From 45f98344f0dd57cf0a1fd8de52c43aca5997b142 Mon Sep 17 00:00:00 2001
From: Oliver Lennartsson <54884640+ol1v@users.noreply.github.com>
Date: Wed, 26 Nov 2025 13:36:56 +0100
Subject: [PATCH 1/2] Create drapeindex.kql
---
 drapeindex.kql | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 drapeindex.kql
diff --git a/drapeindex.kql b/drapeindex.kql
new file mode 100644
index 0000000..c08e272
--- /dev/null
+++ b/drapeindex.kql
@@ -0,0 +1,27 @@
+// Get FPs and TPs
+let timestamp = 60d;
+SecurityIncident
+| where TimeGenerated >= ago(timestamp)
+| where Status == "Closed"
+| where isnotempty(Classification)
+| where Classification has_any("TruePostive", "FalsePositive", "BenignPositive")
+| summarize
+ TP = countif(Classification == "TruePositive" or Classification == "BenignPositive"), // Alter depending on how you use Benign classification
+ FP = countif(Classification == "FalsePositive")
+ by Title
+//*********************
+//** Add DRAPE INDEX **
+//*********************
+// Add weights
+| extend
+ k = 0.18,
+ w = 0.22
+// Apply scoring formula
+| extend indexscore =
+ ( log(TP + 1) * (1 + (w * (TP / (TP + FP)))) )
+ - ( (k * log(FP + 1)) / (log(TP + 1) + 1) )
+// Handle divide-by-zero
+| extend indexscore = iff(TP + FP > 0, indexscore, real(null))
+// Scale & round
+| extend indexscore = round(indexscore * 10, 2)
+| project-away k, w
From 002045f2c83124428429075b232d151ffbfb752b Mon Sep 17 00:00:00 2001
From: Oliver Lennartsson <54884640+ol1v@users.noreply.github.com>
Date: Wed, 26 Nov 2025 13:37:43 +0100
Subject: [PATCH 2/2] Update README.md
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 241012f..d6f3d19 100644
--- a/README.md
+++ b/README.md
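Review bot: The classification filter misspells the value as `"TruePostive"`, so incidents closed as TruePositive never reach the `summarize`; TP then counts only BenignPositive closures, and any rule whose closures were all true positives disappears from the output instead of scoring high, which biases the index toward down-weighting exactly the detections that performed best. The fix is `| where Classification has_any("TruePositive", "FalsePositive", "BenignPositive")`; since Classification holds a fixed set of exact values, `| where Classification in ("TruePositive", "FalsePositive", "BenignPositive")` would also state the intent more precisely than term matching. The `k` and `w` weights are undocumented although the formula fixes their roles, so a comment above the `extend` would help anyone tuning them: `// w scales the precision bonus (1 + w * TP/(TP+FP)); k scales the FP penalty (k * log(FP+1))`. The `let timestamp = 60d;` binding is a lookback window rather than a point in time, so a name such as `lookback` would read better in `ago(...)`.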
@@ -35,6 +35,7 @@ This mirrors actual triage experience so I encourage you to try it out. ## Implementations - Python: [drapeindex.py](drapeindex.py) - Splunk (SPL): [drapeindex.spl](/drapeindex.spl) +- Sentinel (KQL): [drapeindex.kql](/drapeindex.kql) ### Outpout Sample (v1.0)
