Operationalizing MITRE ATT&CK with Microsoft Security (Part 2)

It has been some time since Part 1 of this blog was posted; you may find it here. Part 1 focused mainly on the benefits of MITRE ATT&CK and on how to operationalize it in Microsoft Defender XDR, while this part focuses on Microsoft Sentinel.

Table of contents

  • Analytics
  • Hunting
  • The MITRE ATT&CK blade
  • Workbooks
  • KQL queries
  • Closing remarks

Part 2: Microsoft Sentinel

Analytics

The first, and probably most fundamental, place to begin with MITRE ATT&CK in Microsoft Sentinel is the Analytics blade. Every incident's MITRE ATT&CK mapping ultimately derives from the Tactics and Techniques configured per rule here. Below is the look and feel of the out-of-the-box templates provided by Microsoft, where Tactics and Techniques are already present.

Choosing a template also shows the details of its mapping.

Before creating your active analytics rule by clicking Create rule, review the Tactics and Techniques and adjust them to the mapping you prefer.

Triggering a simple analytics rule produces the following Alert and its related Security Incident; for the built-in “TI map File Hash to DeviceFileEvents Event” template used here as an example, Impact is the pre-configured Tactic.
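A practical check at this stage, written as an added example for this post rather than taken from Microsoft's templates: list the rules that raised alerts in the last 30 days without any Tactic or Technique mapping. Alerts from such rules still become incidents, but they carry no MITRE ATT&CK context. The filter on ProviderName is an assumption about how Sentinel's own scheduled and NRT rules are labelled in SecurityAlert; drop it to audit alerts from every connected product.

```kql
// Added example: rules that fired without a MITRE ATT&CK mapping (last 30 days).
// Assumption: Sentinel's own scheduled/NRT rules report ProviderName "ASI Scheduled Alerts".
SecurityAlert
| where TimeGenerated > ago(30d)
| where ProviderName == "ASI Scheduled Alerts"
// Tactics is a plain string; Techniques is a JSON array string such as ["T1565"]
| extend HasTactic = isnotempty(Tactics),
         HasTechnique = isnotempty(Techniques) and Techniques != "[]"
| summarize Alerts = dcount(SystemAlertId),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by AlertName, HasTactic, HasTechnique
| where not(HasTactic) or not(HasTechnique)
| project AlertName, Alerts, FirstSeen, LastSeen,
          Missing = case(not(HasTactic) and not(HasTechnique), "Tactic and Technique",
                         not(HasTactic), "Tactic",
                         "Technique")
| sort by Alerts desc
```

Any row returned is a rule whose incidents will not show up under a Tactic or Technique; open it in the Analytics blade and set the mapping before the next run.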

Hunting

The next place to look is the Hunting blade. Hunting also incorporates MITRE ATT&CK, contextualizing the queries you build and use for threat hunting.

Apart from the general categorization shown at the top, each query is also contextualized by Tactics and Techniques. Queries here can be grouped into Hunts, a complete hunting capability that can be used alongside established frameworks such as TaHiTI or PEAK.

Each Hunt then builds its own MITRE ATT&CK map from the queries it contains, giving you an individual view of the coverage each hunt contributes.

The MITRE ATT&CK blade

Having built your queries in the Analytics and Hunting blades, the MITRE ATT&CK blade is where that framework coverage comes together, in the heatmap provided by Microsoft Sentinel.

There are some things to consider here, as the heatmap can be built from different sources of information. You may choose between Active and Simulated coverage. By default, the heatmap shows Active detections: the rules currently deployed and running, whether they are Scheduled, Near-real-time (NRT) or Anomaly rules. You can enrich it with Simulated coverage, which includes analytics rule templates, hunting queries and anomaly rules. The Legend is also useful: each Tactic and Technique is colored on a gradient according to the number of rules mapped to it.

It is important to remember that Active queries are actually running right now, and any Security Alert or Security Incident they raise contributes to the MITRE ATT&CK heatmap, provided the query has been associated with the relevant Tactics and Techniques. Simulated queries reflect the same idea for templates and the Hunting blade, but they count towards the heatmap as the capacity you could have across the framework, rather than actual coverage. For each Tactic and Technique you can therefore distinguish the two categories. Note that what both views count is the mapping declared on the rules; whether a mapped technique has actually produced an alert is a separate question, answered from the SecurityAlert table.

Another tool that can be used here is ExtractMITRE, if you want the heatmap information exported so that your Cyber Threat Intelligence team can use it for reporting and other purposes.
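As a complement to the heatmap and to an export such as ExtractMITRE, here is an added example (not from the original post, and not the ExtractMITRE tool itself) that measures depth of coverage from the other direction: per technique, how many distinct rules have actually produced alerts in the last 90 days. The distinct-rule count is the same quantity the heatmap legend shades on, but computed from alerts rather than from deployed rules, so a technique that is green on the heatmap and absent here has a mapped rule that has never fired. The Depth thresholds and the assumption that Tactics is comma-separated for multi-tactic rules are mine, not Microsoft's.

```kql
// Added example: per-technique detection depth from alerts that actually fired (last 90 days).
// Rules = distinct rules (AlertName is the rule name for Sentinel rules; for Defender products it
// is the alert title, which is more granular) with at least one alert for the technique.
SecurityAlert
| where TimeGenerated > ago(90d)
| where isnotempty(Techniques) and Techniques != "[]"
// One row per technique; Techniques is a JSON array string such as ["T1078","T1110"]
| mv-expand Technique = todynamic(Techniques) to typeof(string)
| summarize Alerts = dcount(SystemAlertId),
            Rules = dcount(AlertName),
            RuleNames = make_set(AlertName, 25),
            Sources = make_set(ProviderName),
            // Assumption: Tactics is a comma-separated string when a rule claims several tactics
            TacticsClaimed = make_set(Tactics)
    by Technique
// Assumption: arbitrary thresholds standing in for the heatmap legend gradient
| extend Depth = case(Rules >= 3, "High", Rules == 2, "Medium", "Low")
| sort by Rules desc, Alerts desc
| project Technique, Depth, Rules, Alerts, TacticsClaimed, Sources, RuleNames
```

Exporting this table next to the heatmap gives the CTI team both numbers per technique: how many rules are deployed for it, and how many of those have ever fired.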

Workbooks

Last, but not least, Microsoft Sentinel comes with an out-of-the-box Workbook template that maps detection coverage across the MITRE ATT&CK framework. It also includes a set of heatmaps by platform, including Azure, Microsoft Entra ID and more.

KQL Queries

As in Part 1, a KQL query for Microsoft Sentinel that reports the Techniques associated with Security Alerts is shown below.

SecurityAlert
// Define timerange
| where TimeGenerated > ago(30d)
// Techniques is stored as a JSON array string, e.g. ["T1565"]; drop alerts without a mapping
| where isnotempty(Techniques)
// Expand the array so each technique gets its own row, keeping the column name Techniques
| mv-expand Techniques = todynamic(Techniques) to typeof(string)
// Count distinct alerts per technique
| summarize AlertCount = dcount(SystemAlertId) by Techniques
| sort by AlertCount desc
// Define graphic
| render piechart

Closing remarks

The capability to operationalize MITRE ATT&CK in Microsoft Defender XDR, and especially in Microsoft Sentinel, has grown significantly, providing many options for Threat Hunters and Cyber Threat Intelligence Analysts. By understanding the approach in Microsoft Sentinel, along with Active and Simulated coverage, a Hunter or an Analyst can follow a well-disciplined path to building threat-informed defenses. As the above shows, though, the journey of operationalizing MITRE ATT&CK begins in the queries, where Tactics and Techniques must be claimed.
