Visualize Tactics in Time Chart Format

Track MITRE ATT&CK tactics frequency in time chart with hourly intervals

This is a query example for the Tactic over Time widget in the Summary Dashboard dashboard of the crowdstrike/siem-connector package.

Query

flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result
logscale
metadata.eventType = DetectionSummaryEvent
| event.ComputerName=* AND metadata.customerIDString = *
| timechart(span=1h, event.Tactic)

Introduction

This widget is used to create a time chart visualization showing the distribution of MITRE ATT&CK tactics across hourly intervals, helping to identify patterns and trends in attack tactics over time.

In this widget, the timeChart() function is used to generate data for a time chart visualization of attack tactics, showing their frequency of occurrence in one-hour time spans. This helps track how different tactics are being employed throughout the monitored period.

Example incoming data might look like this:

@timestamp#repo#type@id@ingesttimestamp@rawstring@timestamp.nanos@timezoneevent.ComputerNameevent.DetectDescriptionevent.DetectNameevent.LocalIPevent.Objectiveevent.SensorIdevent.SeverityNameevent.Tacticevent.Techniqueevent.UserNamemetadata.customerIDStringmetadata.eventCreationTimemetadata.eventType
2026-01-12T10:22:45auto-dashboard-queriessiem-connectorQTsJCoPniAANCCdKBxWdooCq_3_300_17682133652026-01-12T10:22:45{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213365060", "customerIDString":"a1b2c3d4e5f6g7h8i9j0" }, "event":{"SeverityName":"Medium", "DetectName":"Suspicious PowerShell Command Line","ComputerName":"PROD-WEB01","UserName":"adamsb","SensorId":"b2c3d4e5f6g7h8i9j0k1","LocalIP":"192.168.2.143","Tactic":"Execution","Technique":"T1059.001 - PowerShell","DetectDescription":"Detected suspicious PowerShell command execution with encoded arguments","Objective":"Command and Control"}} 86beba81b4553c59c7a125eea1100bca0ZPROD-WEB01Detected suspicious PowerShell command execution with encoded argumentsSuspicious PowerShell Command Line192.168.2.143Command and Controlb2c3d4e5f6g7h8i9j0k1MediumExecutionT1059.001 - PowerShelladamsba1b2c3d4e5f6g7h8i9j01768213365060DetectionSummaryEvent
2026-01-12T10:22:45auto-dashboard-queriessiem-connectorQTsJCoPniAANCCdKBxWdooCq_3_301_17682133652026-01-12T10:22:46{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213365928", "customerIDString":"c3d4e5f6g7h8i9j0k1l2" }, "event":{"SeverityName":"Low", "DetectName":"Suspicious Registry Modification","ComputerName":"PROD-APP02","UserName":"andersonk","SensorId":"d4e5f6g7h8i9j0k1l2m3","LocalIP":"192.168.0.87","Tactic":"Credential Access","Technique":"T1003.001 - LSASS Memory","DetectDescription":"Detected potential credential dumping from LSASS memory","Objective":"Credential Theft"}} 86beba81b4553c59c7a125eea1100bca0ZPROD-APP02Detected potential credential dumping from LSASS memorySuspicious Registry Modification192.168.0.87Credential Theftd4e5f6g7h8i9j0k1l2m3LowCredential AccessT1003.001 - LSASS Memoryandersonkc3d4e5f6g7h8i9j0k1l21768213365928DetectionSummaryEvent
2026-01-12T10:22:46auto-dashboard-queriessiem-connectorQTsJCoPniAANCCdKBxWdooCq_3_302_17682133662026-01-12T10:22:47{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213366748", "customerIDString":"e5f6g7h8i9j0k1l2m3n4" }, "event":{"SeverityName":"High", "DetectName":"Credential Dumping via Mimikatz","ComputerName":"PROD-DB01","UserName":"bakerm","SensorId":"f6g7h8i9j0k1l2m3n4o5","LocalIP":"192.168.3.211","Tactic":"Lateral Movement","Technique":"T1021.002 - SMB/Windows Admin Shares","DetectDescription":"Detected suspicious access to administrative shares","Objective":"Internal Reconnaissance"}} 86beba81b4553c59c7a125eea1100bca0ZPROD-DB01Detected suspicious access to administrative sharesCredential Dumping via Mimikatz192.168.3.211Internal Reconnaissancef6g7h8i9j0k1l2m3n4o5HighLateral MovementT1021.002 - SMB/Windows Admin Sharesbakerme5f6g7h8i9j0k1l2m3n41768213366748DetectionSummaryEvent
2026-01-12T10:22:47auto-dashboard-queriessiem-connectorQTsJCoPniAANCCdKBxWdooCq_3_303_17682133672026-01-12T10:22:48{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213367566", "customerIDString":"g7h8i9j0k1l2m3n4o5p6" }, "event":{"SeverityName":"Critical", "DetectName":"Suspicious Service Creation","ComputerName":"PROD-FILE01","UserName":"blackj","SensorId":"h8i9j0k1l2m3n4o5p6q7","LocalIP":"192.168.1.54","Tactic":"Defense Evasion","Technique":"T1078.002 - Domain Accounts","DetectDescription":"Detected authentication using potentially compromised domain account","Objective":"Privilege Escalation"}} 86beba81b4553c59c7a125eea1100bca0ZPROD-FILE01Detected authentication using potentially compromised domain accountSuspicious Service Creation192.168.1.54Privilege Escalationh8i9j0k1l2m3n4o5p6q7CriticalDefense EvasionT1078.002 - Domain Accountsblackjg7h8i9j0k1l2m3n4o5p61768213367566DetectionSummaryEvent
2026-01-12T10:22:48auto-dashboard-queriessiem-connectorQTsJCoPniAANCCdKBxWdooCq_3_304_17682133682026-01-12T10:22:49{"metadata":{ "eventType":"DetectionSummaryEvent","eventCreationTime":"1768213368386", "customerIDString":"i9j0k1l2m3n4o5p6q7r8" }, "event":{"SeverityName":"Medium", "DetectName":"Lateral Movement via WMI","ComputerName":"PROD-SQL01","UserName":"brownr","SensorId":"j0k1l2m3n4o5p6q7r8s9","LocalIP":"192.168.4.198","Tactic":"Persistence","Technique":"T1053.005 - Scheduled Task","DetectDescription":"Detected suspicious scheduled task creation for persistence","Objective":"Persistence Establishment"}} 86beba81b4553c59c7a125eea1100bca0ZPROD-SQL01Detected suspicious scheduled task creation for persistenceLateral Movement via WMI192.168.4.198Persistence Establishmentj0k1l2m3n4o5p6q7r8s9MediumPersistenceT1053.005 - Scheduled Taskbrownri9j0k1l2m3n4o5p6q7r81768213368386DetectionSummaryEvent

Step-by-Step

  1. Starting with the source repository events.

  2. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result style 1 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    metadata.eventType = DetectionSummaryEvent

    Filters for events where metadata.eventType equals DetectionSummaryEvent.

  3. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result style 2 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | event.ComputerName=* AND metadata.customerIDString = *

    Further filters to include only events that have both a event.ComputerName field and a metadata.customerIDString field.

  4. flowchart LR; %%{init: {"flowchart": {"defaultRenderer": "elk"}} }%% repo{{Events}} 1[/Filter/] 2[/Filter/] 3{{Aggregate}} result{{Result Set}} repo --> 1 1 --> 2 2 --> 3 3 --> result style 3 fill:#ff0000,stroke-width:4px,stroke:#000;
    logscale
    | timechart(span=1h, event.Tactic)

    Creates a time chart visualization by organizing events into one-hour intervals using span=1h, grouping the events by event.Tactic within each interval, and calculating the frequency of each tactic to show their distribution over time.

  5. Event Result set.

Summary and Results

The widget is used to create a time chart visualizing how different MITRE ATT&CK tactics are distributed over time, enabling analysis of tactical patterns and trends.

This widget is useful to identify shifts in attacker tactics through time chart visualization, detect concentrated tactical activities, and understand the temporal distribution of different attack approaches.

Sample output from the incoming example data:

_bucket_countevent.Tactic
176821200000021Credential Access
176821200000026Defense Evasion
176821200000027Execution
176821200000013Lateral Movement
176821200000013Persistence

Note that the output data generates a time chart where each tactic's frequency is tracked over hourly intervals. The timestamp is provided in the _bucket field, with counts for each tactic showing their relative frequency during that time period in the time chart.

Example of a Tactic over Time widget