Microsoft Defender ATP alerts include an alert category, which loosely identifies the kill chain stage associated with the alerted activity. For example, an alert like “Suspicious communication to an IP address” will be categorized as “Command and Control”, while “Use of living-off-the-land binary” will be categorized as “Execution”. Using the alert categories, security operators can:
We’ve recently completed a set of improvements to our alert categorization, simplifying and standardizing the alert categories to align with MITRE ATT&CK Framework Tactics.
We believe this alignment will help users better understand threat activities, correlate with additional data sources, and benefit from community enrichments to these categories over time.
Alert categories appear in different areas of the portal where alerts are displayed, queried or, used.
First, the alert category appears on each alert page:
It also appears in lists of alerts—in the alert queue and in alert lists for incidents and other entities—enabling easy filtering of alerts by their categories:
Alert categories are available in advanced hunting, where you can query for alerts based on categories:
And when creating your own alerts (i.e., custom detections) from advanced hunting queries, you get to pick an appropriate category for your custom detection as well.
Finally, the Threat Protection reports include a report of alert activity in the last 30 days, sliced by the different alert categories:
Two other Microsoft Defender ATP features where alert categories appear are particularly notable—you might have processes or systems that use the actual alert category values and might need to perform a one-time adjustment to use the new values:
Note: To allow for a period of adjustment to the new categories and preserve reporting, filtering, hunting etc., the Microsoft Defender ATP portal will continue to show both old and new categories for the next 30 days. As a result, you may notice a longer list of categories (e.g. in the alerts filters pane) representing both old and new together. After this adjustment period, old categories will be removed from view and only the new category values will appear.
We believe Security Operations teams will benefit from this alignment in alert categories, and we look forward to introducing more areas where we leverage the MITRE ATT&CK framework throughout Microsoft Defender ATP over the coming months.
@Corina Feuerstein @Hadar Feldman
Microsoft Defender ATP Team
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.