Count Detection Events by Tactics

Visualize MITRE ATT&CK tactics distribution

This is a query example for the Tactics widget in the Summary Dashboard of the crowdstrike/siem-connector package.

Query

Pipeline: Events -> Filter -> Filter -> Aggregate -> Result Set

    metadata.eventType = DetectionSummaryEvent
    | event.ComputerName=* AND metadata.customerIDString = *
    | top(event.Tactic)

Introduction

This widget is used to display the distribution of detection events across different MITRE ATT&CK tactics, visualized as a pie chart.

In this widget, the top() function is used to aggregate and count events by their associated MITRE ATT&CK tactics.

Example incoming data might look like this:

The original table lists every parsed field as a column (event.*, metadata.*, summary.*, techniques[n].*, affected_hosts[n].*, context.*, recommendations[n], related_detections[n], potential_actors[n].*); those columns repeat the keys of @rawstring, so each record is shown here as its record metadata followed by @rawstring. Every row also carries the value c8976e33e73b8bffbf1cefbb7e6f8403 in a column whose header is not present in the source.

Event 1
  @timestamp 2026-01-20T08:44:43   @ingesttimestamp 2026-01-20T08:44:43   @timestamp.nanos 0   @timezone Z
  #repo auto-dashboard-queries   #type siem-connector   @id sd6u8WImB06fMtTL7gzFlqYX_2_13_1768898683
  #error true   #humioBackfill 0   @error true   @error_msg "timestamp was not set to a value after 1971. Setting it to now"
  @rawstring:
  {
    "metadata": {"eventType":"UserActivityAuditEvent","eventCreationTime":1710340124,"offset":341.111,"customerIDString":"a1b2c3d4e5f6g7h8i9j0","version":"1.0"},
    "event": {
      "UserId":"adamsb","UserIp":"192.168.2.143","OperationName":"delete_report_execution","ServiceName":"scheduled_reports",
      "AuditKeyValues":[{"Key":"scheduled_report_id","ValueString":"123456781234567812345678"},{"Key":"execution_id","ValueString":"123456781234567812345678"},{"Key":"report_metadata.subtype","ValueString":"detection_summary"}],
      "UTCTimestamp":1710343724,
      "Attributes":{"execution_id":"234567892345678923456789","report_metadata.subtype":"host_inventory","scheduled_report_id":"234567892345678923456789"},
      "CustomerIdString":"b2c3d4e5f6g7h8i9j0k1","Nonce":1,"AgentIdString":"12345678123456781234567812345678","EventUUID":"12345678-1234-5678-1234-123456781234",
      "cid":"c3d4e5f6g7h8i9j0k1l2","eid":118,"timestamp":"2025-03-13:15:48:44 +0000","EventType":"Event_ExternalApiEvent","ExternalAPIType":"Event_UserActivityAuditEvent"
    }
  }

Event 2
  @timestamp 2026-01-20T08:44:43   @ingesttimestamp 2026-01-20T08:44:44   @timestamp.nanos 0   @timezone Z
  #repo auto-dashboard-queries   #type siem-connector   @id QTsJCoPniAANCCdKBxWdooCq_14_282_1768898683
  @rawstring:
  {
    "metadata": { "eventType": "ReconNotificationSummary", "eventCreationTime": "1768898683967", "event_id": "rns-f47ac10b-58cc-4372-a567-0e02b2c3d479", "customerIDString": "d4e5f6g7h8i9j0k1l2m3" },
    "summary": { "title": "Reconnaissance Activity Detected", "severity": "4", "confidence": "3", "detection_count": 3, "first_detection_time": "2026-01-08T14:27:31.456Z", "last_detection_time": "2026-01-08T15:30:12.789Z", "affected_hosts_count": 3 },
    "techniques": [
      { "technique_id": "T1059.001", "technique_name": "PowerShell", "tactic": "Discovery", "objective": "Internal Reconnaissance", "description": "Detected suspicious PowerShell command execution with encoded arguments" },
      { "technique_id": "T1003.001", "technique_name": "LSASS Memory", "tactic": "Discovery", "objective": "Internal Reconnaissance", "description": "Detected potential credential dumping from LSASS memory" },
      { "technique_id": "T1021.002", "technique_name": "SMB/Windows Admin Shares", "tactic": "Discovery", "objective": "Internal Reconnaissance", "description": "Detected suspicious access to administrative shares" }
    ],
    "affected_hosts": [
      { "hostname": "PROD-WEB01", "ip_address": "192.168.0.87", "sensor_id": "e5f6g7h8i9j0k1l2m3n4", "first_seen": "2026-01-15T13:25:32.000Z", "last_seen": "2026-01-17T17:43:20.000Z", "detection_count": 7 },
      { "hostname": "PROD-APP02", "ip_address": "192.168.3.211", "sensor_id": "f6g7h8i9j0k1l2m3n4o5", "first_seen": "2026-01-20T06:13:09.000Z", "last_seen": "2026-01-25T02:00:54.000Z", "detection_count": 1 },
      { "hostname": "PROD-DB01", "ip_address": "192.168.1.54", "sensor_id": "g7h8i9j0k1l2m3n4o5p6", "first_seen": "2026-01-14T13:04:37.000Z", "last_seen": "2026-01-16T13:59:20.000Z", "detection_count": 4 }
    ],
    "potential_actors": [ { "actor_name": "APT29", "confidence": "2", "evidence": "Command and control infrastructure matches known APT29 domains" } ],
    "recommendations": [ "Isolate affected hosts from the network", "Review authentication logs for suspicious access attempts", "Enable multi-factor authentication for all privileged accounts", "Update antivirus signatures and perform a full system scan" ],
    "related_detections": [ "det-6ba7b810-9dad-11d1-80b4-00c04fd430c8", "det-3d6f4e2a-8b9c-4f1e-a2d5-7c8e9f0a1b2c", "det-9e8d7c6b-5a4f-4e3d-2c1b-0a9f8e7d6c5b" ],
    "context": { "risk_score": 87, "mitre_attack_url": "https://attack.mitre.org/techniques/T1078.002/", "falcon_intel_reports": [ "INTEL-T_SHORT_MD5_T", "INTEL-T_SHORT_MD5_T" ] }
  }

Event 3
  @timestamp 2026-01-20T08:44:44   @ingesttimestamp 2026-01-20T08:44:45   @timestamp.nanos 0   @timezone Z
  #repo auto-dashboard-queries   #type siem-connector   @id QTsJCoPniAANCCdKBxWdooCq_14_283_1768898684
  @rawstring:
  { "metadata": { "eventCreationTime": "1768898684540", "eventPlatform": "Identity", "eventType": "IdentityProtectionEvent", "name": "IdentityProtectionEvent", "severity": "9", "aid": "h8i9j0k1l2m3n4o5p6q7", "aip": "192.168.4.198", "cid": "i9j0k1l2m3n4o5p6q7r8", "id": "AUD-T_SHORT_MD5_T" } }

Event 4
  @timestamp 2026-01-20T08:44:45   @ingesttimestamp 2026-01-20T08:44:46   @timestamp.nanos 0   @timezone Z
  #repo auto-dashboard-queries   #type siem-connector   @id QTsJCoPniAANCCdKBxWdooCq_14_284_1768898685
  @rawstring:
  {
    "metadata": { "eventType": "UserActivityAuditEvent", "eventCreationTime": "1768898685309", "customerIDString": "j0k1l2m3n4o5p6q7r8s9" },
    "event": {
      "UserId": "andersonk", "ComputerName": "PROD-FILE01", "ServiceName": "CrowdStrike Authentication",
      "AuditKeyValues": [
        {"Key": "AUD-7f92e3b1", "Value": "Modified rule FW-3782 in policy 'Corporate Perimeter Defense'"},
        {"Key": "AUD-c45d8a6e", "Value": "Added exception for host 192.168.45.12 to policy 'Data Center Access'"},
        {"Key": "AUD-21b9f037", "Value": "Deleted user account 'mwilliams' from Active Directory group 'Finance-Users'"}
      ]
    }
  }

Event 5
  @timestamp 2026-01-20T08:44:46   @ingesttimestamp 2026-01-20T08:44:46   @timestamp.nanos 0   @timezone Z
  #repo auto-dashboard-queries   #type siem-connector   @id QTsJCoPniAANCCdKBxWdooCq_14_285_1768898686
  @rawstring:
  {
    "metadata": { "eventType": "UserActivityAuditEvent", "eventCreationTime": "1768898686099", "customerIDString": "k1l2m3n4o5p6q7r8s9t0" },
    "event": {
      "UserId": "bakerm", "ComputerName": "PROD-SQL01", "OperationName": "create_policy",
      "AuditKeyValues": [
        {"Key": "AUD-9e3d5c8a", "Value": "Changed password expiration policy from 60 to 45 days"},
        {"Key": "AUD-56f1a7d2", "Value": "Exported configuration backup of firewall cluster 'edge-fw-01'"}
      ]
    }
  }

Step-by-Step

  1. Starting with the source repository events.

  2. Pipeline stage: Filter (step 1 of 3)
    metadata.eventType = DetectionSummaryEvent

    Filters events to include only those where metadata.eventType equals DetectionSummaryEvent.

  3. Pipeline stage: Filter (step 2 of 3)
    | event.ComputerName=* AND metadata.customerIDString = *

    Keeps only events in which both event.ComputerName and metadata.customerIDString are present. A field=* test matches any value, so this is an existence check rather than a value match; detections that lack a hostname or a customer ID are dropped before counting.

  4. Pipeline stage: Aggregate (step 3 of 3)
    | top(event.Tactic)

    Counts events per distinct value of event.Tactic and returns one row per tactic with the count in _count, sorted by _count in descending order. Events without an event.Tactic field are not counted. top() returns at most 10 rows unless limit is set; the ATT&CK Enterprise matrix defines 14 tactics, so set limit explicitly if every tactic must appear in the chart.

  5. Event Result set.
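The same pipeline with two adjustments a practitioner is likely to want, given as an added example and not as the package's own dashboard query: the first query raises the top() limit so that no tactic is silently dropped once more than 10 are observed; the second breaks each tactic down by technique so that a large slice can be explained. The second query assumes DetectionSummaryEvent records also carry an event.Technique field, which this page does not show.

```logscale
// Variant 1: tactic distribution with an explicit limit.
// top() defaults to limit=10; ATT&CK Enterprise has 14 tactics.
metadata.eventType = DetectionSummaryEvent
| event.ComputerName=* AND metadata.customerIDString = *
| top(event.Tactic, limit=20)

// Variant 2: tactic broken down by technique (one query per widget;
// run this one in a separate table widget).
// event.Technique is an assumed field name, not shown on this page.
metadata.eventType = DetectionSummaryEvent
| event.ComputerName=* AND metadata.customerIDString = *
| groupBy([event.Tactic, event.Technique], function=count())
| sort(_count, order=desc, limit=50)
```

Each variant is a complete widget query; they are separated by comments only because a dashboard widget runs a single query. Variant 2 returns one row per tactic and technique pair with the event count in _count, largest first, which makes it suitable for a table widget placed next to the pie chart.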

Summary and Results

The widget is used to provide visibility into the most common MITRE ATT&CK tactics observed in detection events.

This widget is useful to identify prevalent attack patterns and prioritize security controls based on the most frequently observed tactics.

Sample output (illustrative; the example events shown above contain no DetectionSummaryEvent records and no event.Tactic field, so the query would return no rows for that data):

    _count  event.Tactic
    3       Execution
    3       Credential Access
    2       Defense Evasion
    2       Lateral Movement
    2       Persistence

The results are displayed in a pie chart where each slice represents a MITRE ATT&CK tactic, and the size of each slice corresponds to the number of events associated with that tactic.