Forum Discussion

ajeeshneelamkavil
Copper Contributor
Jun 23, 2021

MS Defender ATP and Antivirus Rules with MITRE mapping

Team,


We are working on building certain correlation threat use cases for endpoints and cloud instances running Defender, and would like to know the list of rules in Defender with their MITRE tactics and techniques mappings.

  • pvanberlo
    Steel Contributor
    I’ve not seen this before, so not sure if this is available in an easy to consume list somewhere. Perhaps someone else knows.
  • Tiennes
    Brass Contributor

    Morning,


    As akudrati already stated, Azure is supporting MITRE ATT&CK mapping. You can connect Microsoft Defender for Endpoint (and also the other products like MDI, Def4O365, etc.) to Sentinel via the native built-in data connectors in Microsoft Sentinel.


    Furthermore, Microsoft Defender is also doing a mapping to the MITRE ATT&CK table. When you click on an alert, on the right side of the screen a blade comes in, and in the alert details section you see MITRE ATT&CK Techniques and below that the mapped technique.
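Since the replies above point out that the mapping is visible per alert in the portal and also flows into Microsoft Sentinel through the data connector, here is an added example KQL query (not posted by anyone in the thread) that pulls that mapping out of Sentinel's SecurityAlert table for Defender for Endpoint alerts and groups it by technique, which is closer to the rule-to-technique list the original question asks for. It assumes the Defender for Endpoint connector is enabled, that the SecurityAlert table carries the Tactics and Techniques columns (older workspaces may lack Techniques), and that Defender for Endpoint alerts arrive with ProviderName "MDATP"; check the provider value in your own workspace before relying on the filter.

```kql
// Added example, not from the thread: alerts from Defender for Endpoint in Sentinel,
// grouped by the MITRE ATT&CK technique Microsoft assigned to each alert.
// Assumptions: SecurityAlert has Tactics and Techniques columns (comma-separated
// strings) and MDE alerts are tagged ProviderName == "MDATP".
SecurityAlert
| where TimeGenerated > ago(30d)
| where ProviderName == "MDATP"
// One alert can carry several techniques; split and expand so each row is one technique.
| extend TechniqueList = split(Techniques, ",")
| mv-expand Technique = TechniqueList to typeof(string)
| extend Technique = trim(" ", Technique)
| where isnotempty(Technique)
| summarize
    AlertCount = count(),
    TacticsSeen = make_set(Tactics),
    SampleAlertNames = make_set(AlertName, 5)
    by Technique
| order by AlertCount desc
```

The result is a per-technique inventory of which Defender alert names actually fired in the workspace, which is useful both for checking coverage of a correlation use case against the tactics you care about and for spotting techniques that generate a lot of noise.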