Forum Discussion

Copper Contributor

May 11, 2023

MITRE ATT&CK Coverage

Morning from the UK! I am trying to better understand how Defender \ Sentinel protect against the MITRE ATT&CK framework. I am particularly interested in mapping to the tactics \ techniques that ...

microsoft defender for endpoint

microsoft sentinel

threat hunting

GerryMcCafferty

Copper Contributor

May 12, 2023

Hi there and thanks for your reply.

My understanding is that not everything in the MITRE ATT&CK framework is covered yet, is that correct?

Also even using the heatmap it is not easy to export a list of the TTP that are covered to be able to easily perform a gap analysis of what other controls are required?

cyb3rmik3

MVP

May 12, 2023

GerryMcCafferty

My understanding is that not everything in the MITRE ATT&CK framework is covered yet, is that correct?

Exactly, you can check which TTPs have queries available and enable them (this raises a lot of discussion in terms of fine tuning detection opportunities for your organization). Or, you may also build custom queries as well and map them to MITRE ATT&CK framework.

Also even using the heatmap it is not easy to export a list of the TTP that are covered to be able to easily perform a gap analysis of what other controls are required?

This requirement is covered by visiting the MITRE ATT&CK page under Threat management and by adjusting Active and Simulated options. My next step would be KQL but queries provide information on present and past alerts and incidents and not the setup of hunts and detections.

If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like

GerryMcCafferty
Copper Contributor
May 15, 2023
Thanks again for your reply, but this doesn't answer my question; perhaps I am not being sufficiently clear.

Lets assume the use case where I look after a number of clients.
-I need to confirm the current coverage of the MITRE ATT&CK framework currently available for each one
-I need to give them a simple way of exporting this information from their tenant
-I need some sort of repository I can then compare the results from each client with what is currently available from Microsoft
-I can then confirm what custom controls are required

How can I achieve that?
- Kris_Deb_e2e
  Iron Contributor
  Jul 26, 2023
  I am also actively looking for any answer to this question. We all need a dedicated MS Learn/Docs page with a clear MITRE mapping to M365 Defender actions, detections etc. I understand the Sentinel tab page but it's not what we are looking for.
  - ActualCassandra
    Copper Contributor
    Nov 01, 2023
    Sorry for the 'bump', but I'm also curious here.
    
    Sentinel has the MITRE attack blade but we could use something similar in the M365 Defender security portal, too. Yes, there is the Engenuity report but that's not the level we're talking about. More a way to easily show the out of the box coverage, before you get to the customised detections, etc.