MITRE ATT&CK Coverage

Copper Contributor

Morning from the UK!
I am trying to better understand how Defender \ Sentinel protect against the MITRE ATT&CK framework.


I am particularly interested in mapping to the tactics \ techniques that tools such as Bloodhound and PingCastle highlight for Active Directory \ Azure Active Directory, but am struggling to see what is available in the product and what is still on the roadmap:

https://www.pingcastle.com/PingCastleFiles/ad_hc_rules_list.html

In terms of what coverage exists within a Tenant, I know there is improvements planned in the roadmap to the current MITRE coverage in Microsoft Sentinel, but is there any way that I could use a Graph query to get what is currently covered?

7 Replies

Hey Gerry,

Greetings from Greece 🙂

Good question, well if you head to Sentinel > Threat management > MITRE ATT&CK you can see the whole MITRE ATT&CK framework. Now if you adjust the options in "Active" and "Simulated" you will be able to see which queries are part of rules and are scheduled to run and which are available as queries (templates) but haven't been assigned to scheduled rules.

Choose all options available under "Active" and then in "Simulated" choose "Hunting queries", then choose a TTP from the framework below and on your right you will see a new window"
- Active coverage: has queries actively hunting and basically covering the TTP you chose.
- Simulated coverage: has queries in templates which can be enabled in order to actively threat hunt and thus cover the TTP.

Now, if you want to have the whole picture of the framework, if you see each TTP box, on the upper left you have all queries active and simulated and on the upper right you have only the simulated. So if there is a difference, then you know that you have active queries running and covering this TTP.

There is another option, you may use the MITRE ATT&CK Workbook (Workbooks > Templates) and head to the last tab at Heatmaps where you can see what is you current coverage.

I hope I helped!

 

If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like

Hi there and thanks for your reply.

My understanding is that not everything in the MITRE ATT&CK framework is covered yet, is that correct?

Also even using the heatmap it is not easy to export a list of the TTP that are covered to be able to easily perform a gap analysis of what other controls are required?

@GerryMcCafferty 

 

My understanding is that not everything in the MITRE ATT&CK framework is covered yet, is that correct?

Exactly, you can check which TTPs have queries available and enable them (this raises a lot of discussion in terms of fine tuning detection opportunities for your organization). Or, you may also build custom queries as well and map them to MITRE ATT&CK framework.

 

Also even using the heatmap it is not easy to export a list of the TTP that are covered to be able to easily perform a gap analysis of what other controls are required?

This requirement is covered by visiting the MITRE ATT&CK page under Threat management and by adjusting Active and Simulated options. My next step would be KQL but queries provide information on present and past alerts and incidents and not the setup of hunts and detections.

 

If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like

Love that workbook !!
Ideally a CISO can now review the coverage against his threat modelling and do a bit of gap analysis.
is there any plan for later versions of Attack Nav ? V13 is released now
Thanks again for your reply, but this doesn't answer my question; perhaps I am not being sufficiently clear.

Lets assume the use case where I look after a number of clients.
-I need to confirm the current coverage of the MITRE ATT&CK framework currently available for each one
-I need to give them a simple way of exporting this information from their tenant
-I need some sort of repository I can then compare the results from each client with what is currently available from Microsoft
-I can then confirm what custom controls are required

How can I achieve that?

I am also actively looking for any answer to this question. We all need a dedicated MS Learn/Docs page with a clear MITRE mapping to M365 Defender actions, detections etc. I understand the Sentinel tab page but it's not what we are looking for.

Sorry for the 'bump', but I'm also curious here.

Sentinel has the MITRE attack blade but we could use something similar in the M365 Defender security portal, too. Yes, there is the Engenuity report but that's not the level we're talking about. More a way to easily show the out of the box coverage, before you get to the customised detections, etc.