Feb 27 2020 09:30 AM - last edited on Apr 08 2022
I don't believe we do. I think it may be available via the Sentinel API call though - more details from the API are planned to go into Log Analytics in the future.
In the meantime you could add the Tactic as a comment to the query, so that it appears in ExtendedProperties?
SecurityAlert
| where ProviderName == "ASI Scheduled Alerts"
| where ExtendedProperties contains "Query"
//| search "Tactic"
e.g. I used "This only happens" as a string to illustrate the method
You could then use an extend to put the tactic in its own column?
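Added example, not part of the original reply: one way to do the extend step described above. It assumes each rule query carries a comment of the form `// Tactic: <name>` (a hypothetical convention, single-word names) and that the rule text sits under the "Query" key of ExtendedProperties.

```kql
SecurityAlert
| where ProviderName == "ASI Scheduled Alerts"
// ExtendedProperties is a JSON string; pull out the rule's query text
| extend RuleQuery = tostring(parse_json(ExtendedProperties)["Query"])
// Assumed comment convention inside the rule query: "// Tactic: Persistence"
| extend Tactic = extract(@"//\s*Tactic:\s*(\w+)", 1, RuleQuery)
// Rules without the comment yield an empty string; label them so they stay visible
| extend Tactic = iff(isempty(Tactic), "Unlabelled", Tactic)
| summarize Alerts = count() by Tactic, AlertName
| order by Tactic asc, Alerts desc
```

The "Unlabelled" rows show which scheduled rules still need the comment added.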