This post is part of an update series highlighting new SOC Optimization capabilities (https://learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-access?tabs=defender-portal) designed to help SOC teams maximize security value with less manual effort. In this post, we focus on AI-powered MITRE ATT&CK Tagging, which streamlines the process of aligning your detections with the MITRE framework. For an overview of our other recent updates, stay tuned for related posts in this series.
Security teams rely on precise, consistent tagging to understand detection coverage, align with frameworks like MITRE ATT&CK, and respond effectively to threats. Yet in practice, tagging detections manually is error-prone, inconsistent, and resource-intensive — leaving gaps in coverage and missed opportunities for insight.
To address this challenge, we’re excited to introduce a powerful new capability within SOC Optimization: AI MITRE ATT&CK Tagging.
Problem Statement
In today’s evolving threat landscape, aligning detection rules with the MITRE ATT&CK framework is critical for understanding and improving an organization’s security posture. MITRE tagging provides a common language to describe attacker behaviour, enabling security teams to assess their threat coverage, identify detection gaps, and drive a threat-informed defence. It powers key SOC experiences in Microsoft Sentinel, such as MITRE coverage views, use case recommendations, incident investigation context, and coverage optimization workflows.
When tagging is missing or incomplete — for example, when only tactics are mapped without corresponding techniques — the ability to accurately assess protection against known adversary behaviours is weakened. This limits visibility into which threats are covered, complicates incident correlation, and prevents clear communication of coverage gaps to stakeholders. As a result, security teams struggle to prioritize detection improvements and risk leaving critical areas underprotected.
These gaps lead to:
- Incomplete visibility into coverage against known threats
- Limited ability to recommend or prioritize relevant use cases
- Fragmented alignment between detection rules and incident response workflows
Without consistent MITRE tagging, teams spend valuable time manually reviewing and mapping rules — delaying threat response and reducing overall SOC efficiency.
The Solution
AI MITRE ATT&CK Tagging automates this process using artificial intelligence models that run directly in your workspace. The model scans your detection content and identifies which MITRE ATT&CK tactics and techniques apply, offering recommended tags for detections that are currently untagged.
These recommendations can be easily reviewed and applied, allowing you to:
- Achieve complete detection coverage aligned with the MITRE ATT&CK framework
- Eliminate manual effort and reduce human error in tagging
- Enhance detection clarity and response workflows
- Gain insights into security posture with more structured and actionable data
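The gaps described above (rules with no MITRE tags at all, and rules mapped to a tactic but no technique) can also be measured from an export of your analytics rules before and after applying the recommendations. The following is an added example, not code from the post or from Microsoft Sentinel; it assumes rule records shaped like the `properties` block of an exported analytics rule (field names `displayName`, `tactics`, `techniques`), and the sample rules are constructed.

```python
import re
from collections import Counter

# Constructed sample records. The field names (displayName, tactics,
# techniques) are assumed to match an exported Sentinel analytics rule;
# adapt the keys if your export differs.
SAMPLE_RULES = [
    {"displayName": "Suspicious PowerShell download cradle",
     "tactics": ["Execution"], "techniques": ["T1059.001"]},
    {"displayName": "Mass mailbox rule creation",
     "tactics": ["Collection"], "techniques": []},             # tactic only
    {"displayName": "Impossible travel sign-in",
     "tactics": [], "techniques": []},                         # untagged
    {"displayName": "New GPO linked to domain root",
     "tactics": ["DefenseEvasion"], "techniques": ["t1484-001"]},  # bad ID
]

# ATT&CK technique IDs look like T1234 or, for sub-techniques, T1234.001
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def classify_rule(rule):
    """Return the tagging gaps for one rule; an empty list means fully tagged."""
    gaps = []
    tactics = rule.get("tactics") or []
    techniques = rule.get("techniques") or []
    if not tactics and not techniques:
        gaps.append("untagged")
    elif not techniques:
        gaps.append("tactic-only")      # the incomplete case the post calls out
    elif not tactics:
        gaps.append("technique-only")
    bad = [t for t in techniques if not TECHNIQUE_ID.match(t)]
    if bad:
        gaps.append("malformed-technique-id:" + ",".join(bad))
    return gaps


def coverage_report(rules):
    """Map each rule name to its gaps and count rules per gap category."""
    findings = {r["displayName"]: classify_rule(r) for r in rules}
    counts = Counter()
    for gaps in findings.values():
        if not gaps:
            counts["complete"] += 1
        for gap in gaps:
            counts[gap.split(":")[0]] += 1
    return findings, counts


if __name__ == "__main__":
    report, totals = coverage_report(SAMPLE_RULES)
    for name, gaps in report.items():
        print(f"{name}: {', '.join(gaps) or 'OK'}")
    print(dict(totals))
```

Running the same report after applying the suggested tags should show the `untagged` and `tactic-only` counts drop to zero; the `malformed-technique-id` check catches hand-typed IDs that the MITRE coverage view would not recognise.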
“AI-based tagging helps us to reduce the manual workload of tagging detections manually, as well as helping with faster triage. Besides, AI-based tagging will be standardized, helping to reduce inconsistencies due to human error.”
Farid Kalaidji, Security Lead at Pink Elephant
What it looks like
Let’s say you’re reviewing your detection posture and come across a new card in SOC Optimization: “Coverage improvement by AI MITRE Tagging”.
The card highlights a list of detection rules in your environment that are missing MITRE ATT&CK mappings and offers AI-suggested tags to help close those gaps.
You click into the experience and see the relevant rules, each with recommended tactic and technique tags. Now you can quickly get a sense of where coverage is missing and what can be improved.
If you’re looking for efficiency, you can simply click “Apply All” to tag every recommended rule at once. It’s a quick way to bring your rules up to date and ensure your MITRE coverage reflects your true detection posture – no manual tagging required.
This improves not just the MITRE blade, but also use case recommendations, incident investigation context, and overall visibility into your threat coverage.
Please note that by selecting "choose rule", you also have the option to review and tag individual rules from the list.
By clicking into a detection, you can explore rule logic, thresholds, and configurations to ensure tagging fits your use case.
By heading to the MITRE ATT&CK blade, you can validate the improved coverage. The updated view includes newly applied tactics and techniques, reflecting your improved posture.
Next Steps
Get started with SOC Optimization today. We hope this detailed walkthrough helps you understand the benefits of this feature and improve your security coverage. Microsoft will continue to invest in this feature to assist our customers in defending against evolving security threats.
Learn More
SOC optimization documentation: https://learn.microsoft.com/azure/sentinel/soc-optimization/soc-optimization-access ; https://learn.microsoft.com/azure/sentinel/soc-optimization/soc-optimization-reference
Short overview and demo: https://www.youtube.com/watch?v=b0rbPZwBuc0
In depth webinar: https://www.youtube.com/watch?v=Uk9x60grT-o
SOC optimization API: Introducing SOC Optimization API | Microsoft Community Hub
MITRE ATT&CK coverage: https://learn.microsoft.com/en-us/azure/sentinel/mitre-coverage
Microsoft Sentinel is a cloud-native SIEM, enriched with AI and automation to provide expansive visibility across your digital environment.