
Feb 26, 2022

MITRE ATT&CK® framework

Important

The MITRE page in Microsoft Sentinel is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.


MITRE ATT&CK is a publicly accessible knowledge base of tactics and techniques commonly used by attackers, built and maintained from real-world observations. Many organizations use the MITRE ATT&CK knowledge base to develop specific threat models and methodologies for verifying the security status of their environments.

Microsoft Sentinel analyzes ingested data, not only to detect threats and help you investigate, but also to visualize the nature and coverage of your organization's security status.

This article describes how to use the MITRE page in Microsoft Sentinel to view the detections already active in your workspace, and those available for you to configure, to understand your organization's security coverage, based on the tactics and techniques from the MITRE ATT&CK® framework.

[Figure: MITRE coverage matrix in Microsoft Sentinel]

Microsoft Sentinel is currently aligned to the MITRE ATT&CK framework, version 9.


View current MITRE coverage

In Microsoft Sentinel, in the Threat management menu on the left, select MITRE. By default, both currently active scheduled query and near real-time (NRT) rules are indicated in the coverage matrix.

Simulate possible coverage with available detections

In the MITRE coverage matrix, simulated coverage refers to detections that are available, but not currently configured, in your Microsoft Sentinel workspace. View your simulated coverage to understand your organization's possible security status, were you to configure all detections available to you.

In Microsoft Sentinel, in the General menu on the left, select MITRE.

Select items in the Simulate menu to simulate your organization's possible security status.

Use the MITRE ATT&CK framework in analytics rules and incidents

Having a scheduled rule with MITRE techniques applied running regularly in your Microsoft Sentinel workspace enhances the security status shown for your organization in the MITRE coverage matrix.
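The distinction between current and simulated coverage described above can be reproduced offline from exported rule metadata. The following is an added example, not code from the original article or from Microsoft: it aggregates technique counts per tactic from constructed rule records that are loosely shaped like Sentinel's alertRules and alertRuleTemplates resources (the `properties.enabled`, `tactics` and `techniques` field names and the tactic spellings are assumptions), treating only enabled Scheduled and NRT rules as active, and lists the techniques that configuring the remaining detections would add.

```python
"""Aggregate MITRE ATT&CK coverage from Sentinel-style rule records.

Field names below are an assumption modelled on the Sentinel REST API
alertRules / alertRuleTemplates shape, not a documented contract.
"""
from collections import defaultdict

# Constructed sample: two active rules, one disabled rule, and one
# rule template that has never been configured in the workspace.
SAMPLE_RULES = [
    {"name": "rule-brute-force", "kind": "Scheduled",
     "properties": {"enabled": True, "tactics": ["CredentialAccess"],
                    "techniques": ["T1110"]}},
    {"name": "rule-nrt-new-admin", "kind": "NRT",
     "properties": {"enabled": True,
                    "tactics": ["PrivilegeEscalation", "Persistence"],
                    "techniques": ["T1078"]}},
    {"name": "rule-disabled-exfil", "kind": "Scheduled",
     "properties": {"enabled": False, "tactics": ["Exfiltration"],
                    "techniques": ["T1048"]}},
]
SAMPLE_TEMPLATES = [
    {"name": "template-phishing", "kind": "Scheduled",
     "properties": {"tactics": ["InitialAccess"], "techniques": ["T1566"]}},
]


def coverage(records):
    """Return {tactic: {technique: number_of_rules}} for the records."""
    matrix = defaultdict(lambda: defaultdict(int))
    for rec in records:
        props = rec.get("properties", {})
        for tactic in props.get("tactics", []):
            for technique in props.get("techniques", []):
                matrix[tactic][technique] += 1
    return {tactic: dict(techs) for tactic, techs in matrix.items()}


def active_coverage(rules):
    """Current coverage: only enabled Scheduled and NRT rules count."""
    return coverage(r for r in rules
                    if r["properties"].get("enabled")
                    and r.get("kind") in ("Scheduled", "NRT"))


def simulated_coverage(rules, templates):
    """Simulated coverage: every available detection, configured or not."""
    return coverage(list(rules) + list(templates))


def coverage_gap(rules, templates):
    """Techniques per tactic that simulated coverage adds over active coverage."""
    active = active_coverage(rules)
    gap = {}
    for tactic, techs in simulated_coverage(rules, templates).items():
        missing = sorted(t for t in techs if t not in active.get(tactic, {}))
        if missing:
            gap[tactic] = missing
    return gap
```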
