Forum Discussion
Bob_Bruce
Jan 20, 2022
Copper Contributor
MITRE ATT&CK Technique Coverage
Hi All,
I have been mapping our capabilities to the ATT&CK framework to be able to display coverage and where hot spots may exist. I am having a very difficult time finding any reference to what techniques 365 Defender covers.
Does anyone know of a way to get this list from the console? I can export the alerts that have fired but I'm looking for a list of all that "could" fire, if that makes sense.
Thanks
5 Replies
- Kris_Deb_e2e (Iron Contributor): I'm also interested in any reference document about MITRE mapping vs M365 Defender. I am surprised that it looks like there is no such thing in official documentation already.
- Vytas_Boyev (Microsoft):
  For MDE: https://github.com/vboyev-MSFT/KQL-queries/blob/main/M365-%20Mitre-chart%20of%20alerts
  Sentinel has a MITRE dashboard: https://learn.microsoft.com/en-us/azure/sentinel/mitre-coverage
- GerryMcCafferty (Copper Contributor): Thanks for that Vytas, the KQL query is a great help to be able to report on what is there.
I think what Bob and I are both looking for is a way of comparing that with what is currently available to ensure everything is configured and switched on in the tenant?
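An added KQL example of the kind of report Gerry describes (it is not the query Vytas linked and not Microsoft's code): it pulls the ATT&CK technique IDs that Microsoft 365 Defender alerts have mapped to over a lookback window and checks them against a watch list of techniques. It assumes the advanced hunting `AlertInfo` table, whose `AttackTechniques` column is a JSON array of strings of the form "Name (T1234.001)"; the watch list itself is a constructed sample.

```kql
// Added example: which watch-listed ATT&CK techniques have produced at least one
// M365 Defender alert in the window, and which have not.
// Assumes AlertInfo.AttackTechniques holds a JSON array such as
//   ["OS Credential Dumping: LSASS Memory (T1003.001)", "Valid Accounts (T1078)"]
let lookback = 90d;
// Constructed watch list (illustration only; replace with your own technique set)
let WatchList = datatable(TechniqueId:string, Name:string)
[
    "T1003", "OS Credential Dumping",
    "T1558", "Steal or Forge Kerberos Tickets",
    "T1078", "Valid Accounts",
    "T1482", "Domain Trust Discovery",
    "T1087", "Account Discovery"
];
let Observed =
    AlertInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(AttackTechniques)
    | extend Techniques = parse_json(AttackTechniques)
    | mv-expand Technique = Techniques to typeof(string)
    // pull "T1234" or "T1234.001" out of the trailing parentheses
    | extend TechniqueId = extract(@"\((T\d{4}(?:\.\d{3})?)\)", 1, Technique)
    | where isnotempty(TechniqueId)
    // roll sub-techniques up to their parent so T1003.001 counts toward T1003
    | extend ParentId = tostring(split(TechniqueId, ".")[0])
    | summarize AlertCount = count(),
                SubTechniques = make_set(TechniqueId),
                Sources = make_set(ServiceSource)
      by ParentId;
WatchList
| join kind=leftouter Observed on $left.TechniqueId == $right.ParentId
| extend Status = iff(isempty(ParentId), "no alert observed in window", "observed")
| project TechniqueId, Name, Status, AlertCount = coalesce(AlertCount, 0), SubTechniques, Sources
| order by Status asc, AlertCount desc
```

This only reflects alerts that have actually fired, which is the same limitation Bob raised; a technique with no alert in the window may still be covered by a detection that simply has not triggered yet.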
- GerryMcCafferty (Copper Contributor): Is there any update on this? I am particularly interested in mapping to the tactics \ techniques that tools such as Bloodhound and PingCastle highlight for Active Directory \ Azure Active Directory:
  https://www.pingcastle.com/PingCastleFiles/ad_hc_rules_list.html
- ReganDangerCarey (Brass Contributor): I'm also interested and having a hard time finding this information. The incidents that come across into Sentinel also don't carry over the MITRE fields, so we can't even query based on that.