Forum Discussion
MITRE ATT&CK Coverage
Hey Gerry,
Greetings from Greece 🙂
Good question, well if you head to Sentinel > Threat management > MITRE ATT&CK you can see the whole MITRE ATT&CK framework. Now if you adjust the options in "Active" and "Simulated" you will be able to see which queries are part of rules and are scheduled to run and which are available as queries (templates) but haven't been assigned to scheduled rules.
Choose all options available under "Active" and then in "Simulated" choose "Hunting queries", then choose a TTP from the framework below and on your right you will see a new window"
- Active coverage: has queries actively hunting and basically covering the TTP you chose.
- Simulated coverage: has queries in templates which can be enabled in order to actively threat hunt and thus cover the TTP.
Now, if you want to have the whole picture of the framework, if you see each TTP box, on the upper left you have all queries active and simulated and on the upper right you have only the simulated. So if there is a difference, then you know that you have active queries running and covering this TTP.
There is another option, you may use the MITRE ATT&CK Workbook (Workbooks > Templates) and head to the last tab at Heatmaps where you can see what is you current coverage.
I hope I helped!
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
My understanding is that not everything in the MITRE ATT&CK framework is covered yet, is that correct?
Also even using the heatmap it is not easy to export a list of the TTP that are covered to be able to easily perform a gap analysis of what other controls are required?
My understanding is that not everything in the MITRE ATT&CK framework is covered yet, is that correct?
Exactly, you can check which TTPs have queries available and enable them (this raises a lot of discussion in terms of fine tuning detection opportunities for your organization). Or, you may also build custom queries as well and map them to MITRE ATT&CK framework.
Also even using the heatmap it is not easy to export a list of the TTP that are covered to be able to easily perform a gap analysis of what other controls are required?
This requirement is covered by visiting the MITRE ATT&CK page under Threat management and by adjusting Active and Simulated options. My next step would be KQL but queries provide information on present and past alerts and incidents and not the setup of hunts and detections.
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
- Thanks again for your reply, but this doesn't answer my question; perhaps I am not being sufficiently clear.
Lets assume the use case where I look after a number of clients.
-I need to confirm the current coverage of the MITRE ATT&CK framework currently available for each one
-I need to give them a simple way of exporting this information from their tenant
-I need some sort of repository I can then compare the results from each client with what is currently available from Microsoft
-I can then confirm what custom controls are required
How can I achieve that?I am also actively looking for any answer to this question. We all need a dedicated MS Learn/Docs page with a clear MITRE mapping to M365 Defender actions, detections etc. I understand the Sentinel tab page but it's not what we are looking for.
