Forum Discussion

GerryMcCafferty
Copper Contributor
May 11, 2023

MITRE ATT&CK Coverage

Morning from the UK!
I am trying to better understand how Defender \ Sentinel protect against the MITRE ATT&CK framework.
I am particularly interested in mapping to the tactics \ techniques that tools such as Bloodhound and PingCastle highlight for Active Directory \ Azure Active Directory, but am struggling to see what is available in the product and what is still on the roadmap:

https://www.pingcastle.com/PingCastleFiles/ad_hc_rules_list.html

In terms of what coverage exists within a Tenant, I know there are improvements planned in the roadmap to the current MITRE coverage in Microsoft Sentinel, but is there any way that I could use a Graph query to get what is currently covered?

  • cyb3rmik3
    Iron Contributor

    Hey Gerry,

    Greetings from Greece 🙂

    Good question, well if you head to Sentinel > Threat management > MITRE ATT&CK you can see the whole MITRE ATT&CK framework. Now if you adjust the options in "Active" and "Simulated" you will be able to see which queries are part of rules and are scheduled to run and which are available as queries (templates) but haven't been assigned to scheduled rules.

    Choose all options available under "Active" and then in "Simulated" choose "Hunting queries", then choose a TTP from the framework below and on your right you will see a new window:
    - Active coverage: has queries actively hunting and basically covering the TTP you chose.
    - Simulated coverage: has queries in templates which can be enabled in order to actively threat hunt and thus cover the TTP.

    Now, if you want to have the whole picture of the framework, if you see each TTP box, on the upper left you have all queries active and simulated and on the upper right you have only the simulated. So if there is a difference, then you know that you have active queries running and covering this TTP.

    There is another option: you may use the MITRE ATT&CK Workbook (Workbooks > Templates) and head to the last tab, Heatmaps, where you can see what your current coverage is.

    I hope I helped!
    If I have answered your question, please mark your post as Solved

    If you like my response, please consider giving it a like

    • SaeedNouri2021
      Brass Contributor
      Love that workbook!!
      Ideally a CISO can now review the coverage against his threat modelling and do a bit of gap analysis.
      Is there any plan for later versions of Attack Nav? V13 is released now.
    • GerryMcCafferty
      Copper Contributor
      Hi there and thanks for your reply.

      My understanding is that not everything in the MITRE ATT&CK framework is covered yet, is that correct?

      Also even using the heatmap it is not easy to export a list of the TTP that are covered to be able to easily perform a gap analysis of what other controls are required?
      • cyb3rmik3
        Iron Contributor

        GerryMcCafferty

        My understanding is that not everything in the MITRE ATT&CK framework is covered yet, is that correct?

        Exactly, you can check which TTPs have queries available and enable them (this raises a lot of discussion in terms of fine tuning detection opportunities for your organization). Or you may also build custom queries and map them to the MITRE ATT&CK framework.


        Also even using the heatmap it is not easy to export a list of the TTP that are covered to be able to easily perform a gap analysis of what other controls are required?

        This requirement is covered by visiting the MITRE ATT&CK page under Threat management and by adjusting the Active and Simulated options. My next step would be KQL, but queries provide information on present and past alerts and incidents and not on the setup of hunts and detections.


        If I have answered your question, please mark your post as Solved

        If you like my response, please consider giving it a like
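The export and gap-analysis step discussed above, as an added example that is not part of this thread or of Microsoft's tooling: it assumes a rule list already pulled out of the tenant in a constructed shape (name, kind, enabled flag, technique IDs), reproduces the portal's active/simulated split per technique, and diffs it against a constructed set of techniques an AD assessment flagged.

```python
from collections import defaultdict

# Constructed sample records; the shape (kind, enabled, techniques) is an
# assumption standing in for a rules/templates/hunting-queries export, not real data.
RULES = [
    {"name": "Kerberoasting", "kind": "rule", "enabled": True, "techniques": ["T1558"]},
    {"name": "AS-REP roasting hunt", "kind": "hunting", "enabled": False, "techniques": ["T1558"]},
    {"name": "DCSync template", "kind": "template", "enabled": False, "techniques": ["T1003"]},
    {"name": "GPO modification", "kind": "rule", "enabled": True, "techniques": ["T1484"]},
    {"name": "Disabled rule", "kind": "rule", "enabled": False, "techniques": ["T1003"]},
]
# Constructed placeholder for the techniques an AD assessment report flagged.
REQUIRED = {"T1558", "T1003", "T1484", "T1207"}

def coverage(rules):
    """Per technique: active (enabled scheduled rules) vs simulated (everything else)."""
    cov = defaultdict(lambda: {"active": 0, "simulated": 0})
    for r in rules:
        bucket = "active" if r["kind"] == "rule" and r["enabled"] else "simulated"
        for tech in r["techniques"]:
            cov[tech][bucket] += 1
    return dict(cov)

def gap_analysis(rules, required):
    """Classify each required technique as active, simulated_only or uncovered."""
    cov = coverage(rules)
    out = {"active": [], "simulated_only": [], "uncovered": []}
    for tech in sorted(required):
        c = cov.get(tech)
        if c is None:
            out["uncovered"].append(tech)
        elif c["active"]:
            out["active"].append(tech)
        else:
            out["simulated_only"].append(tech)
    return out

def export_csv(rules, required):
    """Flat CSV (technique, status, active, simulated) for a gap-analysis sheet."""
    cov, gaps = coverage(rules), gap_analysis(rules, required)
    status = {t: s for s, techs in gaps.items() for t in techs}
    lines = ["technique,status,active,simulated"]
    for tech in sorted(required):
        c = cov.get(tech, {"active": 0, "simulated": 0})
        lines.append(f"{tech},{status[tech]},{c['active']},{c['simulated']}")
    return "\n".join(lines) + "\n"
```

A disabled scheduled rule is counted as simulated here, matching the portal's treatment of templates that have not been turned into running rules.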
