful, but we need to split out alerts containing multiple alerts to get a true technique count. Using mvexpand todynamic helps us split out the column results with multiple techniques and make them appear in individual rows.

 

DeviceAlertEvents
| where AttackTechniques != ""
| mvexpand todynamic(AttackTechniques)

 

The above query will split the results into individual rows as seen below.

 

Microsoft Defender ATP 7

 

Figure 7: Advanced Hunting results with separated Techniques

 

We can now summarize the count and create a chart with the following query.

 

DeviceAlertEvents
| where AttackTechniques != ""
| mvexpand todynamic(AttackTechniques)
| summarize count() by tostring(AttackTechniques)
| render barchart

 

The results may provide organizations a way to prioritize efforts based specific techniques adversaries are using against them.

 

Microsoft Defender ATP 8

 

Figure 8: Advanced Hunting query displaying bar chart of Techniques

 

Keep in mind the results do not show if the events were prevented and additional analysis on individual alerts may be needed to ensure these alerts are true positives.

 

These searches can be very useful, but the analyst is limited to searching over 30 days and the query would need to be manually executed each time to get the results. What if I wanted to create a dashboard that displayed this information? This where things get a little more complex, but it can be accomplished by using an Azure Log Analytics workspace. In the next post, I will go over a process to import WDATP logs into an workspace using an Azure Logic App.

 

Read more from this 3 part series.
Microsoft Defender ATP Telemetry: Azure Log Analytics Workspace (Part 2)
Microsoft Defender ATP Telemetry: Workbook Visualizations (Part 3)

Dan Kiraly
Senior Research Scientist | Optiv
Dan Kiraly is senior research scientist on Optiv’s R&D team. In this role he's responsible for use case development and the vetting of security products for Optiv.