We are excited to announce the public preview of MITRE ATT&CK techniques and sub-techniques in the Microsoft Defender for Endpoint device timeline.
Techniques are an additional data type that provides valuable insight into behaviors observed on the device. You can find them on the device timeline alongside device events; they appear in bold, with a blue icon and MITRE tags.
Techniques enrich the timeline with information about which MITRE ATT&CK techniques and sub-techniques were observed, making the investigation experience even more efficient and easier for analysts.
Techniques are available in the device timeline by default for public preview customers. In addition to the search bar, you can use the Data type and Event group filters to easily control the verbosity of your timeline.
Selecting a certain technique will open the details side pane with more information on the technique, related tactics, and a link to the MITRE website. Analysts can then learn more about the observed behavior and expand the investigation if necessary.