Microsoft Defender ATP Telemetry: Workbook Visualizations (Part 3)
June 11, 2020

Part 3 of a 3-part series

In my first post in this series, Microsoft Defender ATP Telemetry: Viewing MITRE ATT&CK Context, I explained how clients can visualize MITRE Tactic and Technique charts from Advanced Hunting queries in Defender ATP. In the second post, Microsoft Defender ATP Telemetry: Azure Log Analytics Workspace, I went over how these logs can be ingested into a newly created workspace with a Logic App. In this final post I will go over creating a simple Log Analytics workbook to visualize the data in a way that I prefer.

Under the General section of the workspace, choose "Workbooks" and then select "Empty" on the right-hand side under Quick start.

Figure 1: Newly created Log Analytics workspace

The first thing I am going to do is add some text to describe the Workbook. This text can be anything you choose; it is just a description for the analyst.

Figure 2: Workbook - Text Settings

I chose to save the Workbook and edit the title at this point before moving on.

Figure 3: Workbook - Text Settings

Next I decided to add URL links to each of the MITRE ATT&CK Tactic sections (Add > Links).

Figure 3: Workbook - Adding Links

The link style was changed to Navigation.

Figure 4: Workbook -> Adding Links -> Style -> Navigation

This produces a clean links section.

Figure 4: Tactic category Link Navigation

Next I wanted to add two pie charts in the same group to show Tactics seen this week and Tactics seen the previous week. I accomplished this by adding a group to start (Add > Group) and then renaming the group.

Figure 5: Workbook -> Group Creation

We are going to add a query to the group using the Add menu.

Figure 6: Creation of a query within the newly created Group

The first query searches the DefenderTTPs_CL logs (or whatever your custom log name is) for events whose timestamp falls between 7 days ago and 1 minute ago, and summarizes the results by Category. The results were rendered as a pie chart, selected under the Visualization drop-down, as seen in the image below.

Note: I included a where statement requiring TimeGenerated not to be empty. I wanted to focus on the Timestamp_t field. I am sure there are other ways to do this during ingestion or with parameters, but this serves as a workaround.

    DefenderTTPs_CL
    // TimeGenerated is set to not blank because in this example we are using Timestamp_t.
    | where TimeGenerated != ""
    | where Timestamp_t between (ago(7d) .. ago(1m))
    | summarize count() by Category

Figure 7: Query for Tactics with timestamps over the last seven days

Under Advanced Settings I chose to make the data exportable to CSV.

Figure 8: Query -> Advanced Settings Excel Export

The Style of the chart needs to be changed so that an additional pie chart can be placed next to it in the workbook.

Figure 9: Query -> Style Settings

The results are shown in the pie chart below. Note: if "Other" is listed, it is not an ATT&CK category but a consolidation of the smaller values.

Figure 10: Tactics Seen This Week Pie Chart

Once again we need to add a query to the group. This query is similar to the one above, except that the Timestamp of the results is between 14 and 7 days ago, as seen below. Also note that Time Range is set to "Set in query".

    DefenderTTPs_CL
    // TimeGenerated is set to not blank because in this example we are using Timestamp_t.
    | where TimeGenerated != ""
    | where Timestamp_t between (ago(14d) .. ago(7d))
    | summarize count() by Category

Figure 11: Query for Tactics with timestamps between fourteen and seven days ago
Figure 12: Creation of a query within the newly created Group
Figure 13: Current workbook

Next we are going to create a bar chart of techniques used in the environment over a period of our choosing, leveraging a drop-down box to select the time. The first thing to do is add a new parameter. The new parameter will be called TimeRange and will be a Time range picker. Check that it is required. I have optionally unchecked all times under 24 hours.

Figure 14: Parameter Creation

Once saved you should see something like this. Next we need to add a new query. There is an added where statement that applies the selected time range to the Timestamp value of the alert. Otherwise the time range would be applied to TimeGenerated and not to the actual time of the alert. Note the green arrow: in order to test this query a time range needs to be selected.

    DefenderTTPs_CL
    | where AttackTechniques_s != ""
    | where Timestamp_t {TimeRange}
    // AttackTechniques_s holds a JSON array of technique IDs; expand it to one row per technique
    | mv-expand todynamic(AttackTechniques_s)
    | summarize count() by tostring(AttackTechniques_s)
    | order by AttackTechniques_s desc

Figure 14: Bar chart creation of techniques based on Time Range parameter

When completed, the workbook should look like the one below.

Figure 15: Completed workbook

Now we have a workbook with links to MITRE ATT&CK categories, category charts for the current and previous weeks, and a selectable time range that shows the alerts with the techniques used. This is just one example of how Defender ATP log data can be visualized. Azure workbooks allow for a lot of customization, and we have only scratched the surface with this example.

Read more from this 3-part series:
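As an added example (not from the original post), the following KQL folds the two weekly pie-chart queries and the technique expansion into a single query that compares this week against last week per tactic and technique, so a rising technique stands out without flipping between two charts. It assumes only the DefenderTTPs_CL columns the post already uses (Timestamp_t, Category, AttackTechniques_s); the empty-string check on TimeGenerated is replaced with isnotempty() on Timestamp_t, the field the post actually filters on.

```kusto
// Added example, not from the original post. Assumes the custom table
// DefenderTTPs_CL with the columns used above: Timestamp_t (actual alert
// time), Category (ATT&CK tactic) and AttackTechniques_s (JSON array of
// technique IDs stored as a string).
let weekStart = ago(7d);
DefenderTTPs_CL
// Filter on the alert's own timestamp, not the ingestion time (TimeGenerated)
| where isnotempty(Timestamp_t) and isnotempty(AttackTechniques_s)
| where Timestamp_t between (ago(14d) .. ago(1m))
// One row per technique, so an alert is counted under every technique it lists
| mv-expand Technique = todynamic(AttackTechniques_s) to typeof(string)
| summarize
    ThisWeek = countif(Timestamp_t >= weekStart),
    LastWeek = countif(Timestamp_t < weekStart)
    by Category, Technique
| extend Delta = ThisWeek - LastWeek
| order by Delta desc, ThisWeek desc
```

In a Workbook query step, set Time Range to "Set in query" as in the post so the explicit between() governs the window; the result renders as a grid by default, and choosing a bar chart on the Delta column gives the week-over-week view directly.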
Microsoft Defender ATP Telemetry: Viewing MITRE ATT&CK Context (Part 1)
Microsoft Defender ATP Telemetry: Azure Log Analytics Workspace (Part 2)

By: Dan Kiraly, Senior Research Scientist | Optiv

Dan Kiraly is a senior research scientist on Optiv's R&D team. In this role he's responsible for use case development and the vetting of security products for Optiv.

Copyright © 2024 Optiv Security Inc. All rights reserved. No license, express or implied, to any intellectual property or other content is granted or intended hereby. This blog is provided to you for information purposes only. While the information contained in this site has been obtained from sources believed to be reliable, Optiv disclaims all warranties as to the accuracy, completeness or adequacy of such information. Links to third party sites are provided for your convenience and do not constitute an endorsement by Optiv. These sites may not have the same privacy, security or accessibility standards. Complaints / questions should be directed to Legal@optiv.com