Column Name for MITRE Tactic in Log Analytics Workspace


Hi Team,

Could you provide me the table/column name where the MITRE Tactic is stored in Log Analytics Workspace?

I wanted to create a dashboard to map the MITRE Tactic and security incidents.

Kindly help

1 Reply

@kmanish 

 

I don't believe we do; I think it may be available via the Sentinel API call though - more details from the API are planned to go into Log Analytics in the future.

In the meantime you could add the Tactic as a comment to the query, so that it appears in ExtendedProperties?

SecurityAlert
| where ProviderName == "ASI Scheduled Alerts"   // alerts raised by Sentinel scheduled analytics rules
| where ExtendedProperties contains "Query"      // ExtendedProperties carries the rule's query text
//| search "Tactic"                               // optional: narrow to rows that mention the tagged string

e.g. I used "This only happens" as a string to illustrate the method

[Screenshot: Annotation 2020-02-27 172839.jpg]

You could then use an extend to put the tactic in its own column?

 

Thanks
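Carrying the comment-tagging idea through to a dashboard-ready column, as an added example (this is not code from Clive's reply or from Microsoft): it assumes each scheduled analytics rule's query has been given a comment line of the form `// Tactic: <name>` (that tag format is an assumption for this example, not a Sentinel convention), that the rule text is stored verbatim under the `Query` key of ExtendedProperties, and it uses a 30-day window as a placeholder.

```kusto
// Added example: surface a MITRE tactic that was embedded as a comment in the rule query.
// Assumed tag format inside each analytics rule query:  // Tactic: CredentialAccess
SecurityAlert
| where TimeGenerated > ago(30d)                       // placeholder window; adjust for the workbook
| where ProviderName == "ASI Scheduled Alerts"         // scheduled analytics rules only
| extend Props = parse_json(ExtendedProperties)        // ExtendedProperties is a JSON string
| extend RuleQuery = tostring(Props["Query"])          // the rule text, including its comments
| where isnotempty(RuleQuery)
// Pull the tactic name out of the comment; capture group 1 is the word after "Tactic:".
| extend Tactic = extract(@"//\s*Tactic:\s*([A-Za-z]+)", 1, RuleQuery)
// extract() yields null/empty when no tag is present; isempty() covers both, so untagged rules are visible rather than dropped.
| extend Tactic = iff(isempty(Tactic), "Untagged", Tactic)
| summarize Alerts = count(), Rules = dcount(AlertName), LastSeen = max(TimeGenerated) by Tactic
| order by Alerts desc
```

Before trusting the chart, run `SecurityAlert | where ProviderName == "ASI Scheduled Alerts" | where ExtendedProperties contains "Tactic:"` to confirm the comment actually survives into ExtendedProperties in your workspace; the "Untagged" bucket then doubles as a check that every rule carries a tag, and a rule whose comment was edited away shows up there instead of silently vanishing from the dashboard.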