Microsoft Defender for Endpoint Blog

MITRE ATT&CK Techniques now available in the device timeline

Yonit_Glozshtein
Feb 18, 2021

We are excited to announce the public preview of MITRE ATT&CK techniques and sub-techniques in the Microsoft Defender for Endpoint device timeline.
Techniques are an additional data type that provides valuable insight regarding behaviors observed on the device. You can find them on the device timeline alongside device events. They are marked in bold, with a blue icon, and MITRE tags.
Techniques enrich the timeline with information about which MITRE ATT&CK techniques and sub-techniques were observed, making the investigation experience even more efficient and easier for analysts.
Techniques are shown in the device timeline by default for public preview customers. In addition to the search bar, you can use the Data type and Event group filters to control how verbose the timeline is.

Selecting a certain technique will open the details side pane with more information on the technique, related tactics, and a link to the MITRE website. Analysts can then learn more about the observed behavior and expand the investigation if necessary.
To learn more about the techniques in the device timeline, see the Techniques in the device timeline documentation.
Turn on preview features in the Microsoft Defender Security Center to try it out today. We welcome your feedback and are looking forward to hearing it!
Updated Apr 20, 2021
Version 2.0
  • zwojtonD8
    Copper Contributor

    Awesome for trend analysis and working with detections (blue teams).