MITRE ATT&CK Technique Coverage

Hi All,

I have been mapping our capabilities to the ATT&CK framework to be able to display coverage and where hot spots may exist. I am having a very difficult time finding any reference to what techniques 365 Defender covers. 

Does anyone know of a way to get this list from the console? I can export the alerts that have fired but I'm looking for a list of all that "could" fire, if that makes sense.


5 Replies
I'm also interested and having a hard time finding this information. The incidents that come across into Sentinel also don't carry over the MITRE fields, so we can't even query based on that.

Is there any update on this? I am particularly interested in mapping to the tactics \ techniques that tools such as BloodHound and PingCastle highlight for Active Directory \ Azure Active Directory:

Thanks for that Vytas, the KQL query is a great help to be able to report on what is there.

I think what Bob and I are both looking for is a way of comparing that with what is currently available to ensure everything is configured and switched on in the tenant?

I'm also interested in any reference document about MITRE mapping vs M365 Defender; I am surprised that it looks like there is no such thing in the official documentation already.