MITRE ATT&CK Technique Coverage


Hi All,

I have been mapping our capabilities to the ATT&CK framework to be able to display coverage and where hot spots may exist. I am having a very difficult time finding any reference to what techniques 365 Defender covers.

Does anyone know of a way to get this list from the console? I can export the alerts that have fired but I'm looking for a list of all that "could" fire, if that makes sense.

Thanks

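The coverage view the original poster describes can at least be built from the alerts that have fired, by turning the technique IDs on exported alerts into an ATT&CK Navigator layer. The example below is added here and is not code from the thread or from Microsoft; the input records are constructed, and the field names "Title" and "Techniques" (a comma-separated list of technique IDs) are assumptions about the export format. As the thread notes, this shows only techniques that actually fired, not every technique a detection could fire on, so treat the resulting heat map as observed coverage rather than detection capability.

```python
import json
from collections import Counter

# Constructed sample of exported alert records (not real Defender output).
# The field names "Title" and "Techniques" are assumptions for this example.
EXPORTED_ALERTS = [
    {"Title": "Suspicious PowerShell command line", "Techniques": "T1059.001"},
    {"Title": "Suspicious PowerShell download", "Techniques": "T1059.001, T1105"},
    {"Title": "Credential dumping from LSASS", "Techniques": "T1003.001"},
    {"Title": "New scheduled task created", "Techniques": "T1053.005"},
    {"Title": "Informational alert with no mapping", "Techniques": ""},
]


def technique_counts(alerts):
    """Count how many exported alerts reference each ATT&CK technique ID.

    Alerts with an empty or missing Techniques field are skipped rather than
    counted under an empty key.
    """
    counts = Counter()
    for alert in alerts:
        raw = alert.get("Techniques") or ""
        for tid in (t.strip() for t in raw.split(",")):
            if tid:
                counts[tid] += 1
    return dict(counts)


def parent_technique(tid):
    """T1059.001 -> T1059; a parent technique maps to itself."""
    return tid.split(".")[0]


def navigator_layer(counts, name="Defender alerts that fired"):
    """Build an ATT&CK Navigator layer dict with one scored entry per technique.

    Sub-technique hits are also rolled up to their parent technique so hot
    spots are visible whether or not sub-techniques are expanded in Navigator.
    The version numbers are assumptions; align them with the Navigator build
    you load the layer into.
    """
    rolled = Counter()
    for tid, n in counts.items():
        rolled[tid] += n
        parent = parent_technique(tid)
        if parent != tid:
            rolled[parent] += n
    return {
        "name": name,
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": n, "comment": f"{n} alert(s) fired"}
            for tid, n in sorted(rolled.items())
        ],
        "gradient": {
            "colors": ["#ffffff", "#ff6666"],
            "minValue": 0,
            "maxValue": max(rolled.values(), default=1),
        },
    }


if __name__ == "__main__":
    layer = navigator_layer(technique_counts(EXPORTED_ALERTS))
    print(json.dumps(layer, indent=2))
```

Save the printed JSON to a file and open it with Navigator's "Open Existing Layer" to get the heat map; the rolled-up parent scores mean a cluster of sub-technique alerts still stands out when the matrix is collapsed.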
1 Reply
I'm also interested and having a hard time finding this information. The incidents that come across into Sentinel also don't carry over the MITRE fields, so we can't even query based on that.