Defender ATP Telemetry: Viewing MITRE ATT&CK Context

June 11, 2020

Microsoft Defender ATP Telemetry: Viewing MITRE ATT&CK Context

PART 1 OF A 3 PART SERIES

MITRE ATT&CK is a great framework and it has been adopted by the vast majority of the cybersecurity industry over the past few years. This can be seen on both the vendor side and on the client side. Many organizations are aligning to ATT&CK and some enterprises would like to, but just don’t know where to start. In this post, we will demonstrate how organizations can prioritize efforts based on alert information they are already receiving from Windows Defender ATP.

Microsoft Defender ATP 1

Figure 1: Defender ATP Advanced Hunting Alert Events

During this series of posts, I will explain how to turn ATP alert data seen above into the workbook seen below.

Microsoft Defender ATP 2

Figure 2: Custom MITRE visualization with an Azure Workbook

There are workbooks in Azure Sentinel that show how it can be used to align with MITRE’s ATT&CK, but what if my organization is only using Windows Defender ATP and not leveraging Sentinel? How can I get the same types of reports from my endpoints and narrow the focus of mitigation efforts?

Let’s start with Defender ATP. Defender ATP has included ATT&CK Tactic and Technique IDs in alerts for some time now. An example of this can be seen in the screenshot below. It is also important to note that not all alerts in DATP will contain an associated tactic category or technique.

Microsoft Defender ATP 3

Figure 3: Microsoft Defender Security Center Alert

There are 12 tactic categories listed in MITRE ATT&CK for Enterprise. Analysts can query “DeviceAlertEvents” and view the category column and see associated MITRE Tactic categories mixed in with those events flagged as Malware, SuspiciousActivity.

Microsoft Defender ATP 4

Figure 4: Advanced Hunting query showing ATT&CK Tactic categories

Filtering DeviceAlertsEvents with a “where” statement to only include MITRE Tactic categories will return only the DeviceAlertsEvents that we are interested in. The query below will produce these filtered results, summarize the count by category, and create a pie chart with the results.


DeviceAlertEvents
 
| where Category == "InitialAccess"

or Category == "Execution" 

or Category == "Persistence"

or Category == "PrivilegeEscalation"

or Category == "DefenseEvasion"

or Category == "CredentialAccess"

or Category == "Discovery"

or Category == "LateralMovement"

or Category == "Collection"

or Category == "CommandAndControl"

or Category == "Exfiltration"

or Category == "Impact"

| summarize count() by Category

| render piechart

Microsoft Defender ATP 5

Figure 5: Advanced Hunting query displaying pie chart by Tactic category

This pie chart can help an organization understand what ATT&CK Tactic category is appearing most often in their alerts and should probably have the highest priority in their environment. Better yet, it is based on their own alert data. This is nice, but it is still high level. Let’s drill down to the technique level and help narrow the focus. If we again query device alerts where the ATT&CK technique is not empty, we can see a list of alerts that contain one or more techniques associated with them.

Microsoft Defender ATP 6

Figure 6: Advanced Hunting query showing ATT&CK Techniques

This is helpful, but we need to split out alerts containing multiple alerts to get a true technique count. Using mvexpand todynamic helps us split out the column results with multiple techniques and make them appear in individual rows.


DeviceAlertEvents 

| where AttackTechniques != ""

| mvexpand todynamic(AttackTechniques)

The above query will split the results into individual rows as seen below.

Microsoft Defender ATP 7

Figure 7: Advanced Hunting results with separated Techniques

We can now summarize the count and create a chart with the following query.


DeviceAlertEvents 

| where AttackTechniques != ""

| mvexpand todynamic(AttackTechniques)

| summarize count() by tostring(AttackTechniques)

| render barchart

The results may provide organizations a way to prioritize efforts based specific techniques adversaries are using against them.

Microsoft Defender ATP 8

Figure 8: Advanced Hunting query displaying bar chart of Techniques

Keep in mind the results do not show if the events were prevented and additional analysis on individual alerts may be needed to ensure these alerts are true positives.

These searches can be very useful, but the analyst is limited to searching over 30 days and the query would need to be manually executed each time to get the results. What if I wanted to create a dashboard that displayed this information? This where things get a little more complex, but it can be accomplished by using an Azure Log Analytics workspace. In the next post, I will go over a process to import WDATP logs into an workspace using an Azure Logic App.

By:

Dan Kiraly

Senior Research Scientist | Optiv

Dan Kiraly is senior research scientist on Optiv’s R&D team. In this role he's responsible for use case development and the vetting of security products for Optiv.

No license, express or implied, to any intellectual property or other content is granted or intended hereby.

This blog is provided to you for information purposes only. While the information contained in this site has been obtained from sources believed to be reliable, Optiv disclaims all warranties as to the accuracy, completeness or adequacy of such information.

Links to third party sites are provided for your convenience and do not constitute an endorsement by Optiv. These sites may not have the same privacy, security or accessibility standards.