For folks who have joined the MTR Connector EAP and enabled the MS Graph Security connector, I wanted to provide a simple set of instructions for viewing all your detections.
More detailed queries are available in the query section, but for a quick look at what the MTR team is now able to see, follow the instructions below.
1. Log into Central and navigate to the Threat Analysis Center.
2. Go to Live Discover.
3. Turn on Designer Mode.
4. Select Create new query.
5. This will be a Data Lake query, so select that mode.
6. Paste in the following SQL code:
SELECT
  id,
  event_date_time,
  severity,
  -- map the Graph severity onto a numeric score so the results can be sorted by risk
  CASE severity WHEN 'HIGH' THEN 5 WHEN 'MEDIUM' THEN 3 ELSE 1 END AS Sophos_Risk_Score,
  category,
  status,
  title,
  description,
  processes,
  recommended_actions,
  incident_ids,
  malware_states,
  host_states,
  user_states,
  network_connections,
  registry_key_states,
  vulnerability_states,
  cloud_app_states,
  additional_fields,
  security_resources,
  source_materials,
  -- visual separator column; everything after it is the remaining raw fields
  '--------------' AS "Additional_fields-->",
  activity_group_name,
  assigned_to,
  azure_subscription_id,
  azure_tenant_id,
  -- category,
  closed_date_time,
  -- cloud_app_states,
  comments,
  confidence,
  created_date_time,
  -- description,
  detection_ids,
  -- event_date_time,
  -- feedback,
  file_states,
  -- host_states,
  -- id,
  -- incident_ids,
  last_modified_date_time,
  -- malware_states,
  -- network_connections,
  -- processes,
  -- recommended_actions,
  -- registry_key_states,
  -- security_resources,
  -- severity,
  -- source_materials,
  -- status,
  tags,
  -- title,
  triggers,
  -- user_states,
  vendor_information,
  -- vulnerability_states,
  message_identifier,
  customer_id,
  ingestion_timestamp,
  sensor_id,
  sensor,
  sensor_version,
  schema_version,
  record_size,
  -- additional_fields,
  customer_bucket,
  ingest_date
FROM mdr_ms_graph_api_data
ORDER BY category ASC, Sophos_Risk_Score DESC, event_date_time DESC
7. Select Run.
The query should take a few seconds to complete, and you will see a list of all your detections.
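If you want a triage view rather than the full row-per-detection listing, the same table supports a grouped summary. The query below is an added example, not part of the original post: it uses only the table name, column names and severity values that appear in the query above, and applies the same HIGH/MEDIUM/other score mapping so that the categories generating the most high-severity detections sort to the top. It assumes the Data Lake SQL dialect accepts a column alias in ORDER BY and GROUP BY over the raw columns, which is standard behaviour.

```sql
-- Added example (not from the original post): summarise Graph Security
-- detections per category and severity, with the same risk score mapping
-- used in the full listing query.
SELECT
  category,
  severity,
  CASE severity WHEN 'HIGH' THEN 5 WHEN 'MEDIUM' THEN 3 ELSE 1 END AS sophos_risk_score,
  COUNT(*)            AS detection_count,   -- how many alerts in this bucket
  MIN(event_date_time) AS first_seen,       -- earliest alert in the bucket
  MAX(event_date_time) AS last_seen         -- most recent alert in the bucket
FROM mdr_ms_graph_api_data
GROUP BY category, severity
ORDER BY sophos_risk_score DESC, detection_count DESC, category ASC
```

Run it the same way as the full query (Designer Mode, Data Lake query, Run). A category whose HIGH row has a recent last_seen and a rising detection_count is the one to open first in the full listing.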
This summer we will be updating Central to show these detections automatically in the main detections dashboard. For now, know that these detections are reaching the MTR Security team, and we are evaluating whether an investigation is warranted given the alert information.
Thanks
Karl