Understand security coverage by the MITRE ATT&CK® framework

MITRE ATT&CK is a publicly accessible knowledge base of adversary tactics and techniques, built and maintained from real-world observations. Many organizations use the MITRE ATT&CK knowledge base to develop specific threat models and methodologies, which they then use to verify the security status of their environments.

Microsoft Sentinel analyzes ingested data, not only to detect threats and help you investigate, but also to visualize the nature and coverage of your organization's security status.

This article describes how to use the MITRE page in Microsoft Sentinel to view the detections already active in your workspace, and those available for you to configure, to understand your organization's security coverage, based on the tactics and techniques from the MITRE ATT&CK® framework.

Important

The MITRE page in Microsoft Sentinel is currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Prerequisites

Before you can view the MITRE coverage for your organization in Microsoft Sentinel, ensure you have the following:

MITRE ATT&CK framework version

Microsoft Sentinel is currently aligned to the MITRE ATT&CK framework, version 13.

View current MITRE coverage

  1. In Microsoft Sentinel, under Threat management, select MITRE ATT&CK (Preview). By default, the coverage matrix indicates currently active scheduled query rules and near-real-time (NRT) rules.

    Screenshot of the MITRE coverage page with both active and simulated indicators selected.

  2. Do any of the following:

    • Use the legend to understand how many detections are currently active in your workspace for a specific technique.

    • Use the search bar to search for a specific technique in the matrix, using the technique name or ID, to view your organization's security status for the selected technique.

    • Select a specific technique in the matrix to view more details in the details pane. There, use the links to jump to any of the following locations:

      • In the Description area, select View full technique details ... for more information about the selected technique in the MITRE ATT&CK framework knowledge base.

      • Scroll down in the pane and select links to any of the active items to jump to the relevant area in Microsoft Sentinel.

      For example, select Hunting queries to jump to the Hunting page. There, you see a filtered list of the hunting queries that are associated with the selected technique, and available for you to configure in your workspace.

Simulate possible coverage with available detections

In the MITRE coverage matrix, simulated coverage refers to detections that are available, but not currently configured in your Microsoft Sentinel workspace. View your simulated coverage to understand your organization's possible security status, were you to configure all detections available to you.

  1. In Microsoft Sentinel, under Threat management, select MITRE ATT&CK (Preview), and then select items in the Simulated rules menu to simulate your organization's possible security status.

  2. From there, use the page's elements as you would otherwise to view the simulated coverage for a specific technique.

Use the MITRE ATT&CK framework in analytics rules and incidents

Scheduled analytics rules that have MITRE techniques applied and run regularly in your Microsoft Sentinel workspace raise the coverage shown for your organization in the MITRE coverage matrix. A rule tagged only with a tactic, or with no MITRE mapping at all, does not light up any technique cell, so tag rules with the technique IDs they actually detect.
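The following script is an added example, not code from Microsoft Sentinel or from this article, that reproduces the logic behind the coverage matrix described above (current coverage, simulated coverage when disabled rules are counted, the per-technique counts the legend conveys, and search by technique name or ID) and shows why the tagging of scheduled and NRT rules matters. It assumes rule definitions shaped like Sentinel alert rule resources (`kind`, `properties.enabled`, `properties.tactics`, `properties.techniques`); the sample rules, their names and their technique tags are constructed, the technique-name table is a hand-copied subset of ATT&CK, and rolling sub-technique IDs (`T1078.004`) up to their parent technique is this example's own choice, not something the article states about the Sentinel page.

```python
"""Compute active and simulated MITRE ATT&CK technique coverage from
Sentinel-style analytics rule definitions (added example, not Microsoft's code)."""
import re
from collections import defaultdict

# Hand-copied subset of ATT&CK technique names, used only for name/ID search.
# Constructed for this example; the full list lives in the ATT&CK knowledge base.
ATTACK_NAMES = {
    "T1059": "Command and Scripting Interpreter",
    "T1078": "Valid Accounts",
    "T1098": "Account Manipulation",
    "T1110": "Brute Force",
    "T1566": "Phishing",
}

# The article says the matrix counts active scheduled query and NRT rules.
COVERED_KINDS = {"Scheduled", "NRT"}
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed sample rules. Field names follow the shape of Sentinel alert rule
# resources (kind, properties.enabled/tactics/techniques); names and tags are invented.
SAMPLE_RULES = [
    {"kind": "Scheduled", "properties": {"displayName": "Password spray against cloud sign-in",
        "enabled": True, "tactics": ["CredentialAccess"], "techniques": ["T1110"]}},
    {"kind": "NRT", "properties": {"displayName": "Cloud account added to privileged role",
        "enabled": True, "tactics": ["PrivilegeEscalation", "Persistence"],
        "techniques": ["T1078.004", "T1098"]}},
    {"kind": "Scheduled", "properties": {"displayName": "Rare script interpreter from Office app",
        "enabled": False, "tactics": ["Execution"], "techniques": ["T1059"]}},  # available, not enabled
    {"kind": "Scheduled", "properties": {"displayName": "Unusual directory enumeration",
        "enabled": True, "tactics": ["Discovery"], "techniques": []}},  # tactic only: no cell lit
    {"kind": "Fusion", "properties": {"displayName": "Multistage attack detection",
        "enabled": True, "tactics": ["InitialAccess"], "techniques": ["T1566"]}},  # kind not counted
]


def parent_technique(technique_id):
    """Validate an ATT&CK ID and roll a sub-technique (T1078.004) up to its parent.
    The roll-up is this example's choice so that one cell per technique is counted."""
    if not TECHNIQUE_ID.match(technique_id):
        raise ValueError(f"not an ATT&CK technique ID: {technique_id!r}")
    return technique_id.split(".")[0]


def coverage_matrix(rules, simulate=False):
    """Map technique ID -> {"active": [rule names], "simulated": [rule names]}.

    active    = enabled rules of a counted kind (what the page shows by default)
    simulated = disabled rules of a counted kind, included only when simulate=True
                (the equivalent of picking them in the Simulated rules menu)
    """
    matrix = defaultdict(lambda: {"active": [], "simulated": []})
    for rule in rules:
        if rule.get("kind") not in COVERED_KINDS:
            continue
        props = rule["properties"]
        bucket = "active" if props.get("enabled") else "simulated"
        if bucket == "simulated" and not simulate:
            continue
        for tid in props.get("techniques", []):
            matrix[parent_technique(tid)][bucket].append(props["displayName"])
    return dict(matrix)


def count_for(matrix, technique_id):
    """(active, simulated) rule counts for one technique: the numbers the legend conveys."""
    entry = matrix.get(parent_technique(technique_id))
    if entry is None:
        return (0, 0)
    return (len(entry["active"]), len(entry["simulated"]))


def find_technique(query):
    """Search by exact technique ID or by a case-insensitive fragment of its name."""
    q = query.strip().lower()
    return sorted(tid for tid, name in ATTACK_NAMES.items()
                  if q == tid.lower() or q in name.lower())


def render(matrix):
    """One line per covered technique, in ID order: ID, name, active/simulated counts."""
    lines = []
    for tid in sorted(matrix):
        active, simulated = count_for(matrix, tid)
        name = ATTACK_NAMES.get(tid, "(name not in local subset)")
        lines.append(f"{tid} {name:<36} active={active} simulated={simulated}")
    return lines


if __name__ == "__main__":
    print("Current coverage (active scheduled/NRT rules only):")
    print("\n".join(render(coverage_matrix(SAMPLE_RULES))))
    print("\nSimulated coverage (disabled rules counted as if enabled):")
    print("\n".join(render(coverage_matrix(SAMPLE_RULES, simulate=True))))
```

Running it shows T1059 appearing only in the simulated view, the Discovery rule contributing nothing because it carries no technique ID, and the Fusion rule's T1566 tag never appearing because only scheduled and NRT rules are counted. To check a real workspace the same way, export the alert rules and feed the resulting resource list in place of `SAMPLE_RULES`.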

For more information, see: