Visualize Detection Events by Technique in Bar Chart

Display MITRE ATT&CK techniques frequency in bar chart format

This is a query example for the Detections by Technique widget in the Summary Dashboard of the crowdstrike/siem-connector package.

Query

Pipeline: Events -> Filter -> Filter -> Aggregate -> Result Set

```logscale
metadata.eventType = DetectionSummaryEvent
| event.ComputerName=* AND metadata.customerIDString = *
| top(event.Technique)
```

Introduction

This widget is used to create a bar chart visualization of MITRE ATT&CK techniques detected in the environment, providing a clear graphical representation of the most frequently observed attack methods.

In this widget, the top() function is used to generate data for a bar chart showing the frequency distribution of MITRE ATT&CK techniques in detection events.

Example incoming data might look like this:

| @timestamp | #repo | #type | @id | @ingesttimestamp | @rawstring | @timestamp.nanos | @timezone | event.ComputerName | event.DetectDescription | event.DetectName | event.LocalIP | event.Objective | event.SensorId | event.SeverityName | event.Tactic | event.Technique | event.UserName | metadata.customerIDString | metadata.eventCreationTime | metadata.eventType |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2026-01-12T10:22:45 | auto-dashboard-queries | siem-connector | QTsJCoPniAANCCdKBxWdooCq_3_300_1768213365 | 2026-01-12T10:22:45 | {"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213365060", "customerIDString":"a1b2c3d4e5f6g7h8i9j0" }, "event":{"SeverityName":"Medium", "DetectName":"Suspicious PowerShell Command Line","ComputerName":"PROD-WEB01","UserName":"adamsb","SensorId":"b2c3d4e5f6g7h8i9j0k1","LocalIP":"192.168.2.143","Tactic":"Execution","Technique":"T1059.001 - PowerShell","DetectDescription":"Detected suspicious PowerShell command execution with encoded arguments","Objective":"Command and Control"}} | 0 | Z | PROD-WEB01 | Detected suspicious PowerShell command execution with encoded arguments | Suspicious PowerShell Command Line | 192.168.2.143 | Command and Control | b2c3d4e5f6g7h8i9j0k1 | Medium | Execution | T1059.001 - PowerShell | adamsb | a1b2c3d4e5f6g7h8i9j0 | 1768213365060 | DetectionSummaryEvent |
| 2026-01-12T10:22:45 | auto-dashboard-queries | siem-connector | QTsJCoPniAANCCdKBxWdooCq_3_301_1768213365 | 2026-01-12T10:22:46 | {"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213365928", "customerIDString":"c3d4e5f6g7h8i9j0k1l2" }, "event":{"SeverityName":"Low", "DetectName":"Suspicious Registry Modification","ComputerName":"PROD-APP02","UserName":"andersonk","SensorId":"d4e5f6g7h8i9j0k1l2m3","LocalIP":"192.168.0.87","Tactic":"Credential Access","Technique":"T1003.001 - LSASS Memory","DetectDescription":"Detected potential credential dumping from LSASS memory","Objective":"Credential Theft"}} | 0 | Z | PROD-APP02 | Detected potential credential dumping from LSASS memory | Suspicious Registry Modification | 192.168.0.87 | Credential Theft | d4e5f6g7h8i9j0k1l2m3 | Low | Credential Access | T1003.001 - LSASS Memory | andersonk | c3d4e5f6g7h8i9j0k1l2 | 1768213365928 | DetectionSummaryEvent |
| 2026-01-12T10:22:46 | auto-dashboard-queries | siem-connector | QTsJCoPniAANCCdKBxWdooCq_3_302_1768213366 | 2026-01-12T10:22:47 | {"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213366748", "customerIDString":"e5f6g7h8i9j0k1l2m3n4" }, "event":{"SeverityName":"High", "DetectName":"Credential Dumping via Mimikatz","ComputerName":"PROD-DB01","UserName":"bakerm","SensorId":"f6g7h8i9j0k1l2m3n4o5","LocalIP":"192.168.3.211","Tactic":"Lateral Movement","Technique":"T1021.002 - SMB/Windows Admin Shares","DetectDescription":"Detected suspicious access to administrative shares","Objective":"Internal Reconnaissance"}} | 0 | Z | PROD-DB01 | Detected suspicious access to administrative shares | Credential Dumping via Mimikatz | 192.168.3.211 | Internal Reconnaissance | f6g7h8i9j0k1l2m3n4o5 | High | Lateral Movement | T1021.002 - SMB/Windows Admin Shares | bakerm | e5f6g7h8i9j0k1l2m3n4 | 1768213366748 | DetectionSummaryEvent |
| 2026-01-12T10:22:47 | auto-dashboard-queries | siem-connector | QTsJCoPniAANCCdKBxWdooCq_3_303_1768213367 | 2026-01-12T10:22:48 | {"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213367566", "customerIDString":"g7h8i9j0k1l2m3n4o5p6" }, "event":{"SeverityName":"Critical", "DetectName":"Suspicious Service Creation","ComputerName":"PROD-FILE01","UserName":"blackj","SensorId":"h8i9j0k1l2m3n4o5p6q7","LocalIP":"192.168.1.54","Tactic":"Defense Evasion","Technique":"T1078.002 - Domain Accounts","DetectDescription":"Detected authentication using potentially compromised domain account","Objective":"Privilege Escalation"}} | 0 | Z | PROD-FILE01 | Detected authentication using potentially compromised domain account | Suspicious Service Creation | 192.168.1.54 | Privilege Escalation | h8i9j0k1l2m3n4o5p6q7 | Critical | Defense Evasion | T1078.002 - Domain Accounts | blackj | g7h8i9j0k1l2m3n4o5p6 | 1768213367566 | DetectionSummaryEvent |
| 2026-01-12T10:22:48 | auto-dashboard-queries | siem-connector | QTsJCoPniAANCCdKBxWdooCq_3_304_1768213368 | 2026-01-12T10:22:49 | {"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213368386", "customerIDString":"i9j0k1l2m3n4o5p6q7r8" }, "event":{"SeverityName":"Medium", "DetectName":"Lateral Movement via WMI","ComputerName":"PROD-SQL01","UserName":"brownr","SensorId":"j0k1l2m3n4o5p6q7r8s9","LocalIP":"192.168.4.198","Tactic":"Persistence","Technique":"T1053.005 - Scheduled Task","DetectDescription":"Detected suspicious scheduled task creation for persistence","Objective":"Persistence Establishment"}} | 0 | Z | PROD-SQL01 | Detected suspicious scheduled task creation for persistence | Lateral Movement via WMI | 192.168.4.198 | Persistence Establishment | j0k1l2m3n4o5p6q7r8s9 | Medium | Persistence | T1053.005 - Scheduled Task | brownr | i9j0k1l2m3n4o5p6q7r8 | 1768213368386 | DetectionSummaryEvent |

Step-by-Step

  1. Starting with the source repository events.

  2. ```logscale
     metadata.eventType = DetectionSummaryEvent
     ```

    Filters for events where metadata.eventType equals DetectionSummaryEvent.

  3. ```logscale
     | event.ComputerName=* AND metadata.customerIDString = *
     ```

    Further filters to include only events that carry both an event.ComputerName field and a metadata.customerIDString field. A `field = *` test in LogScale is an existence check: it matches any event on which the field is present, whatever its value.

  4. ```logscale
     | top(event.Technique)
     ```

    Groups events by the unique values of event.Technique and counts the occurrences of each technique; the counts become the bar heights.

    The top() function groups and counts events by technique, returns the counts in a _count field, and sorts the rows in descending order of _count, which makes it a natural fit for a bar chart of the most frequently observed techniques. Note that top() returns the 10 most frequent values by default; if the environment produces detections for more than 10 distinct techniques, pass a larger limit argument to top(), otherwise the less frequent techniques are silently left off the chart.

  5. Event Result set.
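The following script is an added reference model of the three pipeline stages above, written for this page rather than taken from the crowdstrike/siem-connector package or from LogScale itself. It flattens JSON events into LogScale-style dotted field names, applies the two filters (treating `field = *` as an existence check) and reproduces what top() returns, including its default limit of 10. The five input records are abridged from this page's sample data; the three extra records are constructed to show one bar outgrowing the others, an event dropped by the eventType filter, and a detection dropped by the wildcard filter. The event type name UserActivityAuditEvent and all hostnames and user names in the constructed records are assumptions.

```python
"""Reference model of the Detections by Technique pipeline, run offline over
sample events. The three stages mirror the LogScale query on this page:

    metadata.eventType = DetectionSummaryEvent
    | event.ComputerName=* AND metadata.customerIDString = *
    | top(event.Technique)
"""
from collections import Counter

# Five DetectionSummaryEvent records abridged from this page's sample data
# (only the fields the query reads, plus Tactic and SeverityName, are kept).
PAGE_EVENTS = [
    {"metadata": {"eventType": "DetectionSummaryEvent", "customerIDString": "a1b2c3d4e5f6g7h8i9j0"},
     "event": {"ComputerName": "PROD-WEB01", "Tactic": "Execution",
               "Technique": "T1059.001 - PowerShell", "SeverityName": "Medium"}},
    {"metadata": {"eventType": "DetectionSummaryEvent", "customerIDString": "c3d4e5f6g7h8i9j0k1l2"},
     "event": {"ComputerName": "PROD-APP02", "Tactic": "Credential Access",
               "Technique": "T1003.001 - LSASS Memory", "SeverityName": "Low"}},
    {"metadata": {"eventType": "DetectionSummaryEvent", "customerIDString": "e5f6g7h8i9j0k1l2m3n4"},
     "event": {"ComputerName": "PROD-DB01", "Tactic": "Lateral Movement",
               "Technique": "T1021.002 - SMB/Windows Admin Shares", "SeverityName": "High"}},
    {"metadata": {"eventType": "DetectionSummaryEvent", "customerIDString": "g7h8i9j0k1l2m3n4o5p6"},
     "event": {"ComputerName": "PROD-FILE01", "Tactic": "Defense Evasion",
               "Technique": "T1078.002 - Domain Accounts", "SeverityName": "Critical"}},
    {"metadata": {"eventType": "DetectionSummaryEvent", "customerIDString": "i9j0k1l2m3n4o5p6q7r8"},
     "event": {"ComputerName": "PROD-SQL01", "Tactic": "Persistence",
               "Technique": "T1053.005 - Scheduled Task", "SeverityName": "Medium"}},
]

# Constructed records (not from the page) that exercise each pipeline stage:
# a second PowerShell detection so one bar is taller than the rest, an audit
# event (assumed event type name) that the eventType filter must drop, and a
# detection with no ComputerName that the wildcard filter must drop.
CONSTRUCTED_EVENTS = [
    {"metadata": {"eventType": "DetectionSummaryEvent", "customerIDString": "a1b2c3d4e5f6g7h8i9j0"},
     "event": {"ComputerName": "PROD-WEB02", "Tactic": "Execution",
               "Technique": "T1059.001 - PowerShell", "SeverityName": "High"}},
    {"metadata": {"eventType": "UserActivityAuditEvent", "customerIDString": "a1b2c3d4e5f6g7h8i9j0"},
     "event": {"OperationName": "detection_update", "UserId": "analyst@example.com"}},
    {"metadata": {"eventType": "DetectionSummaryEvent", "customerIDString": "a1b2c3d4e5f6g7h8i9j0"},
     "event": {"Tactic": "Discovery", "Technique": "T1087.002 - Domain Account"}},
]


def flatten(record, prefix=""):
    """Turn nested JSON into LogScale-style dotted field names, e.g.
    {"event": {"Technique": "T1059.001 - PowerShell"}} becomes
    {"event.Technique": "T1059.001 - PowerShell"}."""
    fields = {}
    for key, value in record.items():
        name = prefix + key
        if isinstance(value, dict):
            fields.update(flatten(value, name + "."))
        else:
            fields[name] = value
    return fields


def passes_filters(fields):
    """Stages 1 and 2. `field = *` in LogScale only requires that the field
    be present on the event, so it is modelled as a key-existence test."""
    return (
        fields.get("metadata.eventType") == "DetectionSummaryEvent"
        and "event.ComputerName" in fields
        and "metadata.customerIDString" in fields
    )


def top(events, field, limit=10):
    """Stage 3, a model of LogScale top(field): count each distinct value and
    return the most frequent ones as rows {"_count": n, field: value} in
    descending _count order. limit defaults to 10, as top() does, which is
    also the most bars the widget will draw unless limit is raised."""
    counts = Counter(e[field] for e in events if field in e)
    return [{"_count": n, field: value} for value, n in counts.most_common(limit)]


def detections_by_technique(records, limit=10):
    """Run the whole query: flatten, filter, aggregate."""
    kept = [f for f in map(flatten, records) if passes_filters(f)]
    return top(kept, "event.Technique", limit=limit)


if __name__ == "__main__":
    for row in detections_by_technique(PAGE_EVENTS + CONSTRUCTED_EVENTS):
        print(f'{row["_count"]:>6}  {row["event.Technique"]}')
```

Running it lists T1059.001 - PowerShell with a count of 2 at the top, followed by the four other techniques from the page's sample with a count of 1 each; the audit event and the detection lacking event.ComputerName never reach the aggregation. Passing a smaller limit to detections_by_technique() shows the truncation that the default limit of 10 would impose on a larger technique set.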

Summary and Results

The widget is used to display a bar chart of MITRE ATT&CK techniques, with the height of each bar representing the frequency of occurrence.

This widget is useful to visually identify the most common attack techniques, quickly spot unusual patterns in technique frequency, and present security data in an easily digestible format.

Sample output of the query (these counts come from a larger set of detection events than the five shown above, listed in the descending _count order that top() produces):

| _count | event.Technique |
|---|---|
| 21 | T1003.001 - LSASS Memory |
| 13 | T1053.005 - Scheduled Task |
| 13 | T1218.011 - Rundll32 |
| 13 | T1021.002 - SMB/Windows Admin Shares |
| 13 | T1078.002 - Domain Accounts |

The output data is visualized as a bar chart where each technique is represented by a bar, with the height corresponding to the count value.

The techniques are identified by both their ID (for example, T1053.005) and descriptive name for clear reference in the chart labels.

Example of a Detections by Technique widget