mapping_objects:
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: 'Multiple conditions can be combined to create fine-grained and
    specific policies that partially enforce access controls to account resources
    that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking
    legacy authentication, requiring multi-factor authentication for users, blocking
    access by location, blocking access from unsupported devices, limiting failed login
    attempts, account lockout policies, etc. These features may require Microsoft Entra
    ID P2.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-apis2
    licensing
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-apis
  related_score: T1059
  score_category: protect
  score_value: partial
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: 'Multiple conditions can be combined to create fine-grained and
    specific policies that partially enforce access controls to account resources
    that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking
    legacy authentication, requiring multi-factor authentication for users, blocking
    access by location, blocking access from unsupported devices, limiting failed login
    attempts, account lockout policies, etc. These features may require Microsoft Entra
    ID P2.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation
  - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions
  score_category: protect
  score_value: partial
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: 'Multiple conditions can be combined to create fine-grained and
    specific policies that partially enforce access controls to account resources
    that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking
    legacy authentication, requiring multi-factor authentication for users, blocking
    access by location, blocking access from unsupported devices, limiting failed login
    attempts, account lockout policies, etc. These features may require Microsoft Entra
    ID P2.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions
  - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation
  score_category: protect
  score_value: partial
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: 'Multiple conditions can be combined to create fine-grained and
    specific policies that partially enforce access controls to account resources
    that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking
    legacy authentication, requiring multi-factor authentication for users, blocking
    access by location, blocking access from unsupported devices, limiting failed login
    attempts, account lockout policies, etc. These features may require Microsoft Entra
    ID P2.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation
  - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: 'Multiple conditions can be combined to create fine-grained and
    specific policies that partially enforce access controls to account resources
    that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking
    legacy authentication, requiring multi-factor authentication for users, blocking
    access by location, blocking access from unsupported devices, limiting failed login
    attempts, account lockout policies, etc. These features may require Microsoft Entra
    ID P2.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions
  - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: 'Multiple conditions can be combined to create fine-grained and
    specific policies that partially enforce access controls to account resources
    that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking
    legacy authentication, requiring multi-factor authentication for users, blocking
    access by location, blocking access from unsupported devices, limiting failed login
    attempts, account lockout policies, etc. These features may require Microsoft Entra
    ID P2.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation
  - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: 'Multiple conditions can be combined to create fine-grained and
    specific policies that partially enforce access controls to account resources
    that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking
    legacy authentication, requiring multi-factor authentication for users, blocking
    access by location, blocking access from unsupported devices, limiting failed login
    attempts, account lockout policies, etc. These features may require Microsoft Entra
    ID P2.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions
  - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1586.003
  attack_object_name: Cloud Accounts
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: 'Multiple conditions can be combined to create fine-grained and
    specific policies that partially enforce access controls to account resources
    that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking
    legacy authentication, requiring multi-factor authentication for users, blocking
    access by location, blocking access from unsupported devices, limiting failed login
    attempts, account lockout policies, etc. These features may require Microsoft Entra
    ID P2.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions
  related_score: T1586
  score_category: protect
  score_value: partial
- attack_object_id: T1621
  attack_object_name: Multi-Factor Authentication Request Generation
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: 'Multiple conditions can be combined to create fine-grained and
    specific policies that partially enforce access controls to account resources
    that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking
    legacy authentication, requiring multi-factor authentication for users, blocking
    access by location, blocking access from unsupported devices, limiting failed login
    attempts, account lockout policies, etc. These features may require Microsoft Entra
    ID P2.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation
  - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions
  score_category: protect
  score_value: partial
- attack_object_id: T1074
  attack_object_name: Data Staged
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: This control only provides the ability to restrict file downloads for
    a limited set of applications and therefore its overall Coverage score is minimal.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  score_category: protect
  score_value: minimal
- attack_object_id: T1074.001
  attack_object_name: Local Data Staging
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access (CA), when granting (risky) users access to Office
    applications like SharePoint and OneDrive, can restrict what they can do in these
    applications using its app-enforced restrictions. For example, it can enforce
    that users on unmanaged devices will have browser-only access to SharePoint/OneDrive
    with no ability to download, print, or sync files. This can impede an adversary's
    ability to collect and stage files. This offers minimal coverage as it requires
    the target application to support such a feature that can be triggered by this
    control, and to date only a few (Office) applications support this.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1074
  score_category: protect
  score_value: minimal
- attack_object_id: T1074.002
  attack_object_name: Remote Data Staging
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access (CA), when granting (risky) users access to Office
    applications like SharePoint and OneDrive, can restrict what they can do in these
    applications using its app-enforced restrictions. For example, it can enforce
    that users on unmanaged devices will have browser-only access to SharePoint/OneDrive
    with no ability to download, print, or sync files. This can impede an adversary's
    ability to collect and stage files. This offers minimal coverage as it requires
    the target application to support such a feature that can be triggered by this
    control, and to date only a few (Office) applications support this.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1074
  score_category: protect
  score_value: minimal
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: This control only provides minimal protection for this technique's procedure
    examples and also only protects one of its sub-techniques, resulting in an
    overall Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  score_category: protect
  score_value: minimal
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: This control can protect against the abuse of valid cloud accounts by
    requiring MFA or blocking access altogether based on signals such as the user's
    IP location information, device compliance state, risky sign-in/user state (through
    integration with Azure AD Identity Protection).  Additionally, session controls
    that can limit what a valid user can do within an app can also be triggered based
    on the aforementioned triggers.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1078
  score_category: protect
  score_value: significant
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access can be used to enforce MFA for users, which provides
    significant protection against password compromises, requiring an adversary to
    complete an additional authentication method before their access is permitted.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  score_category: protect
  score_value: significant
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access can be used to enforce MFA for users, which can significantly
    reduce the impact of a password compromise, requiring an adversary to complete
    an additional authentication method before their access is permitted.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access can be used to enforce MFA for users, which can significantly
    reduce the impact of a password compromise, requiring an adversary to complete
    an additional authentication method before their access is permitted.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access can be used to enforce MFA for users, which can significantly
    reduce the impact of a password compromise, requiring an adversary to complete
    an additional authentication method before their access is permitted.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access can be used to enforce MFA for users, which can significantly
    reduce the impact of a password compromise, requiring an adversary to complete
    an additional authentication method before their access is permitted.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: This control only provides the ability to restrict an adversary from collecting
    valuable information for a limited set of applications (SharePoint, Exchange,
    OneDrive) and therefore its overall Coverage score is minimal.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  score_category: protect
  score_value: minimal
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access (CA), when granting (risky) users access to Office
    applications like SharePoint, can restrict what they can do in these applications
    using its app-enforced restrictions. For example, it can enforce that users
    on unmanaged devices will have browser-only access to SharePoint with no ability
    to download, print, or sync files. Furthermore, with its integration with Microsoft
    Cloud App Security, it can even restrict cut, copy and paste operations. This
    can impede an adversary's ability to collect valuable information and/or files
    from the application. This protection is partial as it doesn't prohibit an adversary
    from potentially viewing sensitive information and manually collecting it, for
    example simply writing down information by hand.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1213
  score_category: protect
  score_value: partial
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access, when granting (risky) users access to cloud storage,
    specifically OneDrive, can restrict what they can do in these applications using
    its app-enforced restrictions. For example, it can enforce that users on unmanaged
    devices will have browser-only access to OneDrive with no ability to download,
    print, or sync files. This can impede an adversary's ability to exfiltrate data
    from OneDrive. The protection coverage provided by this control is Minimal as
    it doesn't provide protection for other storage services available on Azure such
    as the Azure Storage service.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  score_category: protect
  score_value: minimal
- attack_object_id: T1074
  attack_object_name: Data Staged
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: This control only provides the ability to restrict file downloads for
    a limited set of applications and therefore its overall Coverage score is minimal.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  score_category: protect
  score_value: minimal
- attack_object_id: T1074.001
  attack_object_name: Local Data Staging
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access (CA), when granting (risky) users access to Office
    applications like SharePoint and OneDrive, can restrict what they can do in these
    applications using its app-enforced restrictions. For example, it can enforce
    that users on unmanaged devices will have browser-only access to SharePoint/OneDrive
    with no ability to download, print, or sync files. This can impede an adversary's
    ability to collect and stage files. This offers minimal coverage as it requires
    the target application to support such a feature that can be triggered by this
    control, and to date only a few (Office) applications support this.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1074
  score_category: protect
  score_value: minimal
- attack_object_id: T1074.002
  attack_object_name: Remote Data Staging
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access (CA), when granting (risky) users access to Office
    applications like SharePoint and OneDrive, can restrict what they can do in these
    applications using its app-enforced restrictions. For example, it can enforce
    that users on unmanaged devices will have browser-only access to SharePoint/OneDrive
    with no ability to download, print, or sync files. This can impede an adversary's
    ability to collect and stage files. This offers minimal coverage as it requires
    the target application to support such a feature that can be triggered by this
    control, and to date only a few (Office) applications support this.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1074
  score_category: protect
  score_value: minimal
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: This control only provides minimal protection for this technique's procedure
    examples and also only protects one of its sub-techniques, resulting in an
    overall Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  score_category: protect
  score_value: minimal
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: This control can protect against the abuse of valid cloud accounts by
    requiring MFA or blocking access altogether based on signals such as the user's
    IP location information, device compliance state, risky sign-in/user state (through
    integration with Azure AD Identity Protection).  Additionally, session controls
    that can limit what a valid user can do within an app can also be triggered based
    on the aforementioned triggers.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1078
  score_category: protect
  score_value: significant
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access can be used to enforce MFA for users, which provides
    significant protection against password compromises, requiring an adversary to
    complete an additional authentication method before their access is permitted.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  score_category: protect
  score_value: significant
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access can be used to enforce MFA for users, which can significantly
    reduce the impact of a password compromise, requiring an adversary to complete
    an additional authentication method before their access is permitted.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access can be used to enforce MFA for users, which can significantly
    reduce the impact of a password compromise, requiring an adversary to complete
    an additional authentication method before their access is permitted.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access can be used to enforce MFA for users, which can significantly
    reduce the impact of a password compromise, requiring an adversary to complete
    an additional authentication method before their access is permitted.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access can be used to enforce MFA for users, which can significantly
    reduce the impact of a password compromise, requiring an adversary to complete
    an additional authentication method before their access is permitted.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: This control only provides the ability to restrict an adversary from collecting
    valuable information for a limited set of applications (SharePoint, Exchange,
    OneDrive) and therefore its overall Coverage score is minimal.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  score_category: protect
  score_value: minimal
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access (CA), when granting (risky) users access to Office
    applications like SharePoint, can restrict what they can do in these applications
    using its app-enforced restrictions. For example, it can enforce that users
    on unmanaged devices will have browser-only access to SharePoint with no ability
    to download, print, or sync files. Furthermore, with its integration with Microsoft
    Cloud App Security, it can even restrict cut, copy and paste operations. This
    can impede an adversary's ability to collect valuable information and/or files
    from the application. This protection is partial as it doesn't prohibit an adversary
    from potentially viewing sensitive information and manually collecting it, for
    example simply writing down information by hand.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1213
  score_category: protect
  score_value: partial
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access, when granting (risky) users access to cloud storage,
    specifically OneDrive, can restrict what they can do in these applications using
    its app-enforced restrictions. For example, it can enforce that users on unmanaged
    devices will have browser-only access to OneDrive with no ability to download,
    print, or sync files. This can impede an adversary's ability to exfiltrate data
    from OneDrive. The protection coverage provided by this control is Minimal as
    it doesn't provide protection for other storage services available on Azure such
    as the Azure Storage service.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  score_category: protect
  score_value: minimal
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: This control only protects cloud accounts and therefore its overall coverage
    is minimal, resulting in a Minimal respond score for this technique.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation
  score_category: respond
  score_value: minimal
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: This control only protects cloud accounts and therefore its overall coverage
    is minimal, resulting in a Minimal respond score for this technique.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation
  score_category: respond
  score_value: minimal
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: 'Security controls like Azure AD Identity Protection can raise a user''s
    risk level asynchronously after they have used a valid account to access organizational
    data. This CAE control can respond to this change in the user''s risk state to
    terminate the user''s access within minutes or enforce an additional authentication
    method such as MFA. This mitigates the impact of an adversary using a valid
    account. This control only forces the user to re-authenticate and doesn''t
    remediate the underlying compromised credential (e.g. by forcing a password change),
    and is therefore a containment type of response.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1078
  score_category: respond
  score_value: partial
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: 'Security controls like Azure AD Identity Protection can raise a user''s
    risk level asynchronously after they have used a valid account to access organizational
    data. This CAE control can respond to this change in the user''s risk state to
    terminate the user''s access within minutes or enforce an additional authentication
    method such as MFA. This mitigates the impact of an adversary using a valid
    account. This control only forces the user to re-authenticate and doesn''t
    resolve the underlying use of a valid account (e.g., by forcing a password change)
    and is therefore a containment type of response.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1078
  score_category: respond
  score_value: partial
- attack_object_id: T1496.001
  attack_object_name: Compute Hijacking
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: In the event that a session is hijacked, continuous access evaluation
    can be used to terminate the session, potentially before any malicious actions
    can occur.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1496
  score_category: protect
  score_value: partial
- attack_object_id: T1496.004
  attack_object_name: Cloud Service Hijacking
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: In the event that a session is hijacked, continuous access evaluation
    can be used to terminate the session, potentially before any malicious actions
    can occur.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1496
  score_category: protect
  score_value: partial
- attack_object_id: T1557.004
  attack_object_name: Evil Twin
  capability_description: Conditional Access
  capability_group: entra-id
  capability_id: EID-CA-E3
  comments: Conditional Access policies can restrict devices, potentially stopping
    them from connecting to an Evil Twin network.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview
  related_score: T1557
  score_category: protect
  score_value: partial
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  related_score: T1098
  score_category: detect
  score_value: significant
- attack_object_id: T1098.006
  attack_object_name: Additional Container Cluster Roles
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation
  related_score: T1098
  score_category: detect
  score_value: significant
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  related_score: T1114
  score_category: detect
  score_value: significant
- attack_object_id: T1134.001
  attack_object_name: Token Impersonation/Theft
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  related_score: T1134
  score_category: detect
  score_value: significant
- attack_object_id: T1531
  attack_object_name: Account Access Removal
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1548.005
  attack_object_name: Temporary Elevated Cloud Access
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  related_score: T1548
  score_category: detect
  score_value: significant
- attack_object_id: T1548.006
  attack_object_name: TCC Manipulation
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references: []
  related_score: T1548
  score_category: detect
  score_value: significant
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  - https://learn.microsoft.com/en-us/entra/identity-platform/app-resilience-continuous-access-evaluation?tabs=dotnet
  - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation-strict-enforcement
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation
  related_score: T1556
  score_category: detect
  score_value: significant
- attack_object_id: T1585
  attack_object_name: Establish Accounts
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1585.002
  attack_object_name: Email Accounts
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  related_score: T1585
  score_category: detect
  score_value: significant
- attack_object_id: T1585.003
  attack_object_name: Cloud Accounts
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  related_score: T1585
  score_category: detect
  score_value: significant
- attack_object_id: T1586
  attack_object_name: Compromise Accounts
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1586.002
  attack_object_name: Email Accounts
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  related_score: T1586
  score_category: detect
  score_value: significant
- attack_object_id: T1586.003
  attack_object_name: Cloud Accounts
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  related_score: T1586
  score_category: detect
  score_value: significant
- attack_object_id: T1586.003
  attack_object_name: Cloud Accounts
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  related_score: T1586
  score_category: detect
  score_value: significant
- attack_object_id: T1651
  attack_object_name: Cloud Administration Command
  capability_description: Continuous Access Evaluation
  capability_group: entra-id
  capability_id: EID-CAE-E3
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process causes\
    \ tenant users to lose access to organizational SharePoint Online files, email,\
    \ calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after\
    \ a critical event is detected. The following events are currently evaluated:\n\
    \nUser Account is deleted or disabled\nPassword for a user is changed or reset\n\
    Multifactor authentication is enabled for the user\nAdministrator explicitly revokes\
    \ all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID\
    \ Protection\n\nLicense Requirements:\nContinuous access evaluation will be included\
    \ in all versions of Microsoft 365.\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1218.015
  attack_object_name: Electron Applications
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions protect against SharePoint attacks by providing
    the visibility that allows admins to periodically review accounts
    and privileges for critical and sensitive repositories.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1218
  score_category: protect
  score_value: partial
- attack_object_id: T1546.017
  attack_object_name: Udev Rules
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: Audit Solutions can be used to continuously monitor the Udev rules for
    modifications or additions, allowing for detection of abnormalities.
  mapping_type: technique_score
  references: []
  related_score: T1546
  score_category: detect
  score_value: significant
- attack_object_id: T1556.009
  attack_object_name: Conditional Access Policies
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: Audit Solutions can be used to continuously monitor the conditional access
    policies for modifications or additions, allowing for detection of abnormalities.
  mapping_type: technique_score
  references: []
  related_score: T1556
  score_category: detect
  score_value: significant
- attack_object_id: T1574.014
  attack_object_name: AppDomainManager
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions protects from Sharepoint attacks because Audit Solutions
    provides the visibility that allows admins to periodically review accounts and
    privileges for critical and sensitive repositories.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1574
  score_category: detect
  score_value: partial
- attack_object_id: T1665
  attack_object_name: Hide Infrastructure
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: Use of Audit Solutions can reveal unusual activity occurring in the environment,
    potentially allowing for identification of C2 infrastructure or other malicious
    infrastructure.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: detect
  score_value: partial
- attack_object_id: T1666
  attack_object_name: Modify Cloud Resource Hierarchy
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: Audit Solutions can be used to continuously monitor the cloud resource
    hierarchy for modifications or additions, allowing for detection of abnormalities.
  mapping_type: technique_score
  references: []
  score_category: detect
  score_value: partial
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions detects Command and Scripting Interpreter attacks
    due to Audit Solutions providing the visibility to monitor log files for process
    execution and monitor contextual data about a running process.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: detect
  score_value: partial
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions detects Cloud API attacks due to Audit Solutions
    providing the visibility to review command history and history of executed API
    commands in cloud audit logs to determine if unauthorized or suspicious commands
    were executed.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1059
  score_category: detect
  score_value: partial
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: "Microsoft Purview auditing solutions provide an integrated solution to\
    \ help organizations effectively respond to security events, forensic investigations,\
    \ internal investigations, and compliance obligations. Thousands of user and admin\
    \ operations performed in dozens of Microsoft 365 services and solutions are captured,\
    \ recorded, and retained in your organization's unified audit log. Audit records\
    \ for these events are searchable by security ops, IT admins, insider risk teams,\
    \ and compliance and legal investigators in your organization. This capability\
    \ provides visibility into the activities performed across your Microsoft 365\
    \ organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks\
    \ due to the File and Page Audit Log activities which monitor for newly constructed\
    \ files, for contextual data about files, and for changes made to files.\n\nLicense\
    \ Requirements: \nMicrosoft 365 E3 and E5"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-log-activities
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: detect
  score_value: partial
- attack_object_id: T1070.001
  attack_object_name: Clear Windows Event Logs
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: "Microsoft Purview auditing solutions provide an integrated solution to\
    \ help organizations effectively respond to security events, forensic investigations,\
    \ internal investigations, and compliance obligations. Thousands of user and admin\
    \ operations performed in dozens of Microsoft 365 services and solutions are captured,\
    \ recorded, and retained in your organization's unified audit log. Audit records\
    \ for these events are searchable by security ops, IT admins, insider risk teams,\
    \ and compliance and legal investigators in your organization. This capability\
    \ provides visibility into the activities performed across your Microsoft 365\
    \ organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks\
    \ due to the File and Page Audit Log activities which monitor for newly constructed\
    \ files, for contextual data about files, and for changes made to files.\n\nLicense\
    \ Requirements: \nMicrosoft 365 E3 and E5"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-log-activities
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1070
  score_category: detect
  score_value: partial
- attack_object_id: T1070.002
  attack_object_name: Clear Linux or Mac System Logs
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: "Microsoft Purview auditing solutions provide an integrated solution to\
    \ help organizations effectively respond to security events, forensic investigations,\
    \ internal investigations, and compliance obligations. Thousands of user and admin\
    \ operations performed in dozens of Microsoft 365 services and solutions are captured,\
    \ recorded, and retained in your organization's unified audit log. Audit records\
    \ for these events are searchable by security ops, IT admins, insider risk teams,\
    \ and compliance and legal investigators in your organization. This capability\
    \ provides visibility into the activities performed across your Microsoft 365\
    \ organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks\
    \ due to the File and Page Audit Log activities which monitor for newly constructed\
    \ files, for contextual data about files, and for changes made to files.\n\nLicense\
    \ Requirements: \nMicrosoft 365 E3 and E5"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-log-activities
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1070
  score_category: detect
  score_value: partial
- attack_object_id: T1070.003
  attack_object_name: Clear Command History
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: "Microsoft Purview auditing solutions provide an integrated solution to\
    \ help organizations effectively respond to security events, forensic investigations,\
    \ internal investigations, and compliance obligations. Thousands of user and admin\
    \ operations performed in dozens of Microsoft 365 services and solutions are captured,\
    \ recorded, and retained in your organization's unified audit log. Audit records\
    \ for these events are searchable by security ops, IT admins, insider risk teams,\
    \ and compliance and legal investigators in your organization. This capability\
    \ provides visibility into the activities performed across your Microsoft 365\
    \ organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks\
    \ due to the File and Page Audit Log activities which monitor for newly constructed\
    \ files, for contextual data about files, and for changes made to files.\n\nLicense\
    \ Requirements: \nMicrosoft 365 E3 and E5"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-log-activities
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1070
  score_category: detect
  score_value: partial
- attack_object_id: T1070.008
  attack_object_name: Clear Mailbox Data
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions protects from Clear Mailbox Data attacks because
    administrators can use Get-TransportRule / Remove-TransportRule to discover and
    remove potentially malicious transport rules.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1070
  score_category: protect
  score_value: partial
- attack_object_id: T1070.009
  attack_object_name: Clear Persistence
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: "Microsoft Purview auditing solutions provide an integrated solution to\
    \ help organizations effectively respond to security events, forensic investigations,\
    \ internal investigations, and compliance obligations. Thousands of user and admin\
    \ operations performed in dozens of Microsoft 365 services and solutions are captured,\
    \ recorded, and retained in your organization's unified audit log. Audit records\
    \ for these events are searchable by security ops, IT admins, insider risk teams,\
    \ and compliance and legal investigators in your organization. This capability\
    \ provides visibility into the activities performed across your Microsoft 365\
    \ organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks\
    \ due to the File and Page Audit Log activities which monitor for newly constructed\
    \ files, for contextual data about files, and for changes made to files.\n\nLicense\
    \ Requirements: \nMicrosoft 365 E3 and E5"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-log-activities
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1070
  score_category: detect
  score_value: partial
- attack_object_id: T1070.009
  attack_object_name: Clear Persistence
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: "Microsoft Purview auditing solutions provide an integrated solution to\
    \ help organizations effectively respond to security events, forensic investigations,\
    \ internal investigations, and compliance obligations. Thousands of user and admin\
    \ operations performed in dozens of Microsoft 365 services and solutions are captured,\
    \ recorded, and retained in your organization's unified audit log. Audit records\
    \ for these events are searchable by security ops, IT admins, insider risk teams,\
    \ and compliance and legal investigators in your organization. This capability\
    \ provides visibility into the activities performed across your Microsoft 365\
    \ organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks\
    \ due to the File and Page Audit Log activities which monitor for newly constructed\
    \ files, for contextual data about files, and for changes made to files.\n\nLicense\
    \ Requirements: \nMicrosoft 365 E3 and E5"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-log-activities
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1070
  score_category: detect
  score_value: partial
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: "Microsoft Purview auditing solutions provide an integrated solution to\
    \ help organizations effectively respond to security events, forensic investigations,\
    \ internal investigations, and compliance obligations. Thousands of user and admin\
    \ operations performed in dozens of Microsoft 365 services and solutions are captured,\
    \ recorded, and retained in your organization's unified audit log. Audit records\
    \ for these events are searchable by security ops, IT admins, insider risk teams,\
    \ and compliance and legal investigators in your organization. This capability\
    \ provides visibility into the activities performed across your Microsoft 365\
    \ organization.\n\nMicrosoft's Audit Solutions protects from Valid Account attacks\
    \ due to Audit Solutions providing the visibility to allow admins to regularly\
    \ audit user accounts for activity and deactivate or remove any that are no longer\
    \ needed.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: "Microsoft Purview auditing solutions provide an integrated solution to\
    \ help organizations effectively respond to security events, forensic investigations,\
    \ internal investigations, and compliance obligations. Thousands of user and admin\
    \ operations performed in dozens of Microsoft 365 services and solutions are captured,\
    \ recorded, and retained in your organization's unified audit log. Audit records\
    \ for these events are searchable by security ops, IT admins, insider risk teams,\
    \ and compliance and legal investigators in your organization. This capability\
    \ provides visibility into the activities performed across your Microsoft 365\
    \ organization.\n\nMicrosoft's Audit Solutions protects from Cloud Account attacks\
    \ due to Audit Solutions providing the visibility to allow admins to regularly\
    \ audit user accounts for activity and deactivate or remove any that are no longer\
    \ needed.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1078
  score_category: protect
  score_value: partial
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions detects Account Discovery attacks due to the File
    and Page Audit Log activities, which monitor access to file resources that contain
    local account and group information and look for non-admin objects (such as users
    or processes) attempting to access restricted file resources.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-log-activities
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: detect
  score_value: partial
- attack_object_id: T1087.004
  attack_object_name: Cloud Account
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions protects from Cloud Account attacks because Audit
    Solutions allows admins to search and routinely check user permissions to ensure
    only the expected users have the ability to list IAM identities or otherwise discover
    cloud accounts.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1087
  score_category: protect
  score_value: partial
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions protects from Email Collection attacks because, in
    an Exchange environment, administrators can use Get-InboxRule to discover and
    remove potentially malicious auto-forwarding rules.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-log-activities
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions detects Remote Email Collection attacks because, in
    O365 environments, admins can use PurviewAudit to collect MailItemsAccessed events
    and monitor for unusual email access behavior.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-log-activities
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1114
  score_category: detect
  score_value: partial
- attack_object_id: T1114.003
  attack_object_name: Email Forwarding Rule
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions protects from Email Forwarding Rule attacks because
    administrators can use Get-InboxRule / Remove-InboxRule and Get-TransportRule
    / Remove-TransportRule to discover and remove potentially malicious auto-forwarding
    and transport rules.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-log-activities
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1114
  score_category: protect
  score_value: partial
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions protects from Data from Information Repository attacks
    because Audit Solutions provides the visibility that allows admins to periodically
    review accounts and privileges for critical and sensitive repositories.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions protects from Sharepoint attacks because Audit Solutions
    provides the visibility that allows admins to periodically review accounts and
    privileges for critical and sensitive repositories.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1213
  score_category: protect
  score_value: partial
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: "Microsoft Purview auditing solutions provide an integrated solution to\
    \ help organizations effectively respond to security events, forensic investigations,\
    \ internal investigations, and compliance obligations. Thousands of user and admin\
    \ operations performed in dozens of Microsoft 365 services and solutions are captured,\
    \ recorded, and retained in your organization's unified audit log. Audit records\
    \ for these events are searchable by security ops, IT admins, insider risk teams,\
    \ and compliance and legal investigators in your organization. This capability\
    \ provides visibility into the activities performed across your Microsoft 365\
    \ organization.\n\nMicrosoft's Audit Solutions protects from Steal Application\
    \ Access Token attacks due to Audit Solutions providing the visibility to allow\
    \ admins to audit all cloud accounts to ensure that they are necessary and that\
    \ the permissions granted to them are appropriate. Additionally, admins can perform\
    \ an audit of all OAuth applications and the permissions they have been granted\
    \ to access organizational data.\n\nLicense Requirements: \nMicrosoft 365 E3 and\
    \ E5"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions protects from Data from Cloud Storage attacks due
    to Audit Solutions providing the visibility to frequently check permissions on
    cloud storage to ensure proper permissions are set to deny open or unprivileged
    access to resources.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: "Microsoft Purview auditing solutions provide an integrated solution to\
    \ help organizations effectively respond to security events, forensic investigations,\
    \ internal investigations, and compliance obligations. Thousands of user and admin\
    \ operations performed in dozens of Microsoft 365 services and solutions are captured,\
    \ recorded, and retained in your organization's unified audit log. Audit records\
    \ for these events are searchable by security ops, IT admins, insider risk teams,\
    \ and compliance and legal investigators in your organization. This capability\
    \ provides visibility into the activities performed across your Microsoft 365\
    \ organization.\n\nMicrosoft's Audit Solutions detects Event Triggered Execution\
    \ attacks due to the File and Page Audit Log activities which monitor for newly\
    \ constructed files, for contextual data about files, and for changes made to\
    \ files.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-log-activities
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: detect
  score_value: partial
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions detects Abuse Elevation Control Mechanism attacks
    through its DataInsightsRestApiAudit AuditLogRecord type, which logs cloud API
    calls to assume, create, or impersonate additional roles, policies, and permissions.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: detect
  score_value: partial
- attack_object_id: T1548.005
  attack_object_name: Temporary Elevated Cloud Access
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions detects Temporary Elevated Cloud Access attacks
    through its DataInsightsRestApiAudit AuditLogRecord type, which logs cloud API
    calls to assume, create, or impersonate additional roles, policies, and permissions.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1548
  score_category: detect
  score_value: partial
- attack_object_id: T1548.006
  attack_object_name: TCC Manipulation
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions detects Temporary Elevated Cloud Access attacks
    through its DataInsightsRestApiAudit AuditLogRecord type, which logs cloud API
    calls to assume, create, or impersonate additional roles, policies, and permissions.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references: []
  related_score: T1548
  score_category: detect
  score_value: partial
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: "Microsoft Purview auditing solutions provide an integrated solution to\
    \ help organizations effectively respond to security events, forensic investigations,\
    \ internal investigations, and compliance obligations. Thousands of user and admin\
    \ operations performed in dozens of Microsoft 365 services and solutions are captured,\
    \ recorded, and retained in your organization's unified audit log. Audit records\
    \ for these events are searchable by security ops, IT admins, insider risk teams,\
    \ and compliance and legal investigators in your organization. This capability\
    \ provides visibility into the activities performed across your Microsoft 365\
    \ organization.\n\nMicrosoft's Audit Solutions protects from Unsecured Credential\
    \ attacks due to Audit Solutions providing the visibility to allow admins to preemptively\
    \ search for files containing passwords or other credentials and take actions\
    \ to reduce the exposure risk when found.\n\nLicense Requirements: \nMicrosoft\
    \ 365 E3 and E5"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1552.008
  attack_object_name: Chat Messages
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: "Microsoft Purview auditing solutions provide an integrated solution to\
    \ help organizations effectively respond to security events, forensic investigations,\
    \ internal investigations, and compliance obligations. Thousands of user and admin\
    \ operations performed in dozens of Microsoft 365 services and solutions are captured,\
    \ recorded, and retained in your organization's unified audit log. Audit records\
    \ for these events are searchable by security ops, IT admins, insider risk teams,\
    \ and compliance and legal investigators in your organization. This capability\
    \ provides visibility into the activities performed across your Microsoft 365\
    \ organization.\n\nMicrosoft's Audit Solutions protects from Chat Messages attacks\
    \ due to Audit Solutions providing the visibility to allow admins to preemptively\
    \ search through communication services to find shared unsecured credentials.\n\
    \nLicense Requirements: \nMicrosoft 365 E3 and E5"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1552
  score_category: protect
  score_value: partial
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions protects against Modify Authentication Process attacks
    by providing the visibility admins need to review authentication logs and ensure
    that mechanisms such as MFA enforcement are functioning as intended.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions protects against Multi-Factor Authentication attacks
    by providing the visibility admins need to review authentication logs and ensure
    that mechanisms such as MFA enforcement are functioning as intended.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1556
  score_category: protect
  score_value: partial
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions protects against Impair Defense attacks by providing
    the visibility admins need to routinely check account role permissions and ensure
    that only expected users and roles have permission to modify defensive tools and
    settings.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1562.008
  attack_object_name: Disable or Modify Cloud Logs
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions detects Disable or Modify Cloud Log attacks through
    the user administration Audit Log activities, which monitor for changes to account
    settings associated with users that may impact defensive logging capabilities.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-log-activities
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1562
  score_category: detect
  score_value: partial
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: "Microsoft Purview auditing solutions provide an integrated solution to\
    \ help organizations effectively respond to security events, forensic investigations,\
    \ internal investigations, and compliance obligations. Thousands of user and admin\
    \ operations performed in dozens of Microsoft 365 services and solutions are captured,\
    \ recorded, and retained in your organization's unified audit log. Audit records\
    \ for these events are searchable by security ops, IT admins, insider risk teams,\
    \ and compliance and legal investigators in your organization. This capability\
    \ provides visibility into the activities performed across your Microsoft 365\
    \ organization.\n\nMicrosoft's Audit Solutions detects Hide Artifacts attacks\
    \ due to the File and Page Audit Log activities which monitor for newly constructed\
    \ files, for contextual data about files, and for changes made to files.\n\nLicense\
    \ Requirements: \nMicrosoft 365 E3 and E5"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-log-activities
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: detect
  score_value: partial
- attack_object_id: T1564.008
  attack_object_name: Email Hiding Rules
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions protects against Email Hiding Rule attacks because
    administrators can use Get-InboxRule / Remove-InboxRule and Get-TransportRule /
    Remove-TransportRule to discover and remove potentially malicious auto-forwarding
    and transport rules.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-log-activities
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1564
  score_category: protect
  score_value: partial
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: "Microsoft Purview auditing solutions provide an integrated solution to\
    \ help organizations effectively respond to security events, forensic investigations,\
    \ internal investigations, and compliance obligations. Thousands of user and admin\
    \ operations performed in dozens of Microsoft 365 services and solutions are captured,\
    \ recorded, and retained in your organization's unified audit log. Audit records\
    \ for these events are searchable by security ops, IT admins, insider risk teams,\
    \ and compliance and legal investigators in your organization. This capability\
    \ provides visibility into the activities performed across your Microsoft 365\
    \ organization.\n\nMicrosoft's Audit Solutions detects Phishing attacks due to\
    \ the File and Page Audit Log activities which monitor for newly constructed\
    \ files from phishing messages.\n\nLicense Requirements: \nMicrosoft 365 E3 and\
    \ E5"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-log-activities
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: detect
  score_value: partial
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions protects against Spearphishing Link attacks by providing
    the visibility admins need to audit applications and their permissions and ensure
    that access to data and resources is limited based on necessity and the principle
    of least privilege.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  related_score: T1566
  score_category: protect
  score_value: partial
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: 'Microsoft Purview auditing solutions provide an integrated solution to
    help organizations effectively respond to security events, forensic investigations,
    internal investigations, and compliance obligations. Thousands of user and admin
    operations performed in dozens of Microsoft 365 services and solutions are captured,
    recorded, and retained in your organization''s unified audit log. Audit records
    for these events are searchable by security ops, IT admins, insider risk teams,
    and compliance and legal investigators in your organization. This capability provides
    visibility into the activities performed across your Microsoft 365 organization.


    Microsoft''s Audit Solutions protects against Forge Web Credential attacks by
    providing the visibility administrators need to audit all access lists and the
    permissions they have been granted to access web applications and services.


    License Requirements:

    Microsoft 365 E3 and E5'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/audit-solutions-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1485.001
  attack_object_name: Lifecycle-Triggered Deletion
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: Purview's auditing solutions may be able to detect if lifecycle settings
    have been altered, allowing the changes to potentially be reverted before deletion
    occurs.
  mapping_type: technique_score
  references: []
  related_score: T1485
  score_category: protect
  score_value: partial
- attack_object_id: T1546.017
  attack_object_name: Udev Rules
  capability_description: Audit Solutions
  capability_group: purview
  capability_id: PUR-AUS-E5
  comments: Audit Solutions can be used to continuously monitor the Udev rules for
    modifications or additions, allowing for detection of abnormalities.
  mapping_type: technique_score
  references: []
  related_score: T1546
  score_category: detect
  score_value: significant
- attack_object_id: T1578.005
  attack_object_name: Modify Cloud Compute Configurations
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify anomalous admin activity.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  related_score: T1578
  score_category: detect
  score_value: minimal
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control provides significant and partial detection for a few of this
    technique's sub-techniques, while not providing any detection for the remaining,
    resulting in a Minimal coverage score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1003.003
  attack_object_name: NTDS
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: The documentation for this control's "Data exfiltration over SMB (external
    ID 2030)" alert implies that it may be able to detect the transfer of sensitive
    data such as the Ntds.dit on monitored domain controllers.  This is specific to
    domain controllers and therefore results in a reduced coverage score.
  mapping_type: technique_score
  references: []
  related_score: T1003
  score_category: detect
  score_value: minimal
- attack_object_id: T1003.006
  attack_object_name: DCSync
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control's "Suspected DCSync attack (replication of directory services)
    (external ID 2006)" alert can detect DCSync attacks. The false positive rate should
    be low because the set of domain controllers on the network changes infrequently,
    so replication requests received from non-domain controllers should be a red flag.
  mapping_type: technique_score
  references: []
  related_score: T1003
  score_category: detect
  score_value: significant
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control provides Minimal detection for one of this technique's sub-techniques,
    while not providing any detection for the remaining, resulting in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1021.002
  attack_object_name: SMB/Windows Admin Shares
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: 'This control''s "Remote code execution attempt (external ID 2019)" alert
    can detect Remote code execution via PsExec.  This may lead to false positives
    as administrative workstations, IT team members, and service accounts can all
    perform legitimate administrative tasks against domain controllers.  Additionally,
    this alert seems to be specific to detecting execution on domain controllers and
    AD FS servers, limiting its coverage.

    This control''s "Data exfiltration over SMB (external ID 2030)" alert may also
    be able to detect exfiltration of sensitive data on domain controllers using SMB.

    '
  mapping_type: technique_score
  references: []
  related_score: T1021
  score_category: detect
  score_value: minimal
- attack_object_id: T1047
  attack_object_name: Windows Management Instrumentation
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: 'This control''s "Remote code execution attempt (external ID 2019)" alert
    can detect Remote code execution via WMI.  This may lead to false positives as
    administrative workstations, IT team members, and service accounts can all perform
    legitimate administrative tasks against domain controllers.  Additionally, this
    alert seems to be specific to detecting execution on domain controllers and AD
    FS servers, limiting its coverage.

    '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control provides Partial detection for one of this technique's sub-techniques,
    while not providing any detection for the remaining, resulting in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1048.003
  attack_object_name: Exfiltration Over Unencrypted Non-C2 Protocol
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control's "Suspicious communication over DNS (external ID 2031)"
    alert can detect malicious communication over DNS used for data exfiltration,
    command and control, and/or evading corporate network restrictions.  The accuracy
    of this control is unknown and therefore its score has been assessed as Partial.
  mapping_type: technique_score
  references: []
  related_score: T1048
  score_category: detect
  score_value: partial
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control provides Minimal detection for one of this technique's sub-techniques,
    while not providing any detection for the remaining, resulting in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control's "Remote code execution attempt (external ID 2019)" alert
    can detect Remote code execution via PowerShell.  This may lead to false positives
    as administrative workstations, IT team members, and service accounts can all
    perform legitimate administrative tasks against domain controllers.  Additionally,
    this alert seems to be specific to detecting execution on domain controllers and
    AD FS servers, limiting its coverage.
  mapping_type: technique_score
  references: []
  related_score: T1059
  score_category: detect
  score_value: minimal
- attack_object_id: T1069
  attack_object_name: Permission Groups Discovery
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control provides significant detection for one of this technique's
    sub-techniques, while not providing any detection for the remaining, resulting
    in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1069.002
  attack_object_name: Domain Groups
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: 'This control''s "Security principal reconnaissance (LDAP) (external ID
    2038)" alert can be used to detect when an adversary "perform suspicious LDAP
    enumeration queries or queries targeted to sensitive groups that use methods not
    previously observed."  This alert employs machine learning which should reduce
    the number of false positives.

    Additionally, this control''s "User and Group membership reconnaissance (SAMR)
    (external ID 2021)" alert can detect this sub-technique and also employs machine
    learning which should reduce the false-positive rate.'
  mapping_type: technique_score
  references: []
  related_score: T1069
  score_category: detect
  score_value: significant
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control provides Partial detection for one of this technique's sub-techniques,
    while not providing any detection for the remaining, resulting in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1071.004
  attack_object_name: DNS
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control's "Suspicious communication over DNS (external ID 2031)"
    alert can detect malicious communication over DNS used for data exfiltration,
    command and control, and/or evading corporate network restrictions.  The accuracy
    of this control is unknown and therefore its score has been assessed as Partial.
  mapping_type: technique_score
  references: []
  related_score: T1071
  score_category: detect
  score_value: partial
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control provides significant detection for one of this technique's
    sub-techniques, while not providing any detection for the remaining, resulting
    in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1087.002
  attack_object_name: Domain Account
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: 'The following alert of this control is able to detect domain account
    discovery:  "Account enumeration reconnaissance (external ID 2003)".  This shouldn''t
    occur frequently and therefore the false positive rate should be minimal.

    The "Security principal reconnaissance (LDAP) (external ID 2038)" alert is also
    relevant and its machine learning capabilities should reduce the false positive
    rate.

    The "User and IP address reconnaissance (SMB) (external ID 2012)" alert can also
    provide a detection on a variation of this sub-technique.'
  mapping_type: technique_score
  references: []
  related_score: T1087
  score_category: detect
  score_value: significant
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: "This control's \"Suspicious additions to sensitive groups (external\
    \ ID 2024)\" alert can utilize machine learning to detect when an attacker adds\
    \ users to highly privileged groups. Adding users is done to gain access to more\
    \ resources, and gain persistence.  This detection relies on profiling the group\
    \ modification activities of users, and alerting when an abnormal addition to\
    \ a sensitive group is observed. Defender for Identity profiles continuously.\
    \ \nThis alert provides Partial coverage of this technique with a reduced false-positive\
    \ rate by utilizing machine learning models."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: partial
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control provides significant detection of some of the sub-techniques
    of this technique and has therefore been assessed an overall score of Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: partial
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: 'This control''s "Suspected Brute Force attack (Kerberos, NTLM) (external
    ID 2023)" alert can detect these brute force sub-techniques.  It incorporates
    a machine learning feature that should reduce the number of false positives.

    Similarly, its "Suspected Brute Force attack (LDAP) (external ID 2004)" alert
    can detect brute force attacks using LDAP simple binds.

    The "Suspected Brute Force attack (SMB) (external ID 2033)" alert is also relevant
    but the details are sparse.'
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: detect
  score_value: significant
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: 'This control''s "Suspected Brute Force attack (Kerberos, NTLM) (external
    ID 2023)" alert can detect these brute force sub-techniques.  It incorporates
    a machine learning feature that should reduce the number of false positives.

    Similarly, its "Suspected Brute Force attack (LDAP) (external ID 2004)" alert
    can detect brute force attacks using LDAP simple binds.

    The "Suspected Brute Force attack (SMB) (external ID 2033)" alert is also relevant
    but the details are sparse.'
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: detect
  score_value: significant
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: 'This control''s "Suspicious VPN connection (external ID 2025)" alert
    utilizes machine learning models to learn normal VPN connections for a user and
    detect deviations from the norm.  This detection is specific to VPN traffic and
    therefore its overall coverage is Minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1201
  attack_object_name: Password Policy Discovery
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: 'This control''s "Active Directory attributes reconnaissance (LDAP) (external
    ID 2210)" alert may be able to detect this operation.  There are statements in
    the documentation for the alert, such as: "Active Directory LDAP reconnaissance
    is used by attackers to gain critical information about the domain environment.
    This information can help attackers map the domain structure ...", that  may indicate
    support for detecting this technique.  The level of detection though is unknown
    and therefore a conservative assessment of a Minimal score is assigned.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1207
  attack_object_name: Rogue Domain Controller
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control's "Suspected DCShadow attack (domain controller promotion)
    (external ID 2028)" and "Suspected DCShadow attack (domain controller replication
    request) (external ID 2029)" alerts can detect this technique.  There should also
    be a low false positive rate, as the quantity and identity of domain controllers on
    the network should change very infrequently.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: significant
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: "This control's \"Remote code execution over DNS (external ID 2036)\"\
    \ alert can look for an attacker attempting to exploit CVE-2018-8626, a remote\
    \ code execution vulnerability that exists in Windows Domain Name System (DNS) servers.\
    \  In this detection, a Defender for Identity security alert is triggered when\
    \ DNS queries suspected of exploiting the CVE-2018-8626 security vulnerability\
    \ are made against a domain controller in the network.  \nLikewise this control's\
    \ \"Suspected SMB packet manipulation (CVE-2020-0796 exploitation)\" alert can\
    \ detect exploitation of a remote code execution vulnerability in SMBv3.\nBecause these detections\
    \ are specific to a few CVEs, its coverage is Minimal resulting in a Minimal score."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1482
  attack_object_name: Domain Trust Discovery
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: 'This control''s "Active Directory attributes reconnaissance (LDAP) (external
    ID 2210)" alert may be able to detect this operation.  There are statements in
    the documentation for the alert, such as: "Active Directory LDAP reconnaissance
    is used by attackers to gain critical information about the domain environment.
    This information can help attackers map the domain structure ...", that  may indicate
    support for detecting this technique.  The level of detection though is unknown
    and therefore a conservative assessment of a Minimal score is assigned.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1543
  attack_object_name: Create or Modify System Process
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control provides minimal detection for one of this technique's sub-techniques,
    while not providing any detection for the remaining, resulting in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1543.003
  attack_object_name: Windows Service
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control's "Suspicious service creation (external ID 2026)" alert
    is able to detect suspicious service creation on a domain controller or AD FS
    server in your organization.  As a result of this detection being specific to
    these hosts, the coverage score is Minimal resulting in Minimal detection.
  mapping_type: technique_score
  references: []
  related_score: T1543
  score_category: detect
  score_value: minimal
- attack_object_id: T1543.005
  attack_object_name: Container Service
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control's "Suspicious service creation (external ID 2026)" alert
    is able to detect suspicious service creation on a domain controller or AD FS
    server in your organization.  As a result of this detection being specific to
    these hosts, the coverage score is Minimal resulting in Minimal detection.
  mapping_type: technique_score
  references: []
  related_score: T1543
  score_category: detect
  score_value: minimal
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control provides partial detection for some of this technique's sub-techniques (due
    to unknown false-positive/true-positive rate), resulting in a Partial score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: partial
- attack_object_id: T1550.002
  attack_object_name: Pass the Hash
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: 'This control''s "Suspected identity theft (pass-the-hash) (external ID
    2017)" alert specifically looks for pass-the-hash attacks but there is not enough
    information to determine its effectiveness and therefore a conservative assessment
    of a Partial score is assigned.

    This control''s "Suspected identity theft (pass-the-ticket) (external ID 2018)"
    alert specifically looks for pass-the-ticket attacks but there is not enough information
    to determine its effectiveness and therefore a conservative assessment of a Partial
    score is assigned.'
  mapping_type: technique_score
  references: []
  related_score: T1550
  score_category: detect
  score_value: partial
- attack_object_id: T1550.003
  attack_object_name: Pass the Ticket
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: 'This control''s "Suspected identity theft (pass-the-hash) (external ID
    2017)" alert specifically looks for pass-the-hash attacks but there is not enough
    information to determine its effectiveness and therefore a conservative assessment
    of a Partial score is assigned.

    This control''s "Suspected identity theft (pass-the-ticket) (external ID 2018)"
    alert specifically looks for pass-the-ticket attacks but there is not enough information
    to determine its effectiveness and therefore a conservative assessment of a Partial
    score is assigned.'
  mapping_type: technique_score
  references: []
  related_score: T1550
  score_category: detect
  score_value: partial
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control provides minimal detection for some of this technique's sub-techniques,
    while not providing any detection for the remaining, resulting in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1555.003
  attack_object_name: Credentials from Web Browsers
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control's "Malicious request of Data Protection API master key (external
    ID 2020)" alert can be used to detect when an attacker attempts to utilize the
    Data Protection API (DPAPI) to decrypt sensitive data using the backup of the
    master key stored on domain controllers. DPAPI is used by Windows to securely
    protect passwords saved by browsers, encrypted files, and other sensitive data.  This
    alert is specific to using DPAPI to retrieve the master backup key and therefore
    provides minimal coverage resulting in a Minimal score.
  mapping_type: technique_score
  references: []
  related_score: T1555
  score_category: detect
  score_value: minimal
- attack_object_id: T1555.004
  attack_object_name: Windows Credential Manager
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control's "Malicious request of Data Protection API master key (external
    ID 2020)" alert can be used to detect when an attacker attempts to utilize the
    Data Protection API (DPAPI) to decrypt sensitive data using the backup of the
    master key stored on domain controllers. Windows Credential Manager utilizes DPAPI
    to securely store sensitive information like passwords.  This alert is specific
    to using DPAPI to retrieve the master backup key and therefore provides minimal
    coverage resulting in a Minimal score.
  mapping_type: technique_score
  references: []
  related_score: T1555
  score_category: detect
  score_value: minimal
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control provides minimal detection for one of this technique's sub-techniques,
    while not providing any detection for the remaining, resulting in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1556.001
  attack_object_name: Domain Controller Authentication
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control's "Suspected skeleton key attack (encryption downgrade) (external
    ID 2010)" alert can detect Skeleton Key attacks.  This alert provides partial detection
    as it detects a specific type of malware, Skeleton Key malware, and its usage of
    weaker encryption algorithms to hash the user's passwords on the domain controller.  The
    description of the alert implies it utilizes machine learning to look for anomalous
    usage of weak encryption algorithms which should result in a reduced false positive
    rate.
  mapping_type: technique_score
  references: []
  related_score: T1556
  score_category: detect
  score_value: partial
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control provides minimal detection for one of this technique's sub-techniques,
    while not providing any detection for the other, resulting in an overall Minimal
    score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1557.001
  attack_object_name: LLMNR/NBT-NS Poisoning and SMB Relay
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control's "Suspected NTLM relay attack (Exchange account) (external
    ID 2037)" alert can detect NTLM relay attacks specific to the Exchange service.  Because
    this detection is limited to this variation of the sub-technique, its coverage
    score is Minimal resulting in an overall Minimal score.
  mapping_type: technique_score
  references: []
  related_score: T1557
  score_category: detect
  score_value: minimal
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control provides partial detection for most of this technique's sub-techniques,
    resulting in an overall Partial score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: partial
- attack_object_id: T1558.001
  attack_object_name: Golden Ticket
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control has numerous alerts that can detect Golden Ticket attacks
    from multiple perspectives.  The accuracy of these alerts is unknown resulting
    in a partial score.
  mapping_type: technique_score
  references: []
  related_score: T1558
  score_category: detect
  score_value: partial
- attack_object_id: T1558.003
  attack_object_name: Kerberoasting
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: "This control's \"Suspected Kerberos SPN exposure (external ID 2410)\"\
    \ alert is able to detect when an attacker uses tools to enumerate service accounts\
    \ and their respective SPNs (Service principal names), request a Kerberos service\
    \ ticket for the services, capture the Ticket Granting Service (TGS) tickets from\
    \ memory and extract their hashes, and save them for later use in an offline brute\
    \ force attack.  \nSimilarly its \"Suspected AS-REP Roasting attack (external\
    \ ID 2412)\" alert is able to detect the AS-REP Roasting sub-technique.\nThe accuracy\
    \ of these alerts is unknown and therefore its score has been assessed as Partial."
  mapping_type: technique_score
  references: []
  related_score: T1558
  score_category: detect
  score_value: partial
- attack_object_id: T1558.004
  attack_object_name: AS-REP Roasting
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: "This control's \"Suspected Kerberos SPN exposure (external ID 2410)\"\
    \ alert is able to detect when an attacker uses tools to enumerate service accounts\
    \ and their respective SPNs (Service principal names), request a Kerberos service\
    \ ticket for the services, capture the Ticket Granting Service (TGS) tickets from\
    \ memory and extract their hashes, and save them for later use in an offline brute\
    \ force attack.  \nSimilarly its \"Suspected AS-REP Roasting attack (external\
    \ ID 2412)\" alert is able to detect the AS-REP Roasting sub-technique.\nThe accuracy\
    \ of these alerts is unknown and therefore its score has been assessed as Partial."
  mapping_type: technique_score
  references: []
  related_score: T1558
  score_category: detect
  score_value: partial
- attack_object_id: T1569
  attack_object_name: System Services
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control provides Minimal detection for one of this technique's sub-techniques,
    while not providing any detection for the remaining, resulting in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/what-is
  score_category: detect
  score_value: minimal
- attack_object_id: T1569.002
  attack_object_name: Service Execution
  capability_description: Microsoft Defender for Identity
  capability_group: m365-defender
  capability_id: DEF-ID-E5
  comments: This control's "Remote code execution attempt (external ID 2019)" alert
    can detect remote code execution via PsExec.  This may lead to false positives
    as administrative workstations, IT team members, and service accounts can all
    perform legitimate administrative tasks against domain controllers.  Additionally,
    this alert seems to be specific to detecting execution on domain controllers and
    AD FS servers, limiting its coverage.
  mapping_type: technique_score
  references: []
  related_score: T1569
  score_category: detect
  score_value: minimal
- attack_object_id: T1003
  attack_object_name: OS Credential Dumping
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1003.006
  attack_object_name: DCSync
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  related_score: T1003
  score_category: detect
  score_value: significant
- attack_object_id: T1011
  attack_object_name: Exfiltration Over Other Network Medium
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1018
  attack_object_name: Remote System Discovery
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1046
  attack_object_name: Network Service Discovery
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1049
  attack_object_name: System Network Connections Discovery
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1069
  attack_object_name: Permission Groups Discovery
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1069.002
  attack_object_name: Domain Groups
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts
  related_score: T1069
  score_category: detect
  score_value: significant
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1087.002
  attack_object_name: Domain Account
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts
  related_score: T1087
  score_category: detect
  score_value: significant
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  related_score: T1110
  score_category: detect
  score_value: significant
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  related_score: T1110
  score_category: detect
  score_value: significant
- attack_object_id: T1134
  attack_object_name: Access Token Manipulation
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1134
  attack_object_name: Access Token Manipulation
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1134.001
  attack_object_name: Token Impersonation/Theft
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  related_score: T1134
  score_category: detect
  score_value: significant
- attack_object_id: T1134.001
  attack_object_name: Token Impersonation/Theft
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
  related_score: T1134
  score_category: detect
  score_value: significant
- attack_object_id: T1134.005
  attack_object_name: SID-History Injection
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
  related_score: T1134
  score_category: detect
  score_value: significant
- attack_object_id: T1187
  attack_object_name: Forced Authentication
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1202
  attack_object_name: Indirect Command Execution
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1484
  attack_object_name: Domain or Tenant Policy Modification
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1484
  attack_object_name: Domain or Tenant Policy Modification
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1484.001
  attack_object_name: Group Policy Modification
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
  related_score: T1484
  score_category: detect
  score_value: significant
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1550.002
  attack_object_name: Pass the Hash
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  related_score: T1550
  score_category: detect
  score_value: significant
- attack_object_id: T1552.004
  attack_object_name: Private Keys
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  related_score: T1552
  score_category: detect
  score_value: significant
- attack_object_id: T1555
  attack_object_name: Credentials from Password Stores
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/alerts-overview
  score_category: detect
  score_value: significant
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1556.001
  attack_object_name: Domain Controller Authentication
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use \n of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
  related_score: T1556
  score_category: detect
  score_value: significant
- attack_object_id: T1557
  attack_object_name: Adversary-in-the-Middle
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use \n of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1557.001
  attack_object_name: LLMNR/NBT-NS Poisoning and SMB Relay
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use \n of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  related_score: T1557
  score_category: detect
  score_value: significant
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use \n of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1558.001
  attack_object_name: Golden Ticket
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use \n of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  related_score: T1558
  score_category: detect
  score_value: significant
- attack_object_id: T1558.001
  attack_object_name: Golden Ticket
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use \n of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
  related_score: T1558
  score_category: detect
  score_value: significant
- attack_object_id: T1558.003
  attack_object_name: Kerberoasting
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use \n of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  related_score: T1558
  score_category: detect
  score_value: significant
- attack_object_id: T1558.004
  attack_object_name: AS-REP Roasting
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use \n of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  related_score: T1558
  score_category: detect
  score_value: significant
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Security Alerts
  capability_group: m365-defender
  capability_id: DEF-SECA-E3
  comments: "Microsoft Defender security alerts explain the suspicious activities\
    \ detected by Defender for Identity sensors on your network, and the actors and\
    \ computers involved in each threat. Alert evidence lists contain direct links\
    \ to the involved users and computers, to help make your investigations easy and\
    \ direct.\n\nDefender security alerts are divided into the following categories\
    \ or phases, like the phases seen in a typical cyber-attack kill chain. Learn\
    \ more about each phase, the alerts designed to detect each attack, and how to\
    \ use the alerts to help protect your network using the following links:\n\nReconnaissance\
    \ and discovery alerts\nPersistence and privilege escalation alerts\nCredential\
    \ access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft\
    \ 365 security product license entitles customer use \n of Microsoft Defender\
    \ XDR."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1016.001
  attack_object_name: Internet Connection Discovery
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: Microsoft Defender's ability to detect entities scanning the network configuration
    also covers the scanning of internet connections, providing a detection mechanism
    against this technique.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  related_score: T1016
  score_category: detect
  score_value: minimal
- attack_object_id: T1016.002
  attack_object_name: Wi-Fi Discovery
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: Microsoft Defender's ability to detect entities scanning the network configuration
    also covers the scanning of internet connections, providing a detection mechanism
    against this technique.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  related_score: T1016
  score_category: detect
  score_value: partial
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: Defender for Cloud leverages anomaly detection policies and audit logging
    to mitigate Cloud Services-based attacks.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
  - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
  related_score: T1021
  score_category: protect
  score_value: significant
- attack_object_id: T1027.006
  attack_object_name: HTML Smuggling
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: File policies in Microsoft Defender for Cloud perform content inspection
    which can provide continuous scans to detect and remediate any violations.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/data-protection-policies
  related_score: T1027
  score_category: detect
  score_value: significant
- attack_object_id: T1027.007
  attack_object_name: Dynamic API Resolution
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can protect against abuse of dynamic API resolution.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-apis-deploy
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-apis-introduction
  related_score: T1027
  score_category: protect
  score_value: partial
- attack_object_id: T1027.008
  attack_object_name: Stripped Payloads
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: Defender utilizes File Policies, which allow file sandboxing and filtering
    based on file metadata.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
  - https://learn.microsoft.com/en-us/defender-cloud-apps/data-protection-policies
  related_score: T1027
  score_category: detect
  score_value: significant
- attack_object_id: T1027.009
  attack_object_name: Embedded Payloads
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect embedded payloads through DLP content inspection.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/content-inspection
  related_score: T1027
  score_category: detect
  score_value: significant
- attack_object_id: T1027.010
  attack_object_name: Command Obfuscation
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect command obfuscation attacks through anomaly detection
    policies.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
  related_score: T1027
  score_category: detect
  score_value: partial
- attack_object_id: T1071
  attack_object_name: Application Layer Protocol
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify some evidence of potential C2 via a specific
    application layer protocol (mail). Relevant alerts include "Suspicious inbox
    forwarding" and "Suspicious inbox manipulation rule".
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: minimal
- attack_object_id: T1071.003
  attack_object_name: Mail Protocols
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify some evidence of potential C2 via a specific
    application layer protocol (mail). Relevant alerts include "Suspicious inbox forwarding"
    and "Suspicious inbox manipulation rule".
  mapping_type: technique_score
  references: []
  related_score: T1071
  score_category: detect
  score_value: partial
- attack_object_id: T1071.005
  attack_object_name: Publish/Subscribe Protocols
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify some evidence of potential C2 via a specific
    application layer protocol (mail). Relevant alerts include "Suspicious inbox
    forwarding" and "Suspicious inbox manipulation rule".
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  related_score: T1071
  score_category: detect
  score_value: minimal
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: "This control can identify anomalous behavior such as geographically impossible\
    \ logins and out-of-character activity.\nRelevant alerts include \"Activity from\
    \ anonymous IP address\", \"Activity from infrequent country\", \"Activity from\
    \ suspicious IP address\", \"Impossible Travel\", and \"Activity performed by\
    \ terminated user\"."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: partial
- attack_object_id: T1078.001
  attack_object_name: Default Accounts
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: "This control can identify anomalous behavior such as geographically impossible\
    \ logins and out-of-character activity.\nRelevant alerts include \"Activity from\
    \ anonymous IP address\", \"Activity from infrequent country\", \"Activity from\
    \ suspicious IP address\", \"Impossible Travel\", and \"Activity performed by\
    \ terminated user\"."
  mapping_type: technique_score
  references: []
  related_score: T1078
  score_category: detect
  score_value: partial
- attack_object_id: T1078.002
  attack_object_name: Domain Accounts
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: "This control can identify anomalous behavior such as geographically impossible\
    \ logins and out-of-character activity.\nRelevant alerts include \"Activity from\
    \ anonymous IP address\", \"Activity from infrequent country\", \"Activity from\
    \ suspicious IP address\", \"Impossible Travel\", and \"Activity performed by\
    \ terminated user\"."
  mapping_type: technique_score
  references: []
  related_score: T1078
  score_category: detect
  score_value: partial
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: "This control can identify anomalous behavior such as geographically impossible\
    \ logins and out-of-character activity.\nRelevant alerts include \"Activity from\
    \ anonymous IP address\", \"Activity from infrequent country\", \"Activity from\
    \ suspicious IP address\", \"Impossible Travel\", and \"Activity performed by\
    \ terminated user\"."
  mapping_type: technique_score
  references: []
  related_score: T1078
  score_category: detect
  score_value: partial
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect anomalous admin activity that may be indicative
    of account manipulation. Relevant alerts include "Unusual administrative activity
    (by user)" and "Unusual addition of credentials to an OAuth app".
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: minimal
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect anomalous admin activity that may be indicative
    of account manipulation. Relevant alerts include "Unusual administrative activity
    (by user)" and "Unusual addition of credentials to an OAuth app".
  mapping_type: technique_score
  references: []
  related_score: T1098
  score_category: detect
  score_value: minimal
- attack_object_id: T1098.002
  attack_object_name: Additional Email Delegate Permissions
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect anomalous admin activity that may be indicative
    of account manipulation. Relevant alerts include "Unusual administrative activity
    (by user)" and "Unusual addition of credentials to an OAuth app".
  mapping_type: technique_score
  references: []
  related_score: T1098
  score_category: detect
  score_value: minimal
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect anomalous admin activity that may be indicative
    of account manipulation. Relevant alerts include "Unusual administrative activity
    (by user)" and "Unusual addition of credentials to an OAuth app".
  mapping_type: technique_score
  references: []
  related_score: T1098
  score_category: detect
  score_value: minimal
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect some activity indicative of brute force attempts
    to log in. The relevant alert is "Multiple failed login attempts".
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: partial
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect some activity indicative of brute force attempts
    to log in. The relevant alert is "Multiple failed login attempts".
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: detect
  score_value: partial
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect some activity indicative of brute force attempts
    to log in. The relevant alert is "Multiple failed login attempts".
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: detect
  score_value: partial
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect some activity indicative of brute force attempts
    to log in. The relevant alert is "Multiple failed login attempts".
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: detect
  score_value: partial
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control's Information protection policies can detect and encrypt
    sensitive information at rest on supported platforms, which can inhibit automated
    data collection activities.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: protect
  score_value: partial
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect sensitive information at rest, which may be indicative
    of data collection activities.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: partial
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control's policies for access control can limit abuse of external-facing
    remote services.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: protect
  score_value: partial
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can provide logging of activity associated with potential
    exploitation of remote services such as anomalous geographic access.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: partial
- attack_object_id: T1213.004
  attack_object_name: Customer Relationship Management Software
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control may detect anomalous user behavior with respect to information
    repositories such as SharePoint or Confluence.
  mapping_type: technique_score
  references: []
  related_score: T1213
  score_category: detect
  score_value: partial
- attack_object_id: T1649
  attack_object_name: Steal or Forge Authentication Certificates
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can protect authentication certificates by allowing you
    to create access and session policies that leverage device tags and valid client
    certificates.
  mapping_type: technique_score
  references:
  - https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/hunt-for-compromised-azure-subscriptions-using-microsoft-defender-for-cloud-apps/3607121
  - https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
  score_category: protect
  score_value: partial
- attack_object_id: T1187
  attack_object_name: Forced Authentication
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can provide significant protection against forced authentication
    methods by restricting actions associated with multiple file access methods such
    as SMB.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: protect
  score_value: significant
- attack_object_id: T1187
  attack_object_name: Forced Authentication
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can alert on anomalous sharing attempts of confidential data.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: significant
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect outdated client browser software, which is a common
    target of exploitation in drive-by compromises.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: partial
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can provide fine-grained access control to information sharing
    repositories such as SharePoint or Confluence. Due to this capability being limited
    to these services, it has been scored as Partial coverage resulting in a Partial
    score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: protect
  score_value: minimal
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control may detect anomalous user behavior with respect to information
    repositories such as SharePoint or Confluence. Due to this capability being limited
    to these services, it has been scored as Partial coverage resulting in a Partial
    score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: minimal
- attack_object_id: T1213.001
  attack_object_name: Confluence
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control may detect anomalous user behavior with respect to information
    repositories such as SharePoint or Confluence.
  mapping_type: technique_score
  references: []
  related_score: T1213
  score_category: protect
  score_value: partial
- attack_object_id: T1213.001
  attack_object_name: Confluence
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control may detect anomalous user behavior with respect to information
    repositories such as SharePoint or Confluence.
  mapping_type: technique_score
  references: []
  related_score: T1213
  score_category: detect
  score_value: partial
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control may detect anomalous user behavior with respect to information
    repositories such as SharePoint or Confluence.
  mapping_type: technique_score
  references: []
  related_score: T1213
  score_category: protect
  score_value: partial
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control may detect anomalous user behavior with respect to information
    repositories such as SharePoint or Confluence.
  mapping_type: technique_score
  references: []
  related_score: T1213
  score_category: detect
  score_value: partial
- attack_object_id: T1219
  attack_object_name: Remote Access Software
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can limit potential C2 via unapproved remote access software.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: protect
  score_value: significant
- attack_object_id: T1219
  attack_object_name: Remote Access Software
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify potential malicious activity associated with
    the use or attempted use of unapproved remote access software.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: partial
- attack_object_id: T1484
  attack_object_name: Domain or Tenant Policy Modification
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect admin activity from risky IP addresses.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: minimal
- attack_object_id: T1484.001
  attack_object_name: Group Policy Modification
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect admin activity from risky IP addresses.
  mapping_type: technique_score
  references: []
  related_score: T1484
  score_category: detect
  score_value: minimal
- attack_object_id: T1484.002
  attack_object_name: Trust Modification
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect admin activity from risky IP addresses.
  mapping_type: technique_score
  references: []
  related_score: T1484
  score_category: detect
  score_value: minimal
- attack_object_id: T1485
  attack_object_name: Data Destruction
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: 'This control can identify deletion activity which could be potential
    malicious data destruction. Relevant alerts include "Multiple storage deletion
    activities", "Multiple VM deletion activity", "Unusual file deletion activity
    (by user)", "Suspicious email deletion activity", and "Ransomware activity".

    '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: partial
- attack_object_id: T1486
  attack_object_name: Data Encrypted for Impact
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect a range of ransomware-related activities including
    encryption. Relevant alerts include "Ransomware activities" and "Unusual file deletion
    activity (by user)".
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: partial
- attack_object_id: T1496
  attack_object_name: Resource Hijacking
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify some behaviors that are potential instances
    of resource hijacking. Relevant alerts include "Multiple VM Creation activities"
    and "Suspicious creation activity for cloud region".
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: partial
- attack_object_id: T1496.001
  attack_object_name: Compute Hijacking
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify some behaviors that are potential instances
    of compute hijacking. Relevant alerts include "Multiple VM Creation activities"
    and "Suspicious creation activity for cloud region".
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  related_score: T1496
  score_category: detect
  score_value: partial
- attack_object_id: T1496.002
  attack_object_name: Bandwidth Hijacking
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify some behaviors that are potential instances
    of compute hijacking. Relevant alerts include "Multiple VM Creation activities"
    and "Suspicious creation activity for cloud region".
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  related_score: T1496
  score_category: detect
  score_value: partial
- attack_object_id: T1496.003
  attack_object_name: SMS Pumping
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify some behaviors that are potential instances
    of compute hijacking. Relevant alerts include "Multiple VM Creation activities"
    and "Suspicious creation activity for cloud region".
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  related_score: T1496
  score_category: detect
  score_value: partial
- attack_object_id: T1496.004
  attack_object_name: Cloud Service Hijacking
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify some behaviors that are potential instances
    of resource hijacking. Relevant alerts include "Multiple VM Creation activities"
    and "Suspicious creation activity for cloud region".
  mapping_type: technique_score
  references: []
  related_score: T1496
  score_category: detect
  score_value: partial
- attack_object_id: T1526
  attack_object_name: Cloud Service Discovery
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect anomalous user activity that may be associated
    with cloud service discovery. Relevant alert is "Unusual file share activity (by
    user)".
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: partial
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can restrict user app permissions which can limit the potential
    for theft of application access tokens.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: protect
  score_value: partial
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: 'This control can detect potentially risky apps. Relevant alerts include
    "Misleading publisher name for an OAuth app" and "Misleading OAuth app name".'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: partial
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect use of unsanctioned business apps and data exfiltration
    to unsanctioned storage apps.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: partial
- attack_object_id: T1531
  attack_object_name: Account Access Removal
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify anomalous admin activity.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: minimal
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify anomalous user impersonation activity, which
    can be an element of internal spearphishing. Relevant alert is "Unusual impersonated
    activity (by user)".
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: minimal
- attack_object_id: T1535
  attack_object_name: Unused/Unsupported Cloud Regions
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect unusual region and activity for cloud resources
    (preview feature as of this writing). Relevant alert is "Suspicious creation
    activity for cloud region".
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: partial
- attack_object_id: T1558.005
  attack_object_name: Ccache Files
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: Defender for Cloud Apps provides endpoint detection and response (EDR)
    capabilities. This can potentially block attempts to steal ccache files.
  mapping_type: technique_score
  references: []
  related_score: T1558
  score_category: protect
  score_value: partial
- attack_object_id: T1565
  attack_object_name: Data Manipulation
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect and encrypt sensitive information at rest on supported
    platforms and restrict access.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: protect
  score_value: partial
- attack_object_id: T1565.001
  attack_object_name: Stored Data Manipulation
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect and encrypt sensitive information at rest on supported
    platforms.
  mapping_type: technique_score
  references: []
  related_score: T1565
  score_category: protect
  score_value: partial
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can limit user methods to send data over web services.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: protect
  score_value: partial
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify large volume potential exfiltration activity,
    and log user activity potentially related to exfiltration via web services. A
    relevant alert is "Unusual file download (by user)".
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: partial
- attack_object_id: T1567.001
  attack_object_name: Exfiltration to Code Repository
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify large volume potential exfiltration activity.
  mapping_type: technique_score
  references: []
  related_score: T1567
  score_category: protect
  score_value: partial
- attack_object_id: T1567.001
  attack_object_name: Exfiltration to Code Repository
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify large volume potential exfiltration activity,
    and log user activity potentially related to exfiltration via web services. A
    relevant alert is "Unusual file download (by user)".
  mapping_type: technique_score
  references: []
  related_score: T1567
  score_category: detect
  score_value: partial
- attack_object_id: T1567.002
  attack_object_name: Exfiltration to Cloud Storage
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify large volume potential exfiltration activity.
  mapping_type: technique_score
  references: []
  related_score: T1567
  score_category: protect
  score_value: partial
- attack_object_id: T1567.002
  attack_object_name: Exfiltration to Cloud Storage
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify large volume potential exfiltration activity,
    and log user activity potentially related to exfiltration via web services. A
    relevant alert is "Unusual file download (by user)".
  mapping_type: technique_score
  references: []
  related_score: T1567
  score_category: detect
  score_value: partial
- attack_object_id: T1574.013
  attack_object_name: KernelCallbackTable
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control offers behavior prevention capabilities for cloud environments
    that can be configured to block some types of behaviors related to process injection/memory
    tampering.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  related_score: T1574
  score_category: detect
  score_value: partial
- attack_object_id: T1578
  attack_object_name: Modify Cloud Compute Infrastructure
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: 'This control can identify anomalous admin activity.

    Relevant alerts include "Multiple storage deletion activities", "Multiple VM creation
    activities", and "Suspicious creation activity for cloud region".'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  score_category: detect
  score_value: minimal
- attack_object_id: T1578.001
  attack_object_name: Create Snapshot
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify anomalous admin activity.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  related_score: T1578
  score_category: detect
  score_value: minimal
- attack_object_id: T1578.002
  attack_object_name: Create Cloud Instance
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify anomalous admin activity.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  related_score: T1578
  score_category: detect
  score_value: minimal
- attack_object_id: T1578.003
  attack_object_name: Delete Cloud Instance
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify anomalous admin activity.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  related_score: T1578
  score_category: detect
  score_value: minimal
- attack_object_id: T1578.004
  attack_object_name: Revert Cloud Instance
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can identify anomalous admin activity.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  - https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts
  related_score: T1578
  score_category: detect
  score_value: minimal
- attack_object_id: T1666
  attack_object_name: Modify Cloud Resource Hierarchy
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: This control can detect suspicious or anomalous behavior indicative of
    potential threats, like attempts to transfer subscriptions to unauthorized tenants.
  mapping_type: technique_score
  references:
  - https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/hunt-for-compromised-azure-subscriptions-using-microsoft-defender-for-cloud-apps/3607121
  - https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/
  score_category: detect
  score_value: partial
- attack_object_id: T1053.007
  attack_object_name: Container Orchestration Job
  capability_description: Defender for Cloud Apps
  capability_group: m365-defender
  capability_id: DEF-CAPP-E5
  comments: Microsoft 365 Defender for Cloud Apps can scan images and containers for
    threats and vulnerabilities, as well as identify misconfigurations for remediation.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery
  related_score: T1053
  score_category: protect
  score_value: partial
- attack_object_id: T1021
  attack_object_name: Remote Services
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references: []
  related_score: T1021
  score_category: detect
  score_value: minimal
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1021
  score_category: detect
  score_value: minimal
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1059
  score_category: detect
  score_value: minimal
- attack_object_id: T1072
  attack_object_name: Software Deployment Tools
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1078.001
  attack_object_name: Default Accounts
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1078
  score_category: detect
  score_value: minimal
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1078
  score_category: detect
  score_value: minimal
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1110
  score_category: detect
  score_value: minimal
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1110
  score_category: detect
  score_value: minimal
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1110
  score_category: detect
  score_value: minimal
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1110
  score_category: detect
  score_value: minimal
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1114
  score_category: detect
  score_value: minimal
# NOTE(review): this item repeats the immediately preceding T1114.002 / DEF-SSCO-E3
# entry field-for-field (same comments, references, related_score and scores). A
# duplicated sequence item is valid YAML, so no loader will flag it; consumers that
# aggregate on (attack_object_id, capability_id) would presumably count this mapping
# twice — confirm whether one of the two entries should be dropped.
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1114
  score_category: detect
  score_value: minimal
- attack_object_id: T1114.003
  attack_object_name: Email Forwarding Rule
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1114
  score_category: detect
  score_value: minimal
# NOTE(review): this item repeats the immediately preceding T1114.003 / DEF-SSCO-E3
# entry field-for-field (same comments, references, related_score and scores). A
# duplicated sequence item is valid YAML, so no loader will flag it; consumers that
# aggregate on (attack_object_id, capability_id) would presumably count this mapping
# twice — confirm whether one of the two entries should be dropped.
- attack_object_id: T1114.003
  attack_object_name: Email Forwarding Rule
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1114
  score_category: detect
  score_value: minimal
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1136
  score_category: detect
  score_value: minimal
- attack_object_id: T1137
  attack_object_name: Office Application Startup
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1204
  score_category: detect
  score_value: minimal
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1204
  score_category: detect
  score_value: minimal
- attack_object_id: T1211
  attack_object_name: Exploitation for Defense Evasion
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1213
  score_category: detect
  score_value: minimal
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
# NOTE(review): a second, byte-identical mapping object for T1550 / DEF-SSCO-E3 was
# removed here; the T1550 entry immediately above is the surviving copy.
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1550
  score_category: detect
  score_value: minimal
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1562.008
  attack_object_name: Disable or Modify Cloud Logs
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1562
  score_category: detect
  score_value: minimal
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1564.008
  attack_object_name: Email Hiding Rules
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1564
  score_category: detect
  score_value: minimal
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1566
  score_category: detect
  score_value: minimal
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1566
  score_category: detect
  score_value: minimal
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)


    Note: Secure Score is a posture-measurement and recommendation dashboard, not a
    runtime detection or enforcement control. Any coverage of this technique comes
    indirectly from acting on its recommendations rather than from Secure Score
    observing adversary activity, which is why this mapping is scored detect / minimal.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1567.002
  attack_object_name: Exfiltration to Cloud Storage
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1567
  score_category: detect
  score_value: minimal
- attack_object_id: T1567.004
  attack_object_name: Exfiltration Over Webhook
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  related_score: T1567
  score_category: detect
  score_value: minimal
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1651
  attack_object_name: Cloud Administration Command
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1656
  attack_object_name: Impersonation
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1657
  attack_object_name: Financial Theft
  capability_description: Secure Score
  capability_group: m365-defender
  capability_id: DEF-SSCO-E3
  comments: 'Microsoft Secure Score is a measurement of an organization''s security
    posture, with a higher number indicating more recommended actions taken. It can
    be found at Microsoft Secure Score in the Microsoft Defender portal.


    Following the Secure Score recommendations can protect your organization from
    threats. From a centralized dashboard in the Microsoft Defender portal, organizations
    can monitor and work on the security of their Microsoft 365 identities, apps,
    and devices. Your score is updated in real time to reflect the information presented
    in the visualizations and recommended action pages. Secure Score also syncs daily
    to receive system data about your achieved points for each action.


    To help you find the information you need more quickly, Microsoft recommended
    actions are organized into groups:


    Identity (Microsoft Entra accounts & roles)

    Device (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)

    Apps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud
    Apps)

    Data (through Microsoft Information Protection)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
  - https://security.microsoft.com/securescore?
  score_category: detect
  score_value: minimal
- attack_object_id: T1021.007
  attack_object_name: Cloud Services
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: "Microsoft recommends the use of Passwordless authentication. This method\
    \ provides the most secure MFA sign-in process by replacing the password with\
    \ something you have, plus something you are or something you know (e.g., biometrics,\
    \ FIDO2 security keys, Microsoft\u2019s Authenticator app).\n\nWhen combined\
    \ with Conditional Access policies, use of strong two-factor authentication for\
    \ remote service accounts will mitigate an adversary's ability to leverage stolen\
    \ credentials.\n\nLicense Requirements:\nAll Microsoft Entra ID licenses"
  mapping_type: technique_score
  references:
  - https://m365maps.com/files/Entra-ID-All.htm
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124
  related_score: T1021
  score_category: protect
  score_value: significant
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: "Microsoft recommends the use of Passwordless authentication. This method\
    \ provides the most secure MFA sign-in process by replacing the password with\
    \ something you have, plus something you are or something you know (e.g., biometrics,\
    \ FIDO2 security keys, Microsoft\u2019s Authenticator app).\n\nWhen combined\
    \ with Conditional Access policies, Passwordless Authentication can significantly\
    \ reduce the likelihood of adversary activity from credential attacks (e.g., brute\
    \ force, token theft, etc.).\n\nLicense Requirements:\nAll Microsoft Entra ID licenses"
  mapping_type: technique_score
  references:
  - https://m365maps.com/files/Entra-ID-All.htm
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
  related_score: T1078
  score_category: protect
  score_value: significant
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: "Microsoft recommends the use of Passwordless authentication. This method\
    \ provides the most secure MFA sign-in process by replacing the password with\
    \ something you have, plus something you are or something you know (e.g., biometrics,\
    \ FIDO2 security keys, Microsoft\u2019s Authenticator app).\n\nWhen combined\
    \ with Conditional Access policies, Passwordless Authentication can significantly\
    \ reduce the likelihood of adversary activity (e.g., additional cloud permissions,\
    \ etc.).\n\nLicense Requirements:\nAll Microsoft Entra ID licenses"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984
  - https://m365maps.com/files/Entra-ID-All.htm
  related_score: T1098
  score_category: protect
  score_value: significant
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: "Microsoft recommends the use of Passwordless authentication. This method\
    \ provides the most secure MFA sign-in process by replacing the password with\
    \ something you have, plus something you are or something you know (e.g., biometrics,\
    \ FIDO2 security keys, Microsoft\u2019s Authenticator app).\n\nWhen combined\
    \ with Conditional Access policies, Passwordless Authentication can significantly\
    \ reduce the likelihood of adversary activity (e.g., additional cloud roles,\
    \ etc.).\n\nLicense Requirements:\nAll Microsoft Entra ID licenses"
  mapping_type: technique_score
  references:
  - https://m365maps.com/files/Entra-ID-All.htm
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
  related_score: T1098
  score_category: protect
  score_value: significant
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: "Microsoft recommends the use of Passwordless authentication. This method\
    \ provides the most secure MFA sign-in process by replacing the password with\
    \ something you have, plus something you are or something you know (e.g., biometrics,\
    \ FIDO2 security keys, Microsoft\u2019s Authenticator app).\n\nWhen combined\
    \ with Conditional Access policies, Passwordless Authentication can significantly\
    \ reduce the likelihood of adversary activity from credential attacks (e.g., brute\
    \ force, token theft, etc.).\n\nLicense Requirements:\nAll Microsoft Entra ID licenses"
  mapping_type: technique_score
  references:
  - https://m365maps.com/files/Entra-ID-All.htm
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
  score_category: protect
  score_value: significant
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: This control provides significant protection against this brute force
    technique by completely obviating the need for passwords, replacing them with
    passwordless credentials.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless
  score_category: protect
  score_value: significant
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: "Microsoft recommends the use of Passwordless authentication. This method\
    \ provides the most secure MFA sign-in process by replacing the password with\
    \ something you have, plus something you are or something you know (e.g., biometrics,\
    \ FIDO2 security keys, Microsoft\u2019s Authenticator app).\n\nWhen combined\
    \ with Conditional Access policies, Passwordless Authentication can significantly\
    \ reduce the likelihood of adversary activity from credential attacks (e.g., brute\
    \ force, token theft, etc.).\n\nLicense Requirements:\nAll Microsoft Entra ID licenses"
  mapping_type: technique_score
  references:
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
  - https://m365maps.com/files/Entra-ID-All.htm
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: This control provides significant protection against password-based attacks
    by completely obviating the need for passwords, replacing them with passwordless
    credentials.
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: "Microsoft recommends the use of Passwordless authentication. This method\
    \ provides the most secure MFA sign-in process by replacing the password with\
    \ something you have, plus something you are or something you know (e.g., biometrics,\
    \ FIDO2 security keys, Microsoft\u2019s Authenticator app).\n\nWhen combined\
    \ with Conditional Access policies, Passwordless Authentication can significantly\
    \ reduce the likelihood of adversary activity from credential attacks (e.g., brute\
    \ force, token theft, etc.).\n\nLicense Requirements:\nAll Microsoft Entra ID licenses"
  mapping_type: technique_score
  references:
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
  - https://m365maps.com/files/Entra-ID-All.htm
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: This control provides significant protection against password-based attacks
    by completely obviating the need for passwords, replacing them with passwordless
    credentials.
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: "Microsoft recommends the use of Passwordless authentication. This method\
    \ provides the most secure MFA sign-in process by replacing the password with\
    \ something you have, plus something you are or something you know (e.g., biometrics,\
    \ FIDO2 security keys, Microsoft\u2019s Authenticator app).\n\nWhen combined\
    \ with Conditional Access policies, Passwordless Authentication can significantly\
    \ reduce the likelihood of adversary activity from credential attacks (e.g., brute\
    \ force, token theft, etc.).\n\nLicense Requirements:\nAll Microsoft Entra ID licenses"
  mapping_type: technique_score
  references:
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
  - https://m365maps.com/files/Entra-ID-All.htm
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: This control provides significant protection against password-based attacks
    by completely obviating the need for passwords, replacing them with passwordless
    credentials.
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: "Microsoft recommends the use of Passwordless authentication. This method\
    \ provides the most secure MFA sign-in process by replacing the password with\
    \ something you have, plus something you are or something you know (e.g., biometrics,\
    \ FIDO2 security keys, Microsoft\u2019s Authenticator app).\n\nWhen combined\
    \ with Conditional Access policies, Passwordless Authentication can significantly\
    \ reduce the likelihood of adversary activity from credential attacks (e.g., brute\
    \ force, token theft, etc.).\n\nLicense Requirements:\nAll Microsoft Entra ID licenses"
  mapping_type: technique_score
  references:
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
  - https://m365maps.com/files/Entra-ID-All.htm
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: This control provides significant protection against password-based attacks
    by completely obviating the need for passwords, replacing them with passwordless
    credentials.
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: "Microsoft recommends the use of Passwordless authentication. This method\
    \ provides the most secure MFA sign-in process by replacing the password with\
    \ something you have, plus something you are or something you know (e.g., biometrics,\
    \ FIDO2 security keys, Microsoft\u2019s Authenticator app).\n\nWhen combined\
    \ with Conditional Access policies, Passwordless Authentication can significantly\
    \ reduce the likelihood of adversary activity (e.g., account creation,\
    \ etc.).\n\nLicense Requirements:\nAll Microsoft Entra ID licenses"
  mapping_type: technique_score
  references:
  - https://m365maps.com/files/Entra-ID-All.htm
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
  related_score: T1136
  score_category: protect
  score_value: significant
- attack_object_id: T1531
  attack_object_name: Account Access Removal
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: "Microsoft recommends the use of Passwordless authentication. This method\
    \ provides the most secure MFA sign-in process by replacing the password with\
    \ something you have, plus something you are or something you know (e.g., biometrics,\
    \ FIDO2 security keys, Microsoft\u2019s Authenticator app).\n\nWhen combined\
    \ with Conditional Access policies, Passwordless Authentication can significantly\
    \ reduce the likelihood of adversary activity (e.g., account creation, account\
    \ deletion, etc.).\n\nLicense Requirements:\nAll Microsoft Entra ID licenses"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984
  - https://m365maps.com/files/Entra-ID-All.htm
  score_category: protect
  score_value: significant
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: Passwordless Authentication
  capability_group: entra-id
  capability_id: EID-PWLA-E3
  comments: "Microsoft recommends the use of Passwordless authentication. This method\
    \ provides the most secure MFA sign-in process by replacing the password with\
    \ something you have, plus something you are or something you know (e.g., biometrics,\
    \ FIDO2 security keys, Microsoft\u2019s Authenticator app).\n\nWhen combined\
    \ with Conditional Access policies, Passwordless Authentication can significantly\
    \ reduce the likelihood of adversary activity from credential attacks (e.g., token\
    \ theft, etc.).\n\nLicense Requirements:\nAll Microsoft Entra ID licenses"
  mapping_type: technique_score
  references:
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124
  - https://m365maps.com/files/Entra-ID-All.htm
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods
  score_category: protect
  score_value: significant
- attack_object_id: T1021.008
  attack_object_name: Direct Cloud VM Connections
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: As this technique involves the use of Valid Accounts, Defender's behavioral
    analytics and Conditional Access can also lead to the detection of Direct Cloud
    VM Connections.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/tutorial-suspicious-activity
  - https://learn.microsoft.com/en-us/defender-cloud-apps/manage-admins
  - https://learn.microsoft.com/en-us/defender-cloud-apps/conditional-access-app-control-how-to-overview
  related_score: T1021
  score_category: detect
  score_value: partial
- attack_object_id: T1021.008
  attack_object_name: Direct Cloud VM Connections
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: As this technique involves the use of Valid Accounts, Entra ID Protection's
    partial detection of the use of Valid Accounts for malicious purposes can also
    lead to the detection of Direct Cloud VM Connections.
  mapping_type: technique_score
  references: []
  related_score: T1021
  score_category: detect
  score_value: partial
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: This control provides partial detection for some of this technique's sub-techniques
    and procedure examples, resulting in an overall Partial detection score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328
  score_category: detect
  score_value: partial
- attack_object_id: T1078.002
  attack_object_name: Domain Accounts
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: 'When Azure Active Directory (AAD) Federation is configured for a tenant,
    an adversary that compromises a domain credential can use it to access (Azure)
    cloud resources. Identity Protection supports applying its risk detections (e.g.,
    Anonymous IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in
    properties, etc.) to federated identities, thereby providing detection coverage
    for this risk. Because this detection is specific to an adversary utilizing valid
    domain credentials to access cloud resources and does not detect the usage of valid
    domain credentials to access on-premises resources, this detection has been scored
    as Partial.


    The temporal factor of this control''s detection is low because, although there
    are some real-time detections, most are offline detections (multi-day).'
  mapping_type: technique_score
  references: []
  related_score: T1078
  score_category: detect
  score_value: partial
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: 'This control provides risk detections that can be used to detect suspicious
    uses of valid accounts, e.g., Anonymous IP address, Atypical travel, Malware
    linked IP address, Unfamiliar sign-in properties, etc. Microsoft utilizes machine
    learning and heuristic systems to reduce the false positive rate, but there will
    still be false positives.

    The temporal factor of this control''s detection is low because, although there
    are some real-time detections, most are offline detections (multi-day).'
  mapping_type: technique_score
  references: []
  related_score: T1078
  score_category: detect
  score_value: partial
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: 'Response Type:  Eradication

    Supports blocking and resetting the user''s credentials based on the detection
    of a risky user/sign-in manually and also supports automation via its user and
    sign-in risk policies.'
  mapping_type: technique_score
  references: []
  related_score: T1078
  score_category: respond
  score_value: significant
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: "Microsoft Entra ID Protection helps organizations detect, investigate,\
    \ and remediate identity-based risks. These identity-based risks can be further\
    \ fed into tools like Conditional Access to make access decisions or fed back\
    \ to a security information and event management (SIEM) tool for further investigation\
    \ and correlation. Identity Protection requires users to be a Security Reader,\
    \ Security Operator, Security Administrator, Global Reader, or Global Administrator\
    \ in order to access the dashboard.\n\nLicense Requirements:\nMicrosoft Entra ID\
    \ P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  score_category: protect
  score_value: significant
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: "Microsoft Entra ID Protection helps organizations detect, investigate,\
    \ and remediate identity-based risks. These identity-based risks can be further\
    \ fed into tools like Conditional Access to make access decisions or fed back\
    \ to a security information and event management (SIEM) tool for further investigation\
    \ and correlation. Identity Protection requires users to be a Security Reader, Security\
    \ Operator, Security Administrator, Global Reader, or Global Administrator in\
    \ order to access the dashboard. \n\nRisk-based Conditional Access policies can\
    \ be enabled to require access controls such as providing a strong authentication\
    \ method, perform multi-factor authentication, or perform a secure password reset\
    \ based on the detected risk level. If the user successfully completes the access\
    \ control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft\
    \ Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  related_score: T1098
  score_category: protect
  score_value: partial
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: "Microsoft Entra ID Protection helps organizations detect, investigate,\
    \ and remediate identity-based risks. These identity-based risks can be further\
    \ fed into tools like Conditional Access to make access decisions or fed back\
    \ to a security information and event management (SIEM) tool for further investigation\
    \ and correlation. Identity Protection requires users to be a Security Reader, Security\
    \ Operator, Security Administrator, Global Reader, or Global Administrator in\
    \ order to access the dashboard. \n\nRisk-based Conditional Access policies can\
    \ be enabled to require access controls such as providing a strong authentication\
    \ method, perform multi-factor authentication, or perform a secure password reset\
    \ based on the detected risk level. If the user successfully completes the access\
    \ control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft\
    \ Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  related_score: T1098
  score_category: detect
  score_value: significant
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: This control provides Minimal detection for one of this technique's sub-techniques
    while providing no detection for the remaining sub-techniques, resulting in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328
  score_category: detect
  score_value: minimal
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: Provides significant response capabilities for one of this technique's
    sub-techniques (Password Spray). Because this capability is specific to that one
    sub-technique and does not cover the remaining sub-techniques, the coverage score
    is Minimal, resulting in an overall Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328
  score_category: respond
  score_value: minimal
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: "Microsoft Entra ID Protection helps organizations detect, investigate,\
    \ and remediate identity-based risks. These identity-based risks can be further\
    \ fed into tools like Conditional Access to make access decisions or fed back\
    \ to a security information and event management (SIEM) tool for further investigation\
    \ and correlation. During each sign-in, Identity Protection runs all real-time\
    \ sign-in detections generating a sign-in session risk level, indicating how likely\
    \ the sign-in has been compromised. Based on this risk level, policies are then\
    \ applied to protect the user and the organization. \n\nRisk-based Conditional\
    \ Access policies can be enabled to require access controls such as providing\
    \ a strong authentication method, perform multi-factor authentication, or perform\
    \ a secure password reset based on the detected risk level. If the user successfully\
    \ completes the access control, the risk is automatically remediated.\n\nLicense\
    \ Requirements: \nMicrosoft Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  score_category: protect
  score_value: partial
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: "Microsoft Entra ID Protection helps organizations detect, investigate,\
    \ and remediate identity-based risks. These identity-based risks can be further\
    \ fed into tools like Conditional Access to make access decisions or fed back\
    \ to a security information and event management (SIEM) tool for further investigation\
    \ and correlation. During each sign-in, Identity Protection runs all real-time\
    \ sign-in detections generating a sign-in session risk level, indicating how likely\
    \ the sign-in has been compromised. Based on this risk level, policies are then\
    \ applied to protect the user and the organization. \n\nRisk-based Conditional\
    \ Access policies can be enabled to require access controls such as providing\
    \ a strong authentication method, perform multi-factor authentication, or perform\
    \ a secure password reset based on the detected risk level. If the user successfully\
    \ completes the access control, the risk is automatically remediated.\n\nLicense\
    \ Requirements: \nMicrosoft Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: "Microsoft Entra ID Protection helps organizations detect, investigate,\
    \ and remediate identity-based risks. These identity-based risks can be further\
    \ fed into tools like Conditional Access to make access decisions or fed back\
    \ to a security information and event management (SIEM) tool for further investigation\
    \ and correlation. During each sign-in, Identity Protection runs all real-time\
    \ sign-in detections generating a sign-in session risk level, indicating how likely\
    \ the sign-in has been compromised. Based on this risk level, policies are then\
    \ applied to protect the user and the organization. \n\nRisk-based Conditional\
    \ Access policies can be enabled to require access controls such as providing\
    \ a strong authentication method, perform multi-factor authentication, or perform\
    \ a secure password reset based on the detected risk level. If the user successfully\
    \ completes the access control, the risk is automatically remediated.\n\nLicense\
    \ Requirements: \nMicrosoft Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: This control specifically provides detection of Password Spray attacks
    for Azure Active Directory accounts. Microsoft documentation states that this
    detection is based on a machine learning algorithm that has been improved, with
    the latest improvement yielding a 100 percent increase in recall and 98 percent
    precision. The temporal factor for this detection is Partial because its detection
    is described as offline (i.e. detections may not show up in reporting for two
    to twenty-four hours).
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: detect
  score_value: partial
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: 'Response Type:  Eradication

    Supports manually blocking and resetting the user''s credentials based on the
    detection of a risky user/sign-in (such as a Password Spray attack), and also
    supports automation via its user and sign-in risk policies.'
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: respond
  score_value: significant
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: "Microsoft Entra ID Protection helps organizations detect, investigate,\
    \ and remediate identity-based risks. These identity-based risks can be further\
    \ fed into tools like Conditional Access to make access decisions or fed back\
    \ to a security information and event management (SIEM) tool for further investigation\
    \ and correlation. During each sign-in, Identity Protection runs all real-time\
    \ sign-in detections generating a sign-in session risk level, indicating how likely\
    \ the sign-in has been compromised. Based on this risk level, policies are then\
    \ applied to protect the user and the organization. \n\nRisk-based Conditional\
    \ Access policies can be enabled to require access controls such as providing\
    \ a strong authentication method, perform multi-factor authentication, or perform\
    \ a secure password reset based on the detected risk level. If the user successfully\
    \ completes the access control, the risk is automatically remediated.\n\nLicense\
    \ Requirements: \nMicrosoft Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: "Microsoft Entra ID Protection helps organizations detect, investigate,\
    \ and remediate identity-based risks. These identity-based risks can be further\
    \ fed into tools like Conditional Access to make access decisions or fed back\
    \ to a security information and event management (SIEM) tool for further investigation\
    \ and correlation. During each sign-in, Identity Protection runs all real-time\
    \ sign-in detections generating a sign-in session risk level, indicating how likely\
    \ the sign-in has been compromised. Based on this risk level, policies are then\
    \ applied to protect the user and the organization. \n\nRisk-based Conditional\
    \ Access policies can be enabled to require access controls such as providing\
    \ a strong authentication method, perform multi-factor authentication, or perform\
    \ a secure password reset based on the detected risk level. If the user successfully\
    \ completes the access control, the risk is automatically remediated.\n\nLicense\
    \ Requirements: \nMicrosoft Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: "During each sign-in, Identity Protection runs all real-time sign-in detections\
    \ generating a sign-in session risk level, indicating how likely the sign-in has\
    \ been compromised. Based on this risk level, policies are then applied to protect\
    \ the user and the organization.\n\nRisk-based Conditional Access policies can\
    \ be enabled to require access controls such as providing a strong authentication\
    \ method, perform multi-factor authentication, or perform a secure password reset\
    \ based on the detected risk level. If the user successfully completes the access\
    \ control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft\
    \ Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  score_category: protect
  score_value: minimal
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: "During each sign-in, Identity Protection runs all real-time sign-in detections\
    \ generating a sign-in session risk level, indicating how likely the sign-in has\
    \ been compromised. Based on this risk level, policies are then applied to protect\
    \ the user and the organization.\n\nRisk-based Conditional Access policies can\
    \ be enabled to require access controls such as providing a strong authentication\
    \ method, perform multi-factor authentication, or perform a secure password reset\
    \ based on the detected risk level. If the user successfully completes the access\
    \ control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft\
    \ Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  related_score: T1556
  score_category: protect
  score_value: significant
- attack_object_id: T1586.003
  attack_object_name: Cloud Accounts
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: "Cloud accounts should have complex and unique passwords across all systems\
    \ on the network. Microsoft Entra ID Protection helps organizations detect, investigate,\
    \ and remediate identity-based risks. These identity-based risks can be further\
    \ fed into tools like Conditional Access to make access decisions or fed back\
    \ to a security information and event management (SIEM) tool for further investigation\
    \ and correlation. During each sign-in, Identity Protection runs all real-time\
    \ sign-in detections generating a sign-in session risk level, indicating how likely\
    \ the sign-in has been compromised. Based on this risk level, policies are then\
    \ applied to protect the user and the organization.\n\nLicense Requirements: \n\
    Microsoft Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  related_score: T1586
  score_category: protect
  score_value: partial
- attack_object_id: T1621
  attack_object_name: Multi-Factor Authentication Request Generation
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: "During each sign-in, Identity Protection runs all real-time sign-in detections\
    \ generating a sign-in session risk level, indicating how likely the sign-in has\
    \ been compromised. Based on this risk level, policies are then applied to protect\
    \ the user and the organization.\n\nRisk-based Conditional Access policies can\
    \ be enabled to require access controls such as providing a strong authentication\
    \ method, perform multi-factor authentication, or perform a secure password reset\
    \ based on the detected risk level. If the user successfully completes the access\
    \ control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft\
    \ Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  score_category: protect
  score_value: significant
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: This control can be effective at detecting forged web credentials because
    it uses environmental properties (e.g. IP address, device info, etc.) to detect
    risky users and sign-ins even when valid credentials are used. It provides
    partial coverage of this technique's sub-techniques and has therefore been assessed
    a Partial score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328
  score_category: detect
  score_value: partial
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: Provides Significant response capabilities for one of this technique's
    sub-techniques (SAML tokens).
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk
  - https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection
  - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328
  score_category: respond
  score_value: partial
- attack_object_id: T1606.002
  attack_object_name: SAML Tokens
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: This control supports detecting risky sign-ins and users that involve
    federated users, and therefore can potentially alert on this activity. Not all
    alert types for this control support federated accounts; therefore, the detection
    coverage for this technique is partial.
  mapping_type: technique_score
  references: []
  related_score: T1606
  score_category: detect
  score_value: partial
- attack_object_id: T1606.002
  attack_object_name: SAML Tokens
  capability_description: ID Protection
  capability_group: entra-id
  capability_id: EID-IDPR-E5
  comments: 'Response Type:  Eradication

    Supports blocking and resetting the user''s credentials based on the detection
    of a risky user/sign-in manually and also supports automation via its user and
    sign-in risk policies.'
  mapping_type: technique_score
  references: []
  related_score: T1606
  score_category: respond
  score_value: significant
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: Antimalware
  capability_group: eop
  capability_id: EOP-AMW-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against malware by EOP. Some of the
    major categories of malware are:


    Viruses that infect other programs and data, and spread through your computer
    or network looking for programs to infect.

    Spyware that gathers your personal information, such as sign-in information and
    personal data, and sends it back to its author.

    Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware
    software doesn''t help you decrypt encrypted files, but it can detect the malware
    payload that''s associated with the ransomware.

    EOP offers multi-layered malware protection that''s designed to catch all known
    malware in Windows, Linux, and Mac that travels into or out of your organization.
    The following options help provide anti-malware protection:


    Layered defenses against malware: Multiple anti-malware scan engines help protect
    against both known and unknown threats. These engines include powerful heuristic
    detection to provide protection even during the early stages of a malware outbreak.
    This multi-engine approach has been shown to provide significantly more protection
    than using just one anti-malware engine.

    Real-time threat response: During some outbreaks, the anti-malware team might
    have enough information about a virus or other form of malware to write sophisticated
    policy rules that detect the threat, even before a definition is available from
    any of the scan engines used by the service. These rules are published to the
    global network every 2 hours to provide your organization with an extra layer
    of protection against attacks.

    Fast anti-malware definition deployment: The anti-malware team maintains close
    relationships with partners who develop anti-malware engines. As a result, the
    service can receive and integrate malware definitions and patches before they''re
    publicly released. Our connection with these partners often allows us to develop
    our own remedies as well. The service checks for updated definitions for all anti-malware
    engines every hour.


    License Requirements: M365 E3 or Microsoft Defender for Office plan 1. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  score_category: protect
  score_value: significant
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Antimalware
  capability_group: eop
  capability_id: EOP-AMW-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against malware by EOP. Some of the
    major categories of malware are:


    Viruses that infect other programs and data, and spread through your computer
    or network looking for programs to infect.

    Spyware that gathers your personal information, such as sign-in information and
    personal data, and sends it back to its author.

    Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware
    software doesn''t help you decrypt encrypted files, but it can detect the malware
    payload that''s associated with the ransomware.

    EOP offers multi-layered malware protection that''s designed to catch all known
    malware in Windows, Linux, and Mac that travels into or out of your organization.
    The following options help provide anti-malware protection:


    Layered defenses against malware: Multiple anti-malware scan engines help protect
    against both known and unknown threats. These engines include powerful heuristic
    detection to provide protection even during the early stages of a malware outbreak.
    This multi-engine approach has been shown to provide significantly more protection
    than using just one anti-malware engine.

    Real-time threat response: During some outbreaks, the anti-malware team might
    have enough information about a virus or other form of malware to write sophisticated
    policy rules that detect the threat, even before a definition is available from
    any of the scan engines used by the service. These rules are published to the
    global network every 2 hours to provide your organization with an extra layer
    of protection against attacks.

    Fast anti-malware definition deployment: The anti-malware team maintains close
    relationships with partners who develop anti-malware engines. As a result, the
    service can receive and integrate malware definitions and patches before they''re
    publicly released. Our connection with these partners often allows us to develop
    our own remedies as well. The service checks for updated definitions for all anti-malware
    engines every hour.


    License Requirements: M365 E3 or Microsoft Defender for Office plan 1. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  score_category: protect
  score_value: significant
- attack_object_id: T1036.007
  attack_object_name: Double File Extension
  capability_description: Antimalware
  capability_group: eop
  capability_id: EOP-AMW-E3
  comments: M365's Antimalware capability can be used to block specified file types
    from executing. This can be configured to block only nonessential file types (such
    as .exe files), which could prevent files with double extensions from being opened.
    However, this does not address the technique as a whole.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  related_score: T1036
  score_category: protect
  score_value: minimal
- attack_object_id: T1036.010
  attack_object_name: Masquerade Account Name
  capability_description: Antimalware
  capability_group: eop
  capability_id: EOP-AMW-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against malware by EOP. Some of the
    major categories of malware are:


    Viruses that infect other programs and data, and spread through your computer
    or network looking for programs to infect.

    Spyware that gathers your personal information, such as sign-in information and
    personal data, and sends it back to its author.

    Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware
    software doesn''t help you decrypt encrypted files, but it can detect the malware
    payload that''s associated with the ransomware.

    EOP offers multi-layered malware protection that''s designed to catch all known
    malware in Windows, Linux, and Mac that travels into or out of your organization.
    The following options help provide anti-malware protection:


    Layered defenses against malware: Multiple anti-malware scan engines help protect
    against both known and unknown threats. These engines include powerful heuristic
    detection to provide protection even during the early stages of a malware outbreak.
    This multi-engine approach has been shown to provide significantly more protection
    than using just one anti-malware engine.

    Real-time threat response: During some outbreaks, the anti-malware team might
    have enough information about a virus or other form of malware to write sophisticated
    policy rules that detect the threat, even before a definition is available from
    any of the scan engines used by the service. These rules are published to the
    global network every 2 hours to provide your organization with an extra layer
    of protection against attacks.

    Fast anti-malware definition deployment: The anti-malware team maintains close
    relationships with partners who develop anti-malware engines. As a result, the
    service can receive and integrate malware definitions and patches before they''re
    publicly released. Our connection with these partners often allows us to develop
    our own remedies as well. The service checks for updated definitions for all anti-malware
    engines every hour.


    License Requirements: M365 E3 or Microsoft Defender for Office plan 1. '
  mapping_type: technique_score
  references: []
  related_score: T1036
  score_category: protect
  score_value: significant
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Antimalware
  capability_group: eop
  capability_id: EOP-AMW-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against malware by EOP. Some of the
    major categories of malware are:


    Viruses that infect other programs and data, and spread through your computer
    or network looking for programs to infect.

    Spyware that gathers your personal information, such as sign-in information and
    personal data, and sends it back to its author.

    Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware
    software doesn''t help you decrypt encrypted files, but it can detect the malware
    payload that''s associated with the ransomware.

    EOP offers multi-layered malware protection that''s designed to catch all known
    malware in Windows, Linux, and Mac that travels into or out of your organization.
    The following options help provide anti-malware protection:


    Layered defenses against malware: Multiple anti-malware scan engines help protect
    against both known and unknown threats. These engines include powerful heuristic
    detection to provide protection even during the early stages of a malware outbreak.
    This multi-engine approach has been shown to provide significantly more protection
    than using just one anti-malware engine.

    Real-time threat response: During some outbreaks, the anti-malware team might
    have enough information about a virus or other form of malware to write sophisticated
    policy rules that detect the threat, even before a definition is available from
    any of the scan engines used by the service. These rules are published to the
    global network every 2 hours to provide your organization with an extra layer
    of protection against attacks.

    Fast anti-malware definition deployment: The anti-malware team maintains close
    relationships with partners who develop anti-malware engines. As a result, the
    service can receive and integrate malware definitions and patches before they''re
    publicly released. Our connection with these partners often allows us to develop
    our own remedies as well. The service checks for updated definitions for all anti-malware
    engines every hour.


    License Requirements: M365 E3 or Microsoft Defender for Office plan 1. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  score_category: protect
  score_value: significant
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: Antimalware
  capability_group: eop
  capability_id: EOP-AMW-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against malware by EOP. Some of the
    major categories of malware are:


    Viruses that infect other programs and data, and spread through your computer
    or network looking for programs to infect.

    Spyware that gathers your personal information, such as sign-in information and
    personal data, and sends it back to its author.

    Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware
    software doesn''t help you decrypt encrypted files, but it can detect the malware
    payload that''s associated with the ransomware.

    EOP offers multi-layered malware protection that''s designed to catch known
    malware for Windows, Linux, and Mac in email that travels into or out of your
    organization. Note that this control only inspects mail transiting EOP; it does
    not cover payloads delivered through other channels, and signature- and
    heuristic-based scanning is not a guarantee against novel or deliberately
    evasive payloads. The following options help provide anti-malware protection:


    Layered defenses against malware: Multiple anti-malware scan engines help protect
    against both known and unknown threats. These engines include powerful heuristic
    detection to provide protection even during the early stages of a malware outbreak.
    This multi-engine approach has been shown to provide significantly more protection
    than using just one anti-malware engine.

    Real-time threat response: During some outbreaks, the anti-malware team might
    have enough information about a virus or other form of malware to write sophisticated
    policy rules that detect the threat, even before a definition is available from
    any of the scan engines used by the service. These rules are published to the
    global network every 2 hours to provide your organization with an extra layer
    of protection against attacks.

    Fast anti-malware definition deployment: The anti-malware team maintains close
    relationships with partners who develop anti-malware engines. As a result, the
    service can receive and integrate malware definitions and patches before they''re
    publicly released. Our connection with these partners often allows us to develop
    our own remedies as well. The service checks for updated definitions for all anti-malware
    engines every hour.


    License Requirements: M365 E3 or Microsoft Defender for Office plan 1. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  related_score: T1059
  score_category: protect
  score_value: significant
- attack_object_id: T1059.006
  attack_object_name: Python
  capability_description: Antimalware
  capability_group: eop
  capability_id: EOP-AMW-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against malware by EOP. Some of the
    major categories of malware are:


    Viruses that infect other programs and data, and spread through your computer
    or network looking for programs to infect.

    Spyware that gathers your personal information, such as sign-in information and
    personal data, and sends it back to its author.

    Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware
    software doesn''t help you decrypt encrypted files, but it can detect the malware
    payload that''s associated with the ransomware.

    EOP offers multi-layered malware protection that''s designed to catch known
    malware for Windows, Linux, and Mac in email that travels into or out of your
    organization. Note that this control only inspects mail transiting EOP; it does
    not cover payloads delivered through other channels, and signature- and
    heuristic-based scanning is not a guarantee against novel or deliberately
    evasive payloads. The following options help provide anti-malware protection:


    Layered defenses against malware: Multiple anti-malware scan engines help protect
    against both known and unknown threats. These engines include powerful heuristic
    detection to provide protection even during the early stages of a malware outbreak.
    This multi-engine approach has been shown to provide significantly more protection
    than using just one anti-malware engine.

    Real-time threat response: During some outbreaks, the anti-malware team might
    have enough information about a virus or other form of malware to write sophisticated
    policy rules that detect the threat, even before a definition is available from
    any of the scan engines used by the service. These rules are published to the
    global network every 2 hours to provide your organization with an extra layer
    of protection against attacks.

    Fast anti-malware definition deployment: The anti-malware team maintains close
    relationships with partners who develop anti-malware engines. As a result, the
    service can receive and integrate malware definitions and patches before they''re
    publicly released. Our connection with these partners often allows us to develop
    our own remedies as well. The service checks for updated definitions for all anti-malware
    engines every hour.


    License Requirements: M365 E3 or Microsoft Defender for Office plan 1. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  related_score: T1059
  score_category: protect
  score_value: significant
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Antimalware
  capability_group: eop
  capability_id: EOP-AMW-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against malware by EOP. Some of the
    major categories of malware are:


    Viruses that infect other programs and data, and spread through your computer
    or network looking for programs to infect.

    Spyware that gathers your personal information, such as sign-in information and
    personal data, and sends it back to its author.

    Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware
    software doesn''t help you decrypt encrypted files, but it can detect the malware
    payload that''s associated with the ransomware.

    EOP offers multi-layered malware protection that''s designed to catch known
    malware for Windows, Linux, and Mac in email that travels into or out of your
    organization. Note that this control only inspects mail transiting EOP; it does
    not cover payloads delivered through other channels, and signature- and
    heuristic-based scanning is not a guarantee against novel or deliberately
    evasive payloads. The following options help provide anti-malware protection:


    Layered defenses against malware: Multiple anti-malware scan engines help protect
    against both known and unknown threats. These engines include powerful heuristic
    detection to provide protection even during the early stages of a malware outbreak.
    This multi-engine approach has been shown to provide significantly more protection
    than using just one anti-malware engine.

    Real-time threat response: During some outbreaks, the anti-malware team might
    have enough information about a virus or other form of malware to write sophisticated
    policy rules that detect the threat, even before a definition is available from
    any of the scan engines used by the service. These rules are published to the
    global network every 2 hours to provide your organization with an extra layer
    of protection against attacks.

    Fast anti-malware definition deployment: The anti-malware team maintains close
    relationships with partners who develop anti-malware engines. As a result, the
    service can receive and integrate malware definitions and patches before they''re
    publicly released. Our connection with these partners often allows us to develop
    our own remedies as well. The service checks for updated definitions for all anti-malware
    engines every hour.


    License Requirements: M365 E3 or Microsoft Defender for Office plan 1. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  related_score: T1059
  score_category: protect
  score_value: significant
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: Antimalware
  capability_group: eop
  capability_id: EOP-AMW-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against malware by EOP. Some of the
    major categories of malware are:


    Viruses that infect other programs and data, and spread through your computer
    or network looking for programs to infect.

    Spyware that gathers your personal information, such as sign-in information and
    personal data, and sends it back to its author.

    Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware
    software doesn''t help you decrypt encrypted files, but it can detect the malware
    payload that''s associated with the ransomware.

    EOP offers multi-layered malware protection that''s designed to catch known
    malware for Windows, Linux, and Mac in email that travels into or out of your
    organization. Note that this control only inspects mail transiting EOP; it does
    not cover payloads delivered through other channels, and signature- and
    heuristic-based scanning is not a guarantee against novel or deliberately
    evasive payloads. The following options help provide anti-malware protection:


    Layered defenses against malware: Multiple anti-malware scan engines help protect
    against both known and unknown threats. These engines include powerful heuristic
    detection to provide protection even during the early stages of a malware outbreak.
    This multi-engine approach has been shown to provide significantly more protection
    than using just one anti-malware engine.

    Real-time threat response: During some outbreaks, the anti-malware team might
    have enough information about a virus or other form of malware to write sophisticated
    policy rules that detect the threat, even before a definition is available from
    any of the scan engines used by the service. These rules are published to the
    global network every 2 hours to provide your organization with an extra layer
    of protection against attacks.

    Fast anti-malware definition deployment: The anti-malware team maintains close
    relationships with partners who develop anti-malware engines. As a result, the
    service can receive and integrate malware definitions and patches before they''re
    publicly released. Our connection with these partners often allows us to develop
    our own remedies as well. The service checks for updated definitions for all anti-malware
    engines every hour.


    License Requirements: M365 E3 or Microsoft Defender for Office plan 1. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  score_category: protect
  score_value: significant
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Antimalware
  capability_group: eop
  capability_id: EOP-AMW-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against malware by EOP. Some of the
    major categories of malware are:


    Viruses that infect other programs and data, and spread through your computer
    or network looking for programs to infect.

    Spyware that gathers your personal information, such as sign-in information and
    personal data, and sends it back to its author.

    Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware
    software doesn''t help you decrypt encrypted files, but it can detect the malware
    payload that''s associated with the ransomware.

    EOP offers multi-layered malware protection that''s designed to catch known
    malware for Windows, Linux, and Mac in email that travels into or out of your
    organization. Note that this control only inspects mail transiting EOP; it does
    not cover payloads delivered through other channels, and signature- and
    heuristic-based scanning is not a guarantee against novel or deliberately
    evasive payloads. The following options help provide anti-malware protection:


    Layered defenses against malware: Multiple anti-malware scan engines help protect
    against both known and unknown threats. These engines include powerful heuristic
    detection to provide protection even during the early stages of a malware outbreak.
    This multi-engine approach has been shown to provide significantly more protection
    than using just one anti-malware engine.

    Real-time threat response: During some outbreaks, the anti-malware team might
    have enough information about a virus or other form of malware to write sophisticated
    policy rules that detect the threat, even before a definition is available from
    any of the scan engines used by the service. These rules are published to the
    global network every 2 hours to provide your organization with an extra layer
    of protection against attacks.

    Fast anti-malware definition deployment: The anti-malware team maintains close
    relationships with partners who develop anti-malware engines. As a result, the
    service can receive and integrate malware definitions and patches before they''re
    publicly released. Our connection with these partners often allows us to develop
    our own remedies as well. The service checks for updated definitions for all anti-malware
    engines every hour.


    License Requirements: M365 E3 or Microsoft Defender for Office plan 1. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  score_category: protect
  score_value: significant
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Antimalware
  capability_group: eop
  capability_id: EOP-AMW-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against malware by EOP. Some of the
    major categories of malware are:


    Viruses that infect other programs and data, and spread through your computer
    or network looking for programs to infect.

    Spyware that gathers your personal information, such as sign-in information and
    personal data, and sends it back to its author.

    Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware
    software doesn''t help you decrypt encrypted files, but it can detect the malware
    payload that''s associated with the ransomware.

    EOP offers multi-layered malware protection that''s designed to catch known
    malware for Windows, Linux, and Mac in email that travels into or out of your
    organization. Note that this control only inspects mail transiting EOP; it does
    not cover payloads delivered through other channels, and signature- and
    heuristic-based scanning is not a guarantee against novel or deliberately
    evasive payloads. The following options help provide anti-malware protection:


    Layered defenses against malware: Multiple anti-malware scan engines help protect
    against both known and unknown threats. These engines include powerful heuristic
    detection to provide protection even during the early stages of a malware outbreak.
    This multi-engine approach has been shown to provide significantly more protection
    than using just one anti-malware engine.

    Real-time threat response: During some outbreaks, the anti-malware team might
    have enough information about a virus or other form of malware to write sophisticated
    policy rules that detect the threat, even before a definition is available from
    any of the scan engines used by the service. These rules are published to the
    global network every 2 hours to provide your organization with an extra layer
    of protection against attacks.

    Fast anti-malware definition deployment: The anti-malware team maintains close
    relationships with partners who develop anti-malware engines. As a result, the
    service can receive and integrate malware definitions and patches before they''re
    publicly released. Our connection with these partners often allows us to develop
    our own remedies as well. The service checks for updated definitions for all anti-malware
    engines every hour.


    License Requirements: M365 E3 or Microsoft Defender for Office plan 1. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  related_score: T1204
  score_category: protect
  score_value: significant
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Antimalware
  capability_group: eop
  capability_id: EOP-AMW-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against malware by EOP. Some of the
    major categories of malware are:


    Viruses that infect other programs and data, and spread through your computer
    or network looking for programs to infect.

    Spyware that gathers your personal information, such as sign-in information and
    personal data, and sends it back to its author.

    Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware
    software doesn''t help you decrypt encrypted files, but it can detect the malware
    payload that''s associated with the ransomware.

    EOP offers multi-layered malware protection that''s designed to catch known
    malware for Windows, Linux, and Mac in email that travels into or out of your
    organization. Note that this control only inspects mail transiting EOP; it does
    not cover payloads delivered through other channels, and signature- and
    heuristic-based scanning is not a guarantee against novel or deliberately
    evasive payloads. The following options help provide anti-malware protection:


    Layered defenses against malware: Multiple anti-malware scan engines help protect
    against both known and unknown threats. These engines include powerful heuristic
    detection to provide protection even during the early stages of a malware outbreak.
    This multi-engine approach has been shown to provide significantly more protection
    than using just one anti-malware engine.

    Real-time threat response: During some outbreaks, the anti-malware team might
    have enough information about a virus or other form of malware to write sophisticated
    policy rules that detect the threat, even before a definition is available from
    any of the scan engines used by the service. These rules are published to the
    global network every 2 hours to provide your organization with an extra layer
    of protection against attacks.

    Fast anti-malware definition deployment: The anti-malware team maintains close
    relationships with partners who develop anti-malware engines. As a result, the
    service can receive and integrate malware definitions and patches before they''re
    publicly released. Our connection with these partners often allows us to develop
    our own remedies as well. The service checks for updated definitions for all anti-malware
    engines every hour.


    License Requirements: M365 E3 or Microsoft Defender for Office plan 1. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  score_category: protect
  score_value: significant
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Antimalware
  capability_group: eop
  capability_id: EOP-AMW-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against malware by EOP. Some of the
    major categories of malware are:


    Viruses that infect other programs and data, and spread through your computer
    or network looking for programs to infect.

    Spyware that gathers your personal information, such as sign-in information and
    personal data, and sends it back to its author.

    Ransomware that encrypts your data and demands payment to decrypt it. Anti-malware
    software doesn''t help you decrypt encrypted files, but it can detect the malware
    payload that''s associated with the ransomware.

    EOP offers multi-layered malware protection that''s designed to catch known
    malware for Windows, Linux, and Mac in email that travels into or out of your
    organization. Note that this control only inspects mail transiting EOP; it does
    not cover payloads delivered through other channels, and signature- and
    heuristic-based scanning is not a guarantee against novel or deliberately
    evasive payloads. The following options help provide anti-malware protection:


    Layered defenses against malware: Multiple anti-malware scan engines help protect
    against both known and unknown threats. These engines include powerful heuristic
    detection to provide protection even during the early stages of a malware outbreak.
    This multi-engine approach has been shown to provide significantly more protection
    than using just one anti-malware engine.

    Real-time threat response: During some outbreaks, the anti-malware team might
    have enough information about a virus or other form of malware to write sophisticated
    policy rules that detect the threat, even before a definition is available from
    any of the scan engines used by the service. These rules are published to the
    global network every 2 hours to provide your organization with an extra layer
    of protection against attacks.

    Fast anti-malware definition deployment: The anti-malware team maintains close
    relationships with partners who develop anti-malware engines. As a result, the
    service can receive and integrate malware definitions and patches before they''re
    publicly released. Our connection with these partners often allows us to develop
    our own remedies as well. The service checks for updated definitions for all anti-malware
    engines every hour.


    License Requirements: M365 E3 or Microsoft Defender for Office plan 1. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  related_score: T1566
  score_category: protect
  score_value: significant
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: Quarantine Policies
  capability_group: m365-defender
  capability_id: DEF-QUAR-E3
  comments: "In Exchange Online Protection (EOP) and Microsoft Defender for Office\
    \ 365, quarantine policies allow admins to define the user experience for quarantined\
    \ messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity\
    \ with quarantine messages based on why the message was quarantined. For example,\
    \ users can view and release messages that were quarantined as spam or bulk, but\
    \ they can't view or release messages that were quarantined as high confidence\
    \ phishing or malware.\n\nQuarantine policies apply to items tagged by the anti-malware\
    \ and anti-phishing \u201CResponse\u201D actions, and to files quarantined as malware\
    \ by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. Because the\
    \ assigned policy decides whether users may preview or release quarantined items,\
    \ a policy that grants users release rights for malware or phishing verdicts\
    \ weakens this control; review which policy is assigned to each verdict.\n\nLicense requirements: M365 E3 (or Defender for Office\
    \ plan 1)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://security.microsoft.com/quarantinePolicies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy
  score_category: respond
  score_value: significant
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Quarantine Policies
  capability_group: m365-defender
  capability_id: DEF-QUAR-E3
  comments: "In Exchange Online Protection (EOP) and Microsoft Defender for Office\
    \ 365, quarantine policies allow admins to define the user experience for quarantined\
    \ messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity\
    \ with quarantine messages based on why the message was quarantined. For example,\
    \ users can view and release messages that were quarantined as spam or bulk, but\
    \ they can't view or release messages that were quarantined as high confidence\
    \ phishing or malware.\n\nQuarantine policies apply to items tagged by the anti-malware\
    \ and anti-phishing \u201CResponse\u201D actions, and to files quarantined as malware\
    \ by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. Because the\
    \ assigned policy decides whether users may preview or release quarantined items,\
    \ a policy that grants users release rights for malware or phishing verdicts\
    \ weakens this control; review which policy is assigned to each verdict.\n\nLicense requirements: M365 E3 (or Defender for Office\
    \ plan 1)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://security.microsoft.com/quarantinePolicies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy
  score_category: respond
  score_value: significant
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: Quarantine Policies
  capability_group: m365-defender
  capability_id: DEF-QUAR-E3
  comments: "In Exchange Online Protection (EOP) and Microsoft Defender for Office\
    \ 365, quarantine policies allow admins to define the user experience for quarantined\
    \ messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity\
    \ with quarantine messages based on why the message was quarantined. For example,\
    \ users can view and release messages that were quarantined as spam or bulk, but\
    \ they can't view or release messages that were quarantined as high confidence\
    \ phishing or malware.\n\nQuarantine policies apply to items tagged by the anti-malware\
    \ and anti-phishing \u201CResponse\u201D actions, and to files quarantined as malware\
    \ by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. Because the\
    \ assigned policy decides whether users may preview or release quarantined items,\
    \ a policy that grants users release rights for malware or phishing verdicts\
    \ weakens this control; review which policy is assigned to each verdict.\n\nLicense requirements: M365 E3 (or Defender for Office\
    \ plan 1)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://security.microsoft.com/quarantinePolicies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy
  score_category: respond
  score_value: significant
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Quarantine Policies
  capability_group: m365-defender
  capability_id: DEF-QUAR-E3
  comments: "In Exchange Online Protection (EOP) and Microsoft Defender for Office\
    \ 365, quarantine policies allow admins to define the user experience for quarantined\
    \ messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity\
    \ with quarantine messages based on why the message was quarantined. For example,\
    \ users can view and release messages that were quarantined as spam or bulk, but\
    \ they can't view or release messages that were quarantined as high confidence\
    \ phishing or malware.\n\nQuarantine policies apply to items tagged by the anti-malware\
    \ and anti-phishing \u201CResponse\u201D actions, and to files quarantined as malware\
    \ by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. Because the\
    \ assigned policy decides whether users may preview or release quarantined items,\
    \ a policy that grants users release rights for malware or phishing verdicts\
    \ weakens this control; review which policy is assigned to each verdict.\n\nLicense requirements: M365 E3 (or Defender for Office\
    \ plan 1)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://security.microsoft.com/quarantinePolicies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy
  score_category: respond
  score_value: significant
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Quarantine Policies
  capability_group: m365-defender
  capability_id: DEF-QUAR-E3
  comments: "In Exchange Online Protection (EOP) and Microsoft Defender for Office\
    \ 365, quarantine policies allow admins to define the user experience for quarantined\
    \ messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity\
    \ with quarantine messages based on why the message was quarantined. For example,\
    \ users can view and release messages that were quarantined as spam or bulk, but\
    \ they can't view or release messages that were quarantined as high confidence\
    \ phishing or malware.\n\nQuarantine policies apply to items tagged by the anti-malware\
    \ and anti-phishing \u201CResponse\u201D actions, and to files quarantined as malware\
    \ by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. Because the\
    \ assigned policy decides whether users may preview or release quarantined items,\
    \ a policy that grants users release rights for malware or phishing verdicts\
    \ weakens this control; review which policy is assigned to each verdict.\n\nLicense requirements: M365 E3 (or Defender for Office\
    \ plan 1)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://security.microsoft.com/quarantinePolicies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy
  related_score: T1204
  score_category: respond
  score_value: significant
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Quarantine Policies
  capability_group: m365-defender
  capability_id: DEF-QUAR-E3
  comments: "In Exchange Online Protection (EOP) and Microsoft Defender for Office\
    \ 365, quarantine policies allow admins to define the user experience for quarantined\
    \ messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity\
    \ with quarantine messages based on why the message was quarantined. For example,\
    \ users can view and release messages that were quarantined as spam or bulk, but\
    \ they can't view or release messages that were quarantined as high confidence\
    \ phishing or malware.\n\nQuarantine policies apply to items tagged by the anti-malware\
    \ and anti-phishing \u201CResponse\u201D actions, and to files quarantined as malware\
    \ by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. Because the\
    \ assigned policy decides whether users may preview or release quarantined items,\
    \ a policy that grants users release rights for malware or phishing verdicts\
    \ weakens this control; review which policy is assigned to each verdict.\n\nLicense requirements: M365 E3 (or Defender for Office\
    \ plan 1)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://security.microsoft.com/quarantinePolicies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy
  related_score: T1204
  score_category: respond
  score_value: significant
- attack_object_id: T1204.003
  attack_object_name: Malicious Image
  capability_description: Quarantine Policies
  capability_group: m365-defender
  capability_id: DEF-QUAR-E3
  comments: "M365's Safe Attachments is a feature that provides advanced email security\
    \ by scanning attachments for malicious content and using a virtual environment\
    \ to check for malicious actions in a process known as detonation. Safe Attachments\
    \ for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect\
    \ emerging threats. If a suspicious file is identified, it can be quarantined or\
    \ access to it blocked to prevent potential harm.\n\nLicense requirements:\n\
    Microsoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet
  related_score: T1204
  score_category: respond
  score_value: significant
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Quarantine Policies
  capability_group: m365-defender
  capability_id: DEF-QUAR-E3
  comments: "In Exchange Online Protection (EOP) and Microsoft Defender for Office\
    \ 365, quarantine policies allow admins to define the user experience for quarantined\
    \ messages.\n\nTraditionally, users have been allowed or denied levels of interactivity\
    \ with quarantined messages based on why the message was quarantined. For example,\
    \ users can view and release messages that were quarantined as spam or bulk, but\
    \ they can't view or release messages that were quarantined as high confidence\
    \ phishing or malware.\n\nThe following M365 features are supported by quarantine\
    \ policies: \u201CResponse\u201D to Anti-malware and Anti-Phishing tagged items, and\
    \ files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive,\
    \ and Microsoft Teams.\n\nLicense requirements: M365 E3 (or Defender for Office\
    \ plan 1)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://security.microsoft.com/quarantinePolicies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy
  score_category: respond
  score_value: significant
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: Quarantine Policies
  capability_group: m365-defender
  capability_id: DEF-QUAR-E3
  comments: "In Exchange Online Protection (EOP) and Microsoft Defender for Office\
    \ 365, quarantine policies allow admins to define the user experience for quarantined\
    \ messages.\n\nTraditionally, users have been allowed or denied levels of interactivity\
    \ with quarantined messages based on why the message was quarantined. For example,\
    \ users can view and release messages that were quarantined as spam or bulk, but\
    \ they can't view or release messages that were quarantined as high confidence\
    \ phishing or malware.\n\nThe following M365 features are supported by quarantine\
    \ policies: \u201CResponse\u201D to Anti-malware and Anti-Phishing tagged items, and\
    \ files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive,\
    \ and Microsoft Teams.\n\nLicense requirements: M365 E3 (or Defender for Office\
    \ plan 1)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://security.microsoft.com/quarantinePolicies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy
  related_score: T1213
  score_category: respond
  score_value: significant
- attack_object_id: T1213.005
  attack_object_name: Messaging Applications
  capability_description: Quarantine Policies
  capability_group: m365-defender
  capability_id: DEF-QUAR-E3
  comments: "In Exchange Online Protection (EOP) and Microsoft Defender for Office\
    \ 365, quarantine policies allow admins to define the user experience for quarantined\
    \ messages.\n\nTraditionally, users have been allowed or denied levels of interactivity\
    \ with quarantined messages based on why the message was quarantined. For example,\
    \ users can view and release messages that were quarantined as spam or bulk, but\
    \ they can't view or release messages that were quarantined as high confidence\
    \ phishing or malware.\n\nThe following M365 features are supported by quarantine\
    \ policies: \u201CResponse\u201D to Anti-malware and Anti-Phishing tagged items, and\
    \ files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive,\
    \ and Microsoft Teams.\n\nLicense requirements: M365 E3 (or Defender for Office\
    \ plan 1)"
  mapping_type: technique_score
  references: []
  related_score: T1213
  score_category: respond
  score_value: significant
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Quarantine Policies
  capability_group: m365-defender
  capability_id: DEF-QUAR-E3
  comments: "In Exchange Online Protection (EOP) and Microsoft Defender for Office\
    \ 365, quarantine policies allow admins to define the user experience for quarantined\
    \ messages.\n\nTraditionally, users have been allowed or denied levels of interactivity\
    \ with quarantined messages based on why the message was quarantined. For example,\
    \ users can view and release messages that were quarantined as spam or bulk, but\
    \ they can't view or release messages that were quarantined as high confidence\
    \ phishing or malware.\n\nThe following M365 features are supported by quarantine\
    \ policies: \u201CResponse\u201D to Anti-malware and Anti-Phishing tagged items, and\
    \ files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive,\
    \ and Microsoft Teams.\n\nLicense requirements: M365 E3 (or Defender for Office\
    \ plan 1)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://security.microsoft.com/quarantinePolicies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy
  score_category: respond
  score_value: significant
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: Quarantine Policies
  capability_group: m365-defender
  capability_id: DEF-QUAR-E3
  comments: "In Exchange Online Protection (EOP) and Microsoft Defender for Office\
    \ 365, quarantine policies allow admins to define the user experience for quarantined\
    \ messages.\n\nTraditionally, users have been allowed or denied levels of interactivity\
    \ with quarantined messages based on why the message was quarantined. For example,\
    \ users can view and release messages that were quarantined as spam or bulk, but\
    \ they can't view or release messages that were quarantined as high confidence\
    \ phishing or malware.\n\nThe following M365 features are supported by quarantine\
    \ policies: \u201CResponse\u201D to Anti-malware and Anti-Phishing tagged items, and\
    \ files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive,\
    \ and Microsoft Teams.\n\nLicense requirements: M365 E3 (or Defender for Office\
    \ plan 1)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://security.microsoft.com/quarantinePolicies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy
  score_category: respond
  score_value: significant
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Quarantine Policies
  capability_group: m365-defender
  capability_id: DEF-QUAR-E3
  comments: "In Exchange Online Protection (EOP) and Microsoft Defender for Office\
    \ 365, quarantine policies allow admins to define the user experience for quarantined\
    \ messages.\n\nTraditionally, users have been allowed or denied levels of interactivity\
    \ with quarantined messages based on why the message was quarantined. For example,\
    \ users can view and release messages that were quarantined as spam or bulk, but\
    \ they can't view or release messages that were quarantined as high confidence\
    \ phishing or malware.\n\nThe following M365 features are supported by quarantine\
    \ policies: \u201CResponse\u201D to Anti-malware and Anti-Phishing tagged items, and\
    \ files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive,\
    \ and Microsoft Teams.\n\nLicense requirements: M365 E3 (or Defender for Office\
    \ plan 1)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://security.microsoft.com/quarantinePolicies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy
  score_category: respond
  score_value: significant
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Quarantine Policies
  capability_group: m365-defender
  capability_id: DEF-QUAR-E3
  comments: "In Exchange Online Protection (EOP) and Microsoft Defender for Office\
    \ 365, quarantine policies allow admins to define the user experience for quarantined\
    \ messages.\n\nTraditionally, users have been allowed or denied levels of interactivity\
    \ with quarantined messages based on why the message was quarantined. For example,\
    \ users can view and release messages that were quarantined as spam or bulk, but\
    \ they can't view or release messages that were quarantined as high confidence\
    \ phishing or malware.\n\nThe following M365 features are supported by quarantine\
    \ policies: \u201CResponse\u201D to Anti-malware and Anti-Phishing tagged items, and\
    \ files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive,\
    \ and Microsoft Teams.\n\nLicense requirements: M365 E3 (or Defender for Office\
    \ plan 1)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://security.microsoft.com/quarantinePolicies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy
  related_score: T1566
  score_category: respond
  score_value: significant
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Quarantine Policies
  capability_group: m365-defender
  capability_id: DEF-QUAR-E3
  comments: "In Exchange Online Protection (EOP) and Microsoft Defender for Office\
    \ 365, quarantine policies allow admins to define the user experience for quarantined\
    \ messages.\n\nTraditionally, users have been allowed or denied levels of interactivity\
    \ with quarantined messages based on why the message was quarantined. For example,\
    \ users can view and release messages that were quarantined as spam or bulk, but\
    \ they can't view or release messages that were quarantined as high confidence\
    \ phishing or malware.\n\nThe following M365 features are supported by quarantine\
    \ policies: \u201CResponse\u201D to Anti-malware and Anti-Phishing tagged items, and\
    \ files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive,\
    \ and Microsoft Teams.\n\nLicense requirements: M365 E3 (or Defender for Office\
    \ plan 1)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://security.microsoft.com/quarantinePolicies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy
  related_score: T1566
  score_category: respond
  score_value: significant
- attack_object_id: T1656
  attack_object_name: Impersonation
  capability_description: Quarantine Policies
  capability_group: m365-defender
  capability_id: DEF-QUAR-E3
  comments: "In Exchange Online Protection (EOP) and Microsoft Defender for Office\
    \ 365, quarantine policies allow admins to define the user experience for quarantined\
    \ messages.\n\nTraditionally, users have been allowed or denied levels of interactivity\
    \ with quarantined messages based on why the message was quarantined. For example,\
    \ users can view and release messages that were quarantined as spam or bulk, but\
    \ they can't view or release messages that were quarantined as high confidence\
    \ phishing or malware.\n\nThe following M365 features are supported by quarantine\
    \ policies: \u201CResponse\u201D to Anti-malware and Anti-Phishing tagged items, and\
    \ files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive,\
    \ and Microsoft Teams.\n\nLicense requirements: M365 E3 (or Defender for Office\
    \ plan 1)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://security.microsoft.com/quarantinePolicies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy
  score_category: respond
  score_value: significant
- attack_object_id: T1027
  attack_object_name: Obfuscated Files or Information
  capability_description: Zero Hour Auto Purge
  capability_group: m365-defender
  capability_id: DEF-ZHAP-E3
  comments: 'Zero-hour auto purge (ZAP) is a protection feature in Exchange Online
    Protection (EOP) that retroactively detects and neutralizes malicious phishing,
    spam, or malware messages that have already been delivered to Exchange Online
    mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively
    detect existing malicious chat messages in Microsoft Teams that are identified
    as malware or high confidence phishing.


    License Requirements: ZAP for Defender O365 is included with M365''s E3 and requires
    E5 when leveraging ZAP for Teams security.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Zero Hour Auto Purge
  capability_group: m365-defender
  capability_id: DEF-ZHAP-E3
  comments: 'Zero-hour auto purge (ZAP) is a protection feature in Exchange Online
    Protection (EOP) that retroactively detects and neutralizes malicious phishing,
    spam, or malware messages that have already been delivered to Exchange Online
    mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively
    detect existing malicious chat messages in Microsoft Teams that are identified
    as malware or high confidence phishing.


    License Requirements: ZAP for Defender O365 is included with M365''s E3 and requires
    E5 when leveraging ZAP for Teams security.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Zero Hour Auto Purge
  capability_group: m365-defender
  capability_id: DEF-ZHAP-E3
  comments: 'Zero-hour auto purge (ZAP) is a protection feature in Exchange Online
    Protection (EOP) that retroactively detects and neutralizes malicious phishing,
    spam, or malware messages that have already been delivered to Exchange Online
    mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively
    detect existing malicious chat messages in Microsoft Teams that are identified
    as malware or high confidence phishing.


    License Requirements: ZAP for Defender O365 is included with M365''s E3 and requires
    E5 when leveraging ZAP for Teams security.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1059.001
  attack_object_name: PowerShell
  capability_description: Zero Hour Auto Purge
  capability_group: m365-defender
  capability_id: DEF-ZHAP-E3
  comments: 'Zero-hour auto purge (ZAP) is a protection feature in Exchange Online
    Protection (EOP) that retroactively detects and neutralizes malicious phishing,
    spam, or malware messages that have already been delivered to Exchange Online
    mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively
    detect existing malicious chat messages in Microsoft Teams that are identified
    as malware or high confidence phishing.


    License Requirements: ZAP for Defender O365 is included with M365''s E3 and requires
    E5 when leveraging ZAP for Teams security.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  related_score: T1059
  score_category: respond
  score_value: significant
- attack_object_id: T1059.006
  attack_object_name: Python
  capability_description: Zero Hour Auto Purge
  capability_group: m365-defender
  capability_id: DEF-ZHAP-E3
  comments: 'Zero-hour auto purge (ZAP) is a protection feature in Exchange Online
    Protection (EOP) that retroactively detects and neutralizes malicious phishing,
    spam, or malware messages that have already been delivered to Exchange Online
    mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively
    detect existing malicious chat messages in Microsoft Teams that are identified
    as malware or high confidence phishing.


    License Requirements: ZAP for Defender O365 is included with M365''s E3 and requires
    E5 when leveraging ZAP for Teams security.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  related_score: T1059
  score_category: respond
  score_value: significant
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Zero Hour Auto Purge
  capability_group: m365-defender
  capability_id: DEF-ZHAP-E3
  comments: 'Zero-hour auto purge (ZAP) is a protection feature in Exchange Online
    Protection (EOP) that retroactively detects and neutralizes malicious phishing,
    spam, or malware messages that have already been delivered to Exchange Online
    mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively
    detect existing malicious chat messages in Microsoft Teams that are identified
    as malware or high confidence phishing.


    License Requirements: ZAP for Defender O365 is included with M365''s E3 and requires
    E5 when leveraging ZAP for Teams security.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  related_score: T1059
  score_category: respond
  score_value: significant
- attack_object_id: T1080
  attack_object_name: Taint Shared Content
  capability_description: Zero Hour Auto Purge
  capability_group: m365-defender
  capability_id: DEF-ZHAP-E3
  comments: 'Zero-hour auto purge (ZAP) is a protection feature in Exchange Online
    Protection (EOP) that retroactively detects and neutralizes malicious phishing,
    spam, or malware messages that have already been delivered to Exchange Online
    mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively
    detect existing malicious chat messages in Microsoft Teams that are identified
    as malware or high confidence phishing.


    License Requirements: ZAP for Defender O365 is included with M365''s E3 and requires
    E5 when leveraging ZAP for Teams security.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Zero Hour Auto Purge
  capability_group: m365-defender
  capability_id: DEF-ZHAP-E3
  comments: 'Zero-hour auto purge (ZAP) is a protection feature in Exchange Online
    Protection (EOP) that retroactively detects and neutralizes malicious phishing,
    spam, or malware messages that have already been delivered to Exchange Online
    mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively
    detect existing malicious chat messages in Microsoft Teams that are identified
    as malware or high confidence phishing.


    License Requirements: ZAP for Defender O365 is included with M365''s E3 and requires
    E5 when leveraging ZAP for Teams security.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Zero Hour Auto Purge
  capability_group: m365-defender
  capability_id: DEF-ZHAP-E3
  comments: 'Zero-hour auto purge (ZAP) is a protection feature in Exchange Online
    Protection (EOP) that retroactively detects and neutralizes malicious phishing,
    spam, or malware messages that have already been delivered to Exchange Online
    mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively
    detect existing malicious chat messages in Microsoft Teams that are identified
    as malware or high confidence phishing.


    License Requirements: ZAP for Defender O365 is included with M365''s E3 and requires
    E5 when leveraging ZAP for Teams security.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  related_score: T1204
  score_category: respond
  score_value: significant
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Zero Hour Auto Purge
  capability_group: m365-defender
  capability_id: DEF-ZHAP-E3
  comments: 'Zero-hour auto purge (ZAP) is a protection feature in Exchange Online
    Protection (EOP) that retroactively detects and neutralizes malicious phishing,
    spam, or malware messages that have already been delivered to Exchange Online
    mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively
    detect existing malicious chat messages in Microsoft Teams that are identified
    as malware or high confidence phishing.


    License Requirements: ZAP for Defender O365 is included with M365''s E3 and requires
    E5 when leveraging ZAP for Teams security.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  related_score: T1204
  score_category: respond
  score_value: significant
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: Zero Hour Auto Purge
  capability_group: m365-defender
  capability_id: DEF-ZHAP-E3
  comments: 'Zero-hour auto purge (ZAP) is a protection feature in Exchange Online
    Protection (EOP) that retroactively detects and neutralizes malicious phishing,
    spam, or malware messages that have already been delivered to Exchange Online
    mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively
    detect existing malicious chat messages in Microsoft Teams that are identified
    as malware or high confidence phishing.


    License Requirements: ZAP for Defender O365 is included with M365''s E3 and requires
    E5 when leveraging ZAP for Teams security.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Zero Hour Auto Purge
  capability_group: m365-defender
  capability_id: DEF-ZHAP-E3
  comments: 'Zero-hour auto purge (ZAP) is a protection feature in Exchange Online
    Protection (EOP) that retroactively detects and neutralizes malicious phishing,
    spam, or malware messages that have already been delivered to Exchange Online
    mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively
    detect existing malicious chat messages in Microsoft Teams that are identified
    as malware or high confidence phishing.


    License Requirements: ZAP for Defender O365 is included with M365''s E3 and requires
    E5 when leveraging ZAP for Teams security.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Zero Hour Auto Purge
  capability_group: m365-defender
  capability_id: DEF-ZHAP-E3
  comments: 'Zero-hour auto purge (ZAP) is a protection feature in Exchange Online
    Protection (EOP) that retroactively detects and neutralizes malicious phishing,
    spam, or malware messages that have already been delivered to Exchange Online
    mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively
    detect existing malicious chat messages in Microsoft Teams that are identified
    as malware or high confidence phishing.


    License Requirements: ZAP for Defender O365 is included with M365''s E3 and requires
    E5 when leveraging ZAP for Teams security.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  related_score: T1566
  score_category: respond
  score_value: significant
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Zero Hour Auto Purge
  capability_group: m365-defender
  capability_id: DEF-ZHAP-E3
  comments: 'Zero-hour auto purge (ZAP) is a protection feature in Exchange Online
    Protection (EOP) that retroactively detects and neutralizes malicious phishing,
    spam, or malware messages that have already been delivered to Exchange Online
    mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively
    detect existing malicious chat messages in Microsoft Teams that are identified
    as malware or high confidence phishing.


    License Requirements: ZAP for Defender O365 is included with M365''s E3 and requires
    E5 when leveraging ZAP for Teams security.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  related_score: T1566
  score_category: respond
  score_value: significant
- attack_object_id: T1656
  attack_object_name: Impersonation
  capability_description: Zero Hour Auto Purge
  capability_group: m365-defender
  capability_id: DEF-ZHAP-E3
  comments: 'Zero-hour auto purge (ZAP) is a protection feature in Exchange Online
    Protection (EOP) that retroactively detects and neutralizes malicious phishing,
    spam, or malware messages that have already been delivered to Exchange Online
    mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively
    detect existing malicious chat messages in Microsoft Teams that are identified
    as malware or high confidence phishing.


    License Requirements: ZAP for Defender O365 is included with M365''s E3 and requires
    E5 when leveraging ZAP for Teams security.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1027.011
  attack_object_name: Fileless Storage
  capability_description: Antimalware
  capability_group: m365-defender
  capability_id: EOP-AMW-E3
  comments: This control can protect against fileless storage attacks.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows
  related_score: T1027
  score_category: protect
  score_value: partial
- attack_object_id: T1027.012
  attack_object_name: LNK Icon Smuggling
  capability_description: Antimalware
  capability_group: m365-defender
  capability_id: EOP-AMW-E3
  comments: This control can protect against LNK icon smuggling.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/proxy-intro-aad
  related_score: T1027
  score_category: protect
  score_value: significant
- attack_object_id: T1027.013
  attack_object_name: Encrypted/Encoded File
  capability_description: Anti-Phishing
  capability_group: eop
  capability_id: EOP-APH-E3
  comments: Exchange Online Protection's anti-phishing methods can protect against
    encrypted malicious files by scanning attachments and potentially quarantining
    them. Due to this being only one avenue, the rating is judged to be partial.
  mapping_type: technique_score
  references: []
  related_score: T1027
  score_category: protect
  score_value: partial
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Anti-Phishing
  capability_group: eop
  capability_id: EOP-APH-E3
  comments: "Policies to configure anti-phishing protection settings are available\
    \ in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange\
    \ Online Protection (EOP) organizations without Exchange Online mailboxes, and\
    \ Microsoft Defender for Office 365 organizations. The features provided with\
    \ Anti-phishing policies in Defender for Office 365 are: Automatically creating\
    \ default policies, creating custom policies, common policy settings, spoof settings,\
    \ first contact safety tips, impersonation settings, and advanced phishing thresholds.\n\
    \nMicrosoft 365's Anti-Phishing protection protects against phishing attacks due\
    \ to its custom policy feature where users can create policies to determine if\
    \ certain websites used for phishing are necessary for business operations and\
    \ can block access if activity cannot be monitored well or if it poses a significant\
    \ risk.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender\
    \ for Office 365 plan 1 and plan 2, Microsoft XDR"
  mapping_type: technique_score
  references: []
  score_category: protect
  score_value: significant
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Anti-Phishing
  capability_group: eop
  capability_id: EOP-APH-E3
  comments: "Policies to configure anti-phishing protection settings are available\
    \ in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange\
    \ Online Protection (EOP) organizations without Exchange Online mailboxes, and\
    \ Microsoft Defender for Office 365 organizations. The features provided with\
    \ Anti-phishing policies in Defender for Office 365 are: Automatically creating\
    \ default policies, creating custom policies, common policy settings, spoof settings,\
    \ first contact safety tips, impersonation settings, and advanced phishing thresholds.\n\
    \nMicrosoft 365's Anti-Phishing protection protects against phishing attacks due\
    \ to its custom policy feature where users can create policies to determine if\
    \ certain websites used for phishing are necessary for business operations and\
    \ can block access if activity cannot be monitored well or if it poses a significant\
    \ risk.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender\
    \ for Office 365 plan 1 and plan 2, Microsoft XDR"
  mapping_type: technique_score
  references: []
  related_score: T1566
  score_category: protect
  score_value: significant
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Anti-Phishing
  capability_group: eop
  capability_id: EOP-APH-E3
  comments: "Policies to configure anti-phishing protection settings are available\
    \ in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange\
    \ Online Protection (EOP) organizations without Exchange Online mailboxes, and\
    \ Microsoft Defender for Office 365 organizations. The features provided with\
    \ Anti-phishing policies in Defender for Office 365 are: Automatically creating\
    \ default policies, creating custom policies, common policy settings, spoof settings,\
    \ first contact safety tips, impersonation settings, and advanced phishing thresholds.\n\
    \nMicrosoft 365's Anti-Phishing protection protects against phishing attacks due\
    \ to its custom policy feature where users can create policies to determine if\
    \ certain websites used for phishing are necessary for business operations and\
    \ can block access if activity cannot be monitored well or if it poses a significant\
    \ risk.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender\
    \ for Office 365 plan 1 and plan 2, Microsoft XDR"
  mapping_type: technique_score
  references: []
  related_score: T1566
  score_category: protect
  score_value: significant
- attack_object_id: T1656
  attack_object_name: Impersonation
  capability_description: Anti-Phishing
  capability_group: eop
  capability_id: EOP-APH-E3
  comments: "Policies to configure anti-phishing protection settings are available\
    \ in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange\
    \ Online Protection (EOP) organizations without Exchange Online mailboxes, and\
    \ Microsoft Defender for Office 365 organizations. The features provided with\
    \ Anti-phishing policies in Defender for Office 365 are: Automatically creating\
    \ default policies, creating custom policies, common policy settings, spoof settings,\
    \ first contact safety tips, impersonation settings, and advanced phishing thresholds.\n\
    \nMicrosoft 365's Anti-Phishing protection protects against phishing attacks due\
    \ to its custom policy feature where users can create policies to determine if\
    \ certain websites used for phishing are necessary for business operations and\
    \ can block access if activity cannot be monitored well or if it poses a significant\
    \ risk.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender\
    \ for Office 365 plan 1 and plan 2, Microsoft XDR"
  mapping_type: technique_score
  references: []
  score_category: protect
  score_value: significant
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: This control provides detection for some of this technique's sub-techniques
    and procedure examples and therefore its coverage score is Partial, resulting
    in a Partial score. Its detection occurs once every twelve hours, so its temporal
    score is also Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  score_category: detect
  score_value: partial
- attack_object_id: T1036
  attack_object_name: Masquerading
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: This control provides detection for some of this technique's sub-techniques
    and procedure examples and therefore its coverage score is Partial, resulting
    in a Partial score. Its detection occurs once every twelve hours, so its temporal
    score is also Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
  score_category: detect
  score_value: partial
- attack_object_id: T1036.001
  attack_object_name: Invalid Code Signature
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: Once this control is activated, it generates alerts for any executable
    that is run and is not included in an allow list. Because signatures generated
    via this technique are not valid, these malicious executables would be detected
    via any form of allow list, including publisher-based. Events are calculated once
    every twelve hours, so its temporal score is Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  related_score: T1036
  score_category: detect
  score_value: partial
- attack_object_id: T1036.001
  attack_object_name: Invalid Code Signature
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: Once this control is activated, it generates alerts for any executable
    that is run and is not included in an allow list. Because signatures generated
    via this technique are not valid, these malicious executables would be detected
    via any form of allow list, including publisher-based. Events are calculated once
    every twelve hours, so its temporal score is Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  related_score: T1036
  score_category: detect
  score_value: partial
- attack_object_id: T1036.005
  attack_object_name: Match Legitimate Name or Location
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: Once this control is activated, it generates alerts for any executable
    that is run and is not included in an allow list. Path-based masquerading may
    subvert path-based rules within this control, resulting in false negatives, but
    hash and publisher-based rules will still detect untrusted executables. Events
    are calculated once every twelve hours, so its temporal score is Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  related_score: T1036
  score_category: detect
  score_value: partial
- attack_object_id: T1036.005
  attack_object_name: Match Legitimate Name or Location
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: Once this control is activated, it generates alerts for any executable
    that is run and is not included in an allow list. Path-based masquerading may
    subvert path-based rules within this control, resulting in false negatives, but
    hash and publisher-based rules will still detect untrusted executables. Events
    are calculated once every twelve hours, so its temporal score is Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  related_score: T1036
  score_category: detect
  score_value: partial
- attack_object_id: T1036.006
  attack_object_name: Space after Filename
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: Once this control is activated, it generates alerts for any executable
    that is run and is not included in an allow list. Malicious files of this type
    would be unlikely to evade detection from any form of allow list. Events are calculated
    once every twelve hours, so its temporal score is Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  related_score: T1036
  score_category: detect
  score_value: partial
- attack_object_id: T1036.006
  attack_object_name: Space after Filename
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: Once this control is activated, it generates alerts for any executable
    that is run and is not included in an allow list. Malicious files of this type
    would be unlikely to evade detection from any form of allow list. Events are calculated
    once every twelve hours, so its temporal score is Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  related_score: T1036
  score_category: detect
  score_value: partial
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: This control only provides detection for one of this technique's sub-techniques
    while not providing any detection capability for its other sub-technique, and
    therefore its coverage score is Partial, resulting in a Partial score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  score_category: detect
  score_value: partial
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: This control only provides detection for one of this technique's sub-techniques
    while not providing any detection capability for its other sub-technique, and
    therefore its coverage score is Partial, resulting in a Partial score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  score_category: detect
  score_value: partial
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: Once this control is activated, it generates alerts for any executable
    that has been run and is not included in an allow list. There is a significant
    potential for false positives from new non-malicious executables, and events are
    calculated once every twelve hours, so its temporal score is Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  related_score: T1204
  score_category: detect
  score_value: partial
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: Once this control is activated, it generates alerts for any executable
    that has been run and is not included in an allow list. There is a significant
    potential for false positives from new non-malicious executables, and events are
    calculated once every twelve hours, so its temporal score is Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  related_score: T1204
  score_category: detect
  score_value: partial
- attack_object_id: T1553
  attack_object_name: Subvert Trust Controls
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: This control only provides detection for some of this technique's sub-techniques
    while not providing any detection capability for the remaining sub-techniques,
    and therefore its coverage score is Minimal, resulting in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  score_category: detect
  score_value: minimal
- attack_object_id: T1553
  attack_object_name: Subvert Trust Controls
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: This control only provides detection for some of this technique's sub-techniques
    while not providing any detection capability for the remaining sub-techniques,
    and therefore its coverage score is Minimal, resulting in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  score_category: detect
  score_value: minimal
- attack_object_id: T1553.002
  attack_object_name: Code Signing
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: Once this control is activated, it generates alerts for any executable
    that is run and is not included in an allow list. While publisher-based allow
    lists may fail to detect malicious executables with valid signatures, hash and
    path-based rules will still detect untrusted executables. Events are calculated
    once every twelve hours, so its temporal score is Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  related_score: T1553
  score_category: detect
  score_value: partial
- attack_object_id: T1553.002
  attack_object_name: Code Signing
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: Once this control is activated, it generates alerts for any executable
    that is run and is not included in an allow list. While publisher-based allow
    lists may fail to detect malicious executables with valid signatures, hash and
    path-based rules will still detect untrusted executables. Events are calculated
    once every twelve hours, so its temporal score is Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  related_score: T1553
  score_category: detect
  score_value: partial
- attack_object_id: T1553.005
  attack_object_name: Mark-of-the-Web Bypass
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: Once this control is activated, it generates alerts for any executable
    that is run and is not included in an allow list. Events are calculated once every
    twelve hours, so its temporal score is Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  related_score: T1553
  score_category: detect
  score_value: partial
- attack_object_id: T1554
  attack_object_name: Compromise Host Software Binary
  capability_description: Adaptive Application Control Integration
  capability_group: m365-defender
  capability_id: DEF-AACI-E3
  comments: Once this control is activated, it generates alerts for any executable
    that is run and is not included in an allow list. While name and publisher-based
    allow lists may fail to detect malicious modifications to executable client binaries,
    hash-based rules will still detect untrusted executables. Events are calculated
    once every twelve hours, so its temporal score is Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  - https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
  score_category: detect
  score_value: partial
- attack_object_id: T1036.008
  attack_object_name: Masquerade File Type
  capability_description: Safe Attachments
  capability_group: m365-defender
  capability_id: DEF-SATT-E3
  comments: Safe Attachment scanning can detect if an email attachment is potentially
    malicious, including if its filetype is being obfuscated.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet
  related_score: T1036
  score_category: protect
  score_value: partial
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Safe Attachments
  capability_group: m365-defender
  capability_id: DEF-SATT-E3
  comments: "M365's Safe Attachments is a feature that provides advanced email security\
    \ by scanning attachments for malicious content and using a virtual environment\
    \ to check for malicious actions in a process known as detonation. Safe Attachments\
    \ for SharePoint, OneDrive, and Microsoft Teams operates in real-time to protect\
    \ against emerging threats. If a suspicious file is identified, the file can\
    \ be quarantined or access to it blocked to prevent potential harm.\n\nLicense requirements:\n\
    Microsoft 365 E5, Defender for Office 365 Plan 1, Microsoft 365 E3 with ATP add-on"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet
  score_category: respond
  score_value: significant
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Safe Attachments
  capability_group: m365-defender
  capability_id: DEF-SATT-E3
  comments: "M365's Safe Attachments is a feature that provides advanced email security\
    \ by scanning attachments for malicious content and using a virtual environment\
    \ to check for malicious actions in a process known as detonation. Safe Attachments\
    \ for SharePoint, OneDrive, and Microsoft Teams operates in real-time to protect\
    \ against emerging threats. If a suspicious file is identified, the file can\
    \ be quarantined or access to it blocked to prevent potential harm.\n\nLicense requirements:\n\
    Microsoft 365 E5, Defender for Office 365 Plan 1, Microsoft 365 E3 with ATP add-on"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Safe Attachments
  capability_group: m365-defender
  capability_id: DEF-SATT-E3
  comments: "M365's Safe Attachments is a feature that provides advanced email security\
    \ by scanning attachments for malicious content and using a virtual environment\
    \ to check for malicious actions in a process known as detonation. Safe Attachments\
    \ for SharePoint, OneDrive, and Microsoft Teams operates in real-time to protect\
    \ against emerging threats. If a suspicious file is identified, the file can\
    \ be quarantined or access to it blocked to prevent potential harm.\n\nLicense requirements:\n\
    Microsoft 365 E5, Defender for Office 365 Plan 1, Microsoft 365 E3 with ATP add-on"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet
  related_score: T1204
  score_category: respond
  score_value: significant
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Safe Attachments
  capability_group: m365-defender
  capability_id: DEF-SATT-E3
  comments: "M365's Safe Attachments is a feature that provides advanced email security\
    \ by scanning attachments for malicious content and using a virtual environment\
    \ to check for malicious actions in a process known as detonation. Safe Attachments\
    \ for SharePoint, OneDrive, and Microsoft Teams operates in real-time to protect\
    \ against emerging threats. If a suspicious file is identified, the file can\
    \ be quarantined or access to it blocked to prevent potential harm.\n\nLicense requirements:\n\
    Microsoft 365 E5, Defender for Office 365 Plan 1, Microsoft 365 E3 with ATP add-on"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide
  related_score: T1204
  score_category: detect
  score_value: significant
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Safe Attachments
  capability_group: m365-defender
  capability_id: DEF-SATT-E3
  comments: "M365's Safe Attachments is a feature that provides advanced email security\
    \ by scanning attachments for malicious content and using a virtual environment\
    \ to check for malicious actions in a process known as detonation. Safe Attachments\
    \ for SharePoint, OneDrive, and Microsoft Teams operates in real-time to protect\
    \ against emerging threats. If a suspicious file is identified, the file can\
    \ be quarantined or access to it blocked to prevent potential harm.\n\nLicense requirements:\n\
    Microsoft 365 E5, Defender for Office 365 Plan 1, Microsoft 365 E3 with ATP add-on"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet
  score_category: respond
  score_value: significant
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Safe Attachments
  capability_group: m365-defender
  capability_id: DEF-SATT-E3
  comments: "M365's Safe Attachments is a feature that provides advanced email security\
    \ by scanning attachments for malicious content and using a virtual environment\
    \ to check for malicious actions in a process known as detonation. Safe Attachments\
    \ for SharePoint, OneDrive, and Microsoft Teams operates in real-time to protect\
    \ against emerging threats. If a suspicious file is identified, the file can\
    \ be quarantined or access to it blocked to prevent potential harm.\n\nLicense requirements:\n\
    Microsoft 365 E5, Defender for Office 365 Plan 1, Microsoft 365 E3 with ATP add-on"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Safe Attachments
  capability_group: m365-defender
  capability_id: DEF-SATT-E3
  comments: "M365's Safe Attachments is a feature that provides advanced email security\
    \ by scanning attachments for malicious content and using a virtual environment\
    \ to check for malicious actions in a process known as detonation. Safe Attachments\
    \ for SharePoint, OneDrive, and Microsoft Teams operates in real-time to protect\
    \ against emerging threats. If a suspicious file is identified, the file can\
    \ be quarantined or access to it blocked to prevent potential harm.\n\nLicense requirements:\n\
    Microsoft 365 E5, Defender for Office 365 Plan 1, Microsoft 365 E3 with ATP add-on"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet
  related_score: T1566
  score_category: respond
  score_value: significant
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Safe Attachments
  capability_group: m365-defender
  capability_id: DEF-SATT-E3
  comments: "M365's Safe Attachments is a feature that provides advanced email security\
    \ by scanning attachments for malicious content and using a virtual environment\
    \ to check for malicious actions in a process known as detonation. Safe Attachments\
    \ for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect\
    \ emerging threats. If a suspicious file is identified, it can be quarantined\
    \ or access to it blocked to prevent potential harm.\n\nLicense requirements:\n\
    Microsoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-about?view=o365-worldwide
  related_score: T1566
  score_category: detect
  score_value: significant
- attack_object_id: T1598
  attack_object_name: Phishing for Information
  capability_description: Safe Attachments
  capability_group: m365-defender
  capability_id: DEF-SATT-E3
  comments: "M365's Safe Attachments is a feature that provides advanced email security\
    \ by scanning attachments for malicious content and using a virtual environment\
    \ to check for malicious actions in a process known as detonation. Safe Attachments\
    \ for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect\
    \ emerging threats. If a suspicious file is identified, it can be quarantined\
    \ or access to it blocked to prevent potential harm.\n\nLicense requirements:\n\
    Microsoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet
  score_category: respond
  score_value: significant
- attack_object_id: T1598
  attack_object_name: Phishing for Information
  capability_description: Safe Attachments
  capability_group: m365-defender
  capability_id: DEF-SATT-E3
  comments: "M365's Safe Attachments is a feature that provides advanced email security\
    \ by scanning attachments for malicious content and using a virtual environment\
    \ to check for malicious actions in a process known as detonation. Safe Attachments\
    \ for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect\
    \ emerging threats. If a suspicious file is identified, it can be quarantined\
    \ or access to it blocked to prevent potential harm.\n\nLicense requirements:\n\
    Microsoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1598.002
  attack_object_name: Spearphishing Attachment
  capability_description: Safe Attachments
  capability_group: m365-defender
  capability_id: DEF-SATT-E3
  comments: "M365's Safe Attachments is a feature that provides advanced email security\
    \ by scanning attachments for malicious content and using a virtual environment\
    \ to check for malicious actions in a process known as detonation. Safe Attachments\
    \ for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect\
    \ emerging threats. If a suspicious file is identified, it can be quarantined\
    \ or access to it blocked to prevent potential harm.\n\nLicense requirements:\n\
    Microsoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet
  related_score: T1598
  score_category: respond
  score_value: significant
- attack_object_id: T1598.002
  attack_object_name: Spearphishing Attachment
  capability_description: Safe Attachments
  capability_group: m365-defender
  capability_id: DEF-SATT-E3
  comments: "M365's Safe Attachments is a feature that provides advanced email security\
    \ by scanning attachments for malicious content and using a virtual environment\
    \ to check for malicious actions in a process known as detonation. Safe Attachments\
    \ for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect\
    \ emerging threats. If a suspicious file is identified, it can be quarantined\
    \ or access to it blocked to prevent potential harm.\n\nLicense requirements:\n\
    Microsoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide
  related_score: T1598
  score_category: detect
  score_value: significant
- attack_object_id: T1036.010
  attack_object_name: Masquerade Account Name
  capability_description: 'Advanced Anti-Phishing '
  capability_group: m365-defender
  capability_id: DEF-AAPH-E5
  comments: Anti-Phishing measures in Microsoft 365 Defender include settings explicitly
    designed to protect against fake accounts masquerading as legitimate accounts,
    such as when a display name or email address closely resembles the real one.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide
  - 'https://www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec#:~:text=Business%20email%20compromise%20(BEC)%20is%20a%20type%20of%20cybercrime%20where'
  - can%20use%20in%20another%20scam.
  related_score: T1036
  score_category: protect
  score_value: significant
- attack_object_id: T1040
  attack_object_name: Network Sniffing
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: 'This control''s "Stop clear text credentials exposure" recommendation advises
    running the "Entities exposing credentials in clear text" assessment, which monitors
    your traffic for entities that expose credentials in clear text (via LDAP simple
    bind). Because the assessment appears to be specific to LDAP simple bind, and because
    it is a recommendation that is not enforced, the result is a Minimal score.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
  - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes
  - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675
  score_category: protect
  score_value: minimal
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: This control provides recommendations that can lead to protecting against
    the malicious usage of valid cloud accounts but does not provide recommendations
    for the remaining sub-techniques. Additionally, it provides limited protection
    for this technique's procedure examples. Consequently, its overall protection
    coverage score is minimal.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
  - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes
  - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675
  score_category: protect
  score_value: minimal
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: This control provides recommendations that can lead to the detection of
    the malicious usage of valid cloud accounts but does not provide recommendations
    for the remaining sub-techniques. Additionally, it provides limited detection for
    this technique's procedure examples. Consequently, its overall detection coverage
    score is minimal.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
  - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes
  - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675
  score_category: detect
  score_value: minimal
- attack_object_id: T1078.001
  attack_object_name: Default Accounts
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: 'This control''s "Protect and manage local admin passwords with Microsoft
    LAPS" recommendation advises periodically running and reviewing the Microsoft LAPS
    usage report, which identifies all Windows-based devices not protected by Microsoft
    LAPS. This can help reduce the compromise of local administrator accounts.

    Because this is a recommendation that is not actually enforced, coupled with being
    limited to sensitive accounts, the assessed score is Minimal.'
  mapping_type: technique_score
  references: []
  related_score: T1078
  score_category: protect
  score_value: minimal
- attack_object_id: T1078.002
  attack_object_name: Domain Accounts
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: 'This control''s "Remove dormant accounts from sensitive groups" recommendation
    advises reviewing dormant (domain) accounts in sensitive groups via an assessment
    report that can identify sensitive accounts that are dormant.

    Because these are recommendations that do not actually enforce the protections,
    coupled with being limited to sensitive accounts, the assessed score is Minimal.'
  mapping_type: technique_score
  references: []
  related_score: T1078
  score_category: protect
  score_value: minimal
- attack_object_id: T1078.003
  attack_object_name: Local Accounts
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: 'This control''s "Protect and manage local admin passwords with Microsoft
    LAPS" recommendation advises periodically running and reviewing the Microsoft LAPS
    usage report, which identifies all Windows-based devices not protected by Microsoft
    LAPS. This can help reduce the compromise of local administrator accounts.

    Because this is a recommendation that is not actually enforced, coupled with being
    limited to sensitive accounts, the assessed score is Minimal.'
  mapping_type: technique_score
  references: []
  related_score: T1078
  score_category: protect
  score_value: minimal
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: "This control's \"Require MFA for administrative roles\" and \"Ensure\
    \ all users can complete multi-factor authentication for secure access\" recommendations\
    \ for MFA can provide protection against an adversary that obtains valid credentials\
    \ by requiring the adversary to complete an additional authentication process\
    \ before access is permitted. See the mapping for MFA for more details.\nThis\
    \ control's \"Use limited administrative roles\" recommendation advises reviewing\
    \ and limiting the number of accounts with global admin privilege, reducing what\
    \ an adversary can do with a compromised valid account.\nBecause these are recommendations\
    \ and do not actually enforce the protections, the assessed score is capped at\
    \ Partial."
  mapping_type: technique_score
  references: []
  related_score: T1078
  score_category: protect
  score_value: partial
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: This control's "Turn on sign-in risk policy" and "Turn on user risk policy"
    recommendations recommend enabling Azure AD Identity Protection which can lead
    to detecting adversary usage of valid accounts.  See the mapping for Azure AD
    Identity Protection.
  mapping_type: technique_score
  references: []
  related_score: T1078
  score_category: detect
  score_value: partial
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: 'The MFA recommendation provides significant protection against password
    compromises, but because this is a recommendation and doesn''t actually enforce
    MFA, the assessed score is capped at Partial. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
  - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes
  - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675
  score_category: protect
  score_value: partial
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: "This control's \"Require MFA for administrative roles\" and \"Ensure\
    \ all users can complete multi-factor authentication for secure access\" recommendations\
    \ for enabling MFA can significantly reduce the impact of a password compromise\
    \ by requiring the adversary to complete an additional authentication method before\
    \ access is permitted.\nThis control's \"Do not expire passwords\" recommendation\
    \ can also help mitigate the Password Guessing and Password Cracking sub-techniques,\
    \ since forced periodic password expiration tends to lead users to select weaker\
    \ passwords.\nThis control's \"Enable policy to block legacy authentication\" and\
    \ \"Stop legacy protocols communication\" recommendations can help protect against\
    \ these brute force attacks: Microsoft research has shown that organizations that\
    \ have disabled legacy authentication experience 67 percent fewer compromises than\
    \ those where legacy authentication is enabled, and that more than 99 percent of\
    \ password spray and more than 97 percent of credential stuffing attacks use legacy\
    \ authentication.\nThis control's \"Resolve unsecure account attributes\" recommendation\
    \ can help detect accounts with Kerberos preauthentication disabled, which can enable\
    \ offline Password Cracking.\nBecause these are recommendations and do not actually\
    \ enforce MFA, the assessed score is capped at Partial."
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: "This control's \"Require MFA for administrative roles\" and \"Ensure\
    \ all users can complete multi-factor authentication for secure access\" recommendations\
    \ for enabling MFA can significantly reduce the impact of a password compromise\
    \ by requiring the adversary to complete an additional authentication method before\
    \ access is permitted.\nThis control's \"Do not expire passwords\" recommendation\
    \ can also help mitigate the Password Guessing and Password Cracking sub-techniques,\
    \ since forced periodic password expiration tends to lead users to select weaker\
    \ passwords.\nThis control's \"Enable policy to block legacy authentication\" and\
    \ \"Stop legacy protocols communication\" recommendations can help protect against\
    \ these brute force attacks: Microsoft research has shown that organizations that\
    \ have disabled legacy authentication experience 67 percent fewer compromises than\
    \ those where legacy authentication is enabled, and that more than 99 percent of\
    \ password spray and more than 97 percent of credential stuffing attacks use legacy\
    \ authentication.\nThis control's \"Resolve unsecure account attributes\" recommendation\
    \ can help detect accounts with Kerberos preauthentication disabled, which can enable\
    \ offline Password Cracking.\nBecause these are recommendations and do not actually\
    \ enforce MFA, the assessed score is capped at Partial."
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: "This control's \"Require MFA for administrative roles\" and \"Ensure\
    \ all users can complete multi-factor authentication for secure access\" recommendations\
    \ for enabling MFA can significantly reduce the impact of a password compromise\
    \ by requiring the adversary to complete an additional authentication method before\
    \ access is permitted.\nThis control's \"Do not expire passwords\" recommendation\
    \ can also help mitigate the Password Guessing and Password Cracking sub-techniques,\
    \ since forced periodic password expiration tends to lead users to select weaker\
    \ passwords.\nThis control's \"Enable policy to block legacy authentication\" and\
    \ \"Stop legacy protocols communication\" recommendations can help protect against\
    \ these brute force attacks: Microsoft research has shown that organizations that\
    \ have disabled legacy authentication experience 67 percent fewer compromises than\
    \ those where legacy authentication is enabled, and that more than 99 percent of\
    \ password spray and more than 97 percent of credential stuffing attacks use legacy\
    \ authentication.\nThis control's \"Resolve unsecure account attributes\" recommendation\
    \ can help detect accounts with Kerberos preauthentication disabled, which can enable\
    \ offline Password Cracking.\nBecause these are recommendations and do not actually\
    \ enforce MFA, the assessed score is capped at Partial."
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: "This control's \"Require MFA for administrative roles\" and \"Ensure\
    \ all users can complete multi-factor authentication for secure access\" recommendations\
    \ for enabling MFA can significantly reduce the impact of a password compromise\
    \ by requiring the adversary to complete an additional authentication method before\
    \ access is permitted.\nThis control's \"Do not expire passwords\" recommendation\
    \ can also help mitigate the Password Guessing and Password Cracking sub-techniques,\
    \ since forced periodic password expiration tends to lead users to select weaker\
    \ passwords.\nThis control's \"Enable policy to block legacy authentication\" and\
    \ \"Stop legacy protocols communication\" recommendations can help protect against\
    \ these brute force attacks: Microsoft research has shown that organizations that\
    \ have disabled legacy authentication experience 67 percent fewer compromises than\
    \ those where legacy authentication is enabled, and that more than 99 percent of\
    \ password spray and more than 97 percent of credential stuffing attacks use legacy\
    \ authentication.\nThis control's \"Resolve unsecure account attributes\" recommendation\
    \ can help detect accounts with Kerberos preauthentication disabled, which can enable\
    \ offline Password Cracking.\nBecause these are recommendations and do not actually\
    \ enforce MFA, the assessed score is capped at Partial."
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: This control's "Configure VPN Integration" recommendation can lead to
    detecting abnormal VPN connections that may be indicative of an attack.  Although
    this control provides a recommendation that is limited to a specific external
    remote service type of VPN, most of this technique's procedure examples are VPN
    related resulting in a Partial overall score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
  - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes
  - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675
  score_category: detect
  score_value: partial
- attack_object_id: T1134
  attack_object_name: Access Token Manipulation
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: This control provides a recommendation that can lead to detecting one
    of this technique's sub-techniques while not providing recommendations relevant
    to its procedure examples nor its remaining sub-techniques.  It is subsequently
    scored as Minimal.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
  - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes
  - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675
  score_category: detect
  score_value: minimal
- attack_object_id: T1134.005
  attack_object_name: SID-History Injection
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: 'This control''s "Remove unsecure SID history attributes from entities"
    recommendation promotes periodically running the "Unsecure SID history attributes"
    report, which can identify accounts with SID History attributes that Microsoft
    Defender for Identity profiles as risky. Because this is a recommendation that
    is not actually enforced, and the detection depends on running the report, its
    assessed score is capped at Partial.'
  mapping_type: technique_score
  references: []
  related_score: T1134
  score_category: detect
  score_value: partial
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: "This control's \"Do not allow users to grant consent to unmanaged applications\"\
    \ recommendation can protect against an adversary constructing a malicious application\
    \ designed to be granted access to resources with the target user's OAuth token,\
    \ by ensuring users cannot be fooled into granting consent to the application.\n\
    Due to this being a recommendation, its score is capped at Partial."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
  - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes
  - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675
  score_category: protect
  score_value: partial
- attack_object_id: T1531
  attack_object_name: Account Access Removal
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: 'This control''s "Designate more than one global admin" recommendation can
    enable recovery when an adversary locks out a global administrator account (by deleting,
    locking, or manipulating it, e.g. changing its credentials). Due to this being a
    recommendation, its score is capped at Partial.'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
  - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes
  - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675
  score_category: protect
  score_value: partial
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: This control provides recommendations that lead to protections for some
    of the sub-techniques of this technique.  Due to it only providing a recommendation,
    its score has been capped at Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
  - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes
  - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675
  score_category: protect
  score_value: partial
- attack_object_id: T1550.002
  attack_object_name: Pass the Hash
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: This control's "Reduce lateral movement path risk to sensitive entities"
    recommendation can lead to protecting sensitive accounts against Pass-the-Hash
    and Pass-the-Ticket attacks by recommending running the Lateral Movement Paths
    report to understand and identify exactly how attackers could move laterally through
    the monitored network to gain access to privileged identities. Because this is
    a recommendation, its score has been capped at Partial.
  mapping_type: technique_score
  references: []
  related_score: T1550
  score_category: protect
  score_value: partial
- attack_object_id: T1550.003
  attack_object_name: Pass the Ticket
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: This control's "Reduce lateral movement path risk to sensitive entities"
    recommendation can lead to protecting sensitive accounts against Pass-the-Hash
    and Pass-the-Ticket attacks by recommending running the Lateral Movement Paths
    report to understand and identify exactly how attackers could move laterally through
    the monitored network to gain access to privileged identities. Because this is
    a recommendation, its score has been capped at Partial.
  mapping_type: technique_score
  references: []
  related_score: T1550
  score_category: protect
  score_value: partial
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: This control's "Resolve unsecure account attributes" provides recommendations
    that can lead to strengthening how account credentials are stored in Active Directory.
    This control provides recommendations specific to a few types of unsecured credentials
    (reversible and weakly encrypted credentials) while not providing recommendations
    for any other, resulting in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
  - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes
  - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675
  score_category: protect
  score_value: minimal
- attack_object_id: T1552.007
  attack_object_name: Container API
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: This control's "Resolve unsecure account attributes" provides recommendations
    that can lead to strengthening how accounts are stored.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
  - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes
  - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675
  related_score: T1552
  score_category: protect
  score_value: minimal
- attack_object_id: T1558
  attack_object_name: Steal or Forge Kerberos Tickets
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: This control provides recommendations that lead to protections for some
    of the sub-techniques of this technique and therefore its overall protection coverage
    is Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
  - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes
  - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675
  score_category: protect
  score_value: partial
- attack_object_id: T1558.001
  attack_object_name: Golden Ticket
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: This control's "Reduce lateral movement path risk to sensitive entities"
    recommendation can lead to protecting sensitive accounts against Pass-the-Hash
    and Pass-the-Ticket attacks that may ultimately let an adversary obtain the KRBTGT
    account credentials needed to forge a golden ticket.  It recommends running the
    Lateral-Movement-Paths report to understand and identify exactly how attackers can
    move laterally through the monitored network to gain access to privileged identities
    such as the KRBTGT account on the domain controller.  Because this is a
    recommendation, its score has been capped at Partial.
  mapping_type: technique_score
  references: []
  related_score: T1558
  score_category: protect
  score_value: partial
- attack_object_id: T1558.003
  attack_object_name: Kerberoasting
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: This control's "Modify unsecure Kerberos delegations to prevent impersonation"
    recommendation promotes running the "Unsecure Kerberos delegation" report, which
    identifies accounts that have unsecure Kerberos delegation configured.  Unsecure
    delegation exposes the TGTs of accounts that authenticate to the delegating host,
    widening the set of accounts an adversary can impersonate.  Note that this is
    only an indirect mitigation for Kerberoasting, which targets service tickets of
    accounts with SPNs rather than delegated TGTs.  Because this control provides
    a recommendation, its score is capped at Partial.
  mapping_type: technique_score
  references: []
  related_score: T1558
  score_category: protect
  score_value: partial
- attack_object_id: T1558.004
  attack_object_name: AS-REP Roasting
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: "This control's \"Resolve unsecure account attributes\" recommendation\
    \ can lead to detecting Active Directory accounts which do not require Kerberos\
    \ preauthentication.  Preauthentication prevents an attacker from obtaining an\
    \ AS-REP for the account without knowing its password and cracking that reply\
    \ offline.  \nBecause this is a recommendation, its score is capped at Partial."
  mapping_type: technique_score
  references: []
  related_score: T1558
  score_category: protect
  score_value: partial
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: This control's "Turn on sign-in risk policy" and "Turn on user risk policy"
    recommendations promote enabling Microsoft Entra ID Protection (formerly Azure AD
    Identity Protection), which can detect one of the sub-techniques of this technique.
    Because this is a recommendation, the score is capped at Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score
  - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
  - https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes
  - https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675
  score_category: detect
  score_value: partial
- attack_object_id: T1606.002
  attack_object_name: SAML Tokens
  capability_description: Identity Secure Score
  capability_group: entra-id
  capability_id: EID-IDSS-E3
  comments: This control's "Turn on sign-in risk policy" and "Turn on user risk policy"
    recommendations promote enabling Microsoft Entra ID Protection (formerly Azure AD
    Identity Protection), whose risk detections can flag anomalous sign-ins that may
    indicate the use of a forged SAML token.  Because this is a recommendation, the
    score is capped at Partial.
  mapping_type: technique_score
  references: []
  related_score: T1606
  score_category: detect
  score_value: partial
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1055.015
  attack_object_name: ListPlanting
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: Defender's automated investigation and response can potentially detect
    a ListPlanting attack using endpoint scanning capabilities.  Note that the
    references cited here describe the Defender for Office 365 (email) side of AIR;
    endpoint-side detection should be confirmed against the Defender for Endpoint
    documentation before relying on this score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  related_score: T1055
  score_category: detect
  score_value: partial
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  related_score: T1078
  score_category: respond
  score_value: significant
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1114.003
  attack_object_name: Email Forwarding Rule
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.

    The "Turn off external mail forwarding" remediation action directly counters
    adversary-created forwarding rules, which is why this sub-technique scores
    Significant. Note that the action is queued for approval rather than applied
    automatically, so the response depends on the security operations team approving
    it promptly.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  related_score: T1114
  score_category: respond
  score_value: significant
- attack_object_id: T1137
  attack_object_name: Office Application Startup
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.

    The "Block URL (time-of-click)" remediation action stops users from reaching a
    malicious link even after the message has been delivered, which supports the
    Significant response score for this sub-technique. Note that the action is queued
    for approval rather than applied automatically, so the response depends on the
    security operations team approving it promptly.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  related_score: T1204
  score_category: respond
  score_value: significant
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  related_score: T1204
  score_category: respond
  score_value: significant
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1564.008
  attack_object_name: Email Hiding Rules
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  related_score: T1564
  score_category: respond
  score_value: significant
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  related_score: T1566
  score_category: respond
  score_value: significant
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  related_score: T1566
  score_category: respond
  score_value: significant
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1656
  attack_object_name: Impersonation
  capability_description: Automated Investigation and Response
  capability_group: m365-defender
  capability_id: DEF-AIR-E5
  comments: 'Microsoft Defender for Office 365 includes powerful automated investigation
    and response (AIR) capabilities that can save your security operations team time
    and effort. As alerts are triggered, it''s up to your security operations team
    to review, prioritize, and respond to those alerts. Keeping up with the volume
    of incoming alerts can be overwhelming. Automating some of those tasks can help.

    AIR enables your security operations team to operate more efficiently and effectively.
    AIR capabilities include automated investigation processes in response to well-known
    threats that exist today. Appropriate remediation actions await approval, enabling
    your security operations team to respond effectively to detected threats. With
    AIR, your security operations team can focus on higher-priority tasks without
    losing sight of important alerts that are triggered. Examples include: Soft delete
    email messages or clusters, Block URL (time-of-click), Turn off external mail
    forwarding, Turn off delegation, etc.


    Required licenses

    E5 or Microsoft Defender for Office 365 Plan 2 licenses. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide
  score_category: respond
  score_value: significant
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to Command and Scripting Interpreter
    attacks because Incident Response monitors reconnaissance and discovery alerts,
    which monitor for subsequent behavior related to discovery.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to Cloud API attacks because
    Incident Response monitors API activity security alerts, which review cloud
    audit logs to determine whether unauthorized or suspicious commands were executed.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-for-azure-ddos-protection
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1059
  score_category: respond
  score_value: minimal
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to Valid Accounts attacks because
    Incident Response monitors for newly constructed logon behavior that may indicate
    obtained and abused credentials of existing accounts.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1087.004
  attack_object_name: Cloud Account
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to Cloud Account attacks because
    Incident Response monitors the activity of cloud accounts to detect abnormal
    or malicious behavior.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1087
  score_category: respond
  score_value: minimal
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to Account Manipulation attacks
    because Incident Response monitors persistence and privilege escalation alerts,
    which monitor for newly constructed processes indicative of modifying account
    settings.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to Additional Cloud Credential
    attacks because Incident Response monitors persistence and privilege escalation
    alerts, which monitor for unexpected changes to cloud user accounts.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1098
  score_category: respond
  score_value: minimal
- attack_object_id: T1098.002
  attack_object_name: Additional Email Delegate Permissions
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to Additional Email Delegate
    Permission attacks because Incident Response monitors the default alert policies,
    which are built-in policies that help identify Exchange admin permissions
    abuse and account permissions changes.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/alert-policies
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1098
  score_category: respond
  score_value: minimal
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to Additional Cloud Role attacks
    because Incident Response monitors permission alert policies, which collect
    usage logs from cloud administrator accounts to identify unusual activity.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/alert-policies
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1098
  score_category: respond
  score_value: minimal
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to Brute Force attacks due to
    its password spray Incident Response playbook which monitors for many failed authentication
    attempts across various accounts that may result from password spraying attempts.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks
  - https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to Password Guessing attacks
    due to its password spray Incident Response playbook which monitors for many failed
    authentication attempts across various accounts that may result from password
    guessing attempts.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks
  - https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1110
  score_category: respond
  score_value: minimal
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to Password Cracking attacks
    due to its password spray Incident Response playbook which monitors for many failed
    authentication attempts across various accounts that may result from password
    spraying attempts.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks
  - https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1110
  score_category: respond
  score_value: minimal
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to Password Spraying attacks
    due to its password spray Incident Response playbook which monitors for many failed
    authentication attempts across various accounts that may result from password
    spraying attempts.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks
  - https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1110
  score_category: respond
  score_value: minimal
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to Credential Stuffing attacks
    due to its password spray Incident Response playbook which monitors for many failed
    authentication attempts across various accounts that may result from credential
    stuffing attempts.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks
  - https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1110
  score_category: respond
  score_value: minimal
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Create Account attacks through
    Incident Response monitoring for newly executed processes associated with account
    creation.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-for-azure-ddos-protection
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Cloud Account attacks through
    Incident Response monitoring for newly created user accounts, using usage logs
    collected from cloud user and administrator accounts to identify unusual activity
    in the creation of new accounts.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-for-azure-ddos-protection
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1136
  score_category: respond
  score_value: minimal
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Data from Information Repositories
    attacks through Incident Response monitoring for newly created logon sessions and
    unusual logon behavior within Microsoft SharePoint.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Sharepoint attacks through
    Incident Response monitoring for newly created logon sessions and unusual logon
    behavior within Microsoft SharePoint.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1213
  score_category: respond
  score_value: minimal
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Data from Cloud Storage attacks
    through Incident Response monitoring for security alerts that represent unusual
    queries to the cloud provider''s storage service.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1531
  attack_object_name: Account Access Removal
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Account Access Removal attacks
    through Incident Response monitoring for password change security alerts, which
    flag unexpected modifications to user account properties.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts
  - https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-for-azure-ddos-protection
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1538
  attack_object_name: Cloud Service Dashboard
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Cloud Service Dashboard attacks
    through Incident Response monitoring for newly created logon sessions across cloud
    service management consoles; the aggregated alerts let administrators correlate
    security events with login information such as user accounts, IP addresses, and
    login names.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Use Alternate Authentication
    Material attacks through Incident Response monitoring for third-party application
    logs, messaging, and other artifacts that may indicate use of alternate authentication
    material, and for suspicious account behavior across systems that share accounts.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1550.001
  attack_object_name: Application Access Token
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Application Access Token attacks
    through Incident Response monitoring for the use of application access tokens to
    interact with resources or services in ways that do not fit the organization''s
    baseline.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1550
  score_category: respond
  score_value: minimal
- attack_object_id: T1550.004
  attack_object_name: Web Session Cookie
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Web Session Cookie attacks
    through Incident Response monitoring for third-party application logs, messaging,
    and other service artifacts that provide context on user authentication to web
    applications, and for anomalous access to websites and cloud-based applications.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1550
  score_category: respond
  score_value: minimal
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Unsecured Credentials attacks
    through Incident Response monitoring for newly executed processes, suspicious file
    access activity, and application log activity that may indicate malicious attempts
    to access application data.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1552.008
  attack_object_name: Chat Messages
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Chat Messages attacks through
    Incident Response monitoring of application logs for activity that may indicate
    malicious attempts to access application data.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1552
  score_category: respond
  score_value: minimal
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Modify Authentication Process
    attacks through Incident Response monitoring for newly created files, suspicious
    modification of files, and newly created logon sessions across systems that share
    accounts.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Multi-Factor Authentication
    attacks through Incident Response monitoring for logon sessions in which a user
    account authenticated without MFA being required.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1556
  score_category: respond
  score_value: minimal
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Impair Defenses attacks through
    Incident Response monitoring for changes to account settings, newly executed
    processes, and abnormal execution of API functions.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1562.008
  attack_object_name: Disable or Modify Cloud Logs
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Disable or Modify Cloud Logs
    attacks through Incident Response monitoring for changes to account settings and
    for logged API calls that disable logging.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1562
  score_category: respond
  score_value: minimal
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Hide Artifacts attacks through
    Incident Response monitoring for newly created user accounts and files, together
    with contextual data about those accounts and files.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1564.008
  attack_object_name: Email Hiding Rules
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Email Hiding Rules attacks
    through Incident Response monitoring for the creation or modification of suspicious
    inbox rules.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1564
  score_category: respond
  score_value: minimal
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming, so Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft Defender XDR Incident Response responds to Phishing attacks through its
    phishing Incident Response playbook, which covers messaging and other artifacts
    that may indicate phishing messages sent to gain access to victim systems.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-phishing
  - https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1598.003
  attack_object_name: Spearphishing Link
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack. Attacks
    typically employ various techniques against different types of entities, such
    as devices, users, and mailboxes. The result of this is multiple alerts for multiple
    entities in your tenant. Piecing the individual alerts together to gain insight
    into an attack can be challenging and time-consuming. Microsoft Defender XDR automatically
    aggregates the alerts and their associated information into an incident. A typical
    Incident Response workflow in Microsoft Defender XDR begins with a triage action,
    next is the investigate action, and finally is the response action.


    Microsoft 365 Defender Incident Response responds to spearphishing link attacks
    through its phishing Incident Response playbook, which monitors for messages and/or
    other artifacts that may be used to send spearphishing emails containing a malicious
    link in an attempt to gain access to victim systems.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-phishing
  - https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1598
  score_category: respond
  score_value: minimal
- attack_object_id: T1598.004
  attack_object_name: Spearphishing Voice
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to spearphishing voice attacks
    through its phishing Incident Response playbook, which monitors call logs from corporate
    devices to identify patterns of potential voice phishing.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-phishing
  - https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1598
  score_category: respond
  score_value: minimal
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to Forge Web Credentials attacks
    through Incident Response monitoring of credential access alert policies, which
    watch for anomalous authentication activity.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1606.002
  attack_object_name: SAML Tokens
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to SAML Token attacks through
    Incident Response monitoring of credential access alert policies, which watch
    for anomalous authentication activity.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  related_score: T1606
  score_category: respond
  score_value: minimal
- attack_object_id: T1621
  attack_object_name: Multi-Factor Authentication Request Generation
  capability_description: Incident Response
  capability_group: m365-defender
  capability_id: DEF-IR-E5
  comments: 'An incident in Microsoft Defender XDR is a collection of correlated alerts
    and associated data that make up the story of an attack. Microsoft 365 services
    and apps create alerts when they detect a suspicious or malicious event or activity.
    Individual alerts provide valuable clues about a completed or ongoing attack.
    Attacks typically employ various techniques against different types of entities,
    such as devices, users, and mailboxes. The result of this is multiple alerts for
    multiple entities in your tenant. Piecing the individual alerts together to gain
    insight into an attack can be challenging and time-consuming. Microsoft Defender
    XDR automatically aggregates the alerts and their associated information into
    an incident. A typical Incident Response workflow in Microsoft Defender XDR begins
    with a triage action, next is the investigate action, and finally is the response
    action.


    Microsoft 365 Defender Incident Response responds to Multi-Factor Authentication
    Request Generation attacks through Incident Response monitoring of MFA application
    logs for suspicious events.


    License Requirements:

    Microsoft Defender XDR'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
  score_category: respond
  score_value: minimal
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Privileged Access Management
  capability_group: purview
  capability_id: PUR-PAM-E5
  comments: "Microsoft Purview Privileged Access Management allows granular access\
    \ control over privileged admin tasks in Office 365. It can help protect your\
    \ organization from breaches that use existing privileged admin accounts with\
    \ standing access to sensitive data or access to critical configuration settings.\
    \ Privileged access management requires users to request just-in-time access to\
    \ complete elevated and privileged tasks through a highly scoped and time-bounded\
    \ approval workflow. This configuration gives users just-enough-access to perform\
    \ the task at hand, without risking exposure of sensitive data or critical configuration\
    \ settings. When used with Microsoft Entra Privileged Identity Management, these\
    \ two features provide access control with just-in-time access at different scopes\
    \ (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval)).\n\n\
    License requirements: M365\
    \ E5 customers."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/privileged-access-management
  score_category: detect
  score_value: partial
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Privileged Access Management
  capability_group: purview
  capability_id: PUR-PAM-E5
  comments: "Microsoft Purview Privileged Access Management allows granular access\
    \ control over privileged admin tasks in Office 365. It can help protect your\
    \ organization from breaches that use existing privileged admin accounts with\
    \ standing access to sensitive data or access to critical configuration settings.\
    \ Privileged access management requires users to request just-in-time access to\
    \ complete elevated and privileged tasks through a highly scoped and time-bounded\
    \ approval workflow. This configuration gives users just-enough-access to perform\
    \ the task at hand, without risking exposure of sensitive data or critical configuration\
    \ settings. When used with Microsoft Entra Privileged Identity Management, these\
    \ two features provide access control with just-in-time access at different scopes\
    \ (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval)).\n\n\
    License requirements: M365\
    \ E5 customers."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/privileged-access-management
  related_score: T1059
  score_category: detect
  score_value: partial
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Privileged Access Management
  capability_group: purview
  capability_id: PUR-PAM-E5
  comments: "Microsoft Purview Privileged Access Management allows granular access\
    \ control over privileged admin tasks in Office 365. It can help protect your\
    \ organization from breaches that use existing privileged admin accounts with\
    \ standing access to sensitive data or access to critical configuration settings.\
    \ Privileged access management requires users to request just-in-time access to\
    \ complete elevated and privileged tasks through a highly scoped and time-bounded\
    \ approval workflow. This configuration gives users just-enough-access to perform\
    \ the task at hand, without risking exposure of sensitive data or critical configuration\
    \ settings. When used with Microsoft Entra Privileged Identity Management, these\
    \ two features provide access control with just-in-time access at different scopes\
    \ (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval)).\n\n\
    License requirements: M365\
    \ E5 customers."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/privileged-access-management
  score_category: detect
  score_value: partial
- attack_object_id: T1078.001
  attack_object_name: Default Accounts
  capability_description: Privileged Access Management
  capability_group: purview
  capability_id: PUR-PAM-E5
  comments: "Microsoft Purview Privileged Access Management allows granular access\
    \ control over privileged admin tasks in Office 365. It can help protect your\
    \ organization from breaches that use existing privileged admin accounts with\
    \ standing access to sensitive data or access to critical configuration settings.\
    \ Privileged access management requires users to request just-in-time access to\
    \ complete elevated and privileged tasks through a highly scoped and time-bounded\
    \ approval workflow. This configuration gives users just-enough-access to perform\
    \ the task at hand, without risking exposure of sensitive data or critical configuration\
    \ settings. When used with Microsoft Entra Privileged Identity Management, these\
    \ two features provide access control with just-in-time access at different scopes\
    \ (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval)).\n\n\
    License requirements: M365\
    \ E5 customers."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/privileged-access-management
  related_score: T1078
  score_category: detect
  score_value: partial
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Privileged Access Management
  capability_group: purview
  capability_id: PUR-PAM-E5
  comments: "Microsoft Purview Privileged Access Management allows granular access\
    \ control over privileged admin tasks in Office 365. It can help protect your\
    \ organization from breaches that use existing privileged admin accounts with\
    \ standing access to sensitive data or access to critical configuration settings.\
    \ Privileged access management requires users to request just-in-time access to\
    \ complete elevated and privileged tasks through a highly scoped and time-bounded\
    \ approval workflow. This configuration gives users just-enough-access to perform\
    \ the task at hand, without risking exposure of sensitive data or critical configuration\
    \ settings. When used with Microsoft Entra Privileged Identity Management, these\
    \ two features provide access control with just-in-time access at different scopes\
    \ (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval)).\n\n\
    License requirements: M365\
    \ E5 customers."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/privileged-access-management
  score_category: detect
  score_value: partial
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Privileged Access Management
  capability_group: purview
  capability_id: PUR-PAM-E5
  comments: "Microsoft Purview Privileged Access Management allows granular access\
    \ control over privileged admin tasks in Office 365. It can help protect your\
    \ organization from breaches that use existing privileged admin accounts with\
    \ standing access to sensitive data or access to critical configuration settings.\
    \ Privileged access management requires users to request just-in-time access to\
    \ complete elevated and privileged tasks through a highly scoped and time-bounded\
    \ approval workflow. This configuration gives users just-enough-access to perform\
    \ the task at hand, without risking exposure of sensitive data or critical configuration\
    \ settings. When used with Microsoft Entra Privileged Identity Management, these\
    \ two features provide access control with just-in-time access at different scopes\
    \ (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval)).\n\n\
    License requirements: M365\
    \ E5 customers."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/privileged-access-management
  related_score: T1098
  score_category: detect
  score_value: partial
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Privileged Access Management
  capability_group: purview
  capability_id: PUR-PAM-E5
  comments: "Microsoft Purview Privileged Access Management allows granular access\
    \ control over privileged admin tasks in Office 365. It can help protect your\
    \ organization from breaches that use existing privileged admin accounts with\
    \ standing access to sensitive data or access to critical configuration settings.\
    \ Privileged access management requires users to request just-in-time access to\
    \ complete elevated and privileged tasks through a highly scoped and time-bounded\
    \ approval workflow. This configuration gives users just-enough-access to perform\
    \ the task at hand, without risking exposure of sensitive data or critical configuration\
    \ settings. When used with Microsoft Entra Privileged Identity Management, these\
    \ two features provide access control with just-in-time access at different scopes\
    \ (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval)).\n\n\
    License requirements: M365\
    \ E5 customers."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/privileged-access-management
  related_score: T1098
  score_category: detect
  score_value: partial
- attack_object_id: T1133
  attack_object_name: External Remote Services
  capability_description: Privileged Access Management
  capability_group: purview
  capability_id: PUR-PAM-E5
  comments: "Microsoft Purview Privileged Access Management allows granular access\
    \ control over privileged admin tasks in Office 365. It can help protect your\
    \ organization from breaches that use existing privileged admin accounts with\
    \ standing access to sensitive data or access to critical configuration settings.\
    \ Privileged access management requires users to request just-in-time access to\
    \ complete elevated and privileged tasks through a highly scoped and time-bounded\
    \ approval workflow. This configuration gives users just-enough-access to perform\
    \ the task at hand, without risking exposure of sensitive data or critical configuration\
    \ settings. When used with Microsoft Entra Privileged Identity Management, these\
    \ two features provide access control with just-in-time access at different scopes\
    \ (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval)).\n\n\
    License requirements: M365\
    \ E5 customers."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/privileged-access-management
  score_category: detect
  score_value: partial
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Privileged Access Management
  capability_group: purview
  capability_id: PUR-PAM-E5
  comments: "Microsoft Purview Privileged Access Management allows granular access\
    \ control over privileged admin tasks in Office 365. It can help protect your\
    \ organization from breaches that use existing privileged admin accounts with\
    \ standing access to sensitive data or access to critical configuration settings.\
    \ Privileged access management requires users to request just-in-time access to\
    \ complete elevated and privileged tasks through a highly scoped and time-bounded\
    \ approval workflow. This configuration gives users just-enough-access to perform\
    \ the task at hand, without risking exposure of sensitive data or critical configuration\
    \ settings. When used with Microsoft Entra Privileged Identity Management, these\
    \ two features provide access control with just-in-time access at different scopes\
    \ (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval)).\n\n\
    License requirements: M365\
    \ E5 customers."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/privileged-access-management
  score_category: detect
  score_value: partial
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: Privileged Access Management
  capability_group: purview
  capability_id: PUR-PAM-E5
  comments: "Microsoft Purview Privileged Access Management allows granular access\
    \ control over privileged admin tasks in Office 365. It can help protect your\
    \ organization from breaches that use existing privileged admin accounts with\
    \ standing access to sensitive data or access to critical configuration settings.\
    \ Privileged access management requires users to request just-in-time access to\
    \ complete elevated and privileged tasks through a highly scoped and time-bounded\
    \ approval workflow. This configuration gives users just-enough-access to perform\
    \ the task at hand, without risking exposure of sensitive data or critical configuration\
    \ settings. When used with Microsoft Entra Privileged Identity Management, these\
    \ two features provide access control with just-in-time access at different scopes\
    \ (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval)).\n\n\
    License requirements: M365\
    \ E5 customers."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/privileged-access-management
  related_score: T1213
  score_category: detect
  score_value: partial
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Privileged Access Management
  capability_group: purview
  capability_id: PUR-PAM-E5
  comments: "Microsoft Purview Privileged Access Management allows granular access\
    \ control over privileged admin tasks in Office 365. It can help protect your\
    \ organization from breaches that use existing privileged admin accounts with\
    \ standing access to sensitive data or access to critical configuration settings.\
    \ Privileged access management requires users to request just-in-time access to\
    \ complete elevated and privileged tasks through a highly scoped and time-bounded\
    \ approval workflow. This configuration gives users just-enough-access to perform\
    \ the task at hand, without risking exposure of sensitive data or critical configuration\
    \ settings. When used with Microsoft Entra Privileged Identity Management, these\
    \ two features provide access control with just-in-time access at different scopes\
    \ (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval)).\n\n\
    License requirements: M365\
    \ E5 customers."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/privileged-access-management
  score_category: detect
  score_value: partial
- attack_object_id: T1586.003
  attack_object_name: Cloud Accounts
  capability_description: Privileged Access Management
  capability_group: purview
  capability_id: PUR-PAM-E5
  comments: "Microsoft Purview Privileged Access Management allows granular access\
    \ control over privileged admin tasks in Office 365. It can help protect your\
    \ organization from breaches that use existing privileged admin accounts with\
    \ standing access to sensitive data or access to critical configuration settings.\
    \ Privileged access management requires users to request just-in-time access to\
    \ complete elevated and privileged tasks through a highly scoped and time-bounded\
    \ approval workflow. This configuration gives users just-enough-access to perform\
    \ the task at hand, without risking exposure of sensitive data or critical configuration\
    \ settings. When used with Microsoft Entra Privileged Identity Management, these\
    \ two features provide access control with just-in-time access at different scopes\
    \ (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval)).\n\n\
    License requirements: M365\
    \ E5 customers."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/privileged-access-management
  related_score: T1586
  score_category: detect
  score_value: partial
- attack_object_id: T1651
  attack_object_name: Cloud Administration Command
  capability_description: Privileged Access Management
  capability_group: purview
  capability_id: PUR-PAM-E5
  comments: "Microsoft Purview Privileged Access Management allows granular access\
    \ control over privileged admin tasks in Office 365. It can help protect your\
    \ organization from breaches that use existing privileged admin accounts with\
    \ standing access to sensitive data or access to critical configuration settings.\
    \ Privileged access management requires users to request just-in-time access to\
    \ complete elevated and privileged tasks through a highly scoped and time-bounded\
    \ approval workflow. This configuration gives users just-enough-access to perform\
    \ the task at hand, without risking exposure of sensitive data or critical configuration\
    \ settings. When used with Microsoft Entra Privileged Identity Management, these\
    \ two features provide access control with just-in-time access at different scopes\
    \ (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval)).\n\n\
    License requirements: M365\
    \ E5 customers."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/privileged-access-management
  score_category: detect
  score_value: partial
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: Using Role-Based Access Control to create a zero-trust environment can
    ensure that only accounts explicitly granted access to API tools can use them.
    This prevents unauthorized use and potential exploitation/misuse.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1059
  score_category: protect
  score_value: significant
- attack_object_id: T1059
  attack_object_name: Command and Scripting Interpreter
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to partially protect against the abuse of\
    \ Cloud APIs but does not provide protection against this technique's other sub-techniques\
    \ or other example procedures. Due to its Minimal coverage score, it receives\
    \ a score of minimal. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  score_category: protect
  score_value: minimal
- attack_object_id: T1059.009
  attack_object_name: Cloud API
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ to limit the API functionality that administrative accounts can use. This scores Partial\
    \ for its ability to minimize the actions these accounts can perform. \n\n\nLicense\
    \ Requirements: \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1059
  score_category: protect
  score_value: partial
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ for account management, reducing the potential actions that can be taken with\
    \ Valid Default and Cloud Accounts. Although RBAC can limit the actions the adversary\
    \ can take if a Valid Account has been compromised, it does not protect against\
    \ different variations of the technique's procedure. Due to overall Minimal coverage,\
    \ it receives an overall score of Minimal. \n\n\nLicense Requirements: \nME-ID\
    \ Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  score_category: protect
  score_value: minimal
- attack_object_id: T1078.001
  attack_object_name: Default Accounts
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ for account management, reducing the available actions an adversary can perform\
    \ with a default account. This scores Partial for its ability to minimize the\
    \ overall accounts with management privileges.  \n\n\nLicense Requirements: \n\
    ME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1078
  score_category: protect
  score_value: partial
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ for account management, reducing the available actions an adversary can perform\
    \ with a cloud account. This scores Partial for its ability to minimize the overall\
    \ accounts with management privileges.  \n\n\nLicense Requirements: \nME-ID Built-in\
    \ Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1078
  score_category: protect
  score_value: partial
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to partially protect against Cloud Account\
    \ Discovery, but does not provide protection against this technique's other sub-techniques\
    \ or example procedures. Due to its Minimal coverage score, it receives an overall\
    \ score of minimal. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  score_category: protect
  score_value: minimal
- attack_object_id: T1087.004
  attack_object_name: Cloud Account
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ for account management, limiting the accounts that can be used to perform account\
    \ discovery. This scores Partial for its ability to minimize the overall accounts\
    \ with these role privileges.  \n\nLicense Requirements: \nME-ID Built-in Roles\
    \ (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1087
  score_category: protect
  score_value: partial
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can generally be used to implement the principle of\
    \ least privilege to limit the number of accounts with management capabilities.\
    \ This has Partial coverage of Account Manipulation sub-techniques, resulting\
    \ in an overall score of Partial. \n\nLicense Requirements: \nME-ID Built-in Roles\
    \ (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ for account management in order to limit the number of accounts with the ability\
    \ to add additional cloud credentials.  This receives a score of Partial for its\
    \ ability to minimize known accounts with the ability to add credentials.\n\n\
    License Requirements: \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1098
  score_category: protect
  score_value: partial
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ for account management in order to limit the number of accounts with the ability\
    \ to add additional cloud roles. This receives a score of Partial for its ability\
    \ to minimize known accounts with the ability to add roles. \n\nLicense Requirements:\
    \ \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1098
  score_category: protect
  score_value: partial
- attack_object_id: T1127.002
  attack_object_name: ClickOnce
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: Incorporating Role-Based Access Control can help to ensure that only those
    who need to use ClickOnce applications may do so, protecting against the threat
    of misuse.
  mapping_type: technique_score
  references: []
  related_score: T1127
  score_category: protect
  score_value: partial
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can generally be used to implement the principle of\
    \ least privilege to protect against account creation. For the given product space,\
    \ this control helps protect only against Cloud Account creation, and against\
    \ none of this technique\u2019s other sub-techniques or procedures. Due to overall\
    \ Minimal coverage, it receives an overall score of Minimal. \n\n\nLicense Requirements:\
    \ \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  score_category: protect
  score_value: minimal
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ for account management in order to limit the number of accounts that can create\
    \ new accounts. This receives a score of Partial for its ability to minimize known\
    \ accounts with the ability to create new accounts. \n\n\nLicense Requirements:\
    \ \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1136
  score_category: protect
  score_value: partial
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ to properly manage accounts and permissions of parties in trusted relationships.\
    \ This scores Partial for its ability to minimize the potential for abuse by the\
    \ party, or by an adversary if the party is compromised. \n\nLicense Requirements:\
    \ \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1213
  attack_object_name: Data from Information Repositories
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can generally be used to protect against and limit adversary\
    \ access to valuable information repositories. Although it does not have full\
    \ coverage of this technique's sub-techniques, it also helps protect against Procedure\
    \ examples, resulting in an overall score of Partial. \n\nLicense Requirements:\
    \ \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ for access to SharePoint repositories to only those required for an account.\
    \ This scores Partial for its ability to minimize the attack surface of accounts\
    \ with access to potentially valuable information.   \n\nLicense Requirements:\
    \ \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1213
  score_category: protect
  score_value: partial
- attack_object_id: T1213.003
  attack_object_name: Code Repositories
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ for access to SharePoint repositories to only those required for an account.\
    \ This scores Partial for its ability to minimize the attack surface of accounts\
    \ with access to potentially valuable information.   \n\nLicense Requirements:\
    \ \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1213
  score_category: protect
  score_value: partial
- attack_object_id: T1213.004
  attack_object_name: Customer Relationship Management Software
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ for access to SharePoint repositories to only those required for an account.\
    \ This scores Partial for its ability to minimize the attack surface of accounts\
    \ with access to potentially valuable information.   \n\nLicense Requirements:\
    \ \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1213
  score_category: protect
  score_value: partial
- attack_object_id: T1216.002
  attack_object_name: SyncAppvPublishingServer
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ for access to SharePoint repositories to only those required for an account.\
    \ This scores Partial for its ability to minimize the attack surface of accounts\
    \ with access to potentially valuable information.   \n\nLicense Requirements:\
    \ \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1216
  score_category: protect
  score_value: partial
- attack_object_id: T1484
  attack_object_name: Domain or Tenant Policy Modification
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ to limit administrative accounts. This scores Partial for its ability to minimize\
    \ the overall accounts that can modify domain policies. \n\nLicense Requirements:\
    \ \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/concept-understand-roles
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1484.002
  attack_object_name: Trust Modification
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ to limit accounts with the access to domain trusts. This scores Partial for\
    \ its ability to minimize the overall accounts with these privileges.  \n\n\n\
    License Requirements: \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/concept-understand-roles
  - https://learn.microsoft.com/en-us/defender-cloud-apps/manage-admins
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1484
  score_category: protect
  score_value: partial
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege,\
    \ limiting accounts with access to application tokens. This receives a score of\
    \ Partial for its ability to minimize the attack surface of accounts with this\
    \ ability. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ for cloud data storage access to only those required. This scores Partial for\
    \ its ability to minimize the attack surface of accounts with storage solution\
    \ access.   \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1538
  attack_object_name: Cloud Service Dashboard
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege,\
    \ limiting dashboard visibility to necessary accounts. This receives a score of\
    \ Partial for its ability to minimize the discovery value a dashboard may have\
    \ in the event of a compromised account. \n\nLicense Requirements: \nME-ID Built-in\
    \ Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1548.005
  attack_object_name: Temporary Elevated Cloud Access
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ to limit the privileges that cloud accounts can assume, create, or impersonate\
    \ to only those required. This scores Minimal for its ability to protect against\
    \ the actions temporary elevated accounts can take. \n\nLicense Requirements:\
    \ \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1548
  score_category: protect
  score_value: minimal
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to limit the cloud accounts that hold privileges\
    \ relevant to modifying the authentication process, but does not provide protection\
    \ against this technique's other sub-techniques or example procedures. Due to its\
    \ Minimal coverage score, it receives a score of minimal. \n\nLicense Requirements:\
    \ \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  score_category: protect
  score_value: minimal
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ to limit account management control of MFA. This scores Partial for its ability\
    \ to minimize overall accounts with the ability to change or disable MFA. \n\n\
    \nLicense Requirements: \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1556
  score_category: protect
  score_value: partial
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ to limit Global Administrator accounts, and ensure these accounts are cloud-only.\
    \ This scores Partial for its ability to minimize hybrid accounts with administrative\
    \ privileges.  \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1556
  score_category: protect
  score_value: partial
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to partially protect against the ability\
    \ to Disable or Modify Cloud Logs, but has minimal coverage against this technique's\
    \ other sub-techniques and example procedures. Due to its Minimal coverage score,\
    \ it receives an overall score of minimal. \n\n\nLicense Requirements: \nME-ID\
    \ Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  score_category: protect
  score_value: minimal
- attack_object_id: T1562.008
  attack_object_name: Disable or Modify Cloud Logs
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ to limit users with permission to modify logging policies to those required.\
    \ This scores Partial for its ability to minimize the overall accounts with the\
    \ ability to modify cloud logging capabilities. \n\nLicense Requirements: \nME-ID\
    \ Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1562
  score_category: protect
  score_value: partial
- attack_object_id: T1648
  attack_object_name: Serverless Execution
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ to limit accounts with permissions for serverless services to those required.\
    \ This scores Partial for its ability to minimize the overall accounts with this\
    \ ability. \n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1651
  attack_object_name: Cloud Administration Command
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: "The RBAC control can be used to implement the principle of least privilege\
    \ for account management, limiting the number of Global and Intune administrators\
    \ to those required. This scores Partial for its ability to minimize the overall\
    \ accounts with associated privileges.   \n\n\nLicense Requirements: \nME-ID Built-in\
    \ Roles (Free) "
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  score_category: protect
  score_value: partial
- attack_object_id: T1480.002
  attack_object_name: Mutual Exclusion
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: Implementing Role-Based Access Control will help prevent access to sensitive
    resources, ensuring only those with the proper authorization can use them.
  mapping_type: technique_score
  references: []
  related_score: T1480
  score_category: protect
  score_value: partial
- attack_object_id: T1546.016
  attack_object_name: Installer Packages
  capability_description: Role Based Access Control
  capability_group: entra-id
  capability_id: EID-RBAC-E3
  comments: The RBAC control can be used to implement the principle of least privilege
    to limit the ability of accounts to utilize installer packages, reserving the
    ability to install software to those with higher privileges.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview
  related_score: T1546
  score_category: protect
  score_value: partial
- attack_object_id: T1059.010
  attack_object_name: AutoHotKey & AutoIT
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: Defender's Advanced Threat Hunting can potentially detect if AutoHotKey
    and AutoIT are being misused or behaving in a way that is unexpected, alerting
    administrators to an issue and allowing for remediation/preventing extensive damage.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  related_score: T1059
  score_category: detect
  score_value: partial
- attack_object_id: T1059.011
  attack_object_name: Lua
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: Defender's Advanced Threat Hunting can protect against various types of
    malware, including those that exploit Lua scripts, by analyzing the behavioral
    characteristics of the program.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  related_score: T1059
  score_category: protect
  score_value: partial
- attack_object_id: T1027.014
  attack_object_name: Polymorphic Code
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: Defender's advanced threat hunting capabilities can potentially detect
    suspicious or changing behaviors in programs, which can be indicative of polymorphic
    code.
  mapping_type: technique_score
  references: []
  related_score: T1027
  score_category: detect
  score_value: partial
- attack_object_id: T1027.014
  attack_object_name: Polymorphic Code
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: Defender's Advanced Threat Hunting can use Machine Learning models to
    identify malicious behavior, even if the code is polymorphic and attempts to disguise
    itself.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  related_score: T1027
  score_category: protect
  score_value: partial
- attack_object_id: T1036.009
  attack_object_name: Break Process Trees
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: Behavior-based machine learning techniques may be able to detect the presence
    of malware, even if the parent-child process tree is broken, by analyzing the
    program's behavior.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  related_score: T1036
  score_category: protect
  score_value: partial
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore\
    \ up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows\
    \ you to proactively hunt for threats across: Devices managed by Microsoft Defender\
    \ for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication\
    \ events, and domain controller activities. With this level of visibility, you\
    \ can quickly hunt for threats that traverse sections of your network, including\
    \ sophisticated intrusions that arrive on email or the web, elevate local privileges,\
    \ acquire privileged domain credentials, and move laterally across your devices.\
    \ Advanced hunting supports two modes, guided and advanced. Users use advanced\
    \ mode if they are comfortable using Kusto Query Language (KQL) to create queries\
    \ from scratch.\n\nAdvanced Threat Hunting Detects Exfiltration Over Alternative\
    \ Protocol attacks due to the DeviceNetworkEvents table in the advanced hunting\
    \ schema which contains information about network connections and related events\
    \ which monitors for newly constructed network connections.\n\nLicense Requirements:\
    \ \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender\
    \ for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore\
    \ up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows\
    \ you to proactively hunt for threats across: Devices managed by Microsoft Defender\
    \ for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication\
    \ events, and domain controller activities. With this level of visibility, you\
    \ can quickly hunt for threats that traverse sections of your network, including\
    \ sophisticated intrusions that arrive on email or the web, elevate local privileges,\
    \ acquire privileged domain credentials, and move laterally across your devices.\
    \ Advanced hunting supports two modes, guided and advanced. Users use advanced\
    \ mode if they are comfortable using Kusto Query Language (KQL) to create queries\
    \ from scratch.\n\nAdvanced Threat Hunting Detects Valid Account attacks due to\
    \ the IdentityLogonEvents table in the advanced hunting schema which contains\
    \ information about all authentication activities related to Microsoft online\
    \ services captured by Microsoft Defender for Cloud Apps which monitors for newly\
    \ constructed logon behavior.\n\nLicense Requirements: \nMicrosoft Defender XDR,\
    \ Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore
    up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to
    proactively hunt for threats across: devices managed by Microsoft Defender for
    Endpoint, emails processed by Microsoft 365, cloud app activities, authentication
    events, and domain controller activities. With this level of visibility, you can
    quickly hunt for threats that traverse sections of your network, including
    sophisticated intrusions that arrive on email or the web, elevate local privileges,
    acquire privileged domain credentials, and move laterally across your devices.
    Advanced hunting supports two modes, guided and advanced; advanced mode is for users
    comfortable writing Kusto Query Language (KQL) queries from scratch. Because hunting
    is query-driven, coverage depends on an analyst authoring and running the appropriate
    queries, and only the most recent 30 days of data can be searched.\n\nAdvanced hunting
    can detect Cloud Accounts activity through the IdentityLogonEvents table in the
    advanced hunting schema, which contains information about authentication activities
    related to Microsoft online services captured by Microsoft Defender for Cloud Apps.
    Queries against this table can surface suspicious or first-seen logons to cloud
    accounts.\n\nLicense Requirements:\nMicrosoft Defender XDR, Microsoft Defender for
    Cloud Apps, Microsoft Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  related_score: T1078
  score_category: detect
  score_value: significant
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore
    up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to
    proactively hunt for threats across: devices managed by Microsoft Defender for
    Endpoint, emails processed by Microsoft 365, cloud app activities, authentication
    events, and domain controller activities. With this level of visibility, you can
    quickly hunt for threats that traverse sections of your network, including
    sophisticated intrusions that arrive on email or the web, elevate local privileges,
    acquire privileged domain credentials, and move laterally across your devices.
    Advanced hunting supports two modes, guided and advanced; advanced mode is for users
    comfortable writing Kusto Query Language (KQL) queries from scratch. Because hunting
    is query-driven, coverage depends on an analyst authoring and running the appropriate
    queries, and only the most recent 30 days of data can be searched.\n\nAdvanced hunting
    can detect Account Discovery activity through the DeviceProcessEvents table in the
    advanced hunting schema, which contains information about process creation and
    related events. Queries against this table can surface execution of processes and
    command lines commonly used to enumerate user accounts and groups. Note that this
    table only covers devices onboarded to Microsoft Defender for Endpoint; enumeration
    run from unmanaged hosts is not visible here.\n\nLicense Requirements:\nMicrosoft
    Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365
    plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1087.004
  attack_object_name: Cloud Account
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore
    up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to
    proactively hunt for threats across: devices managed by Microsoft Defender for
    Endpoint, emails processed by Microsoft 365, cloud app activities, authentication
    events, and domain controller activities. With this level of visibility, you can
    quickly hunt for threats that traverse sections of your network, including
    sophisticated intrusions that arrive on email or the web, elevate local privileges,
    acquire privileged domain credentials, and move laterally across your devices.
    Advanced hunting supports two modes, guided and advanced; advanced mode is for users
    comfortable writing Kusto Query Language (KQL) queries from scratch. Because hunting
    is query-driven, coverage depends on an analyst authoring and running the appropriate
    queries, and only the most recent 30 days of data can be searched.\n\nAdvanced hunting
    can detect Cloud Account discovery through the DeviceProcessEvents table in the
    advanced hunting schema, which contains information about process creation and
    related events. Queries against this table can surface tooling executed on an
    onboarded endpoint to gather information about cloud accounts. Note that cloud
    account enumeration issued directly against cloud APIs from an unmanaged host does
    not produce process events and is not visible in this table.\n\nLicense
    Requirements:\nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft
    Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  related_score: T1087
  score_category: detect
  score_value: significant
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore
    up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to
    proactively hunt for threats across: devices managed by Microsoft Defender for
    Endpoint, emails processed by Microsoft 365, cloud app activities, authentication
    events, and domain controller activities. With this level of visibility, you can
    quickly hunt for threats that traverse sections of your network, including
    sophisticated intrusions that arrive on email or the web, elevate local privileges,
    acquire privileged domain credentials, and move laterally across your devices.
    Advanced hunting supports two modes, guided and advanced; advanced mode is for users
    comfortable writing Kusto Query Language (KQL) queries from scratch. Because hunting
    is query-driven, coverage depends on an analyst authoring and running the appropriate
    queries, and only the most recent 30 days of data can be searched.\n\nAdvanced hunting
    can detect Brute Force activity through the IdentityLogonEvents table in the
    advanced hunting schema, which contains information about authentication activities
    related to Microsoft online services captured by Microsoft Defender for Cloud Apps.
    Queries against this table can surface patterns of failed logons, such as many
    failures against a single account or failures across many accounts from one source,
    that indicate brute-force attempts against valid accounts.\n\nLicense
    Requirements:\nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft
    Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore
    up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to
    proactively hunt for threats across: devices managed by Microsoft Defender for
    Endpoint, emails processed by Microsoft 365, cloud app activities, authentication
    events, and domain controller activities. With this level of visibility, you can
    quickly hunt for threats that traverse sections of your network, including
    sophisticated intrusions that arrive on email or the web, elevate local privileges,
    acquire privileged domain credentials, and move laterally across your devices.
    Advanced hunting supports two modes, guided and advanced; advanced mode is for users
    comfortable writing Kusto Query Language (KQL) queries from scratch. Because hunting
    is query-driven, coverage depends on an analyst authoring and running the appropriate
    queries, and only the most recent 30 days of data can be searched.\n\nAdvanced hunting
    can detect Password Guessing activity through the IdentityLogonEvents table in the
    advanced hunting schema, which contains information about authentication activities
    related to Microsoft online services captured by Microsoft Defender for Cloud Apps.
    Queries against this table can surface repeated failed logons against an account,
    which indicate password guessing attempts against valid accounts.\n\nLicense
    Requirements:\nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft
    Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  related_score: T1110
  score_category: detect
  score_value: significant
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore
    up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to
    proactively hunt for threats across: devices managed by Microsoft Defender for
    Endpoint, emails processed by Microsoft 365, cloud app activities, authentication
    events, and domain controller activities. With this level of visibility, you can
    quickly hunt for threats that traverse sections of your network, including
    sophisticated intrusions that arrive on email or the web, elevate local privileges,
    acquire privileged domain credentials, and move laterally across your devices.
    Advanced hunting supports two modes, guided and advanced; advanced mode is for users
    comfortable writing Kusto Query Language (KQL) queries from scratch. Because hunting
    is query-driven, coverage depends on an analyst authoring and running the appropriate
    queries, and only the most recent 30 days of data can be searched.\n\nAdvanced hunting
    can detect Password Cracking activity through the IdentityLogonEvents table in the
    advanced hunting schema, which contains information about authentication activities
    related to Microsoft online services captured by Microsoft Defender for Cloud Apps.
    Note that password cracking is performed offline against previously obtained
    credential material and does not itself generate authentication events; this table
    can only surface the subsequent use of a cracked credential (for example, a
    successful logon that is new for the account), not the cracking activity.\n\nLicense
    Requirements:\nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft
    Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  related_score: T1110
  score_category: detect
  score_value: significant
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore
    up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to
    proactively hunt for threats across: devices managed by Microsoft Defender for
    Endpoint, emails processed by Microsoft 365, cloud app activities, authentication
    events, and domain controller activities. With this level of visibility, you can
    quickly hunt for threats that traverse sections of your network, including
    sophisticated intrusions that arrive on email or the web, elevate local privileges,
    acquire privileged domain credentials, and move laterally across your devices.
    Advanced hunting supports two modes, guided and advanced; advanced mode is for users
    comfortable writing Kusto Query Language (KQL) queries from scratch. Because hunting
    is query-driven, coverage depends on an analyst authoring and running the appropriate
    queries, and only the most recent 30 days of data can be searched.\n\nAdvanced hunting
    can detect Password Spraying activity through the IdentityLogonEvents table in the
    advanced hunting schema, which contains information about authentication activities
    related to Microsoft online services captured by Microsoft Defender for Cloud Apps.
    Queries against this table can surface a small number of failed logons spread across
    many accounts from the same source in a short window, the pattern characteristic of
    password spraying against valid accounts.\n\nLicense Requirements:\nMicrosoft
    Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365
    plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  related_score: T1110
  score_category: detect
  score_value: significant
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore
    up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to
    proactively hunt for threats across: devices managed by Microsoft Defender for
    Endpoint, emails processed by Microsoft 365, cloud app activities, authentication
    events, and domain controller activities. With this level of visibility, you can
    quickly hunt for threats that traverse sections of your network, including
    sophisticated intrusions that arrive on email or the web, elevate local privileges,
    acquire privileged domain credentials, and move laterally across your devices.
    Advanced hunting supports two modes, guided and advanced; advanced mode is for users
    comfortable writing Kusto Query Language (KQL) queries from scratch. Because hunting
    is query-driven, coverage depends on an analyst authoring and running the appropriate
    queries, and only the most recent 30 days of data can be searched.\n\nAdvanced hunting
    can detect Credential Stuffing activity through the IdentityLogonEvents table in the
    advanced hunting schema, which contains information about authentication activities
    related to Microsoft online services captured by Microsoft Defender for Cloud Apps.
    Queries against this table can surface bursts of failed logons across many accounts,
    typically from a common source, that indicate credential stuffing against valid
    accounts.\n\nLicense Requirements:\nMicrosoft Defender XDR, Microsoft Defender for
    Cloud Apps, Microsoft Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  related_score: T1110
  score_category: detect
  score_value: significant
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore
    up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to
    proactively hunt for threats across: devices managed by Microsoft Defender for
    Endpoint, emails processed by Microsoft 365, cloud app activities, authentication
    events, and domain controller activities. With this level of visibility, you can
    quickly hunt for threats that traverse sections of your network, including
    sophisticated intrusions that arrive on email or the web, elevate local privileges,
    acquire privileged domain credentials, and move laterally across your devices.
    Advanced hunting supports two modes, guided and advanced; advanced mode is for users
    comfortable writing Kusto Query Language (KQL) queries from scratch. Because hunting
    is query-driven, coverage depends on an analyst authoring and running the appropriate
    queries, and only the most recent 30 days of data can be searched.\n\nAdvanced hunting
    can detect Email Collection activity through the IdentityLogonEvents table in the
    advanced hunting schema, which contains information about authentication activities
    related to Microsoft online services captured by Microsoft Defender for Cloud Apps.
    Queries against this table can surface unusual logon activity from unknown or
    abnormal locations, especially for privileged accounts. Note that this table records
    authentication, not mailbox access; it surfaces the suspicious logon that precedes
    collection rather than the collection itself.\n\nLicense Requirements:\nMicrosoft
    Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365
    plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore
    up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to
    proactively hunt for threats across: devices managed by Microsoft Defender for
    Endpoint, emails processed by Microsoft 365, cloud app activities, authentication
    events, and domain controller activities. With this level of visibility, you can
    quickly hunt for threats that traverse sections of your network, including
    sophisticated intrusions that arrive on email or the web, elevate local privileges,
    acquire privileged domain credentials, and move laterally across your devices.
    Advanced hunting supports two modes, guided and advanced; advanced mode is for users
    comfortable writing Kusto Query Language (KQL) queries from scratch. Because hunting
    is query-driven, coverage depends on an analyst authoring and running the appropriate
    queries, and only the most recent 30 days of data can be searched.\n\nAdvanced hunting
    can detect Remote Email Collection activity through the IdentityLogonEvents table in
    the advanced hunting schema, which contains information about authentication
    activities related to Microsoft online services captured by Microsoft Defender for
    Cloud Apps. Queries against this table can surface unusual logon activity from
    unknown or abnormal locations, especially for privileged accounts. Note that this
    table records authentication, not mailbox access; it surfaces the suspicious remote
    logon that precedes collection rather than the collection itself.\n\nLicense
    Requirements:\nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft
    Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  related_score: T1114
  score_category: detect
  score_value: significant
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore
    up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to
    proactively hunt for threats across: devices managed by Microsoft Defender for
    Endpoint, emails processed by Microsoft 365, cloud app activities, authentication
    events, and domain controller activities. With this level of visibility, you can
    quickly hunt for threats that traverse sections of your network, including
    sophisticated intrusions that arrive on email or the web, elevate local privileges,
    acquire privileged domain credentials, and move laterally across your devices.
    Advanced hunting supports two modes, guided and advanced; advanced mode is for users
    comfortable writing Kusto Query Language (KQL) queries from scratch. Because hunting
    is query-driven, coverage depends on an analyst authoring and running the appropriate
    queries, and only the most recent 30 days of data can be searched.\n\nAdvanced hunting
    can detect Drive-by Compromise activity through the UrlClickEvents table in the
    advanced hunting schema, which contains information about Safe Links clicks from
    email messages, Microsoft Teams, and Office 365 apps. Queries against this table can
    inspect clicked URLs for known-bad domains or suspicious parameters. Note that only
    clicks that pass through Safe Links are recorded; URLs reached by browsing directly
    or from channels not protected by Safe Links are not visible in this table, so
    coverage is partial.\n\nLicense Requirements:\nMicrosoft Defender XDR, Microsoft
    Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-urlclickevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: partial
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore
    up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to
    proactively hunt for threats across: devices managed by Microsoft Defender for
    Endpoint, emails processed by Microsoft 365, cloud app activities, authentication
    events, and domain controller activities. With this level of visibility, you can
    quickly hunt for threats that traverse sections of your network, including
    sophisticated intrusions that arrive on email or the web, elevate local privileges,
    acquire privileged domain credentials, and move laterally across your devices.
    Advanced hunting supports two modes, guided and advanced; advanced mode is for users
    comfortable writing Kusto Query Language (KQL) queries from scratch. Because hunting
    is query-driven, coverage depends on an analyst authoring and running the appropriate
    queries, and only the most recent 30 days of data can be searched.\n\nAdvanced hunting
    can detect Trusted Relationship abuse through the IdentityLogonEvents table in the
    advanced hunting schema, which contains information about authentication activities
    related to Microsoft online services captured by Microsoft Defender for Cloud Apps.
    Queries against this table can surface new or unusual logon behavior by accounts
    belonging to trusted third parties.\n\nLicense Requirements:\nMicrosoft Defender XDR,
    Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore
    up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to
    proactively hunt for threats across: devices managed by Microsoft Defender for
    Endpoint, emails processed by Microsoft 365, cloud app activities, authentication
    events, and domain controller activities. With this level of visibility, you can
    quickly hunt for threats that traverse sections of your network, including
    sophisticated intrusions that arrive on email or the web, elevate local privileges,
    acquire privileged domain credentials, and move laterally across your devices.
    Advanced hunting supports two modes, guided and advanced; advanced mode is for users
    comfortable writing Kusto Query Language (KQL) queries from scratch. Because hunting
    is query-driven, coverage depends on an analyst authoring and running the appropriate
    queries, and only the most recent 30 days of data can be searched.\n\nAdvanced hunting
    can detect Internal Spearphishing activity through the DeviceNetworkEvents table in
    the advanced hunting schema, which contains information about network connections and
    related events from devices onboarded to Microsoft Defender for Endpoint. Queries
    against this table can surface uncommon data flows.\n\nLicense
    Requirements:\nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft
    Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1538
  attack_object_name: Cloud Service Dashboard
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore
    up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to
    proactively hunt for threats across: devices managed by Microsoft Defender for
    Endpoint, emails processed by Microsoft 365, cloud app activities, authentication
    events, and domain controller activities. With this level of visibility, you can
    quickly hunt for threats that traverse sections of your network, including
    sophisticated intrusions that arrive on email or the web, elevate local privileges,
    acquire privileged domain credentials, and move laterally across your devices.
    Advanced hunting supports two modes, guided and advanced; advanced mode is for users
    comfortable writing Kusto Query Language (KQL) queries from scratch. Because hunting
    is query-driven, coverage depends on an analyst authoring and running the appropriate
    queries, and only the most recent 30 days of data can be searched.\n\nAdvanced hunting
    can detect Cloud Service Dashboard activity through the IdentityInfo and
    IdentityLogonEvents tables in the advanced hunting schema, which contain,
    respectively, information about user accounts obtained from various services,
    including Microsoft Entra ID, and information about authentication activities related
    to Microsoft online services captured by Microsoft Defender for Cloud Apps. Joining
    the two lets an analyst tie dashboard logons to the account's role and
    attributes.\n\nLicense Requirements:\nMicrosoft Defender XDR, Microsoft Defender for
    Cloud Apps, Microsoft Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identityinfo-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore\
    \ up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows\
    \ you to proactively hunt for threats across: Devices managed by Microsoft Defender\
    \ for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication\
    \ events, and domain controller activities. With this level of visibility, you\
    \ can quickly hunt for threats that traverse sections of your network, including\
    \ sophisticated intrusions that arrive on email or the web, elevate local privileges,\
    \ acquire privileged domain credentials, and move laterally across your devices.\
    \ Advanced hunting supports two modes, guided and advanced. Users use advanced\
    \ mode if they are comfortable using Kusto Query Language (KQL) to create queries\
    \ from scratch.\n\nAdvanced Threat Hunting Detects Event-Triggered Execution attacks\
    \ due to the DeviceFileEvents table in the advanced hunting schema which contains\
    \ information about file creation, modification, and other file events.\n\nLicense\
    \ Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, \
    \ Microsoft Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicefileevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore\
    \ up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows\
    \ you to proactively hunt for threats across: Devices managed by Microsoft Defender\
    \ for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication\
    \ events, and domain controller activities. With this level of visibility, you\
    \ can quickly hunt for threats that traverse sections of your network, including\
    \ sophisticated intrusions that arrive on email or the web, elevate local privileges,\
    \ acquire privileged domain credentials, and move laterally across your devices.\
    \ Advanced hunting supports two modes, guided and advanced. Users use advanced\
    \ mode if they are comfortable using Kusto Query Language (KQL) to create queries\
    \ from scratch.\n\nAdvanced Threat Hunting Detects Unsecured Credentials attacks\
    \ due to the IdentityLogonEvents table in the advanced hunting schema which contains\
    \ information about all authentication activities related to Microsoft online\
    \ services captured by Microsoft Defender for Cloud Apps.\n\nLicense Requirements:\
    \ \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender\
    \ for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore\
    \ up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows\
    \ you to proactively hunt for threats across: Devices managed by Microsoft Defender\
    \ for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication\
    \ events, and domain controller activities. With this level of visibility, you\
    \ can quickly hunt for threats that traverse sections of your network, including\
    \ sophisticated intrusions that arrive on email or the web, elevate local privileges,\
    \ acquire privileged domain credentials, and move laterally across your devices.\
    \ Advanced hunting supports two modes, guided and advanced. Users use advanced\
    \ mode if they are comfortable using Kusto Query Language (KQL) to create queries\
    \ from scratch.\n\nAdvanced Threat Hunting Detects Modify-Authentication Process\
    \ attacks due to the IdentityLogonEvents table in the advanced hunting schema\
    \ which contains information about all authentication activities related to Microsoft\
    \ online services captured by Microsoft Defender for Cloud Apps.\n\nLicense Requirements:\
    \ \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender\
    \ for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore\
    \ up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows\
    \ you to proactively hunt for threats across: Devices managed by Microsoft Defender\
    \ for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication\
    \ events, and domain controller activities. With this level of visibility, you\
    \ can quickly hunt for threats that traverse sections of your network, including\
    \ sophisticated intrusions that arrive on email or the web, elevate local privileges,\
    \ acquire privileged domain credentials, and move laterally across your devices.\
    \ Advanced hunting supports two modes, guided and advanced. Users use advanced\
    \ mode if they are comfortable using Kusto Query Language (KQL) to create queries\
    \ from scratch.\n\nAdvanced Threat Hunting Detects Multi-Factor Authentication\
    \ attacks due to the IdentityLogonEvents table in the advanced hunting schema\
    \ which contains information about all authentication activities related to Microsoft\
    \ online services captured by Microsoft Defender for Cloud Apps.\n\nLicense Requirements:\
    \ \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender\
    \ for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  related_score: T1556
  score_category: detect
  score_value: significant
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore\
    \ up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows\
    \ you to proactively hunt for threats across: Devices managed by Microsoft Defender\
    \ for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication\
    \ events, and domain controller activities. With this level of visibility, you\
    \ can quickly hunt for threats that traverse sections of your network, including\
    \ sophisticated intrusions that arrive on email or the web, elevate local privileges,\
    \ acquire privileged domain credentials, and move laterally across your devices.\
    \ Advanced hunting supports two modes, guided and advanced. Users use advanced\
    \ mode if they are comfortable using Kusto Query Language (KQL) to create queries\
    \ from scratch.\n\nAdvanced Threat Hunting Detects Impair Defense attacks due\
    \ to the DeviceNetworkEvents table in the advanced hunting schema, which contains\
    \ information about network connections and related events and can be queried for\
    \ abnormal execution of API functions. \n\nLicense Requirements: \nMicrosoft\
    \ Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office\
    \ 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1562.008
  attack_object_name: Disable or Modify Cloud Logs
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore\
    \ up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows\
    \ you to proactively hunt for threats across: Devices managed by Microsoft Defender\
    \ for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication\
    \ events, and domain controller activities. With this level of visibility, you\
    \ can quickly hunt for threats that traverse sections of your network, including\
    \ sophisticated intrusions that arrive on email or the web, elevate local privileges,\
    \ acquire privileged domain credentials, and move laterally across your devices.\
    \ Advanced hunting supports two modes, guided and advanced. Users use advanced\
    \ mode if they are comfortable using Kusto Query Language (KQL) to create queries\
    \ from scratch.\n\nAdvanced Threat Hunting Detects Disabling or Modifying Cloud\
    \ Log attacks due to the DeviceNetworkEvents table in the advanced hunting schema,\
    \ which contains information about network connections and related events and can\
    \ be queried for API calls that disable logging. \n\nLicense Requirements: \n\
    Microsoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender\
    \ for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  related_score: T1562
  score_category: detect
  score_value: significant
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore\
    \ up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows\
    \ you to proactively hunt for threats across: Devices managed by Microsoft Defender\
    \ for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication\
    \ events, and domain controller activities. With this level of visibility, you\
    \ can quickly hunt for threats that traverse sections of your network, including\
    \ sophisticated intrusions that arrive on email or the web, elevate local privileges,\
    \ acquire privileged domain credentials, and move laterally across your devices.\
    \ Advanced hunting supports two modes, guided and advanced. Users use advanced\
    \ mode if they are comfortable using Kusto Query Language (KQL) to create queries\
    \ from scratch.\n\nAdvanced Threat Hunting Detects Phishing attacks due to the\
    \ DeviceNetworkEvents table in the advanced hunting schema, which contains information\
    \ about network connections and related events and can be queried for abnormal\
    \ execution of API functions and for uncommon data flows in network data.\
    \ \n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud\
    \ Apps,  Microsoft Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore\
    \ up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows\
    \ you to proactively hunt for threats across: Devices managed by Microsoft Defender\
    \ for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication\
    \ events, and domain controller activities. With this level of visibility, you\
    \ can quickly hunt for threats that traverse sections of your network, including\
    \ sophisticated intrusions that arrive on email or the web, elevate local privileges,\
    \ acquire privileged domain credentials, and move laterally across your devices.\
    \ Advanced hunting supports two modes, guided and advanced. Users use advanced\
    \ mode if they are comfortable using Kusto Query Language (KQL) to create queries\
    \ from scratch.\n\nAdvanced Threat Hunting Detects Spearphishing Link attacks\
    \ due to the UrlClickEvents table in the advanced hunting schema which contains\
    \ information about Safe Links clicks from email messages, Microsoft Teams, and\
    \ Office 365 apps which can inspect URLs for potentially known-bad domains or\
    \ parameters.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender\
    \ for Cloud Apps,  Microsoft Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-urlclickevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  related_score: T1566
  score_category: detect
  score_value: significant
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore\
    \ up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows\
    \ you to proactively hunt for threats across: Devices managed by Microsoft Defender\
    \ for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication\
    \ events, and domain controller activities. With this level of visibility, you\
    \ can quickly hunt for threats that traverse sections of your network, including\
    \ sophisticated intrusions that arrive on email or the web, elevate local privileges,\
    \ acquire privileged domain credentials, and move laterally across your devices.\
    \ Advanced hunting supports two modes, guided and advanced. Users use advanced\
    \ mode if they are comfortable using Kusto Query Language (KQL) to create queries\
    \ from scratch.\n\nAdvanced Threat Hunting Detects Exfiltration Over Web Service\
    \ attacks due to the DeviceNetworkEvents table in the advanced hunting schema,\
    \ which contains information about network connections and related events and can\
    \ be queried for newly constructed network connections.\n\nLicense Requirements:\
    \ \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender\
    \ for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1567.004
  attack_object_name: Exfiltration Over Webhook
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore\
    \ up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows\
    \ you to proactively hunt for threats across: Devices managed by Microsoft Defender\
    \ for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication\
    \ events, and domain controller activities. With this level of visibility, you\
    \ can quickly hunt for threats that traverse sections of your network, including\
    \ sophisticated intrusions that arrive on email or the web, elevate local privileges,\
    \ acquire privileged domain credentials, and move laterally across your devices.\
    \ Advanced hunting supports two modes, guided and advanced. Users use advanced\
    \ mode if they are comfortable using Kusto Query Language (KQL) to create queries\
    \ from scratch.\n\nAdvanced Threat Hunting Detects Exfiltration Over Webhook attacks\
    \ due to the DeviceNetworkEvents table in the advanced hunting schema, which contains\
    \ information about network connections and related events and can be queried for\
    \ uncommon data flows in network data.\n\nLicense Requirements: \nMicrosoft Defender\
    \ XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan\
    \ 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  related_score: T1567
  score_category: detect
  score_value: significant
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore\
    \ up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows\
    \ you to proactively hunt for threats across: Devices managed by Microsoft Defender\
    \ for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication\
    \ events, and domain controller activities. With this level of visibility, you\
    \ can quickly hunt for threats that traverse sections of your network, including\
    \ sophisticated intrusions that arrive on email or the web, elevate local privileges,\
    \ acquire privileged domain credentials, and move laterally across your devices.\
    \ Advanced hunting supports two modes, guided and advanced. Users use advanced\
    \ mode if they are comfortable using Kusto Query Language (KQL) to create queries\
    \ from scratch.\n\nAdvanced Threat Hunting Detects Forge Web Credential attacks\
    \ due to the IdentityLogonEvents table in the advanced hunting schema which contains\
    \ information about all authentication activities related to Microsoft online\
    \ services captured by Microsoft Defender for Cloud Apps and can be queried for anomalous\
    \ authentication activity.\n\nLicense Requirements: \nMicrosoft Defender XDR,\
    \ Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1621
  attack_object_name: Multi-Factor Authentication Request Generation
  capability_description: Advanced Threat Hunting
  capability_group: m365-defender
  capability_id: DEF-ATH-E5
  comments: "Advanced hunting is a query-based threat hunting tool that lets you explore\
    \ up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows\
    \ you to proactively hunt for threats across: Devices managed by Microsoft Defender\
    \ for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication\
    \ events, and domain controller activities. With this level of visibility, you\
    \ can quickly hunt for threats that traverse sections of your network, including\
    \ sophisticated intrusions that arrive on email or the web, elevate local privileges,\
    \ acquire privileged domain credentials, and move laterally across your devices.\
    \ Advanced hunting supports two modes, guided and advanced. Users use advanced\
    \ mode if they are comfortable using Kusto Query Language (KQL) to create queries\
    \ from scratch.\n\nAdvanced Threat Hunting Detects Multi-Factor Authentication\
    \ Request Generation attacks due to the IdentityLogonEvents table in the advanced\
    \ hunting schema which contains information about all authentication activities\
    \ related to Microsoft online services captured by Microsoft Defender for Cloud\
    \ Apps.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender\
    \ for Cloud Apps,  Microsoft Defender for Office 365 plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1068
  attack_object_name: Exploitation for Privilege Escalation
  capability_description: Lateral Movements
  capability_group: m365-defender
  capability_id: DEF-LM-E5
  comments: Defender for Identity LMPs (lateral movement paths) are visual guides that
    help you quickly understand and identify exactly how attackers can move laterally
    inside your network. The purpose of lateral movements within the cyber-attack kill
    chain is for attackers
    to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising
    your sensitive accounts gets them another step closer to their ultimate goal,
    domain dominance. To stop these attacks from being successful, Defender for Identity
    LMPs give you easy to interpret, direct visual guidance on your most vulnerable,
    sensitive accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  score_category: detect
  score_value: partial
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Lateral Movements
  capability_group: m365-defender
  capability_id: DEF-LM-E5
  comments: Defender for Identity LMPs (lateral movement paths) are visual guides that
    help you quickly understand and identify exactly how attackers can move laterally
    inside your network. The purpose of lateral movements within the cyber-attack kill
    chain is for attackers
    to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising
    your sensitive accounts gets them another step closer to their ultimate goal,
    domain dominance. To stop these attacks from being successful, Defender for Identity
    LMPs give you easy to interpret, direct visual guidance on your most vulnerable,
    sensitive accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  score_category: detect
  score_value: partial
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Lateral Movements
  capability_group: m365-defender
  capability_id: DEF-LM-E5
  comments: Defender for Identity LMPs (lateral movement paths) are visual guides that
    help you quickly understand and identify exactly how attackers can move laterally
    inside your network. The purpose of lateral movements within the cyber-attack kill
    chain is for attackers
    to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising
    your sensitive accounts gets them another step closer to their ultimate goal,
    domain dominance. To stop these attacks from being successful, Defender for Identity
    LMPs give you easy to interpret, direct visual guidance on your most vulnerable,
    sensitive accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  related_score: T1078
  score_category: detect
  score_value: partial
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Lateral Movements
  capability_group: m365-defender
  capability_id: DEF-LM-E5
  comments: Defender for Identity LMPs are visual guides that help you quickly understand
    and identify exactly how attackers can move laterally inside your network. The
    purpose of lateral movements within the cyber-attack kill chain are for attackers
    to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising
    your sensitive accounts gets them another step closer to their ultimate goal,
    domain dominance. To stop these attacks from being successful, Defender for Identity
    LMPs give you easy to interpret, direct visual guidance on your most vulnerable,
    sensitive accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  score_category: detect
  score_value: partial
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Lateral Movements
  capability_group: m365-defender
  capability_id: DEF-LM-E5
  comments: Defender for Identity LMPs (lateral movement paths) are visual guides that
    help you quickly understand and identify exactly how attackers can move laterally
    inside your network. The purpose of lateral movements within the cyber-attack kill
    chain is for attackers
    to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising
    your sensitive accounts gets them another step closer to their ultimate goal,
    domain dominance. To stop these attacks from being successful, Defender for Identity
    LMPs give you easy to interpret, direct visual guidance on your most vulnerable,
    sensitive accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  related_score: T1098
  score_category: detect
  score_value: partial
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Lateral Movements
  capability_group: m365-defender
  capability_id: DEF-LM-E5
  comments: Defender for Identity LMPs (lateral movement paths) are visual guides that
    help you quickly understand and identify exactly how attackers can move laterally
    inside your network. The purpose of lateral movements within the cyber-attack kill
    chain is for attackers
    to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising
    your sensitive accounts gets them another step closer to their ultimate goal,
    domain dominance. To stop these attacks from being successful, Defender for Identity
    LMPs give you easy to interpret, direct visual guidance on your most vulnerable,
    sensitive accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  score_category: detect
  score_value: partial
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Lateral Movements
  capability_group: m365-defender
  capability_id: DEF-LM-E5
  comments: Defender for Identity LMPs (lateral movement paths) are visual guides that
    help you quickly understand and identify exactly how attackers can move laterally
    inside your network. The purpose of lateral movements within the cyber-attack kill
    chain is for attackers
    to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising
    your sensitive accounts gets them another step closer to their ultimate goal,
    domain dominance. To stop these attacks from being successful, Defender for Identity
    LMPs give you easy to interpret, direct visual guidance on your most vulnerable,
    sensitive accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  related_score: T1110
  score_category: detect
  score_value: partial
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Lateral Movements
  capability_group: m365-defender
  capability_id: DEF-LM-E5
  comments: Defender for Identity lateral movement paths (LMPs) are visual guides that
    help you quickly understand and identify exactly how attackers can move laterally
    inside your network. The purpose of lateral movement within the cyber-attack kill
    chain is for attackers to gain access to and compromise your sensitive accounts
    using non-sensitive accounts. Compromising your sensitive accounts gets them another
    step closer to their ultimate goal, domain dominance. To stop these attacks from
    being successful, Defender for Identity LMPs give you easy-to-interpret, direct
    visual guidance on your most vulnerable, sensitive accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  related_score: T1110
  score_category: detect
  score_value: partial
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Lateral Movements
  capability_group: m365-defender
  capability_id: DEF-LM-E5
  comments: Defender for Identity lateral movement paths (LMPs) are visual guides that
    help you quickly understand and identify exactly how attackers can move laterally
    inside your network. The purpose of lateral movement within the cyber-attack kill
    chain is for attackers to gain access to and compromise your sensitive accounts
    using non-sensitive accounts. Compromising your sensitive accounts gets them another
    step closer to their ultimate goal, domain dominance. To stop these attacks from
    being successful, Defender for Identity LMPs give you easy-to-interpret, direct
    visual guidance on your most vulnerable, sensitive accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  related_score: T1110
  score_category: detect
  score_value: partial
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Lateral Movements
  capability_group: m365-defender
  capability_id: DEF-LM-E5
  comments: Defender for Identity lateral movement paths (LMPs) are visual guides that
    help you quickly understand and identify exactly how attackers can move laterally
    inside your network. The purpose of lateral movement within the cyber-attack kill
    chain is for attackers to gain access to and compromise your sensitive accounts
    using non-sensitive accounts. Compromising your sensitive accounts gets them another
    step closer to their ultimate goal, domain dominance. To stop these attacks from
    being successful, Defender for Identity LMPs give you easy-to-interpret, direct
    visual guidance on your most vulnerable, sensitive accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  related_score: T1110
  score_category: detect
  score_value: partial
- attack_object_id: T1210
  attack_object_name: Exploitation of Remote Services
  capability_description: Lateral Movements
  capability_group: m365-defender
  capability_id: DEF-LM-E5
  comments: Defender for Identity lateral movement paths (LMPs) are visual guides that
    help you quickly understand and identify exactly how attackers can move laterally
    inside your network. The purpose of lateral movement within the cyber-attack kill
    chain is for attackers to gain access to and compromise your sensitive accounts
    using non-sensitive accounts. Compromising your sensitive accounts gets them another
    step closer to their ultimate goal, domain dominance. To stop these attacks from
    being successful, Defender for Identity LMPs give you easy-to-interpret, direct
    visual guidance on your most vulnerable, sensitive accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  score_category: detect
  score_value: partial
- attack_object_id: T1213.002
  attack_object_name: Sharepoint
  capability_description: Lateral Movements
  capability_group: m365-defender
  capability_id: DEF-LM-E5
  comments: Defender for Identity lateral movement paths (LMPs) are visual guides that
    help you quickly understand and identify exactly how attackers can move laterally
    inside your network. The purpose of lateral movement within the cyber-attack kill
    chain is for attackers to gain access to and compromise your sensitive accounts
    using non-sensitive accounts. Compromising your sensitive accounts gets them another
    step closer to their ultimate goal, domain dominance. To stop these attacks from
    being successful, Defender for Identity LMPs give you easy-to-interpret, direct
    visual guidance on your most vulnerable, sensitive accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  related_score: T1213
  score_category: detect
  score_value: partial
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Lateral Movements
  capability_group: m365-defender
  capability_id: DEF-LM-E5
  comments: Defender for Identity lateral movement paths (LMPs) are visual guides that
    help you quickly understand and identify exactly how attackers can move laterally
    inside your network. The purpose of lateral movement within the cyber-attack kill
    chain is for attackers to gain access to and compromise your sensitive accounts
    using non-sensitive accounts. Compromising your sensitive accounts gets them another
    step closer to their ultimate goal, domain dominance. To stop these attacks from
    being successful, Defender for Identity LMPs give you easy-to-interpret, direct
    visual guidance on your most vulnerable, sensitive accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  score_category: detect
  score_value: partial
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: Lateral Movements
  capability_group: m365-defender
  capability_id: DEF-LM-E5
  comments: Defender for Identity lateral movement paths (LMPs) are visual guides that
    help you quickly understand and identify exactly how attackers can move laterally
    inside your network. The purpose of lateral movement within the cyber-attack kill
    chain is for attackers to gain access to and compromise your sensitive accounts
    using non-sensitive accounts. Compromising your sensitive accounts gets them another
    step closer to their ultimate goal, domain dominance. To stop these attacks from
    being successful, Defender for Identity LMPs give you easy-to-interpret, direct
    visual guidance on your most vulnerable, sensitive accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  score_category: detect
  score_value: partial
- attack_object_id: T1550.002
  attack_object_name: Pass the Hash
  capability_description: Lateral Movements
  capability_group: m365-defender
  capability_id: DEF-LM-E5
  comments: Defender for Identity lateral movement paths (LMPs) are visual guides that
    help you quickly understand and identify exactly how attackers can move laterally
    inside your network. The purpose of lateral movement within the cyber-attack kill
    chain is for attackers to gain access to and compromise your sensitive accounts
    using non-sensitive accounts. Compromising your sensitive accounts gets them another
    step closer to their ultimate goal, domain dominance. To stop these attacks from
    being successful, Defender for Identity LMPs give you easy-to-interpret, direct
    visual guidance on your most vulnerable, sensitive accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  related_score: T1550
  score_category: detect
  score_value: partial
- attack_object_id: T1550.003
  attack_object_name: Pass the Ticket
  capability_description: Lateral Movements
  capability_group: m365-defender
  capability_id: DEF-LM-E5
  comments: Defender for Identity lateral movement paths (LMPs) are visual guides that
    help you quickly understand and identify exactly how attackers can move laterally
    inside your network. The purpose of lateral movement within the cyber-attack kill
    chain is for attackers to gain access to and compromise your sensitive accounts
    using non-sensitive accounts. Compromising your sensitive accounts gets them another
    step closer to their ultimate goal, domain dominance. To stop these attacks from
    being successful, Defender for Identity LMPs give you easy-to-interpret, direct
    visual guidance on your most vulnerable, sensitive accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths
  related_score: T1550
  score_category: detect
  score_value: partial
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization.\n\nApp Governance detects Valid\
    \ Account attacks due to App Governance monitoring aggregated sign-in activity\
    \ for each app and tracking all risky sign-ins.\n\nLicense Requirements:\nMicrosoft\
    \ Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  score_category: detect
  score_value: significant
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization.\n\nApp Governance detects Cloud\
    \ Account attacks due to App Governance monitoring aggregated sign-in activity\
    \ for each app and tracking all risky sign-ins.\n\nLicense Requirements:\nMicrosoft\
    \ Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  related_score: T1078
  score_category: detect
  score_value: significant
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization.\n\nApp Governance detects Account\
    \ Discovery attacks due to App Governance tracking various app attributes and\
    \ behaviors such as certification, data use, API access errors, and unused permissions\
    \ that can indicate misuse and risk.\n\nLicense Requirements:\nMicrosoft Defender\
    \ for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-faq
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  score_category: detect
  score_value: significant
- attack_object_id: T1087.004
  attack_object_name: Cloud Account
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization.\n\nApp Governance detects Cloud\
    \ Account attacks due to App Governance tracking various app attributes and behaviors\
    \ such as certification, data use, API access errors, and unused permissions that\
    \ can indicate misuse and risk.\n\nLicense Requirements:\nMicrosoft Defender\
    \ for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-faq
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  related_score: T1087
  score_category: detect
  score_value: significant
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization.\n\nApp Governance detects Brute\
    \ Force attacks due to App Governance monitoring aggregated sign-in activity for\
    \ each app and tracking all risky sign-ins.\n\nLicense Requirements:\nMicrosoft\
    \ Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  score_category: detect
  score_value: significant
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization.\n\nApp Governance detects Password\
    \ Guessing attacks due to App Governance monitoring aggregated sign-in activity\
    \ for each app and tracking all risky sign-ins.\n\nLicense Requirements:\nMicrosoft\
    \ Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  related_score: T1110
  score_category: detect
  score_value: significant
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization.\n\nApp Governance detects Password\
    \ Cracking attacks due to App Governance monitoring aggregated sign-in activity\
    \ for each app and tracking all risky sign-ins.\n\nLicense Requirements:\nMicrosoft\
    \ Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  related_score: T1110
  score_category: detect
  score_value: significant
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization.\n\nApp Governance detects Password\
    \ Spraying attacks due to App Governance monitoring aggregated sign-in activity\
    \ for each app and tracking all risky sign-ins.\n\nLicense Requirements:\nMicrosoft\
    \ Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  related_score: T1110
  score_category: detect
  score_value: significant
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization.\n\nApp Governance detects Credential\
    \ Stuffing attacks due to App Governance monitoring aggregated sign-in activity\
    \ for each app and tracking all risky sign-ins.\n\nLicense Requirements:\nMicrosoft\
    \ Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  related_score: T1110
  score_category: detect
  score_value: significant
- attack_object_id: T1199
  attack_object_name: Trusted Relationship
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization.\n\nApp Governance detects Trusted\
    \ Relationship attacks due to App Governance monitoring aggregated sign-in activity\
    \ for each app and tracking all risky sign-ins.\n\nLicense Requirements:\nMicrosoft\
    \ Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  score_category: detect
  score_value: significant
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization.\n\nApp Governance detects Steal\
    \ Application Access Token attacks due to App Governance tracking various app\
    \ attributes and behaviors such as certification, data use, API access errors,\
    \ and unused permissions that can indicate misuse and risk.\n\nLicense Requirements:\
    \nMicrosoft Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  score_category: detect
  score_value: significant
- attack_object_id: T1538
  attack_object_name: Cloud Service Dashboard
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization.\n\nApp Governance detects Cloud\
    \ Service Dashboard attacks due to App Governance monitoring aggregated sign-in\
    \ activity for each app and tracking all risky sign-ins.\n\nLicense Requirements:\
    \nMicrosoft Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  score_category: detect
  score_value: significant
- attack_object_id: T1548
  attack_object_name: Abuse Elevation Control Mechanism
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization.\n\nApp Governance protects against\
    \ Abuse Elevation Control Mechanism attacks due to the governance feature where\
    \ admins can create proactive or reactive policies to protect your users from\
    \ using noncompliant or malicious apps and limiting the access of risky apps to\
    \ your data.\n\nLicense Requirements:\nMicrosoft Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  score_category: protect
  score_value: significant
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization.\n\nApp Governance detects Modify\
    \ Authentication Process attacks due to App Governance monitoring aggregated sign-in\
    \ activity for each app and tracking all risky sign-ins.\n\nLicense Requirements: \nMicrosoft\
    \ Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  score_category: detect
  score_value: significant
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization\n\nApp Governance Detects Multi-Factor\
    \ Authentication attacks due to App Governance monitoring aggregated sign-in activity\
    \ for each app and tracking all risky sign-ins.\n\nLicense Requirements: \nMicrosoft\
    \ Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  related_score: T1556
  score_category: detect
  score_value: significant
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization\n\nApp Governance Protects against\
    \ Impair Defense attacks due to the governance feature where admins can create\
    \ proactive or reactive policies to protect your users from using noncompliant\
    \ or malicious apps and limiting the access of risky apps to your data to ensure\
    \ that only approved applications retain access to tenant data.\n\nLicense Requirements:\
    \ \nMicrosoft Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  score_category: protect
  score_value: significant
- attack_object_id: T1562
  attack_object_name: Impair Defenses
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization\n\nApp Governance detects Impair\
    \ Defense attacks due to App Governance tracking various app attributes and behaviors\
    \ such as certification, data use, API access errors, and unused permissions that\
    \ can indicate misuse and risk.\n\nLicense Requirements: \nMicrosoft Defender\
    \ for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  score_category: detect
  score_value: significant
- attack_object_id: T1562.008
  attack_object_name: Disable or Modify Cloud Logs
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization\n\nApp Governance Detects Disable\
    \ or Modify Cloud Log attacks due to App Governance tracking various app attributes\
    \ and behaviors such as certification, data use, API access errors, and unused\
    \ permissions that can indicate misuse and risk.\n\nLicense Requirements: \nMicrosoft\
    \ Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  related_score: T1562
  score_category: detect
  score_value: significant
- attack_object_id: T1562.008
  attack_object_name: Disable or Modify Cloud Logs
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization\n\nApp Governance protects against\
    \ Disable or Modify Cloud Log attacks due to the governance feature where admins\
    \ can create proactive or reactive policies to protect your users from using noncompliant\
    \ or malicious apps and limiting the access of risky apps to your data to ensure\
    \ that only approved applications retain access to tenant data.\n\nLicense Requirements:\
    \ \nMicrosoft Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  related_score: T1562
  score_category: protect
  score_value: significant
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization\n\nApp Governance Detects Phishing\
    \ attacks due to App Governance tracking various app attributes and behaviors\
    \ such as certification, data use, API access errors, and unused permissions that\
    \ can indicate misuse and risk, helping an admin identify an OAuth app that comes\
    \ from an unknown or unverified publisher and is performing unusual activity (for\
    \ example, an app a user was lured into granting consent to).\n\nLicense Requirements:\
    \ \nMicrosoft Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  score_category: detect
  score_value: significant
- attack_object_id: T1606
  attack_object_name: Forge Web Credentials
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization\n\nApp Governance Detects Forge\
    \ Web Credentials attacks due to App Governance tracking various app attributes\
    \ and behaviors such as certification, data use, API access errors, and unused\
    \ permissions that can indicate misuse and risk.\n\nLicense Requirements: \nMicrosoft\
    \ Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-faq
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  score_category: detect
  score_value: significant
- attack_object_id: T1606.002
  attack_object_name: SAML Tokens
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization\n\nApp Governance Detects SAML\
    \ Token attacks due to App Governance monitoring aggregated sign-in activity for\
    \ each app and tracking all risky sign-ins.\n\nLicense Requirements: \nMicrosoft\
    \ Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  related_score: T1606
  score_category: detect
  score_value: significant
- attack_object_id: T1621
  attack_object_name: Multi-Factor Authentication Request Generation
  capability_description: App Governance
  capability_group: m365-defender
  capability_id: DEF-APGV-E5
  comments: "App governance in Defender for Cloud Apps is a set of security and policy\
    \ management capabilities designed for OAuth-enabled apps registered on Microsoft\
    \ Entra ID, Google, and Salesforce. App governance delivers visibility, remediation,\
    \ and governance into how these apps and their users access, use, and share sensitive\
    \ data in Microsoft 365 and other cloud platforms through actionable insights\
    \ and automated policy alerts and actions. App governance also enables you to\
    \ see which user-installed OAuth applications have access to data on Microsoft\
    \ 365, Google Workspace, and Salesforce. It tells you what permissions the apps\
    \ have and which users have granted access to their accounts. App governance insights\
    \ enable you to make informed decisions around blocking or restricting apps that\
    \ present significant risk to your organization\n\nApp Governance Detects Multi-Factor\
    \ Authentication Request Generation attacks due to App Governance monitoring aggregated\
    \ sign-in activity for each app and tracking all risky sign-ins.\n\nLicense Requirements:\
    \ \nMicrosoft Defender for Cloud Apps"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts
  - https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance
  score_category: detect
  score_value: significant
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: This control only protects cloud accounts and therefore its overall protection
    coverage is Minimal.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks
  score_category: protect
  score_value: minimal
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: 'MFA can provide protection against an adversary that obtains valid credentials
    by requiring the adversary to complete an additional authentication process before
    access is permitted. This is an incomplete protection measure, though, as the adversary
    may also have obtained credentials that allow the additional authentication method
    to be bypassed.'
  mapping_type: technique_score
  references: []
  related_score: T1078
  score_category: protect
  score_value: partial
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: Requiring the use of MFA for all users can significantly reduce the likelihood
    of adversaries gaining access to the environment's cloud accounts.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa
  related_score: T1078
  score_category: protect
  score_value: significant
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: Requiring the use of MFA along with conditional access policies may reduce
    the likelihood of adversaries making credential modifications, administrator changes,
    account manipulation, changes to permissions, etc.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa
  score_category: protect
  score_value: minimal
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: Requiring the use of MFA along with conditional access policies may reduce
    the likelihood of adversaries making credential modifications, administrator changes,
    account manipulation, changes to permissions, etc.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa
  - https://www.microsoft.com/en-us/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/
  related_score: T1098
  score_category: protect
  score_value: partial
- attack_object_id: T1098.002
  attack_object_name: Additional Email Delegate Permissions
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: 'Requiring the use of MFA along with conditional access policies may reduce
    the likelihood of adversaries making modifications, such as changes to email delegate
    permissions. '
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa
  related_score: T1098
  score_category: protect
  score_value: partial
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: Requiring the use of MFA along with conditional access policies may reduce
    the likelihood of adversaries making credential modifications, administrator changes,
    account manipulation, changes to permissions, etc.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa
  related_score: T1098
  score_category: protect
  score_value: partial
- attack_object_id: T1098.005
  attack_object_name: Device Registration
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: Requiring the use of MFA to register devices in Entra ID along with conditional
    access policies can reduce the likelihood of successful use of this technique.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa
  related_score: T1098
  score_category: protect
  score_value: significant
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: MFA provides significant protection against password compromises, requiring
    the adversary to complete an additional authentication method before their access
    is permitted.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks
  score_category: protect
  score_value: significant
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: MFA provides significant protection against password compromises, requiring
    the adversary to complete an additional authentication method before their access
    is permitted.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks
  score_category: protect
  score_value: significant
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: MFA can significantly reduce the impact of a password compromise, requiring
    the adversary to complete an additional authentication method before their access
    is permitted.
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: MFA can significantly reduce the impact of a password compromise, requiring
    the adversary to complete an additional authentication method before access is
    permitted.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: 'MFA can significantly reduce the impact of password cracking, requiring
    the adversary to complete an additional authentication method before access is
    permitted. Microsoft''s analysis indicates that accounts are more than 99.9% less
    likely to be compromised when MFA is enabled, across techniques such as phishing,
    brute force, credential stuffing, and key logging.'
  mapping_type: technique_score
  references:
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: MFA can significantly reduce the impact of a password compromise, requiring
    the adversary to complete an additional authentication method before their access
    is permitted.
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: 'MFA can significantly reduce the impact of password spraying, requiring
    the adversary to complete an additional authentication method before access is
    permitted. Microsoft''s analysis indicates that accounts are more than 99.9% less
    likely to be compromised when MFA is enabled, across techniques such as phishing,
    brute force, credential stuffing, and key logging.'
  mapping_type: technique_score
  references:
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: MFA can significantly reduce the impact of a password compromise, requiring
    the adversary to complete an additional authentication method before their access
    is permitted.
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: 'MFA can significantly reduce the impact of credential stuffing, requiring
    the adversary to complete an additional authentication method before access is
    permitted. Microsoft''s analysis indicates that accounts are more than 99.9% less
    likely to be compromised when MFA is enabled, across techniques such as phishing,
    brute force, credential stuffing, and key logging.'
  mapping_type: technique_score
  references:
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: MFA can significantly reduce the impact from adversaries creating accounts
    by requiring an additional authentication method for verification (e.g., Microsoft
    Authenticator, Authenticator Lite (in Outlook), Windows Hello for Business, FIDO2
    security key, OATH hardware token (preview), OATH software token, SMS, Voice call,
    etc.)
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks
  related_score: T1136
  score_category: protect
  score_value: significant
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: MFA provides significant protection by requiring an additional authentication
    factor before access to resources (e.g., cloud storage, APIs, etc.) is granted.
  mapping_type: technique_score
  references: []
  score_category: protect
  score_value: significant
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: 'Entra MFA provides partial protection against phishing by requiring users
    to verify their identity through more than one method, so a phished password alone
    is not sufficient to sign in. Protection is partial because methods that rely on a
    user-entered code or approval (e.g., SMS, voice, push) can still be captured or relayed
    by phishing infrastructure; phishing-resistant methods (e.g., FIDO2 security keys,
    Windows Hello for Business) are designed to resist this.'
  mapping_type: technique_score
  references:
  - https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984
  - https://www.microsoft.com/en-us/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/
  score_category: protect
  score_value: partial
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: 'Entra MFA provides partial protection against phishing by requiring users
    to verify their identity through more than one method, so a phished password alone
    is not sufficient to sign in. Protection is partial because methods that rely on a
    user-entered code or approval (e.g., SMS, voice, push) can still be captured or relayed
    by phishing infrastructure; phishing-resistant methods (e.g., FIDO2 security keys,
    Windows Hello for Business) are designed to resist this.'
  mapping_type: technique_score
  references:
  - https://www.microsoft.com/en-us/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/
  related_score: T1566
  score_category: protect
  score_value: partial
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: 'Entra MFA provides partial protection against phishing by requiring users
    to verify their identity through more than one method, so a phished password alone
    is not sufficient to sign in. Protection is partial because methods that rely on a
    user-entered code or approval (e.g., SMS, voice, push) can still be captured or relayed
    by phishing infrastructure; phishing-resistant methods (e.g., FIDO2 security keys,
    Windows Hello for Business) are designed to resist this.'
  mapping_type: technique_score
  references:
  - https://www.microsoft.com/en-us/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/
  related_score: T1566
  score_category: protect
  score_value: partial
- attack_object_id: T1621
  attack_object_name: Multi-Factor Authentication Request Generation
  capability_description: Multifactor Authentication
  capability_group: entra-id
  capability_id: EID-MFA-E3
  comments: Entra MFA can be used to limit the number of MFA request prompts that can be
    sent to users in a period of time and throttles sign-in attempts in certain cases
    involving repeated authentication requests.
  mapping_type: technique_score
  references: []
  score_category: protect
  score_value: significant
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Password Policy
  capability_group: entra-id
  capability_id: EID-PWP-E3
  comments: "Accounts should have complex and unique passwords across all systems\
    \ on the network. Passwords and access keys should be rotated regularly. \n\n\
    License Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft\
    \ Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy
  score_category: protect
  score_value: significant
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Password Policy
  capability_group: entra-id
  capability_id: EID-PWP-E3
  comments: This control provides partial protection for most of this technique's
    sub-techniques and therefore has been scored as Partial.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts
  score_category: protect
  score_value: partial
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Password Policy
  capability_group: entra-id
  capability_id: EID-PWP-E3
  comments: "A password policy is applied to all user accounts that are created and\
    \ managed directly in Microsoft Entra ID. \n\nBy default, an account is locked\
    \ out after 10 unsuccessful sign-in attempts with the wrong password.\n\nLicense\
    \ Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft\
    \ Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy
  score_category: protect
  score_value: partial
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Password Policy
  capability_group: entra-id
  capability_id: EID-PWP-E3
  comments: The password restrictions provided by the default Password policy, along
    with the lockout threshold and duration settings, are an effective protection against
    this Password Guessing sub-technique.
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Password Policy
  capability_group: entra-id
  capability_id: EID-PWP-E3
  comments: 'A password policy is applied to all user accounts that are created and
    managed directly in Microsoft Entra ID. By default, an account is locked out after
    10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in
    attempts lock out the user in real time for increasing durations of time.


    License Requirements:

    Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy
  related_score: T1110
  score_category: protect
  score_value: significant
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Password Policy
  capability_group: entra-id
  capability_id: EID-PWP-E3
  comments: 'The password restrictions provided by the default Password policy can
    provide partial protection against password cracking, but a determined adversary
    with sufficient resources can still be successful with this attack vector.

    With regard to Credential Stuffing, the password policy''s lockout threshold can
    be partially effective in mitigating this sub-technique as it may lock the account
    before the correct credential is attempted. However, with credential stuffing,
    the number of passwords attempted for an account is often (much) fewer than with
    Password Guessing, reducing the effectiveness of a lockout threshold. This led
    to its score being assessed as Partial rather than Significant (as was assessed
    for Password Guessing).'
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Password Policy
  capability_group: entra-id
  capability_id: EID-PWP-E3
  comments: 'A password policy is applied to all user accounts that are created and
    managed directly in Microsoft Entra ID. By default, an account is locked out after
    10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in
    attempts lock out the user in real time for increasing durations of time.


    License Requirements:

    Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Password Policy
  capability_group: entra-id
  capability_id: EID-PWP-E3
  comments: 'A password policy is applied to all user accounts that are created and
    managed directly in Microsoft Entra ID. By default, an account is locked out after
    10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in
    attempts lock out the user in real time for increasing durations of time.


    License Requirements:

    Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Password Policy
  capability_group: entra-id
  capability_id: EID-PWP-E3
  comments: 'The password restrictions provided by the default Password policy can
    provide partial protection against password cracking, but a determined adversary
    with sufficient resources can still be successful with this attack vector.

    With regard to Credential Stuffing, the password policy''s lockout threshold can
    be partially effective in mitigating this sub-technique as it may lock the account
    before the correct credential is attempted. However, with credential stuffing,
    the number of passwords attempted for an account is often (much) fewer than with
    Password Guessing, reducing the effectiveness of a lockout threshold. This led
    to its score being assessed as Partial rather than Significant (as was assessed
    for Password Guessing).'
  mapping_type: technique_score
  references: []
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Password Policy
  capability_group: entra-id
  capability_id: EID-PWP-E3
  comments: 'A password policy is applied to all user accounts that are created and
    managed directly in Microsoft Entra ID. By default, an account is locked out after
    10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in
    attempts lock out the user in real time for increasing durations of time.


    License Requirements:

    Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1586.003
  attack_object_name: Cloud Accounts
  capability_description: Password Policy
  capability_group: entra-id
  capability_id: EID-PWP-E3
  comments: 'Cloud accounts should have complex and unique passwords across all systems
    on the network. Passwords and access keys should be rotated regularly. By default,
    an account is locked out after 10 unsuccessful sign-in attempts with the wrong
    password. Further incorrect sign-in attempts lock out the user in real time for
    increasing durations of time.


    License Requirements:

    Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy
  related_score: T1586
  score_category: protect
  score_value: significant
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Password Protection
  capability_group: entra-id
  capability_id: EID-PWPR-E3
  comments: 'Accounts should have complex and unique passwords across all systems
    on the network. When a password is changed or reset for any user in a Microsoft
    Entra tenant, the current version of the global banned password list is used to
    validate the strength of the password. This validation check results in stronger
    passwords for all Microsoft Entra customers.


    License Requirements:

    Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad
  score_category: protect
  score_value: partial
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Password Protection
  capability_group: entra-id
  capability_id: EID-PWPR-E3
  comments: 'With Microsoft Entra Password Protection, default global banned password
    lists are automatically applied to all users in a Microsoft Entra tenant. To support
    your own business and security needs, you can define entries in a custom banned
    password list.

    When a password is changed or reset for any user in a Microsoft Entra tenant,
    the current version of the global banned password list is used to validate the
    strength of the password. This validation check results in stronger passwords
    for all Microsoft Entra customers.


    License Requirements:

    Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad
  score_category: protect
  score_value: partial
- attack_object_id: T1110
  attack_object_name: Brute Force
  capability_description: Password Protection
  capability_group: entra-id
  capability_id: EID-PWPR-E3
  comments: 'With Microsoft Entra Password Protection, default global banned password
    lists are automatically applied to all users in a Microsoft Entra tenant. To support
    your own business and security needs, you can define entries in a custom banned
    password list.

    When a password is changed or reset for any user in a Microsoft Entra tenant,
    the current version of the global banned password list is used to validate the
    strength of the password. This validation check results in stronger passwords
    for all Microsoft Entra customers.


    License Requirements:

    Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad
  score_category: protect
  score_value: partial
- attack_object_id: T1110.001
  attack_object_name: Password Guessing
  capability_description: Password Protection
  capability_group: entra-id
  capability_id: EID-PWPR-E3
  comments: "Microsoft Entra Password Protection efficiently blocks known weak passwords\
    \ likely to be used in password guessing attacks. \n\n\nLicense Requirements:\n\
    Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.002
  attack_object_name: Password Cracking
  capability_description: Password Protection
  capability_group: entra-id
  capability_id: EID-PWPR-E3
  comments: "Microsoft Entra Password Protection efficiently blocks known weak passwords\
    \ likely to be used in password cracking attacks. \n\n\nLicense Requirements:\n\
    Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Password Protection
  capability_group: entra-id
  capability_id: EID-PWPR-E3
  comments: "Microsoft Entra Password Protection efficiently blocks known weak passwords\
    \ likely to be used in password spray attacks. \n\n\nLicense Requirements:\nMicrosoft\
    \ Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.003
  attack_object_name: Password Spraying
  capability_description: Password Protection
  capability_group: entra-id
  capability_id: EID-PWPR-E3
  comments: "Microsoft Entra Password Protection efficiently blocks known weak passwords\
    \ likely to be used in password spray attacks. \n\n\nLicense Requirements:\nMicrosoft\
    \ Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Password Protection
  capability_group: entra-id
  capability_id: EID-PWPR-E3
  comments: 'With Microsoft Entra Password Protection, you can define entries in a
    custom banned password list. When a password is changed or reset for any user
    in a Microsoft Entra tenant, the current version of the global banned password
    list is used to validate the strength of the password. This validation check results
    in stronger passwords for all Microsoft Entra customers.



    License Requirements:

    Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1110.004
  attack_object_name: Credential Stuffing
  capability_description: Password Protection
  capability_group: entra-id
  capability_id: EID-PWPR-E3
  comments: 'With Microsoft Entra Password Protection, you can define entries in a
    custom banned password list. When a password is changed or reset for any user
    in a Microsoft Entra tenant, the current version of the global banned password
    list is used to validate the strength of the password. This validation check results
    in stronger passwords for all Microsoft Entra customers.



    License Requirements:

    Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad
  related_score: T1110
  score_category: protect
  score_value: partial
- attack_object_id: T1586.003
  attack_object_name: Cloud Accounts
  capability_description: Password Protection
  capability_group: entra-id
  capability_id: EID-PWPR-E3
  comments: 'Cloud accounts should have complex and unique passwords across all systems
    on the network. When a password is changed or reset for any user in a Microsoft
    Entra tenant, the current version of the global banned password list is used to
    validate the strength of the password. This validation check results in stronger
    passwords for all Microsoft Entra customers.


    License Requirements:

    Microsoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad
  related_score: T1586
  score_category: protect
  score_value: partial
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: This control only provides protection for one of this technique's sub-techniques
    while not providing any protection for the remaining and therefore its coverage
    score is Minimal, resulting in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  score_category: protect
  score_value: minimal
- attack_object_id: T1078
  attack_object_name: Valid Accounts
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: "The PIM control supports an Access Review feature, which can partially\
    \ be used to avoid stale role assignment for Valid Accounts: Cloud Accounts. The\
    \ control does not protect against this technique's other sub-techniques, resulting\
    \ in a Minimal coverage score, for an overall score of Minimal. \n\nLicense Requirements:\n\
    Microsoft Entra ID P2 or Microsoft Entra ID Governance"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  score_category: protect
  score_value: minimal
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: This control's Access Review feature supports scheduling a routine review
    of cloud account permission levels to look for those that could allow an adversary
    to gain wide access.  This information can then be used to validate if such access
    is required and identify which (privileged) accounts should be monitored closely.  This
    reduces the availability of valid accounts to adversaries.  This review would
    normally be scheduled periodically, at most weekly, and therefore its temporal
    score is Partial.
  mapping_type: technique_score
  references: []
  related_score: T1078
  score_category: protect
  score_value: partial
- attack_object_id: T1078.004
  attack_object_name: Cloud Accounts
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: "The PIM control supports an Access Review feature, which can be created\
    \ to review privileged access to avoid stale role assignments. Access Reviews\
    \ can be scheduled routinely, and used to help evaluate the state of privileged\
    \ access. Performing this review can help minimize the availability of valid accounts\
    \ to adversaries. Although this review can be scheduled periodically, it would\
    \ not occur at real-time frequency, and is therefore assigned Partial. \n\nLicense\
    \ Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  related_score: T1078
  score_category: protect
  score_value: partial
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: This control provides significant protection for some of this technique's
    sub-techniques while not providing any protection for others, resulting in a Partial
    score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  score_category: protect
  score_value: partial
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: This control only provides detection for one of this technique's sub-techniques
    while not providing any detection for the remaining and therefore its coverage
    score is Minimal, resulting in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  score_category: detect
  score_value: minimal
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: "The PIM control can assist post-execution detection by alerting on the\
    \ assignment of privileged Additional Cloud Roles. This is not extendable to detect\
    \ against the technique's other sub-techniques, resulting in overall minimal detection\
    \ coverage. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra\
    \ ID Governance"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  score_category: detect
  score_value: minimal
- attack_object_id: T1098
  attack_object_name: Account Manipulation
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: "The PIM control provides significant protection against multiple sub-techniques,\
    \ although not all, resulting in partial coverage. The control scores Significant\
    \ for the temporal aspects of its protection, which include requiring activation\
    \ by eligible privileged roles, and confirming user identity with MFA before execution.\
    \ \n\n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-activate-role
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  score_category: protect
  score_value: significant
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: Privileged roles such as the Application Administrator role can be configured
    to require MFA on activation to provide additional protection against the execution
    of this technique.  In addition, these privileged roles can be assigned as eligible
    rather than permanently active roles to further reduce the attack surface.
  mapping_type: technique_score
  references: []
  related_score: T1098
  score_category: protect
  score_value: significant
- attack_object_id: T1098.001
  attack_object_name: Additional Cloud Credentials
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: "The PIM control can enforce on-activation requirements for privileged\
    \ roles, such as the Application Administrator. Configuration can include an MFA\
    \ requirement, which can provide additional protection against Additional Cloud\
    \ Credentials. PIM can also be used to assign privileged roles as \"eligible\"\
    \ rather than \"active\", requiring activation of the assigned role before use.\
    \ Due to these features, a score of Significant is assigned. \n\nLicense Requirements:\n\
    Microsoft Entra ID P2 or Microsoft Entra ID Governance"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-activate-role
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  related_score: T1098
  score_category: protect
  score_value: significant
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: This control can require MFA to be triggered when the Global Administrator
    role is assigned to an account or when the role is activated by a user.
  mapping_type: technique_score
  references: []
  related_score: T1098
  score_category: protect
  score_value: significant
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: This control can notify administrators whenever the Global Administrator
    role is assigned to an account and can therefore be used to detect the execution
    of this sub-technique.  Assigning the Global Administrator role to an account
    is an infrequent operation and as a result, the false positive rate should be
    minimal.
  mapping_type: technique_score
  references: []
  related_score: T1098
  score_category: detect
  score_value: significant
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: "The PIM control can notify administrators when the Global Administrator\
    \ and other administrator roles are assigned to an account, allowing it to be\
    \ a method of detection for Additional Cloud Roles execution. PIM supports multiple\
    \ security alerts, with customizable triggers, including numeric specificity.\
    \ Following Microsoft's role based access control Best Practices, assignment of\
    \ Global Administrator, among other administrative roles should be uncommon, resulting\
    \ in an overall low false positive rate for detecting unexpected privileged role\
    \ assignments. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra\
    \ ID Governance"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  related_score: T1098
  score_category: detect
  score_value: significant
- attack_object_id: T1098.003
  attack_object_name: Additional Cloud Roles
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: "The PIM control can enforce on-activation requirements for privileged\
    \ roles, such as the Global Administrator. Configuration can include an MFA requirement,\
    \ which can provide additional protection against Additional Cloud Roles. MFA\
    \ can be required both when assigning these administrative roles, and/or when\
    \ a user activates the role. \n\nLicense Requirements:\nMicrosoft Entra ID P2\
    \ or Microsoft Entra ID Governance"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-activate-role
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  related_score: T1098
  score_category: protect
  score_value: significant
- attack_object_id: T1098.007
  attack_object_name: Additional Local or Domain Groups
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process ensures\
    \ tenant users lose access to organizational SharePoint Online files, email, calendar,\
    \ or tasks, and Teams from Microsoft 365 client apps within minutes after a critical\
    \ event is detected. The following events are currently evaluated:\n\nUser Account\
    \ is deleted or disabled\nPassword for a user is changed or reset\nMultifactor\
    \ authentication is enabled for the user\nAdministrator explicitly revokes all\
    \ refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\
    \nLicense Requirements:\nContinuous access evaluation will be included in all\
    \ versions of Microsoft 365. \n"
  mapping_type: technique_score
  references: []
  related_score: T1098
  score_category: detect
  score_value: significant
- attack_object_id: T1098.007
  attack_object_name: Additional Local or Domain Groups
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: "Entra ID's continuous access evaluation is a security control implemented\
    \ by enabling services to subscribe to critical Microsoft Entra events. Those\
    \ events can then be evaluated and enforced in near real time. This process ensures\
    \ tenant users lose access to organizational SharePoint Online files, email, calendar,\
    \ or tasks, and Teams from Microsoft 365 client apps within minutes after a critical\
    \ event is detected. The following events are currently evaluated:\n\nUser Account\
    \ is deleted or disabled\nPassword for a user is changed or reset\nMultifactor\
    \ authentication is enabled for the user\nAdministrator explicitly revokes all\
    \ refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\
    \nLicense Requirements:\nContinuous access evaluation will be included in all\
    \ versions of Microsoft 365. \n"
  mapping_type: technique_score
  references: []
  related_score: T1098
  score_category: protect
  score_value: significant
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: This control only provides protection for one of this technique's sub-techniques
    while not providing any protection for the remaining and therefore its coverage
    score is Minimal, resulting in a Minimal score.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  score_category: protect
  score_value: minimal
- attack_object_id: T1136
  attack_object_name: Create Account
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: "The PIM control provides significant protection against Create Account:\
    \ Cloud Account, but not against the technique's other sub-techniques. An overall\
    \ score of Partial is provided, although overall coverage across the sub-techniques\
    \ is minimal. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra\
    \ ID Governance"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  score_category: protect
  score_value: partial
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: Privileged roles such as the User Administrator role can be configured
    to require MFA on activation to provide additional protection against the execution
    of this technique.  In addition, these privileged roles can be assigned as eligible
    rather than permanently active roles to further reduce the attack surface.
  mapping_type: technique_score
  references: []
  related_score: T1136
  score_category: protect
  score_value: significant
- attack_object_id: T1136.003
  attack_object_name: Cloud Account
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: "The PIM control can enforce on-activation requirements for privileged\
    \ roles, such as the User Administrator. Configuration can include an MFA requirement,\
    \ which can provide additional protection against Cloud Account creation. PIM\
    \ can also be used to assign privileged roles as \"eligible\" rather than \"active\",\
    \ requiring activation of the assigned role before use. Due to these features,\
    \ a score of Significant is assigned. \n\nLicense Requirements:\n\
    Microsoft Entra ID P2 or Microsoft Entra ID Governance"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-activate-role
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  related_score: T1136
  score_category: protect
  score_value: significant
- attack_object_id: T1556
  attack_object_name: Modify Authentication Process
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: "The PIM control significantly protects against the modification of Multi-Factor\
    \ Authentication and Hybrid Identity settings by placing limitations and restrictions\
    \ on the privileged accounts able to change them. However, this is overall Minimal\
    \ coverage relative to all of the technique's sub-techniques.\n\nLicense Requirements:\nMicrosoft Entra ID P2\
    \ or Microsoft Entra ID Governance"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  score_category: protect
  score_value: minimal
- attack_object_id: T1556.006
  attack_object_name: Multi-Factor Authentication
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: 'The PIM control can enforce on-activation requirements for privileged
    roles, such as the Conditional Access Administrator, Global Administrator or Security
    Administrator, which include privileges necessary to modify certain MFA settings.
    Configuration can include an MFA requirement, which can provide additional protection
    against modifying Multi-Factor Authentication. MFA can be required both when assigning
    these administrative roles, and/or when a user activates the role. PIM can also
    be used to assign privileged roles as "eligible" rather than permanently "active",
    which requires activation of the assigned role before use. This scores Significant
    for its limitation of the number of accounts holding these privileges, and the conditions
    placed on their use. PIM security alerts (see references) can additionally surface
    role assignment and activation anomalies for review.



    License Requirements:

    Microsoft Entra ID P2 or Microsoft Entra ID Governance'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  related_score: T1556
  score_category: protect
  score_value: significant
- attack_object_id: T1556.007
  attack_object_name: Hybrid Identity
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: "The PIM control can enforce on-activation requirements for privileged\
    \ roles, such as the Global Administrator, which may be used for modifying the\
    \ hybrid identity authentication process from the cloud. Ideally, ensure these\
    \ accounts are dedicated cloud-only rather than hybrid (on-premises synchronized)\
    \ accounts, so that a compromise of the on-premises directory cannot be leveraged\
    \ to take over the cloud privileged role. MFA can be required both when assigning\
    \ Global Administrator, and/or when a user activates the role. PIM can also be\
    \ used to assign privileged roles as \"eligible\" rather than permanently \"active\",\
    \ which requires activation of the assigned role before use.\
    \ This scores Significant for its limitation of the overall accounts with these\
    \ privileges, and the conditions for use. \n\n\nLicense Requirements:\nMicrosoft\
    \ Entra ID P2 or Microsoft Entra ID Governance"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  related_score: T1556
  score_category: protect
  score_value: significant
- attack_object_id: T1651
  attack_object_name: Cloud Administration Command
  capability_description: Privileged Identity Management
  capability_group: entra-id
  capability_id: EID-PIM-E5
  comments: "The PIM control can enforce on-activation requirements for privileged\
    \ roles, such as Global Administrators. Configuration can include an MFA requirement,\
    \ which can help limit the number of privileged accounts available and their ability\
    \ to execute administration commands. PIM can also be used to assign privileged\
    \ roles as \"eligible\" rather than permanently \"active\", which requires activation\
    \ of the assigned role before use. Due to these features, a score of Significant\
    \ is assigned. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra\
    \ ID Governance"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure
  score_category: protect
  score_value: significant
- attack_object_id: T1114
  attack_object_name: Email Collection
  capability_description: Mail Flow Rules
  capability_group: eop
  capability_id: EOP-MFR-E3
  comments: "In Exchange Online organizations, and in standalone Exchange Online Protection\
    \ (EOP) organizations without Exchange Online mailboxes, you can use Exchange Mail\
    \ Flow Rules (also known as transport rules) to look for specific conditions on\
    \ messages that pass through your organization and take action on them. Mail Flow\
    \ Rules take action on messages while they are in transit, not after the message\
    \ is delivered to the mailbox. Mail flow rules contain a rich set of conditions,\
    \ exceptions, and actions, which provides you with the flexibility to implement\
    \ many types of messaging policies.\n\nMail Flow Rules protect against Email Collection\
    \ attacks through the custom rules feature, which allows you to define rules that\
    \ encrypt email messages and so provides an added layer of security for sensitive\
    \ information sent over email. Note that this encryption is applied while the message\
    \ is in transit and the intended recipient can still read the message, so it does\
    \ not by itself prevent collection by an adversary who has already obtained access\
    \ to a user's mailbox; it chiefly limits exposure of message content to unintended\
    \ parties along the delivery path.\n\nLicense Requirements:\nMicrosoft Exchange Online\
    \ Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/define-mail-flow-rules-to-encrypt-email
  - https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules
  score_category: protect
  score_value: significant
- attack_object_id: T1114.002
  attack_object_name: Remote Email Collection
  capability_description: Mail Flow Rules
  capability_group: eop
  capability_id: EOP-MFR-E3
  comments: "In Exchange Online organizations, and in standalone Exchange Online Protection\
    \ (EOP) organizations without Exchange Online mailboxes, you can use Exchange Mail\
    \ Flow Rules (also known as transport rules) to look for specific conditions on\
    \ messages that pass through your organization and take action on them. Mail Flow\
    \ Rules take action on messages while they are in transit, not after the message\
    \ is delivered to the mailbox. Mail flow rules contain a rich set of conditions,\
    \ exceptions, and actions, which provides you with the flexibility to implement\
    \ many types of messaging policies.\n\nMail Flow Rules protect against Remote Email\
    \ Collection attacks through the custom rules feature, which allows you to define\
    \ rules that encrypt email messages and so provides an added layer of security for\
    \ sensitive information sent over email. Note that Remote Email Collection typically\
    \ involves an adversary reading delivered mail with a user's valid credentials or\
    \ tokens; encryption applied in transit remains readable to that mailbox and so does\
    \ not by itself prevent such access. It should be combined with identity protections\
    \ such as MFA and Conditional Access.\n\nLicense Requirements:\nMicrosoft Exchange\
    \ Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/define-mail-flow-rules-to-encrypt-email
  - https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules
  related_score: T1114
  score_category: protect
  score_value: significant
- attack_object_id: T1114.003
  attack_object_name: Email Forwarding Rule
  capability_description: Mail Flow Rules
  capability_group: eop
  capability_id: EOP-MFR-E3
  comments: "In Exchange Online organizations, and in standalone Exchange Online Protection\
    \ (EOP) organizations without Exchange Online mailboxes, you can use Exchange Mail\
    \ Flow Rules (also known as transport rules) to look for specific conditions on\
    \ messages that pass through your organization and take action on them. Mail Flow\
    \ Rules take action on messages while they are in transit, not after the message\
    \ is delivered to the mailbox. Mail flow rules contain a rich set of conditions,\
    \ exceptions, and actions, which provides you with the flexibility to implement\
    \ many types of messaging policies.\n\nMail Flow Rules protect against Email Forwarding\
    \ Rule attacks through the custom rules feature, which allows you to define rules\
    \ that encrypt email messages and so provides an added layer of security for sensitive\
    \ information sent over email. Note that encryption does not by itself stop an\
    \ adversary-created forwarding rule from operating; mail flow rule conditions and\
    \ actions that target auto-forwarded messages (for example, rejecting messages\
    \ auto-forwarded to external recipients) are the more direct control for this\
    \ sub-technique - verify the available conditions against the referenced mail flow\
    \ rules documentation.\n\nLicense Requirements:\nMicrosoft Exchange Online Protection,\
    \ Defender for Office 365 plan 1 and plan 2, Microsoft XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/purview/define-mail-flow-rules-to-encrypt-email
  - https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules
  related_score: T1114
  score_category: protect
  score_value: significant
- attack_object_id: T1564
  attack_object_name: Hide Artifacts
  capability_description: Mail Flow Rules
  capability_group: eop
  capability_id: EOP-MFR-E3
  comments: "In Exchange Online organizations, and in standalone Exchange Online Protection\
    \ (EOP) organizations without Exchange Online mailboxes, you can use Exchange Mail\
    \ Flow Rules (also known as transport rules) to look for specific conditions on\
    \ messages that pass through your organization and take action on them. Mail Flow\
    \ Rules take action on messages while they are in transit, not after the message\
    \ is delivered to the mailbox. Mail flow rules contain a rich set of conditions,\
    \ exceptions, and actions, which provides you with the flexibility to implement\
    \ many types of messaging policies.\n\nMail Flow Rules can help detect Hide Artifacts\
    \ behaviors because rule conditions can examine message header fields, allowing\
    \ messages whose headers match indicators of concealment to be flagged or acted on\
    \ while in transit. Because mail flow rules only see messages in transit, they do not\
    \ observe artifacts hidden after delivery (for example, by inbox rules), so this\
    \ detection is limited to in-transit indicators.\n\nLicense Requirements:\nMicrosoft\
    \ Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft\
    \ XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules
  score_category: detect
  score_value: significant
- attack_object_id: T1564.008
  attack_object_name: Email Hiding Rules
  capability_description: Mail Flow Rules
  capability_group: eop
  capability_id: EOP-MFR-E3
  comments: "In Exchange Online organizations, and in standalone Exchange Online Protection\
    \ (EOP) organizations without Exchange Online mailboxes, you can use Exchange Mail\
    \ Flow Rules (also known as transport rules) to look for specific conditions on\
    \ messages that pass through your organization and take action on them. Mail Flow\
    \ Rules take action on messages while they are in transit, not after the message\
    \ is delivered to the mailbox. Mail flow rules contain a rich set of conditions,\
    \ exceptions, and actions, which provides you with the flexibility to implement\
    \ many types of messaging policies.\n\nMail Flow Rules can help counter Email Hiding\
    \ Rules because they act on messages while in transit, before any inbox rule created\
    \ by an adversary is applied on delivery; messages matching conditions of interest\
    \ can therefore be acted on before an inbox hiding rule can move or delete them.\
    \ Note that mail flow rules do not themselves audit or inspect inbox rules; detecting\
    \ adversary-created inbox rules requires separate mailbox rule auditing.\n\n\
    License Requirements:\nMicrosoft Exchange Online Protection, Defender for Office 365\
    \ plan 1 and plan 2, Microsoft XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules
  related_score: T1564
  score_category: protect
  score_value: significant
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This training-focused security control partially improves an organization's\
    \ security posture by continuously conducting attack simulations that help fine-tune\
    \ analytics and provide hands-on training for users and cyber professionals to improve\
    \ detection and response capabilities. Note that the simulations themselves are benign;\
    \ the control's value lies in user awareness and in tuning detection and response,\
    \ not in blocking live attacks.\n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  score_category: respond
  score_value: partial
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This training-focused security control partially improves an organization's\
    \ security posture by continuously conducting attack simulations that help fine-tune\
    \ analytics and provide hands-on training for users and cyber professionals to improve\
    \ detection and response capabilities. Note that the simulations themselves are benign;\
    \ the control's value lies in user awareness and in tuning detection and response,\
    \ not in blocking live attacks.\n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide
  score_category: detect
  score_value: partial
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This training-focused security control partially improves an organization's\
    \ security posture by continuously conducting attack simulations that help fine-tune\
    \ analytics and provide hands-on training for users and cyber professionals to improve\
    \ detection and response capabilities. Note that the simulations themselves are benign;\
    \ the control's value lies in user awareness and in tuning detection and response,\
    \ not in blocking live attacks.\n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide
  score_category: respond
  score_value: partial
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This training-focused security control partially improves an organization's\
    \ security posture by continuously conducting attack simulations that help fine-tune\
    \ analytics and provide hands-on training for users and cyber professionals to improve\
    \ detection and response capabilities. Note that the simulations themselves are benign;\
    \ the control's value lies in user awareness and in tuning detection and response,\
    \ not in blocking live attacks.\n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide
  score_category: detect
  score_value: partial
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This training-focused security control partially improves an organization's\
    \ security posture by continuously conducting attack simulations that help fine-tune\
    \ analytics and provide hands-on training for users and cyber professionals to improve\
    \ detection and response capabilities. Note that the simulations themselves are benign;\
    \ the control's value lies in user awareness and in tuning detection and response,\
    \ not in blocking live attacks.\n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  related_score: T1204
  score_category: respond
  score_value: partial
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This training-focused security control partially improves an organization's\
    \ security posture by continuously conducting attack simulations that help fine-tune\
    \ analytics and provide hands-on training for users and cyber professionals to improve\
    \ detection and response capabilities. Note that the simulations themselves are benign;\
    \ the control's value lies in user awareness and in tuning detection and response,\
    \ not in blocking live attacks.\n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide
  related_score: T1204
  score_category: detect
  score_value: partial
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This training-focused security control partially improves an organization's\
    \ security posture by continuously conducting attack simulations that help fine-tune\
    \ analytics and provide hands-on training for users and cyber professionals to improve\
    \ detection and response capabilities. Note that the simulations themselves are benign;\
    \ the control's value lies in user awareness and in tuning detection and response,\
    \ not in blocking live attacks.\n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  related_score: T1204
  score_category: respond
  score_value: partial
- attack_object_id: T1204.002
  attack_object_name: Malicious File
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This training-focused security control partially improves an organization's\
    \ security posture by continuously conducting attack simulations that help fine-tune\
    \ analytics and provide hands-on training for users and cyber professionals to improve\
    \ detection and response capabilities. Note that the simulations themselves are benign;\
    \ the control's value lies in user awareness and in tuning detection and response,\
    \ not in blocking live attacks.\n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide
  related_score: T1204
  score_category: detect
  score_value: partial
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This training-focused security control partially improves an organization's\
    \ security posture by continuously conducting attack simulations that help fine-tune\
    \ analytics and provide hands-on training for users and cyber professionals to improve\
    \ detection and response capabilities. Note that the simulations themselves are benign;\
    \ the control's value lies in user awareness and in tuning detection and response,\
    \ not in blocking live attacks.\n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide
  score_category: respond
  score_value: partial
- attack_object_id: T1528
  attack_object_name: Steal Application Access Token
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This detection-focused security control partially improves organizations'\
    \ security posture by continuously conducting attack simulations that fine-tune analytics,\
    \ and provide hands-on training for users and cyber professionals to improve response\
    \ capabilities. \n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide
  score_category: detect
  score_value: partial
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This detection-focused security control partially improves organizations'\
    \ security posture by continuously conducting attack simulations that fine-tune analytics,\
    \ and provide hands-on training for users and cyber professionals to improve response\
    \ capabilities. \n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide
  score_category: respond
  score_value: partial
- attack_object_id: T1539
  attack_object_name: Steal Web Session Cookie
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This detection-focused security control partially improves organizations'\
    \ security posture by continuously conducting attack simulations that fine-tune analytics,\
    \ and provide hands-on training for users and cyber professionals to improve response\
    \ capabilities. \n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide
  score_category: detect
  score_value: partial
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This detection-focused security control partially improves organizations'\
    \ security posture by continuously conducting attack simulations that fine-tune analytics,\
    \ and provide hands-on training for users and cyber professionals to improve response\
    \ capabilities. \n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide
  score_category: respond
  score_value: partial
- attack_object_id: T1550
  attack_object_name: Use Alternate Authentication Material
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This detection-focused security control partially improves organizations'\
    \ security posture by continuously conducting attack simulations that fine-tune analytics,\
    \ and provide hands-on training for users and cyber professionals to improve response\
    \ capabilities. \n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  score_category: detect
  score_value: partial
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This detection-focused security control partially improves organizations'\
    \ security posture by continuously conducting attack simulations that fine-tune analytics,\
    \ and provide hands-on training for users and cyber professionals to improve response\
    \ capabilities. \n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  score_category: respond
  score_value: partial
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This detection-focused security control partially improves organizations'\
    \ security posture by continuously conducting attack simulations that fine-tune analytics,\
    \ and provide hands-on training for users and cyber professionals to improve response\
    \ capabilities. \n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide
  score_category: detect
  score_value: partial
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This detection-focused security control partially improves organizations'\
    \ security posture by continuously conducting attack simulations that fine-tune analytics,\
    \ and provide hands-on training for users and cyber professionals to improve response\
    \ capabilities. \n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  related_score: T1566
  score_category: respond
  score_value: partial
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This detection-focused security control partially improves organizations'\
    \ security posture by continuously conducting attack simulations that fine-tune analytics,\
    \ and provide hands-on training for users and cyber professionals to improve response\
    \ capabilities. \n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide
  related_score: T1566
  score_category: detect
  score_value: partial
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This detection-focused security control partially improves organizations'\
    \ security posture by continuously conducting attack simulations that fine-tune analytics,\
    \ and provide hands-on training for users and cyber professionals to improve response\
    \ capabilities. \n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  related_score: T1566
  score_category: respond
  score_value: partial
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This detection-focused security control partially improves organizations'\
    \ security posture by continuously conducting attack simulations that fine-tune analytics,\
    \ and provide hands-on training for users and cyber professionals to improve response\
    \ capabilities. \n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-worldwide
  related_score: T1566
  score_category: detect
  score_value: partial
- attack_object_id: T1598
  attack_object_name: Phishing for Information
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This detection-focused security control partially improves organizations'\
    \ security posture by continuously conducting attack simulations that fine-tune analytics,\
    \ and provide hands-on training for users and cyber professionals to improve response\
    \ capabilities. \n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques
  score_category: respond
  score_value: partial
- attack_object_id: T1598
  attack_object_name: Phishing for Information
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: "M365's Defender Attack Simulation Training allows organizations to automate\
    \ the simulation of benign real-world cyberattacks. These simulation automations\
    \ feature social engineering techniques, payloads, and can start on an automated\
    \ schedule. This detection-focused security control partially improves organizations'\
    \ security posture by continuously conducting attack simulations that fine-tune analytics,\
    \ and provide hands-on training for users and cyber professionals to improve response\
    \ capabilities. \n\nThe following social engineering techniques are available:\n\
    \nCredential Harvest: Attempts to collect credentials by taking users to a well-known\
    \ looking website with input boxes to submit a username and password.\nMalware\
    \ Attachment: Adds a malicious attachment to a message. When the user opens the\
    \ attachment, arbitrary code is run that helps the attacker compromise the target's\
    \ device.\nLink in Attachment: A type of credential harvest hybrid. An attacker\
    \ inserts a URL into an email attachment. The URL within the attachment follows\
    \ the same technique as credential harvest.\nLink to Malware: Runs some arbitrary\
    \ code from a file hosted on a well-known file sharing service. The message sent\
    \ to the user contains a link to this malicious file, opening the file and helping\
    \ the attacker compromise the target's device.\nDrive-by URL: The malicious URL\
    \ in the message takes the user to a familiar-looking website that silently runs\
    \ and/or installs code on the user's device.\nOAuth Consent Grant: The malicious\
    \ URL asks users to grant permissions to data for a malicious Azure Application.\n\
    \nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365\
    \ Plan 2."
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-worldwide
  score_category: detect
  score_value: partial
- attack_object_id: T1598.002
  attack_object_name: Spearphishing Attachment
  capability_description: ATT&CK Simulation Training
  capability_group: m365-defender
  capability_id: DEF-SIMT-E5
  comments: >-
    M365's Defender Attack Simulation Training allows organizations to automate
    the simulation of benign real-world cyberattacks. These simulation automations
    feature social engineering techniques and payloads, and can start on an
    automated schedule. This detection-focused security control partially
    improves an organization's security posture by continuously conducting
    attack simulations that help tune analytics and provide hands-on training
    for users and cyber professionals to improve response capabilities. Note
    that the simulations use benign payloads and do not themselves identify
    real adversary phishing; the detection value comes from the analytics and
    response processes that the simulations help refine.


    The following social engineering techniques are available:


    Credential Harvest: Attempts to collect credentials by taking users to a
    website that imitates a well-known site, with input boxes to submit a
    username and password.

    Malware Attachment: Adds a malicious attachment to a message. When the user
    opens the attachment, arbitrary code is run that helps the attacker
    compromise the target's device.

    Link in Attachment: A credential harvest hybrid. An attacker inserts a URL
    into an email attachment; the URL within the attachment follows the same
    technique as credential harvest.

    Link to Malware: Runs arbitrary code from a file hosted on a well-known file
    sharing service. The message sent to the user contains a link to this
    malicious file; opening the file helps the attacker compromise the target's
    device.

    Drive-by URL: The malicious URL in the message takes the user to a
    familiar-looking website that silently runs and/or installs code on the
    user's device.

    OAuth Consent Grant: The malicious URL asks users to grant permissions to
    data for a malicious Azure application.


    License Requirements:

    Microsoft 365 E5 or Microsoft Defender for Office 365 Plan 2.
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide
  related_score: T1598
  score_category: detect
  score_value: partial
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Preset Security Policies
  capability_group: m365-defender
  capability_id: DEF-PSP-E3
  comments: >-
    M365 Preset security policies allow you to apply protection features to
    users based on Microsoft's recommended settings. Unlike custom policies that
    are infinitely configurable, virtually all of the settings in preset security
    policies aren't configurable, and are based on observations in Microsoft's
    datacenters. The settings in preset security policies provide a balance
    between keeping harmful content away from users while avoiding unnecessary
    disruptions.


    Preset Security Policies detect Drive-by Compromise attacks because all
    recipients in the organization receive Safe Links and Safe Attachments
    through the Built-in protection profile by default. Safe Links checks URLs
    at time of click, before the website opens. You can add entries to the
    existing policies or configure different lists in different Safe Links
    policies to determine whether certain websites are necessary for business
    operations. If the URL points to a website that has been identified as a
    phishing site, a phishing attempt warning page opens. Coverage is limited to
    links delivered through email, Teams, and supported Office 365 apps, and
    depends on the destination being identified as malicious at click time; a
    compromised site reached by ordinary browsing outside those channels is not
    covered by this control.


    License Requirements:

    Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Preset Security Policies
  capability_group: m365-defender
  capability_id: DEF-PSP-E3
  comments: >-
    M365 Preset security policies allow you to apply protection features to
    users based on Microsoft's recommended settings. Unlike custom policies that
    are infinitely configurable, virtually all of the settings in preset security
    policies aren't configurable, and are based on observations in Microsoft's
    datacenters. The settings in preset security policies provide a balance
    between keeping harmful content away from users while avoiding unnecessary
    disruptions.


    Preset Security Policies detect User Execution attacks because all
    recipients in the organization receive Safe Links and Safe Attachments
    through the Built-in protection profile by default. Safe Links checks URLs
    at time of click, before the website opens. You can add entries to the
    existing policies or configure different lists in different Safe Links
    policies to determine whether certain websites are necessary for business
    operations. If the URL points to a website that has been identified as a
    phishing site, a phishing attempt warning page opens. Safe Links covers the
    malicious-link path of user execution; the malicious-file path is covered
    by Safe Attachments, which checks attachments in a virtual environment
    (detonation) before they are delivered.


    License Requirements:

    Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Preset Security Policies
  capability_group: m365-defender
  capability_id: DEF-PSP-E3
  comments: "M365 Preset security policies allow you to apply protection features\
    \ to users based on Microsoft's recommended settings. Unlike custom policies that\
    \ are infinitely configurable, virtually all of the settings in preset security\
    \ policies aren't configurable, and are based on observations in Microsoft's datacenters.\
    \ The settings in preset security policies provide a balance between keeping harmful\
    \ content away from users while avoiding unnecessary disruptions. \n\nPreset Security\
    \ Policies Detects Malicious Link attacks due to all recipients in the organization\
    \ receiving Safe Links and Safe Attachments with the Built-in protection profile\
    \ by default. Safe Links immediately checks the URL's before opening the websites.\
    \ If the URL points to a website that has been identified as a phishing attack,\
    \ a Phishing attempt warning page will open. \n\nLicense Requirements:\nMicrosoft\
    \ Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide
  related_score: T1204
  score_category: detect
  score_value: significant
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: Preset Security Policies
  capability_group: m365-defender
  capability_id: DEF-PSP-E3
  comments: >-
    M365 Preset security policies allow you to apply protection features to
    users based on Microsoft's recommended settings. Unlike custom policies that
    are infinitely configurable, virtually all of the settings in preset security
    policies aren't configurable, and are based on observations in Microsoft's
    datacenters. The settings in preset security policies provide a balance
    between keeping harmful content away from users while avoiding unnecessary
    disruptions.


    Preset Security Policies detect Internal Spearphishing attacks because all
    recipients in the organization receive Safe Links and Safe Attachments
    through the Built-in protection profile by default. Safe Links checks URLs
    at time of click, before the website opens. You can add entries to the
    existing policies or configure different lists in different Safe Links
    policies to determine whether certain websites are necessary for business
    operations. If the URL points to a website that has been identified as a
    phishing site, a phishing attempt warning page opens. Because internal
    spearphishing originates from an account inside the organization rather
    than from an external sender, confirm that the applied Safe Links settings
    cover messages sent within the organization and not only inbound mail.


    License Requirements:

    Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Preset Security Policies
  capability_group: m365-defender
  capability_id: DEF-PSP-E3
  comments: "M365 Preset security policies allow you to apply protection features\
    \ to users based on Microsoft's recommended settings. Unlike custom policies that\
    \ are infinitely configurable, virtually all of the settings in preset security\
    \ policies aren't configurable, and are based on observations in Microsoft's datacenters.\
    \ The settings in preset security policies provide a balance between keeping harmful\
    \ content away from users while avoiding unnecessary disruptions. \n\nPreset Security\
    \ Policies Detects Phishing attacks due to all recipients in the organization\
    \ receiving Safe Links and Safe Attachments with the Built-in protection profile\
    \ by default. Safe Links immediately checks the URL's before opening the websites.\
    \ If the URL points to a website that has been identified as a phishing attack,\
    \ a Phishing attempt warning page will open. \n\nLicense Requirements:\nMicrosoft\
    \ Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Preset Security Policies
  capability_group: m365-defender
  capability_id: DEF-PSP-E3
  comments: "M365 Preset security policies allow you to apply protection features\
    \ to users based on Microsoft's recommended settings. Unlike custom policies that\
    \ are infinitely configurable, virtually all of the settings in preset security\
    \ policies aren't configurable, and are based on observations in Microsoft's datacenters.\
    \ The settings in preset security policies provide a balance between keeping harmful\
    \ content away from users while avoiding unnecessary disruptions. \n\nPreset Security\
    \ Policies Detects Spearphishing Attachment attacks due to the Built-in protection\
    \ preset security policy providing Safe Attachments protection to all recipients.\
    \ Safe Attachments uses a virtual environment to check attachments in email messages\
    \ before they're delivered to recipients (a process known as detonation).\n\n\
    License Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft\
    \ Defender XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide
  related_score: T1566
  score_category: detect
  score_value: significant
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Preset Security Policies
  capability_group: m365-defender
  capability_id: DEF-PSP-E3
  comments: "M365 Preset security policies allow you to apply protection features\
    \ to users based on Microsoft's recommended settings. Unlike custom policies that\
    \ are infinitely configurable, virtually all of the settings in preset security\
    \ policies aren't configurable, and are based on observations in Microsoft's datacenters.\
    \ The settings in preset security policies provide a balance between keeping harmful\
    \ content away from users while avoiding unnecessary disruptions. \n\nPreset Security\
    \ Policies Detects Spearphishing Link attacks due to all recipients in the organization\
    \ receiving Safe Links and Safe Attachments with the Built-in protection profile\
    \ by default. Safe Links immediately checks the URL's before opening the websites.\
    \ If the URL points to a website that has been identified as a phishing attack,\
    \ a Phishing attempt warning page will open. \n\nLicense Requirements:\nMicrosoft\
    \ Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide
  related_score: T1566
  score_category: detect
  score_value: significant
- attack_object_id: T1656
  attack_object_name: Impersonation
  capability_description: Preset Security Policies
  capability_group: m365-defender
  capability_id: DEF-PSP-E3
  comments: >-
    M365 Preset security policies allow you to apply protection features to
    users based on Microsoft's recommended settings. Unlike custom policies that
    are infinitely configurable, virtually all of the settings in preset security
    policies aren't configurable, and are based on observations in Microsoft's
    datacenters. The settings in preset security policies provide a balance
    between keeping harmful content away from users while avoiding unnecessary
    disruptions.


    Preset Security Policies detect Impersonation attacks because all recipients
    in the organization receive Safe Links and Safe Attachments through the
    Built-in protection profile by default. Safe Links checks URLs at time of
    click, before the website opens. If the URL points to a website that has
    been identified as a phishing site, a phishing attempt warning page opens.
    Note that this addresses only the malicious-link component of an
    impersonation lure; the impersonation protection features themselves live in
    anti-phishing policies and are a separate control from Safe Links and Safe
    Attachments.


    License Requirements:

    Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Threat Explorer
  capability_group: m365-defender
  capability_id: DEF-THEX-E5
  comments: >-
    Threat Explorer helps your security operations team investigate and respond
    to threats efficiently. With these tools, you can: see malware detected by
    Microsoft 365 security features, view phishing URL and click verdict data,
    start an automated investigation and response process from a view in
    Explorer, investigate malicious email, and more.


    Threat Explorer supports detection of Drive-by Compromise attacks by
    capturing phishing attempts in its dashboard and letting analysts view them,
    including a list of URLs that were allowed, blocked, and overridden. The
    allowed and overridden entries are the ones that warrant follow-up, since
    those clicks were not stopped. When an organization blocks URLs for users,
    it reduces the likelihood of users visiting a website that hosts
    adversary-controlled content.


    License Requirements:

    Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-about?view=o365-worldwide#view-phishing-url-and-click-verdict-data
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-threat-hunting?view=o365-worldwide
  score_category: detect
  score_value: partial
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Threat Explorer
  capability_group: m365-defender
  capability_id: DEF-THEX-E5
  comments: "Threat Explorer helps your security operations team investigate and respond\
    \ to threats efficiently. With these tools, you can: See malware detected by Microsoft\
    \ 365 security features, View phishing URL and click verdict data, Start an automated\
    \ investigation and response process from a view in Explorer, Investigate malicious\
    \ email, and more. \n\nThreat Explorer Detects Phishing attacks by their dashboard\
    \ capturing and enabling the user to view phishing attempts, including a list\
    \ of URLs that were allowed, blocked, and overridden.\n\n\nLicense Requirements:\
    \ \nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-about?view=o365-worldwide#view-phishing-url-and-click-verdict-data
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-about?view=o365-worldwide
  score_category: detect
  score_value: partial
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Threat Explorer
  capability_group: m365-defender
  capability_id: DEF-THEX-E5
  comments: >-
    Threat Explorer helps your security operations team investigate and respond
    to threats efficiently. With these tools, you can: see malware detected by
    Microsoft 365 security features, view phishing URL and click verdict data,
    start an automated investigation and response process from a view in
    Explorer, investigate malicious email, and more.


    Threat Explorer supports detection of Spearphishing Attachment attacks
    through its system override values. The "File extension blocked by org
    policy" value indicates that the organization's security team blocked a file
    name extension through the anti-malware policy settings. These values are
    displayed in email details to help with investigations, and SecOps teams can
    also use the rich filtering capability to filter on blocked file extensions.


    License Requirements:

    Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-about?view=o365-worldwide#view-phishing-url-and-click-verdict-data
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-threat-hunting?view=o365-worldwide
  related_score: T1566
  score_category: detect
  score_value: partial
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Threat Explorer
  capability_group: m365-defender
  capability_id: DEF-THEX-E5
  comments: "Threat Explorer helps your security operations team investigate and respond\
    \ to threats efficiently. With these tools, you can: See malware detected by Microsoft\
    \ 365 security features, View phishing URL and click verdict data, Start an automated\
    \ investigation and response process from a view in Explorer, Investigate malicious\
    \ email, and more. \n\nThreat Explorer Detects Spearphishing Link attacks by their\
    \ dashboard capturing and enabling the user to view phishing attempts, including\
    \ a list of URLs that were allowed, blocked, and overridden.\n\n\nLicense Requirements:\
    \ \nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-about?view=o365-worldwide#view-phishing-url-and-click-verdict-data
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-threat-hunting?view=o365-worldwide
  related_score: T1566
  score_category: detect
  score_value: partial
- attack_object_id: T1656
  attack_object_name: Impersonation
  capability_description: Threat Explorer
  capability_group: m365-defender
  capability_id: DEF-THEX-E5
  comments: >-
    Threat Explorer helps your security operations team investigate and respond
    to threats efficiently. With these tools, you can: see malware detected by
    Microsoft 365 security features, view phishing URL and click verdict data,
    start an automated investigation and response process from a view in
    Explorer, investigate malicious email, and more.


    Threat Explorer supports detection of Impersonation attacks by capturing
    phishing attempts in its dashboard and letting analysts view them, including
    a list of URLs that were allowed, blocked, and overridden. The allowed and
    overridden entries are the ones that warrant follow-up, since those clicks
    were not stopped. When an organization blocks URLs for users, it reduces the
    likelihood of users visiting a website that hosts adversary-controlled
    content.


    License Requirements:

    Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-about?view=o365-worldwide#view-phishing-url-and-click-verdict-data
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-threat-hunting?view=o365-worldwide
  score_category: detect
  score_value: partial
- attack_object_id: T1189
  attack_object_name: Drive-by Compromise
  capability_description: Threat Protection Status Report
  capability_group: m365-defender
  capability_id: DEF-TPSR-E3
  comments: >-
    Threat protection status report is a single view that brings together
    information about malicious content and malicious email detected and blocked
    by Exchange Online Protection (EOP) and Defender for Office 365. The report
    provides the count of email messages with malicious content. For example:
    files or website addresses (URLs) that were blocked by the anti-malware
    engine, files or messages affected by zero-hour auto purge (ZAP), and files
    or messages that were blocked by Defender for Office 365 features: Safe
    Links, Safe Attachments, and impersonation protection features in
    anti-phishing policies.


    Threat Protection Status Report supports detection of Drive-by Compromise
    attacks by capturing and displaying files or messages that were blocked by
    Safe Links, Safe Attachments, and the impersonation protection features in
    anti-phishing policies. The report is an aggregate, after-the-fact view of
    content those controls already blocked, so it is useful for spotting
    campaigns and trends rather than for real-time alerting. When an
    organization filters URLs for users, it reduces the likelihood of users
    visiting a website that hosts adversary-controlled content.


    License Requirements:

    Exchange Online Protection, Microsoft Defender for Office 365 plan 1 and
    plan 2, Microsoft Defender XDR
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide#threat-protection-status-report
  score_category: detect
  score_value: partial
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: Threat Protection Status Report
  capability_group: m365-defender
  capability_id: DEF-TPSR-E3
  comments: "Threat protection status report is a single view that brings together\
    \ information about malicious content and malicious email detected and blocked\
    \ by Exchange Online Protection (EOP) and Defender for Office 365. The report\
    \ provides the count of email messages with malicious content. For example: Files\
    \ or website addresses (URLs) that were blocked by the anti-malware engine, Files\
    \ or messages affected by zero-hour auto purge (ZAP), Files or messages that were\
    \ blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and\
    \ impersonation protection features in anti-phishing policies.\n\nThreat Protection\
    \ Status Report Detects Internal Spearphishing attacks by the report capturing\
    \ and displaying files or messages that were blocked by Safe Links, Safe Attachments,\
    \ and impersonation protection features in phishing policies.\n\nLicense Requirements:\
    \ \nExchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan\
    \ 2, Microsoft Defender XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide#threat-protection-status-report
  score_category: detect
  score_value: partial
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Threat Protection Status Report
  capability_group: m365-defender
  capability_id: DEF-TPSR-E3
  comments: "Threat protection status report is a single view that brings together\
    \ information about malicious content and malicious email detected and blocked\
    \ by Exchange Online Protection (EOP) and Defender for Office 365. The report\
    \ provides the count of email messages with malicious content. For example: Files\
    \ or website addresses (URLs) that were blocked by the anti-malware engine, Files\
    \ or messages affected by zero-hour auto purge (ZAP), Files or messages that were\
    \ blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and\
    \ impersonation protection features in anti-phishing policies.\n\nThreat Protection\
    \ Status Report Detects Phishing attacks by the report capturing and displaying\
    \ files or messages that were blocked by Safe Links, Safe Attachments, and impersonation\
    \ protection features in phishing policies.\n\nLicense Requirements: \nExchange\
    \ Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft\
    \ Defender XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide#threat-protection-status-report
  score_category: detect
  score_value: partial
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Threat Protection Status Report
  capability_group: m365-defender
  capability_id: DEF-TPSR-E3
  comments: "Threat protection status report is a single view that brings together\
    \ information about malicious content and malicious email detected and blocked\
    \ by Exchange Online Protection (EOP) and Defender for Office 365. The report\
    \ provides the count of email messages with malicious content. For example: Files\
    \ or website addresses (URLs) that were blocked by the anti-malware engine, Files\
    \ or messages affected by zero-hour auto purge (ZAP), Files or messages that were\
    \ blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and\
    \ impersonation protection features in anti-phishing policies.\n\nThreat Protection\
    \ Status Report Detects Spearphishing Attachment attacks by the report capturing\
    \ and displaying files or messages that were blocked by Safe Links, Safe Attachments,\
    \ and impersonation protection features in phishing policies.\n\nLicense Requirements:\
    \ \nExchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan\
    \ 2, Microsoft Defender XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide#threat-protection-status-report
  related_score: T1566
  score_category: detect
  score_value: partial
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Threat Protection Status Report
  capability_group: m365-defender
  capability_id: DEF-TPSR-E3
  comments: "Threat protection status report is a single view that brings together\
    \ information about malicious content and malicious email detected and blocked\
    \ by Exchange Online Protection (EOP) and Defender for Office 365. The report\
    \ provides the count of email messages with malicious content. For example: Files\
    \ or website addresses (URLs) that were blocked by the anti-malware engine, Files\
    \ or messages affected by zero-hour auto purge (ZAP), Files or messages that were\
    \ blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and\
    \ impersonation protection features in anti-phishing policies.\n\nThreat Protection\
    \ Status Report Detects Spearphishing Link attacks by the report capturing and\
    \ displaying files or messages that were blocked by Safe Links, Safe Attachments,\
    \ and impersonation protection features in phishing policies.\n\nLicense Requirements:\
    \ \nExchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan\
    \ 2, Microsoft Defender XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide#threat-protection-status-report
  related_score: T1566
  score_category: detect
  score_value: partial
- attack_object_id: T1656
  attack_object_name: Impersonation
  capability_description: Threat Protection Status Report
  capability_group: m365-defender
  capability_id: DEF-TPSR-E3
  comments: "Threat protection status report is a single view that brings together\
    \ information about malicious content and malicious email detected and blocked\
    \ by Exchange Online Protection (EOP) and Defender for Office 365. The report\
    \ provides the count of email messages with malicious content. For example: Files\
    \ or website addresses (URLs) that were blocked by the anti-malware engine, Files\
    \ or messages affected by zero-hour auto purge (ZAP), Files or messages that were\
    \ blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and\
    \ impersonation protection features in anti-phishing policies.\n\nThreat Protection\
    \ Status Report Detects Impersonation attacks by the report capturing and displaying\
    \ files or messages that were blocked by Safe Links, Safe Attachments, and impersonation\
    \ protection features in phishing policies.\n\nLicense Requirements: \nExchange\
    \ Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft\
    \ Defender XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide#threat-protection-status-report
  score_category: detect
  score_value: partial
- attack_object_id: T1204
  attack_object_name: User Execution
  capability_description: Safe Links
  capability_group: m365-defender
  capability_id: DEF-SLNK-E3
  comments: "Microsoft Defender for O365 Safe Links scanning protects your organization\
    \ from malicious links that are used in phishing and other attacks. Safe Links\
    \ provides URL scanning and rewriting of inbound email messages during mail flow,\
    \ and time-of-click verification of URLs and links in email messages, Teams, and\
    \ supported Office 365 apps. \n\nSafe Links Detects User Execution attacks due\
    \ to Safe Links immediately checking the URLs before opening the websites. If\
    \ the URL points to a website that has been determined to be malicious, a malicious\
    \ website warning page opens.\n\nLicense Requirements:\nMicrosoft Defender for\
    \ Office 365 plan 1 and plan 2, Microsoft Defender XDR\n"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide#safe-links-settings-for-email-messages
  score_category: detect
  score_value: significant
- attack_object_id: T1204.001
  attack_object_name: Malicious Link
  capability_description: Safe Links
  capability_group: m365-defender
  capability_id: DEF-SLNK-E3
  comments: "Microsoft Defender for O365 Safe Links scanning protects your organization\
    \ from malicious links that are used in phishing and other attacks. Safe Links\
    \ provides URL scanning and rewriting of inbound email messages during mail flow,\
    \ and time-of-click verification of URLs and links in email messages, Teams, and\
    \ supported Office 365 apps. \n\nSafe Links Detects Malicious Links attacks due\
    \ to Safe Links immediately checking the URLs before opening the websites. If\
    \ the URL points to a website that has been determined to be malicious, a malicious\
    \ website warning page opens.\n\nLicense Requirements:\nMicrosoft Defender for\
    \ Office 365 plan 1 and plan 2, Microsoft Defender XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide#safe-links-settings-for-email-messages
  related_score: T1204
  score_category: detect
  score_value: significant
- attack_object_id: T1204.003
  attack_object_name: Malicious Image
  capability_description: Safe Links
  capability_group: m365-defender
  capability_id: DEF-SLNK-E3
  # NOTE(review): this entry is keyed to Safe Links (DEF-SLNK-E3), but the comments
  # and the reference below describe Safe Attachments; confirm the intended capability.
  comments: "M365's Safe Attachments is a feature that provides advanced email security\
    \ by scanning attachments for malicious content and using a virtual environment\
    \ to check for malicious actions in a process known as detonation. Safe Attachments\
    \ for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect\
    \ emerging threats. If a suspicious file is identified, this file can\
    \ be quarantined or have access to it blocked to prevent potential harm. \n\nLicense requirements:\n\
    Microsoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide
  related_score: T1204
  score_category: detect
  score_value: significant
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: Safe Links
  capability_group: m365-defender
  capability_id: DEF-SLNK-E3
  comments: "Microsoft Defender for O365 Safe Links scanning protects your organization\
    \ from malicious links that are used in phishing and other attacks. Safe Links\
    \ provides URL scanning and rewriting of inbound email messages during mail flow,\
    \ and time-of-click verification of URLs and links in email messages, Teams, and\
    \ supported Office 365 apps. \n\nSafe Links Detects Internal Spearphishing attacks\
    \ due to Safe Links immediately checking the URLs before opening the websites.\
    \ You can add entries to the existing policies or configure different lists in\
    \ different Safe Links policies to determine if certain websites are necessary\
    \ for business operations. If the URL points to a website that has been identified\
    \ as a phishing attack, a Phishing attempt warning page will open. \n\nLicense\
    \ Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft\
    \ Defender XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide#safe-links-settings-for-email-messages
  score_category: detect
  score_value: significant
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Safe Links
  capability_group: m365-defender
  capability_id: DEF-SLNK-E3
  comments: "Microsoft Defender for O365 Safe Links scanning protects your organization\
    \ from malicious links that are used in phishing and other attacks. Safe Links\
    \ provides URL scanning and rewriting of inbound email messages during mail flow,\
    \ and time-of-click verification of URLs and links in email messages, Teams, and\
    \ supported Office 365 apps. \n\nSafe Links Detects Phishing attacks due to Safe\
    \ Links immediately checking the URLs before opening the websites. If the URL\
    \ points to a website that has been identified as a phishing attack, a Phishing\
    \ attempt warning page will open. \n\nLicense Requirements:\nMicrosoft Defender\
    \ for Office 365 plan 1 and plan 2, Microsoft Defender XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide#safe-links-settings-for-email-messages
  score_category: detect
  score_value: significant
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Safe Links
  capability_group: m365-defender
  capability_id: DEF-SLNK-E3
  comments: "Microsoft Defender for O365 Safe Links scanning protects your organization\
    \ from malicious links that are used in phishing and other attacks. Safe Links\
    \ provides URL scanning and rewriting of inbound email messages during mail flow,\
    \ and time-of-click verification of URLs and links in email messages, Teams, and\
    \ supported Office 365 apps. \n\nSafe Links Detects Spearphishing attacks due\
    \ to Safe Links immediately checking the URLs before opening the websites. You\
    \ can add entries to the existing policies or configure different lists in different\
    \ Safe Links policies to determine if certain websites are necessary for business\
    \ operations. If the URL points to a website that has been identified as a phishing\
    \ attack, a Phishing attempt warning page will open. \n\nLicense Requirements:\n\
    Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide#safe-links-settings-for-email-messages
  related_score: T1566
  score_category: detect
  score_value: significant
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: 'Advanced Anti-Phishing '
  capability_group: m365-defender
  capability_id: DEF-AAPH-E5
  comments: 'The Advanced Anti-phishing control includes features that can be used
    to Respond to unusual communication patterns that may indicate Internal Spearphishing.
    AAP for Defender for O365 supports impersonation protection, which provides multiple
    options in reaction to a detected impersonation attempt. For example, the ability
    to redirect the email to specified recipients, add new recipients as Bcc, send
    it to the Junk Email folder, place the message in quarantine, or even automatically
    delete it. This scores Partial in the Respond category for its ability to potentially
    contain the impact of or alert others to the need to remediate internal spearphishing
    attempts.


    License Requirements:

    Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365
  score_category: protect
  score_value: partial
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: 'Advanced Anti-Phishing '
  capability_group: m365-defender
  capability_id: DEF-AAPH-E5
  comments: "The Advanced Anti-phishing control includes features that can be used\
    \ to detect and warn users against unusual communication patterns that may indicate\
    \ Internal Spearphishing. The first contact safety tip, which reports the first\
    \ time a user gets a message from a sender (or when they don\u2019t often get messages\
    \ from that sender), may alert users to suspicious communications from\
    \ legitimate, but unexpected users in their organization. This scores Partial\
    \ in the Detect category for its near real-time processing and indication of unexpected\
    \ email communications. Detection of suspicious communication will not be equally\
    \ accurate, depending on the accounts in question. \n\nLicense Requirements:\n\
    Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#first-contact-safety-tip
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365
  score_category: detect
  score_value: partial
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: 'Advanced Anti-Phishing '
  capability_group: m365-defender
  capability_id: DEF-AAPH-E5
  comments: "The Advanced Anti-phishing control includes respond mechanisms that can\
    \ be used to quarantine and limit user interaction with phishing messages, including\
    \ those that contain Spearphishing Attachments and Links, that employ email as\
    \ the means of communication. This covers responses to some, but not all of this\
    \ technique\u2019s sub-techniques, resulting in an overall score of Partial for\
    \ the Respond category. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5\
    \ (includes Defender for Office 365 Plan 2)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#spoof-protection-and-sender-dmarc-policies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide
  score_category: respond
  score_value: partial
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: 'Advanced Anti-Phishing '
  capability_group: m365-defender
  capability_id: DEF-AAPH-E5
  comments: "The Advanced Anti-phishing control includes features that may detect\
    \ phishing messages, including those that contain Spearphishing Attachments and\
    \ Links, that employ email as the means of communication. In particular, AAP may\
    \ identify and isolate spoofing attempts and warn of unusual communication patterns\
    \ for the sender\u2019s email. This covers detection of some, but not all of this\
    \ technique\u2019s sub-techniques, resulting in an overall score of Partial for\
    \ the Detect category. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5\
    \ (includes Defender for Office 365 Plan 2)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#spoof-settings
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide
  score_category: detect
  score_value: partial
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: 'Advanced Anti-Phishing '
  capability_group: m365-defender
  capability_id: DEF-AAPH-E5
  comments: "The Advanced Anti-phishing control includes configurable policies that\
    \ protect against methods of phishing, including those that contain Spearphishing\
    \ Attachments and Links, that employ email as the means of communication. This\
    \ covers protection against some, but not all of this technique\u2019s sub-techniques,\
    \ resulting in an overall score of Partial for the Protect category. \n\nLicense\
    \ Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365\
    \ Plan 2)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#first-contact-safety-tip
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#unauthenticated-sender-indicators
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide
  score_category: protect
  score_value: partial
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: 'Advanced Anti-Phishing '
  capability_group: m365-defender
  capability_id: DEF-AAPH-E5
  comments: 'The Advanced Anti-phishing control includes several mechanisms that can
    be used to respond to malicious emails targeting users with Spearphishing Attachments.
    Responses include the ability to automatically move suspicious messages to the
    Junk Email, but additional settings also exist that allow a message to be quarantined
    or rejected. Spoof settings also allow for different quarantine policies, which
    define how users can interact with these messages. This scores Partial for the
    Respond category for its ability to contain, possibly quarantine and limit user
    interaction with flagged emails. Note the response will be insufficient in the
    event a user interacts with and executes the malicious Spearphishing attachment.


    License Requirements:

    Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#spoof-protection-and-sender-dmarc-policies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide
  related_score: T1566
  score_category: respond
  score_value: partial
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: 'Advanced Anti-Phishing '
  capability_group: m365-defender
  capability_id: DEF-AAPH-E5
  comments: "The Advanced Anti-phishing control includes several mechanisms that can\
    \ detect and warn a user against suspicious emails and reduce the likelihood of\
    \ the user falling victim to malicious emails with Spearphishing Attachments.\
    \ Detections include implicit email authentication, which includes unauthenticated\
    \ sender indicators that warn the user of potential email spoofing based on SPF\
    \ or DMARC checks, and first contact safety tip, which will report the first time\
    \ a user gets a message from a sender, or if they often don\u2019t get messages\
    \ from that sender. This scores Significant for the Detect category, for its high\
    \ coverage against incoming emails, near real-time processing of new emails,\
    \ and fairly accurate detection rates. Note that AAP is focused on detecting malicious\
    \ emails, not the processing and analysis of attachments.  \n\nLicense Requirements:\n\
    Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#spoof-settings
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide
  related_score: T1566
  score_category: detect
  score_value: significant
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: 'Advanced Anti-Phishing '
  capability_group: m365-defender
  capability_id: DEF-AAPH-E5
  comments: "The Advanced Anti-phishing control includes configurable policies that\
    \ control anti-phishing protection settings that can help protect users by filtering\
    \ out and even blocking suspicious emails, and reduce the likelihood of the user\
    \ falling victim to malicious emails with Spearphishing Attachments. These protection\
    \ policies are configurable across different user groups, and can be tied to Actions\
    \ designed to help organizations Respond to the suspicious messages. This scores\
    \ Partial in the Protect category for its ability to minimize, filter, and flag\
    \ potentially malicious emails end users receive. However, it should be noted\
    \ that the AAP control on its own may not further protect against a user proceeding\
    \ to interact with malicious attachments in a flagged email, depending on how\
    \ an organization configures follow up Actions and how a user may interact with\
    \ the message. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes\
    \ Defender for Office 365 Plan 2)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#first-contact-safety-tip
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#unauthenticated-sender-indicators
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide
  related_score: T1566
  score_category: protect
  score_value: partial
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: 'Advanced Anti-Phishing '
  capability_group: m365-defender
  capability_id: DEF-AAPH-E5
  comments: "The Advanced Anti-phishing control includes several mechanisms that can\
    \ be used to respond to malicious emails targeting users with Spearphishing Links.\
    \ Responses include the ability to automatically move suspicious messages to the\
    \ Junk Email, but additional settings also exist that allow a message to be quarantined\
    \ or rejected. Spoof settings also allow for different quarantine policies, which\
    \ define how users can interact with these messages. This scores Partial for the\
    \ Respond category for its ability to contain, possibly quarantine and limit user\
    \ interaction with flagged emails. Note the response will be insufficient in the\
    \ event a user clicks on, interacts with, and falls victim to the result of a\
    \ malicious link. \nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes\
    \ Defender for Office 365 Plan 2)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#spoof-protection-and-sender-dmarc-policies
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide
  related_score: T1566
  score_category: respond
  score_value: partial
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: 'Advanced Anti-Phishing '
  capability_group: m365-defender
  capability_id: DEF-AAPH-E5
  comments: "The Advanced Anti-phishing control includes several mechanisms that can\
    \ detect and warn a user against suspicious emails and reduce the likelihood of\
    \ the user falling victim to malicious emails with Spearphishing Links. Detections\
    \ include implicit email authentication, which includes unauthenticated sender\
    \ indicators that warn the user of potential email spoofing based on SPF or DMARC\
    \ checks, and first contact safety tip, which will report the first time a user\
    \ gets a message from a sender, or if they often don\u2019t get messages from\
    \ that sender. This scores Significant for the Detect category, for its high coverage\
    \ against incoming emails, near real-time processing of new emails, and fairly\
    \ accurate detection rates. Note that AAP is focused on detecting suspicious emails,\
    \ not the processing and detection of potentially malicious email links. \n\n\
    License Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office\
    \ 365 Plan 2)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#spoof-settings
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide
  related_score: T1566
  score_category: detect
  score_value: significant
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: 'Advanced Anti-Phishing '
  capability_group: m365-defender
  capability_id: DEF-AAPH-E5
  comments: "The Advanced Anti-phishing control includes configurable policies that\
    \ control anti-phishing protection settings that can help protect users by filtering\
    \ out and even blocking suspicious emails, and reduce the likelihood of the user\
    \ falling victim to malicious emails with Spearphishing Links. These protection\
    \ policies are configurable across different user groups, and can be tied to Actions\
    \ designed to help organizations Respond to the suspicious messages. This scores\
    \ Partial in the Protect category for its ability to minimize, filter, and flag\
    \ potentially malicious emails end users receive. However, it should be noted\
    \ that the AAP control on its own may not further protect against a user proceeding\
    \ to click on a malicious link in a flagged email, depending on how an organization\
    \ configures follow up Actions and how a user may interact with the message. \n\
    \nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office\
    \ 365 Plan 2)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#first-contact-safety-tip
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#unauthenticated-sender-indicators
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide
  related_score: T1566
  score_category: protect
  score_value: partial
- attack_object_id: T1656
  attack_object_name: Impersonation
  capability_description: 'Advanced Anti-Phishing '
  capability_group: m365-defender
  capability_id: DEF-AAPH-E5
  comments: 'The Advanced Anti-phishing control includes several mechanisms that can
    be used to respond to malicious emails detected that may be part of Impersonation
    using email communications. Responses include the ability to automatically move
    suspicious messages to the Junk Email, but additional settings also exist that
    allow a message to be quarantined or rejected. Spoof settings also allow for
    different quarantine policies, which define how users can interact with these
    messages. This scores Minimal for the Respond category, due to relatively low
    or no coverage against the scope of the Impersonation technique and its example
    procedures.


    License Requirements:

    Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide
  - https://www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec#:~:text=Business%20email%20compromise%20(BEC)%20is%20a%20type%20of%20cybercrime%20where,can%20use%20in%20another%20scam.
  score_category: respond
  score_value: minimal
- attack_object_id: T1656
  attack_object_name: Impersonation
  capability_description: 'Advanced Anti-Phishing '
  capability_group: m365-defender
  capability_id: DEF-AAPH-E5
  comments: "The Advanced Anti-phishing control includes several mechanisms that can\
    \ detect and warn a user against suspicious emails and reduce the likelihood of\
    \ the user falling victim to suspicious email communications resulting from Impersonation.\
    \ Detections include implicit email authentication, which includes unauthenticated\
    \ sender indicators that warn the user of potential email spoofing based on SPF\
    \ or DMARC checks, and first contact safety tip, which will report the first time\
    \ a user gets a message from a sender, or if they often don\u2019t get messages\
    \ from that sender. This scores Minimal for the Detect category, due to relatively\
    \ low or no coverage against the scope of the Impersonation technique and its\
    \ example procedures. However, against specific email-based implementations, coverage\
    \ will be near real-time and high for the criteria covered. \n\nLicense Requirements:\n\
    Microsoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide
  - https://www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec#:~:text=Business%20email%20compromise%20(BEC)%20is%20a%20type%20of%20cybercrime%20where,can%20use%20in%20another%20scam.
  score_category: detect
  score_value: minimal
- attack_object_id: T1656
  attack_object_name: Impersonation
  capability_description: 'Advanced Anti-Phishing '
  capability_group: m365-defender
  capability_id: DEF-AAPH-E5
  comments: "The Advanced Anti-phishing control includes configurable policies that\
    \ control anti-phishing protection settings that can help protect in the event\
    \ of business email compromise and email fraud campaigns, which may help protect\
    \ against some methods of Impersonation. These protection policies are configurable\
    \ across different user groups, and can be tied to Actions designed to help organizations\
    \ Respond to the suspicious messages. This scores Minimal in the Protect category\
    \ given the ability to flag potentially malicious emails provides relatively low\
    \ or no coverage against the scope of the Impersonation technique and its example\
    \ procedures. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes\
    \ Defender for Office 365 Plan 2)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide
  - https://www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec#:~:text=Business%20email%20compromise%20(BEC)%20is%20a%20type%20of%20cybercrime%20where,can%20use%20in%20another%20scam.
  score_category: protect
  score_value: minimal
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: AntiSpam
  capability_group: eop
  capability_id: EOP-ASP-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against spam (junk email) by EOP.


    To help reduce junk email, EOP includes junk email protection that uses proprietary
    spam filtering (also known as content filtering) technologies to identify and
    separate junk email from legitimate email. EOP spam filtering learns from known
    spam and phishing threats and user feedback from our consumer platform.


    License requirements: M365 E3'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-protection-about?view=o365-worldwide
  score_category: protect
  score_value: significant
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: AntiSpam
  capability_group: eop
  capability_id: EOP-ASP-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against spam (junk email) by EOP.


    To help reduce junk email, EOP includes junk email protection that uses proprietary
    spam filtering (also known as content filtering) technologies to identify and
    separate junk email from legitimate email. EOP spam filtering learns from known
    spam and phishing threats and user feedback from our consumer platform.


    License requirements: M365 E3'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-protection-about?view=o365-worldwide
  score_category: protect
  score_value: significant
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: AntiSpam
  capability_group: eop
  capability_id: EOP-ASP-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against spam (junk email) by EOP.


    To help reduce junk email, EOP includes junk email protection that uses proprietary
    spam filtering (also known as content filtering) technologies to identify and
    separate junk email from legitimate email. EOP spam filtering learns from known
    spam and phishing threats and user feedback from our consumer platform.


    License requirements: M365 E3'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-protection-about?view=o365-worldwide
  related_score: T1566
  score_category: protect
  score_value: significant
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: AntiSpam
  capability_group: eop
  capability_id: EOP-ASP-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against spam (junk email) by EOP.


    To help reduce junk email, EOP includes junk email protection that uses proprietary
    spam filtering (also known as content filtering) technologies to identify and
    separate junk email from legitimate email. EOP spam filtering learns from known
    spam and phishing threats and user feedback from our consumer platform.


    License requirements: M365 E3'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-protection-about?view=o365-worldwide
  related_score: T1566
  score_category: protect
  score_value: significant
- attack_object_id: T1656
  attack_object_name: Impersonation
  capability_description: AntiSpam
  capability_group: eop
  capability_id: EOP-ASP-E3
  comments: 'In Microsoft 365 organizations with mailboxes in Exchange Online or standalone
    Exchange Online Protection (EOP) organizations without Exchange Online mailboxes,
    email messages are automatically protected against spam (junk email) by EOP.


    To help reduce junk email, EOP includes junk email protection that uses proprietary
    spam filtering (also known as content filtering) technologies to identify and
    separate junk email from legitimate email. EOP spam filtering learns from known
    spam and phishing threats and user feedback from our consumer platform.


    License requirements: M365 E3'
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-protection-about?view=o365-worldwide
  score_category: protect
  score_value: significant
- attack_object_id: T1534
  attack_object_name: Internal Spearphishing
  capability_description: Anti-Spoofing
  capability_group: m365-defender
  capability_id: DEF-ASP-E3
  comments: "The anti-spoofing technology in Microsoft O365 specifically examines\
    \ forgery of the From header in the message body, because that header value is\
    \ the message sender that's shown in email clients. When EOP has high confidence\
    \ that the From header is forged, the message is identified as spoofed. The following\
    \ anti-spoofing technologies are available in Microsoft O365: email authentication,\
    \ spoof intelligence insight, allow or block spoofed senders in the tenant allow/block\
    \ List, anti-phishing policies, and spoof detections report\n\nMicrosoft O365's\
    \ anti-spoofing technology detects Internal Spearphishing attacks through the\
    \ spoof detections report, where users can view information about phishing\
    \ attempts.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for\
    \ Office 365 plan 1 and plan 2, Microsoft XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-spoofing-about?view=o365-worldwide
  score_category: detect
  score_value: significant
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Anti-Spoofing
  capability_group: m365-defender
  capability_id: DEF-ASP-E3
  comments: "The anti-spoofing technology in Microsoft O365 specifically examines\
    \ forgery of the From header in the message body, because that header value is\
    \ the message sender that's shown in email clients. When EOP has high confidence\
    \ that the From header is forged, the message is identified as spoofed. The following\
    \ anti-spoofing technologies are available in Microsoft O365: email authentication,\
    \ spoof intelligence insight, allow or block spoofed senders in the tenant allow/block\
    \ List, anti-phishing policies, and spoof detections report\n\nMicrosoft O365's\
    \ anti-spoofing technology protects from Phishing attacks through its mechanisms,\
    \ which provide email authentication by DKIM, and anti-phishing policies\n\
    \nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office\
    \ 365 plan 1 and plan 2, Microsoft XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-spoofing-about?view=o365-worldwide
  score_category: protect
  score_value: significant
- attack_object_id: T1566.002
  attack_object_name: Spearphishing Link
  capability_description: Anti-Spoofing
  capability_group: m365-defender
  capability_id: DEF-ASP-E3
  comments: "The anti-spoofing technology in Microsoft O365 specifically examines\
    \ forgery of the From header in the message body, because that header value is\
    \ the message sender that's shown in email clients. When EOP has high confidence\
    \ that the From header is forged, the message is identified as spoofed. The following\
    \ anti-spoofing technologies are available in Microsoft O365: email authentication,\
    \ spoof intelligence insight, allow or block spoofed senders in the tenant allow/block\
    \ List, anti-phishing policies, and spoof detections report\n\nMicrosoft O365's\
    \ anti-spoofing technology protects from Spearphishing Link attacks through its\
    \ mechanisms, which provide email authentication by DKIM, and anti-phishing\
    \ policies\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender\
    \ for Office 365 plan 1 and plan 2, Microsoft XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-spoofing-about?view=o365-worldwide
  related_score: T1566
  score_category: protect
  score_value: significant
- attack_object_id: T1656
  attack_object_name: Impersonation
  capability_description: Anti-Spoofing
  capability_group: m365-defender
  capability_id: DEF-ASP-E3
  comments: "The anti-spoofing technology in Microsoft O365 specifically examines\
    \ forgery of the From header in the message body, because that header value is\
    \ the message sender that's shown in email clients. When EOP has high confidence\
    \ that the From header is forged, the message is identified as spoofed. The following\
    \ anti-spoofing technologies are available in Microsoft O365: email authentication,\
    \ spoof intelligence insight, allow or block spoofed senders in the tenant allow/block\
    \ List, anti-phishing policies, and spoof detections report\n\nMicrosoft O365's\
    \ anti-spoofing technology protects from Impersonation attacks due to impersonation\
    \ protection provided with anti-phishing policies.\n\nLicense Requirements: \n\
    Microsoft Exchange Online Protection, Defender for Office 365 plan 1 and plan\
    \ 2, Microsoft XDR"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-spoofing-about?view=o365-worldwide
  score_category: protect
  score_value: significant
- attack_object_id: T1564.012
  attack_object_name: File/Path Exclusions
  capability_description: Information Protection
  capability_group: purview
  capability_id: PUR-INPR-E5
  comments: Purview's Information Protection capabilities allow for several restrictions
    to be placed on files. External users or users with insufficient privileges can
    have read-only mode enforced, ensuring that nothing gets written to excluded locations
    in the file system.
  mapping_type: technique_score
  references: []
  related_score: T1564
  score_category: protect
  score_value: partial
- attack_object_id: T1020
  attack_object_name: Automated Exfiltration
  capability_description: Information Protection
  capability_group: purview
  capability_id: PUR-INPR-E5
  comments: "Defender for Cloud Apps file policies allow you to enforce a wide range\
    \ of automated processes. Policies can be set to provide Information Protection,\
    \ including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive\
    \ content shared publicly. \n\nInformation Protection protects from Automated\
    \ Exfiltration attacks by preventing company data from being exfiltrated by\
    \ external users, blocking file downloads in real time using the Defender for\
    \ Cloud Apps session controls.\n\nLicense Requirements:\
    \ \nMicrosoft Defender for Office 365 plan 1 and plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  score_category: protect
  score_value: significant
- attack_object_id: T1048
  attack_object_name: Exfiltration Over Alternative Protocol
  capability_description: Information Protection
  capability_group: purview
  capability_id: PUR-INPR-E5
  comments: "Defender for Cloud Apps file policies allow you to enforce a wide range\
    \ of automated processes. Policies can be set to provide Information Protection,\
    \ including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive\
    \ content shared publicly. \n\nInformation Protection protects from Exfiltration\
    \ Over Alternative Protocol attacks by preventing users from uploading\
    \ unprotected data to the cloud, using the Defender for Cloud Apps session\
    \ controls.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan\
    \ 1 and plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  score_category: protect
  score_value: significant
- attack_object_id: T1070
  attack_object_name: Indicator Removal
  capability_description: Information Protection
  capability_group: purview
  capability_id: PUR-INPR-E5
  comments: "Defender for Cloud Apps file policies allow you to enforce a wide range\
    \ of automated processes. Policies can be set to provide Information Protection,\
    \ including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive\
    \ content shared publicly. \n\nInformation Protection protects from Indicator\
    \ Removal attacks by encrypting files containing personally identifying\
    \ information and other sensitive data that is shared in a cloud app and applying\
    \ sensitivity labels to limit access only to employees in your company.\n\nLicense\
    \ Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  score_category: protect
  score_value: significant
- attack_object_id: T1070.001
  attack_object_name: Clear Windows Event Logs
  capability_description: Information Protection
  capability_group: purview
  capability_id: PUR-INPR-E5
  comments: "Defender for Cloud Apps file policies allow you to enforce a wide range\
    \ of automated processes. Policies can be set to provide Information Protection,\
    \ including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive\
    \ content shared publicly. \n\nInformation Protection protects from Indicator\
    \ Removal attacks by encrypting files containing personally identifying\
    \ information and other sensitive data that is shared in a cloud app and applying\
    \ sensitivity labels to limit access only to employees in your company.\n\nLicense\
    \ Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  related_score: T1070
  score_category: protect
  score_value: significant
- attack_object_id: T1070.002
  attack_object_name: Clear Linux or Mac System Logs
  capability_description: Information Protection
  capability_group: purview
  capability_id: PUR-INPR-E5
  comments: "Defender for Cloud Apps file policies allow you to enforce a wide range\
    \ of automated processes. Policies can be set to provide Information Protection,\
    \ including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive\
    \ content shared publicly. \n\nInformation Protection protects from Indicator\
    \ Removal attacks by encrypting files containing personally identifying\
    \ information and other sensitive data that is shared in a cloud app and applying\
    \ sensitivity labels to limit access only to employees in your company.\n\nLicense\
    \ Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  related_score: T1070
  score_category: protect
  score_value: significant
- attack_object_id: T1087
  attack_object_name: Account Discovery
  capability_description: Information Protection
  capability_group: purview
  capability_id: PUR-INPR-E5
  comments: "Defender for Cloud Apps file policies allow you to enforce a wide range\
    \ of automated processes. Policies can be set to provide Information Protection,\
    \ including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive\
    \ content shared publicly. \n\nInformation Protection detects Account Discovery\
    \ attacks by detecting when certain files that belong\
    \ to a specific user group are being accessed excessively by a user who is not\
    \ part of the group, which could be a potential insider threat.\n\nLicense Requirements:\
    \ \nMicrosoft Defender for Office 365 plan 1 and plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  score_category: detect
  score_value: significant
- attack_object_id: T1087.004
  attack_object_name: Cloud Account
  capability_description: Information Protection
  capability_group: purview
  capability_id: PUR-INPR-E5
  comments: "Defender for Cloud Apps file policies allow you to enforce a wide range\
    \ of automated processes. Policies can be set to provide Information Protection,\
    \ including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive\
    \ content shared publicly. \n\nInformation Protection detects Cloud Account attacks\
    \ by detecting when certain files that belong to a\
    \ specific user group are being accessed excessively by a user who is not part\
    \ of the group, which could be a potential insider threat.\n\nLicense Requirements:\
    \ \nMicrosoft Defender for Office 365 plan 1 and plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  related_score: T1087
  score_category: detect
  score_value: significant
- attack_object_id: T1119
  attack_object_name: Automated Collection
  capability_description: Information Protection
  capability_group: purview
  capability_id: PUR-INPR-E5
  comments: "Defender for Cloud Apps file policies allow you to enforce a wide range\
    \ of automated processes. Policies can be set to provide Information Protection,\
    \ including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive\
    \ content shared publicly. \n\nInformation Protection protects from Automated\
    \ Collection attacks by encrypting files containing personally identifying\
    \ information and other sensitive data that is shared in a cloud app and applying\
    \ sensitivity labels to limit access only to employees in your company.\n\nLicense\
    \ Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  score_category: protect
  score_value: significant
- attack_object_id: T1530
  attack_object_name: Data from Cloud Storage
  capability_description: Information Protection
  capability_group: purview
  capability_id: PUR-INPR-E5
  comments: "Defender for Cloud Apps file policies allow you to enforce a wide range\
    \ of automated processes. Policies can be set to provide Information Protection,\
    \ including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive\
    \ content shared publicly. \n\nInformation Protection protects from Data from\
    \ Cloud Storage attacks by encrypting files containing personally identifying\
    \ information and other sensitive data that is shared in a cloud app and applying\
    \ sensitivity labels to limit access only to employees in your company.\n\nLicense\
    \ Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  score_category: detect
  score_value: significant
- attack_object_id: T1546
  attack_object_name: Event Triggered Execution
  capability_description: Information Protection
  capability_group: purview
  capability_id: PUR-INPR-E5
  comments: "Defender for Cloud Apps file policies allow you to enforce a wide range\
    \ of automated processes. Policies can be set to provide Information Protection,\
    \ including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive\
    \ content shared publicly. \n\nInformation Protection detects Event Triggered\
    \ Execution attacks by detecting when certain files\
    \ that belong to a specific user group are being accessed excessively by a user\
    \ who is not part of the group, which could be a potential insider threat.\n\n\
    License Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  score_category: detect
  score_value: significant
- attack_object_id: T1552
  attack_object_name: Unsecured Credentials
  capability_description: Information Protection
  capability_group: purview
  capability_id: PUR-INPR-E5
  comments: "Defender for Cloud Apps file policies allow you to enforce a wide range\
    \ of automated processes. Policies can be set to provide Information Protection,\
    \ including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive\
    \ content shared publicly. \n\nInformation Protection detects Unsecured Credentials\
    \ attacks by detecting and encrypting files containing personally identifying\
    \ information and other sensitive data that is shared in a cloud app and applying\
    \ sensitivity labels to limit access only to employees in your company.\n\nLicense\
    \ Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  score_category: detect
  score_value: significant
- attack_object_id: T1552.008
  attack_object_name: Chat Messages
  capability_description: Information Protection
  capability_group: purview
  capability_id: PUR-INPR-E5
  comments: "Defender for Cloud Apps file policies allow you to enforce a wide range\
    \ of automated processes. Policies can be set to provide Information Protection,\
    \ including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive\
    \ content shared publicly. \n\nInformation Protection detects Chat Messages attacks\
    \ by encrypting files containing personally identifying information and\
    \ other sensitive data that is shared in a cloud app and applying sensitivity\
    \ labels to limit access only to employees in your company.\n\nLicense Requirements:\
    \ \nMicrosoft Defender for Office 365 plan 1 and plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  related_score: T1552
  score_category: detect
  score_value: significant
- attack_object_id: T1567
  attack_object_name: Exfiltration Over Web Service
  capability_description: Information Protection
  capability_group: purview
  capability_id: PUR-INPR-E5
  comments: "Defender for Cloud Apps file policies allow you to enforce a wide range\
    \ of automated processes. Policies can be set to provide Information Protection,\
    \ including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive\
    \ content shared publicly. \n\nInformation Protection protects from Exfiltration\
    \ Over Web Service attacks by preventing users from uploading unprotected\
    \ data to the cloud, using the Defender for Cloud Apps session controls.\n\n\
    License Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  score_category: protect
  score_value: significant
- attack_object_id: T1567.004
  attack_object_name: Exfiltration Over Webhook
  capability_description: Information Protection
  capability_group: purview
  capability_id: PUR-INPR-E5
  comments: "Defender for Cloud Apps file policies allow you to enforce a wide range\
    \ of automated processes. Policies can be set to provide Information Protection,\
    \ including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive\
    \ content shared publicly. \n\nInformation Protection protects from Exfiltration\
    \ Over Webhook attacks by preventing users from uploading unprotected data\
    \ to the cloud, using the Defender for Cloud Apps session controls.\n\nLicense\
    \ Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection
  related_score: T1567
  score_category: protect
  score_value: significant
- attack_object_id: T1566
  attack_object_name: Phishing
  capability_description: Threat Tracker
  capability_group: m365-defender
  capability_id: DEF-THTR-E5
  comments: "The Threat Tracker control includes noteworthy trackers, which highlight\
    \ newly detected malicious files found with Safe Attachments, that may alert on\
    \ Phishing emails, if they contain malicious attachments. Specifically, noteworthy\
    \ trackers will highlight malicious files that were not previously found by Microsoft\
    \ in your email flow or in other customers\u2019 emails. This scores Minimal for\
    \ Detection, based on the low coverage of this technique\u2019s sub-techniques\
    \ and procedures. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes\
    \ Defender for Office 365 Plan 2)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-trackers?view=o365-worldwide#trackers-and-microsoft-defender-for-office-365
  score_category: detect
  score_value: minimal
- attack_object_id: T1566.001
  attack_object_name: Spearphishing Attachment
  capability_description: Threat Tracker
  capability_group: m365-defender
  capability_id: DEF-THTR-E5
  comments: "The Threat Tracker control includes noteworthy trackers, which highlight\
    \ newly detected malicious files found with Safe Attachments, that may alert on\
    \ malicious Spearphishing Attachments. Specifically, noteworthy trackers will\
    \ highlight malicious files that were not previously found by Microsoft in your\
    \ email flow or in other customers\u2019 emails. This scores Partial for Detection,\
    \ for the ability to highlight potential new threats, although it is the Safe\
    \ Attachments control that detonates and analyzes email attachments to begin with.\
    \ \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for\
    \ Office 365 Plan 2)"
  mapping_type: technique_score
  references:
  - https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-trackers?view=o365-worldwide#trackers-and-microsoft-defender-for-office-365
  related_score: T1566
  score_category: detect
  score_value: partial
metadata:
  attack_version: '16.1'
  author: Center for Threat-Informed Defense
  capability_groups:
    entra-id: Microsoft Entra ID
    eop: Exchange Online Protection
    m365-defender: Microsoft 365 Defender
    purview: Microsoft Purview
  contact: ctid@mitre.org
  creation_date: 07/18/2025
  last_update: 07/24/2025
  mapping_framework: m365
  mapping_framework_version: 07/18/2025
  mapping_types:
    technique_score:
      description: ''
      name: Technique Scores
  mapping_version: ''
  organization: Center for Threat-Informed Defense
  technology_domain: enterprise
