|
1 |
| -MITRE ATT&CK is a publicly accessible knowledge base of tactics and techniques that are commonly used by attackers, and is created and maintained by observing real-world observations. Many organizations use the MITRE ATT&CK knowledge base to develop specific threat models and methodologies that are used to verify security status in their environments. |
| 1 | +MITRE ATT&CK is a publicly accessible knowledge base of tactics, techniques, and procedures (TTP) that are commonly used by attackers, and is created and maintained by observing real-world observations. Many organizations use the MITRE ATT&CK knowledge base to develop specific threat models and methodologies that are used to verify security status in their environments. |
2 | 2 |
|
3 | 3 | Microsoft Sentinel analyzes ingested data, not only to detect threats and help you investigate, but also to visualize the nature and coverage of your organization's security status.
|
4 | 4 |
|
5 |
| - |
6 |
| -When developing a threat hunting hypothesis, it's critical to understand tactics and techniques you're searching for. The MITRE ATT&CK framework is used throughout Microsoft Sentinel. |
7 |
| - |
| 5 | +When developing a threat hunting hypothesis, it's critical to understand the tactics (why), techniques (how), and procedures (implementations) you're searching for. The MITRE ATT&CK framework is used throughout Microsoft Sentinel. |
8 | 6 |
|
9 | 7 | Use the MITRE ATT&CK selection under Threat Management in Microsoft Sentinel to view the detections already active in your workspace, and those available for you to configure, to understand your organization's security coverage, based on the tactics and techniques from the MITRE ATT&CK® framework.
|
10 | 8 |
|
11 |
| - |
12 | 9 | ## View current MITRE coverage
|
13 |
| -In Microsoft Sentinel, in the Threat management menu on the left, select MITRE. By default, both currently active scheduled query and near real-time (NRT) rules are indicated in the coverage matrix. |
| 10 | + |
| 11 | +## [Defender portal](#tab/defender-portal) |
| 12 | + |
| 13 | +In Microsoft Sentinel, in the [Defender portal](https://security.microsoft.com/), select the *Threat management* section of the navigation menu, select MITRE ATT&CK. By default, Active scheduled query, Active near real-time (NRT) rules, and Active anomaly query rules are indicated in the coverage matrix. |
14 | 14 |
|
15 | 15 | - **Use the legend at the top-right** to understand how many detections are currently active in your workspace for specific technique.
|
16 | 16 |
|
17 |
| -- **Use the search bar at the top-left** to search for a specific technique in the matrix, using the technique name or ID, to view your organization's security status for the selected technique. |
| 17 | +- **Use the search bar** at the top right to search for a specific technique in the matrix, using the technique name or ID, to view your organization's security status for the selected technique. |
18 | 18 |
|
19 |
| -- **Select a specific technique** in the matrix to view more details on the right. There, use the links to jump to any of the following locations: |
| 19 | +- **Select a specific technique** in the top row of the matrix to view in the details pane on the right. There, use the links to jump to any of the following locations: |
20 | 20 |
|
21 |
| - - Select View technique details for more information about the selected technique in the MITRE ATT&CK framework knowledge base. |
| 21 | + - Select *View full tactic or technique details* links for more information in the MITRE ATT&CK framework knowledge base. |
22 | 22 |
|
23 |
| - - Select links to any of the active items to jump to the relevant area in Microsoft Sentinel. |
| 23 | + - Select links to any of the *Active coverage* rules to jump to the relevant area in Microsoft Sentinel. |
| 24 | + |
| 25 | +- **View MITRE by threat scenarios** to view the coverage matrix by threat scenarios: |
24 | 26 |
|
25 |
| -## Simulate possible coverage with available detections |
| 27 | + - Drag the **View MITRE by threat scenarios** slider to the right to view the coverage matrix by threat scenarios. The matrix is filtered to show only the techniques that are relevant to the selected scenario. |
26 | 28 |
|
27 |
| -In the MITRE coverage matrix, simulated coverage refers to detections that are available, but not currently configured, in your Microsoft Sentinel workspace. View your simulated coverage to understand your organization's possible security status, were you to configure all detections available to you. |
| 29 | + :::image type="content" source="../media/mitre-threat-hunting-scenario.png" alt-text="Screenshot of the MITRE ATT&CK threat scenarios drop down menu." lightbox="../media/mitre-threat-hunting-scenario.png"::: |
| 30 | + |
| 31 | +## Simulate possible rules coverage |
| 32 | + |
| 33 | +In the MITRE matrix, simulated coverage refers to detections that are available, but not currently configured, in your Microsoft Sentinel workspace. View your simulated coverage to understand your organization's possible security status, were you to configure all detections available to you. |
| 34 | + |
| 35 | +> [!IMPORTANT] |
| 36 | +> If you have the *View MITRE by threat scenarios* slider enabled, and have selected a scenario, the Simulated rules (Product simulation) will be disabled. |
| 37 | +
|
| 38 | +- From the Microsoft Defender navigation menu, expand the Microsoft Sentinel section, and select *Threat management*, then select MITRE ATT&CK. |
| 39 | + |
| 40 | +- Select items in the Simulated rules drop-down menu to simulate your organization's possible security status. |
28 | 41 |
|
29 |
| -In Microsoft Sentinel, in the General menu on the left, select MITRE. |
| 42 | +- For example, select **Hunting queries**, and then select *Hunting queries* **View** link to jump to the Microsoft Sentinel Hunting page. There, you see a filtered list of the hunting queries that are associated with the selected technique, and available for you to configure in your workspace. |
30 | 43 |
|
31 |
| -Select items in the Simulate menu to simulate your organization's possible security status. |
| 44 | +## [Azure portal](#tab/azure-portal) |
32 | 45 |
|
33 |
| -- **Use the legend at the top-right** to understand how many detections, including analytics rule templates or hunting queries, are available for you to configure. |
| 46 | +In Microsoft Sentinel, in the [Azure portal](https://portal.azure.com/), select the *Threat management* section of the navigation menu, then select **MITRE ATT&CK (Preview)**. By default, Active scheduled query, Active near real-time (NRT) rules, and Active anomaly query rules are indicated in the coverage matrix. |
34 | 47 |
|
35 |
| -- **Use the search bar at the top-left** to search for a specific technique in the matrix, using the technique name or ID, to view your organization's simulated security status for the selected technique. |
| 48 | +- **Use the legend at the top-right** to understand how many detections are currently active in your workspace for specific technique. |
| 49 | + |
| 50 | +- **Use the search bar** At the top-left to search for a specific technique in the matrix, using the technique name or ID, to view your organization's security status for the selected technique. |
36 | 51 |
|
37 | 52 | - **Select a specific technique** in the matrix to view more details on the right. There, use the links to jump to any of the following locations:
|
38 | 53 |
|
39 |
| - - Select View technique details for more information about the selected technique in the MITRE ATT&CK framework knowledge base. |
| 54 | + - Select *View full tactic or technique details* links for more information in the MITRE ATT&CK framework knowledge base. |
| 55 | + |
| 56 | + - Select links to any of the *Active coverage* rules to jump to the relevant area in Microsoft Sentinel. |
| 57 | + |
| 58 | +## Simulate rule detections |
| 59 | + |
| 60 | +In the MITRE coverage matrix, simulated coverage refers to detections that are available, but not currently configured, in your Microsoft Sentinel workspace. View your simulated coverage to understand your organization's possible security status, were you to configure all detections available to you. |
| 61 | + |
| 62 | +- In Microsoft Sentinel, select the *Threat management* section of the navigation menu, select MITRE ATT&CK. |
| 63 | + |
| 64 | +- Select items in the Simulated rules drop-down menu to simulate your organization's possible security status. |
| 65 | + |
| 66 | +- For example, select **Hunting queries**, and then select *Hunting queries* **View** link to jump to the Microsoft Sentinel Hunting page. There, you see a filtered list of the hunting queries that are associated with the selected technique, and available for you to configure in your workspace. |
40 | 67 |
|
41 |
| - - Select links to any of the simulation items to jump to the relevant area in Microsoft Sentinel. |
| 68 | + :::image type="content" source="../media/mitre-simulated-rules.png" alt-text="Screenshot of the MITRE ATT&CK simulated rule coverage." lightbox="../media/mitre-simulated-rules.png"::: |
42 | 69 |
|
43 |
| -For example, select Hunting queries to jump to the Hunting page. There, you'll see a filtered list of the hunting queries that are associated with the selected technique, and available for you to configure in your workspace. |
| 70 | +--- |
44 | 71 |
|
45 | 72 | ## Use the MITRE ATT&CK framework in analytics rules and incidents
|
46 | 73 |
|
47 |
| -Having a scheduled rule with MITRE techniques applied running regularly in your Microsoft Sentinel workspace enhances the security status shown for your organization in the MITRE coverage matrix. |
| 74 | +Having a scheduled analytical rule with MITRE techniques applied running regularly in your Microsoft Sentinel workspace enhances the security status shown for your organization in the MITRE coverage matrix. |
48 | 75 |
|
49 | 76 | - **Analytics rules:**
|
50 | 77 |
|
51 |
| - - When configuring analytics rules, select specific MITRE techniques to apply to your rule. |
52 |
| - - When searching for analytics rules, filter the rules displayed by technique to find your rules quicker. |
53 |
| - |
| 78 | + - When configuring analytics rules, select specific MITRE techniques to apply to your rule. |
| 79 | + - When searching for analytics rules, filter the rules displayed by technique to find your rules quicker. |
| 80 | + |
| 81 | + image type="content" source="../media/mitre-analytic-rule-technique.png" alt-text="Screenshot of the MITRE ATT&CK analytics rules configuration." lightbox="../media/mitre-analytic-rule-technique.png"::: |
| 82 | + |
54 | 83 | - **Incidents:**
|
55 | 84 |
|
56 | 85 | When incidents are created for alerts that are surfaced by rules with MITRE techniques configured, the techniques are also added to the incidents.
|
57 | 86 |
|
58 |
| - |
59 | 87 | - **Threat hunting:**
|
60 | 88 |
|
61 |
| - - When creating a new hunting query, select the specific tactics and techniques to apply to your query. |
62 |
| - |
63 |
| - - When searching for active hunting queries, filter the queries displayed by tactics by selecting an item from the list above the grid. Select a query to see tactic and technique details on the right. |
| 89 | + - When creating a new hunting query, select the specific tactics and techniques to apply to your query. |
64 | 90 |
|
65 |
| - - When creating bookmarks, either use the technique mapping inherited from the hunting query, or create your own mapping. |
| 91 | + - When searching for active hunting queries, filter the queries displayed by tactics by selecting an item from the list above the grid. Select a query to see tactic and technique details on the right. |
66 | 92 |
|
| 93 | + - When creating bookmarks, either use the technique mapping inherited from the hunting query, or create your own mapping. |
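Review bot: the image directive added at new line 81 has lost its opening `:::` (it reads `image type="content" source="../media/mitre-analytic-rule-technique.png" ...:::`), so it will render as literal text instead of a screenshot; restore the prefix so it matches the two intact directives at new lines 29 and 68. A few smaller points in the same hunk: new line 74 says "scheduled analytical rule" where the product term, used at new line 76, is "analytics rule"; new lines 13 and 62 read "select the *Threat management* section of the navigation menu, select MITRE ATT&CK" and need a "then", and new line 38 tells the reader to expand the Microsoft Sentinel section first while new line 13 does not, so the two Defender portal paths disagree; new line 17 places the search bar "at the top right" while new line 50 says "At the top-left" with a stray capital, and new line 48 needs "for a specific technique"; new line 19 "to view in the details pane" has no object (suggest "to view its details in the details pane"), and please confirm "top row" is intended, since the top row of the matrix holds the tactic headers and the techniques sit in the cells below; new lines 25 and 27 repeat each other, and nothing tells the reader to pick a scenario even though the note at new line 36 and the alt text at new line 29 refer to a selected scenario and a drop-down, so add a step such as "then select a scenario from the drop-down menu"; new line 36 introduces "Simulated rules (Product simulation)" without saying which control that parenthetical names; new lines 42 and 66 "select *Hunting queries* **View** link" read better as "select the **View** link next to *Hunting queries*"; new line 1 keeps the circular "created and maintained by observing real-world observations" (suggest "derived from real-world observations") and the plural acronym is usually "(TTPs)". Finally, the two tab headings for the same procedure differ ("Simulate possible rules coverage" at new line 31 versus "Simulate rule detections" at new line 58) and the tab bodies repeat the same bullets nearly verbatim, so consider one heading and an include for the shared text to keep the tabs from drifting apart.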