May 11 2023 02:29 AM
Morning from the UK!
I am trying to better understand how Defender \ Sentinel protect against the MITRE ATT&CK framework.
I am particularly interested in mapping to the tactics \ techniques that tools such as Bloodhound and PingCastle highlight for Active Directory \ Azure Active Directory, but am struggling to see what is available in the product and what is still on the roadmap:
https://www.pingcastle.com/PingCastleFiles/ad_hc_rules_list.html
In terms of what coverage exists within a Tenant, I know there is improvements planned in the roadmap to the current MITRE coverage in Microsoft Sentinel, but is there any way that I could use a Graph query to get what is currently covered?
May 12 2023 02:23 AM - edited May 12 2023 02:26 AM
Hey Gerry,
Greetings from Greece 🙂
Good question, well if you head to Sentinel > Threat management > MITRE ATT&CK you can see the whole MITRE ATT&CK framework. Now if you adjust the options in "Active" and "Simulated" you will be able to see which queries are part of rules and are scheduled to run and which are available as queries (templates) but haven't been assigned to scheduled rules.
Choose all options available under "Active" and then in "Simulated" choose "Hunting queries", then choose a TTP from the framework below and on your right you will see a new window"
- Active coverage: has queries actively hunting and basically covering the TTP you chose.
- Simulated coverage: has queries in templates which can be enabled in order to actively threat hunt and thus cover the TTP.
Now, if you want to have the whole picture of the framework, if you see each TTP box, on the upper left you have all queries active and simulated and on the upper right you have only the simulated. So if there is a difference, then you know that you have active queries running and covering this TTP.
There is another option, you may use the MITRE ATT&CK Workbook (Workbooks > Templates) and head to the last tab at Heatmaps where you can see what is you current coverage.
I hope I helped!
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
May 12 2023 02:58 AM
May 12 2023 03:17 AM
My understanding is that not everything in the MITRE ATT&CK framework is covered yet, is that correct?
Exactly, you can check which TTPs have queries available and enable them (this raises a lot of discussion in terms of fine tuning detection opportunities for your organization). Or, you may also build custom queries as well and map them to MITRE ATT&CK framework.
Also even using the heatmap it is not easy to export a list of the TTP that are covered to be able to easily perform a gap analysis of what other controls are required?
This requirement is covered by visiting the MITRE ATT&CK page under Threat management and by adjusting Active and Simulated options. My next step would be KQL but queries provide information on present and past alerts and incidents and not the setup of hunts and detections.
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
May 14 2023 05:13 PM
May 15 2023 07:48 AM
Jul 26 2023 04:46 AM - edited Jul 26 2023 04:47 AM
I am also actively looking for any answer to this question. We all need a dedicated MS Learn/Docs page with a clear MITRE mapping to M365 Defender actions, detections etc. I understand the Sentinel tab page but it's not what we are looking for.
Nov 01 2023 07:39 AM