{"metadata": {"mapping_version": "", "technology_domain": "enterprise", "attack_version": "16.1", "mapping_framework": "m365", "mapping_framework_version": "07/18/2025", "author": "Center for Threat-Informed Defense", "contact": "ctid@mitre.org", "organization": "Center for Threat-Informed Defense", "creation_date": "07/18/2025", "last_update": "07/24/2025", "mapping_types": {"technique_score": {"name": "Technique Scores", "description": ""}}, "capability_groups": {"m365-defender": "Microsoft 365 Defender", "entra-id": "Microsoft Entra ID", "eop": "Exchange Online Protection", "purview": "Microsoft Purview"}}, "mapping_objects": [{"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1059.009", "attack_object_name": "Cloud API", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1059", "comments": "Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, failed login attempts, account lockout policies, etc. 
These features may require Microsoft Entra ID P2.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-apis2 licensing", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-apis"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, failed login attempts, account lockout policies, etc. These features may require Microsoft Entra ID P2.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: 
conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, failed login attempts, account lockout policies, etc. These features may require Microsoft Entra ID P2.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, failed login attempts, account lockout policies, etc. 
These features may require Microsoft Entra ID P2.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, failed login attempts, account lockout policies, etc. 
These features may require Microsoft Entra ID P2.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, failed login attempts, account lockout policies, etc. 
These features may require Microsoft Entra ID P2.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, failed login attempts, account lockout policies, etc. 
These features may require Microsoft Entra ID P2.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1586.003", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1586", "comments": "Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, failed login attempts, account lockout policies, etc. 
These features may require Microsoft Entra ID P2.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1621", "attack_object_name": "Multi-Factor Authentication Request Generation", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "Multiple conditions can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, blocking access by location, blocking access from unsupported devices, failed login attempts, account lockout policies, etc. 
These features may require Microsoft Entra ID P2.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policy-common?tabs=secure-foundation", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-policies", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1074", "attack_object_name": "Data Staged", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "This control only provides the ability to restrict file downloads for a limited set of applications and therefore its overall Coverage score is minimal.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1074.001", "attack_object_name": "Local Data Staging", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "related_score": "T1074", "comments": "Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint and OneDrive, can restrict what they can do in these applications using its app-enforced restrictions.   For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint/OneDrive with no ability to download, print, or sync files.  This can impede an adversary's ability to collect and stage files.  
This offers minimal coverage as it requires the target application to support such a feature that can be triggered by this control and to date only a few (Office) applications support this.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1074.002", "attack_object_name": "Remote Data Staging", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "related_score": "T1074", "comments": "Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint and OneDrive, can restrict what they can do in these applications using its app-enforced restrictions.   For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint/OneDrive with no ability to download, print, or sync files.  This can impede an adversary's ability to collect and stage files.  
This offers minimal coverage as it requires the target application to support such a feature that can be triggered by this control and to date only a few (Office) applications support this.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "This control only provides minimal protection for this technique's procedure examples and only protects one of its sub-techniques, resulting in an overall Minimal score.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1078", "comments": "This control can protect against the abuse of valid cloud accounts by requiring MFA or blocking access altogether based on signals such as the user's IP location information, device compliance state, and risky sign-in/user state (through integration with Azure AD Identity Protection).  
Additionally, session controls that limit what a valid user can do within an app can also be triggered based on the aforementioned signals.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "comments": "Conditional Access can be used to enforce MFA for users, which provides significant protection against password compromises, requiring an adversary to complete an additional authentication method before their access is permitted.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Conditional Access can be used to enforce MFA for users, which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Conditional Access can be used to enforce MFA for users, which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional 
authentication method before their access is permitted.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Conditional Access can be used to enforce MFA for users, which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Conditional Access can be used to enforce MFA for users, which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1213", "attack_object_name": "Data from Information Repositories", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "This control only provides the ability to restrict an adversary from collecting valuable information for a limited set of applications (SharePoint, Exchange, OneDrive) and therefore its overall Coverage score is minimal.", "references": 
["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1213.002", "attack_object_name": "Sharepoint", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1213", "comments": "Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint, can restrict what they can do in these applications using its app-enforced restrictions. For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint with no ability to download, print, or sync files. Furthermore, with its integration with Microsoft Cloud App Security, it can even restrict cut, copy and paste operations. This can impede an adversary's ability to collect valuable information and/or files from the application. This protection is partial as it doesn't prohibit an adversary from potentially viewing sensitive information and manually collecting it, for example simply writing down information by hand.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "Conditional Access, when granting (risky) users access to cloud storage, specifically OneDrive, can restrict what they can do in these applications using its app-enforced restrictions. For example, it can enforce that users on unmanaged devices will have browser-only access to OneDrive with no ability to download, print, or sync files. This can impede an adversary's ability to exfiltrate data from OneDrive. 
The protection coverage provided by this control is Minimal as it doesn't provide protection for other storage services available on Azure such as the Azure Storage service.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1074", "attack_object_name": "Data Staged", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "This control only provides the ability to restrict file downloads for a limited set of applications and therefore its overall Coverage score is minimal.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1074.001", "attack_object_name": "Local Data Staging", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "related_score": "T1074", "comments": "Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint and OneDrive, can restrict what they can do in these applications using its app-enforced restrictions.   For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint/OneDrive with no ability to download, print, or sync files.  This can impede an adversary's ability to collect and stage files.  
This offers minimal coverage as it requires the target application to support such a feature that can be triggered by this control and to date only a few (Office) applications support this.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1074.002", "attack_object_name": "Remote Data Staging", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "related_score": "T1074", "comments": "Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint and OneDrive, can restrict what they can do in these applications using its app-enforced restrictions.   For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint/OneDrive with no ability to download, print, or sync files.  This can impede an adversary's ability to collect and stage files.  
This offers minimal coverage as it requires the target application to support such a feature that can be triggered by this control and to date only a few (Office) applications support this.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "This control only provides minimal protection for this technique's procedure examples and only protects one of its sub-techniques, resulting in an overall Minimal score.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1078", "comments": "This control can protect against the abuse of valid cloud accounts by requiring MFA or blocking access altogether based on signals such as the user's IP location information, device compliance state, and risky sign-in/user state (through integration with Azure AD Identity Protection).  
Additionally, session controls that limit what a valid user can do within an app can also be triggered based on the aforementioned signals.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "comments": "Conditional Access can be used to enforce MFA for users, which provides significant protection against password compromises, requiring an adversary to complete an additional authentication method before their access is permitted.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Conditional Access can be used to enforce MFA for users, which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Conditional Access can be used to enforce MFA for users, which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional 
authentication method before their access is permitted.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Conditional Access can be used to enforce MFA for users, which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Conditional Access can be used to enforce MFA for users, which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before their access is permitted.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1213", "attack_object_name": "Data from Information Repositories", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "This control only provides the ability to restrict an adversary from collecting valuable information for a limited set of applications (SharePoint, Exchange, OneDrive) and therefore its overall Coverage score is minimal.", "references": 
["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1213.002", "attack_object_name": "Sharepoint", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1213", "comments": "Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint, can restrict what they can do in these applications using its app-enforced restrictions. For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint with no ability to download, print, or sync files. Furthermore, with its integration with Microsoft Cloud App Security, it can even restrict cut, copy and paste operations. This can impede an adversary's ability to collect valuable information and/or files from the application. This protection is partial as it doesn't prohibit an adversary from potentially viewing sensitive information and manually collecting it, for example simply writing down information by hand.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "Conditional Access, when granting (risky) users access to cloud storage, specifically OneDrive, can restrict what they can do in these applications using its app-enforced restrictions. For example, it can enforce that users on unmanaged devices will have browser-only access to OneDrive with no ability to download, print, or sync files. This can impede an adversary's ability to exfiltrate data from OneDrive. 
The protection coverage provided by this control is Minimal as it doesn't provide protection for other storage services available on Azure such as the Azure Storage service.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "entra-id", "score_category": "respond", "score_value": "minimal", "comments": "This control only protects cloud accounts and therefore its overall coverage is minimal resulting in a Minimal respond score for this technique.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "entra-id", "score_category": "respond", "score_value": "minimal", "comments": "This control only protects cloud accounts and therefore its overall coverage is minimal resulting in a Minimal respond score for this technique.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "respond", "score_value": "partial", "related_score": "T1078", "comments": "Security controls like Azure AD Identity Protection can raise a user's risk level asynchronously after they have used a valid account to access organizational data.  
This CAE control can respond to this change in the users risky state to terminate the user's access within minutes or enforce an additional authentication method such as MFA.   This mitigates the impact of an adversary using a valid account.  This is control only forces the user to re-authenticate and doesn't resolve the usage of a valid account (i.e. password change) and is therefore a containment type of response. ", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "respond", "score_value": "partial", "related_score": "T1078", "comments": "Security controls like Azure AD Identity Protection can raise a user's risk level asynchronously after they have used a valid account to access organizational data.  This CAE control can respond to this change in the users risky state to terminate the user's access within minutes or enforce an additional authentication method such as MFA.   This mitigates the impact of an adversary using a valid account.  This is control only forces the user to re-authenticate and doesn't resolve the usage of a valid account (i.e. password change) and is therefore a containment type of response. 
", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1496.001", "attack_object_name": "Compute Hijacking", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1496", "comments": "In the event that a session is hijacked, continuous access evaluation can be used to terminate the session, potentially before any malicious actions can occur.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1496.004", "attack_object_name": "Cloud Service Hijacking", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1496", "comments": "In the event that a session is hijacked, continuous access evaluation can be used to terminate the session, potentially before any malicious actions can occur.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CA-E3", "capability_description": "Conditional Access", "mapping_type": "technique_score", "attack_object_id": "T1557.004", "attack_object_name": "Evil Twin", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1557", "comments": "Conditional Access policies can restrict devices, potentially stopping them from connecting to an Evil Twin network.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/overview"]}, {"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": 
"entra-id", "score_category": "detect", "score_value": "significant", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1098.003", "attack_object_name": "Additional Cloud Roles", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "related_score": "T1098", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1098.006", "attack_object_name": "Additional Container Cluster Roles", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "related_score": "T1098", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1114", "attack_object_name": "Email Collection", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1114.002", "attack_object_name": "Remote Email Collection", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "related_score": "T1114", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. 
Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1134.001", "attack_object_name": "Token Impersonation/Theft", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "related_score": "T1134", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1531", "attack_object_name": "Account Access Removal", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1539", "attack_object_name": "Steal Web Session Cookie", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1548.005", "attack_object_name": "Temporary Elevated Cloud Access", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "related_score": "T1548", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1548.006", "attack_object_name": "TCC Manipulation", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "related_score": "T1548", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": []}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1556.006", "attack_object_name": "Multi-Factor Authentication", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "related_score": "T1556", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide", "https://learn.microsoft.com/en-us/entra/identity-platform/app-resilience-continuous-access-evaluation?tabs=dotnet", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation-strict-enforcement", "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-continuous-access-evaluation"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1585", "attack_object_name": "Establish Accounts", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. 
\n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1585.002", "attack_object_name": "Email Accounts", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "related_score": "T1585", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1585.003", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "related_score": "T1585", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1586", "attack_object_name": "Compromise Accounts", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1586.002", "attack_object_name": "Email Accounts", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "related_score": "T1586", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1586.003", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "related_score": "T1586", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide"]}, 
{"capability_id": "EID-CAE-E3", "capability_description": "Continuous Access Evaluation", "mapping_type": "technique_score", "attack_object_id": "T1651", "attack_object_name": "Cloud Administration Command", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. 
\n", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-trust-continuous-access-evaluation-microsoft-365?view=o365-worldwide"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1218.015", "attack_object_name": "Electron Applications", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "related_score": "T1218", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Sharepoint attacks due to Audit Solutions providing the visibility to allow admins to consider periodic review of accounts and privileges for critical and sensitive repositories.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1546.017", "attack_object_name": "Udev Rules", "capability_group": "purview", "score_category": "detect", "score_value": "significant", "related_score": "T1546", "comments": "Audit Solutions can be used to continuously monitor the Udev rules for modifications or additions, allowing for detection of abnormalities.", "references": []}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1556.009", "attack_object_name": "Conditional Access Policies", "capability_group": "purview", "score_category": "detect", "score_value": "significant", "related_score": "T1556", "comments": "Audit Solutions can be used to continuously monitor the conditional access policies for modifications or additions, allowing for detection of abnormalities.", "references": []}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1574.014", "attack_object_name": "AppDomainManager", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "related_score": "T1574", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. 
Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions provides the visibility that lets admins periodically review accounts and privileges for critical and sensitive repositories.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1665", "attack_object_name": "Hide Infrastructure", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "comments": "Use of Audit Solutions can reveal unusual activity occurring in the environment, potentially allowing for identification of C2 infrastructure or other malicious infrastructure.", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1666", "attack_object_name": "Modify Cloud Resource Hierarchy", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "comments": "Audit Solutions can be used to continuously monitor the cloud resource hierarchy for modifications or additions, allowing for detection of abnormalities.", "references": []}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1059", "attack_object_name": "Command and 
Scripting Interpreter", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Command and Scripting Interpreter attacks due to Audit Solutions providing the visibility to monitor log files for process execution and monitor contextual data about a running process.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1059.009", "attack_object_name": "Cloud API", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "related_score": "T1059", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Cloud API attacks due to Audit Solutions providing the visibility to review command history and history of executed API commands in cloud audit logs to determine if unauthorized or suspicious commands were executed.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1070", "attack_object_name": "Indicator Removal", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks due to the File and Page Audit Log activities, which monitor for newly constructed files, for contextual data about files, and for changes made to files.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-log-activities", "https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1070.001", "attack_object_name": "Clear Windows Event Logs", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "related_score": "T1070", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks due to the File and Page Audit Log activities, which monitor for newly constructed files, for contextual data about files, and for changes made to files.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-log-activities", "https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1070.002", "attack_object_name": "Clear Linux or Mac System Logs", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "related_score": "T1070", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks due to the File and Page Audit Log activities, which monitor for newly constructed files, for contextual data about files, and for changes made to files.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-log-activities", "https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1070.003", "attack_object_name": "Clear Command History", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "related_score": "T1070", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks due to the File and Page Audit Log activities, which monitor for newly constructed files, for contextual data about files, and for changes made to files.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-log-activities", "https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1070.008", "attack_object_name": "Clear Mailbox Data", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "related_score": "T1070", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Clear Mailbox Data attacks because administrators can use Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious transport rules.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1070.009", "attack_object_name": "Clear Persistence", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "related_score": "T1070", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks due to the File and Page Audit Log activities, which monitor for newly constructed files, for contextual data about files, and for changes made to files.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-log-activities", "https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Valid Account attacks due to Audit Solutions providing the visibility to allow admins to regularly audit user accounts for activity and deactivate or remove any that are no longer needed.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Cloud Account attacks due to Audit Solutions providing the visibility to allow admins to regularly audit user accounts for activity and deactivate or remove any that are no longer needed.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1087", "attack_object_name": "Account Discovery", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Account Discovery attacks due to the File and Page Audit Log activities, which monitor for access to file resources that contain local account and group information and look for non-admin objects (such as users or processes) attempting to access restricted file resources.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-log-activities", "https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1087.004", "attack_object_name": "Cloud Account", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "related_score": "T1087", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Cloud Account attacks because Audit Solutions lets admins search for and routinely check user permissions to ensure that only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1114", "attack_object_name": "Email Collection", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Email Collection attacks because, in an Exchange environment, administrators can use Get-InboxRule to discover, and Remove-InboxRule to remove, potentially malicious auto-forwarding rules.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-log-activities", "https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1114.002", "attack_object_name": "Remote Email Collection", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "related_score": "T1114", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Remote Email Collection attacks because, in O365 environments, admins can use Purview Audit to collect MailItemsAccessed events and monitor for unusual email access behavior.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-log-activities", "https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1114.003", "attack_object_name": "Email Forwarding Rule", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "related_score": "T1114", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Email Forwarding Rule attacks because administrators can use Get-InboxRule / Remove-InboxRule and Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious auto-forwarding and transport rules.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-log-activities", "https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1213", "attack_object_name": "Data from Information Repositories", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Data from Information Repository attacks due to Audit Solutions providing the visibility to allow admins to consider periodic review of accounts and privileges for critical and sensitive repositories.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1213.002", "attack_object_name": "Sharepoint", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "related_score": "T1213", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Sharepoint attacks due to Audit Solutions providing the visibility to allow admins to consider periodic review of accounts and privileges for critical and sensitive repositories.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1528", "attack_object_name": "Steal Application Access Token", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Steal Application Access Token attacks due to Audit Solutions providing the visibility to allow admins to audit all cloud accounts to ensure that they are necessary and that the permissions granted to them are appropriate. 
Additionally, admins can perform an audit of all OAuth applications and the permissions they have been granted to access organizational data.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Data from Cloud Storage attacks due to Audit Solutions providing the visibility to frequently check permissions on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1546", "attack_object_name": "Event Triggered Execution", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Event Triggered Execution attacks due to the File and Page Audit Log activities, which monitor for newly constructed files, for contextual data about files, and for changes made to files.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-log-activities", "https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1548", "attack_object_name": "Abuse Elevation Control Mechanism", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Abuse Elevation Control Mechanism attacks through its DataInsightsRestApiAudit AuditLogRecord type, which logs cloud API calls to assume, create, or impersonate additional roles, policies, and permissions.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype", "https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1548.005", "attack_object_name": "Temporary Elevated Cloud Access", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "related_score": "T1548", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Temporary Elevated Cloud Access attacks due to its DataInsightsRestApiAudit AuditLogRecord type, which logs cloud API calls to assume, create, or impersonate additional roles, policies, and permissions.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#auditlogrecordtype", "https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1548.006", "attack_object_name": "TCC Manipulation", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "related_score": "T1548", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Temporary Elevated Cloud Access attacks due to its DataInsightsRestApiAudit AuditLogRecord type, which logs cloud API calls to assume, create, or impersonate additional roles, policies, and permissions.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": []}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1552", "attack_object_name": "Unsecured Credentials", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Unsecured Credential attacks due to Audit Solutions providing the visibility to allow admins to preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1552.008", "attack_object_name": "Chat Messages", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "related_score": "T1552", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Chat Messages attacks due to Audit Solutions providing the visibility to allow admins to preemptively search through communication services to find shared unsecured credentials.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1556", "attack_object_name": "Modify Authentication Process", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Modify Authentication Process attacks due to Audit Solutions providing the visibility to allow admins to review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1556.006", "attack_object_name": "Multi-Factor Authentication", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "related_score": "T1556", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Multi-Factor Authentication attacks due to Audit Solutions providing the visibility to allow admins to review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1562", "attack_object_name": "Impair Defenses", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Impair Defense attacks due to Audit Solutions providing the visibility to allow admins to routinely check account role permissions to ensure only expected users and roles have permission to modify defensive tools and settings.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1562.008", "attack_object_name": "Disable or Modify Cloud Logs", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "related_score": "T1562", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Disable or Modify Cloud Log attacks due to the user administration Audit Log activities, which monitor for changes to account settings associated with users that may impact defensive logging capabilities.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-log-activities", "https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1564", "attack_object_name": "Hide Artifacts", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Hide Artifacts attacks due to the File and Page Audit Log activities, which monitor for newly constructed files, for contextual data about files, and for changes made to files.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-log-activities", "https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1564.008", "attack_object_name": "Email Hiding Rules", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "related_score": "T1564", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Email Hiding Rule attacks because administrators can use Get-InboxRule / Remove-InboxRule and Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious auto-forwarding and transport rules.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-log-activities", "https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Phishing attacks due to the File and Page Audit Log activities, which monitor for newly constructed files from phishing messages.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-log-activities", "https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "related_score": "T1566", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Spearphishing Link attacks due to Audit Solutions providing the visibility to allow admins to audit applications and their permissions to ensure access to data and resources is limited based upon necessity and the principle of least privilege.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1606", "attack_object_name": "Forge Web Credentials", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "comments": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. 
This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Forge Web Credential attacks due to Audit Solutions providing the visibility to allow administrators to perform an audit of all access lists and the permissions they have been granted to access web applications and services.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5", "references": ["https://learn.microsoft.com/en-us/purview/audit-solutions-overview"]}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1485.001", "attack_object_name": "Lifecycle-Triggered Deletion", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "related_score": "T1485", "comments": "Purview's auditing solutions may be able to detect if lifecycle settings have been altered, allowing the changes to potentially be reverted before deletion occurs.", "references": []}, {"capability_id": "PUR-AUS-E5", "capability_description": "Audit Solutions", "mapping_type": "technique_score", "attack_object_id": "T1546.017", "attack_object_name": "Udev Rules", "capability_group": "purview", "score_category": "detect", "score_value": "significant", "related_score": "T1546", "comments": "Audit Solutions can be used to continuously monitor the Udev rules for modifications or additions, allowing for detection of abnormalities.", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1578.005", "attack_object_name": "Modify Cloud Compute Configurations", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1578", "comments": "This control can identify anomalous admin activity.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", 
"https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1003", "attack_object_name": "OS Credential Dumping", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control provides significant and partial detection for a few of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal coverage score.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1003.003", "attack_object_name": "NTDS", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1003", "comments": "The documentation for this control's \"Data exfiltration over SMB (external ID 2030)\" alert implies that it may be able to detect the transfer of sensitive data such as the Ntds.dit on monitored domain controllers.  This is specific to domain controllers and therefore results in a reduced coverage score.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1003.006", "attack_object_name": "DCSync", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1003", "comments": "This control's \"Suspected DCSync attack (replication of directory services) (external ID 2006)\" alert can detect DCSync attacks.  
The false positive rate should be low because the identity of domain controllers on the network changes infrequently, so replication requests received from non-domain controllers should be a red flag.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1021", "attack_object_name": "Remote Services", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control provides Minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1021.002", "attack_object_name": "SMB/Windows Admin Shares", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1021", "comments": "This control's \"Remote code execution attempt (external ID 2019)\" alert can detect Remote code execution via PsExec.  This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers.  
Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.\nThis control's \"Data exfiltration over SMB (external ID 2030)\" alert may also be able to detect exfiltration of sensitive data on domain controllers using SMB.\n", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1047", "attack_object_name": "Windows Management Instrumentation", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control's \"Remote code execution attempt (external ID 2019)\" alert can detect Remote code execution via WMI.  This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers.  Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.\n", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1048", "attack_object_name": "Exfiltration Over Alternative Protocol", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control provides Partial detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1048.003", "attack_object_name": "Exfiltration Over Unencrypted Non-C2 Protocol", "capability_group": 
"m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1048", "comments": "This control's \"Suspicious communication over DNS (external ID 2031)\" alert can detect malicious communication over DNS used for data exfiltration, command, and control, and/or evading corporate network restrictions.  The accuracy of this control is unknown and therefore its score has been assessed as Partial.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1059", "attack_object_name": "Command and Scripting Interpreter", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control provides Minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1059.001", "attack_object_name": "PowerShell", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1059", "comments": "This control's \"Remote code execution attempt (external ID 2019)\" alert can detect Remote code execution via PowerShell.  This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers.  
Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1069", "attack_object_name": "Permission Groups Discovery", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control provides significant detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1069.002", "attack_object_name": "Domain Groups", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1069", "comments": "This control's \"Security principal reconnaissance (LDAP) (external ID 2038)\" alert can be used to detect when an adversary \"perform suspicious LDAP enumeration queries or queries targeted to sensitive groups that use methods not previously observed.\"  This alert employs machine learning which should reduce the number of false positives.\nAdditionally, this control's \"User and Group membership reconnaissance (SAMR) (external ID 2021)\" alert can detect this sub-technique and also employs machine learning which should reduce the false-positive rate.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1071", "attack_object_name": "Application Layer Protocol", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control provides Partial detection for one of 
this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1071.004", "attack_object_name": "DNS", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1071", "comments": "This control's \"Suspicious communication over DNS (external ID 2031)\" alert can detect malicious communication over DNS used for data exfiltration, command, and control, and/or evading corporate network restrictions.  The accuracy of this control is unknown and therefore its score has been assessed as Partial.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1087", "attack_object_name": "Account Discovery", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control provides significant detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1087.002", "attack_object_name": "Domain Account", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1087", "comments": "The following alert of this control is able to detect domain account discovery:  \"Account enumeration reconnaissance (external ID 2003)\".  
This shouldn't occur frequently and therefore the false positive rate should be minimal.\nThe \"Security principal reconnaissance (LDAP) (external ID 2038)\" alert is also relevant and its machine learning capabilities should reduce the false positive rate.\nThe \"User and IP address reconnaissance (SMB) (external ID 2012)\" alert can also provide a detection on a variation of this sub-technique.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control's \"Suspicious additions to sensitive groups (external ID 2024)\" alert can utilize machine learning to detect when an attacker adds users to highly privileged groups. Adding users is done to gain access to more resources and to gain persistence.  This detection relies on profiling the group modification activities of users, and alerting when an abnormal addition to a sensitive group is observed. Defender for Identity profiles continuously. 
\nThis alert provides Partial coverage of this technique with a reduced false-positive rate by utilizing machine learning models.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control provides significant detection of some of the sub-techniques of this technique and has therefore been assessed an overall score of Partial.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1110", "comments": "This control's \"Suspected Brute Force attack (Kerberos, NTLM) (external ID 2023)\" alert can detect these brute force sub-techniques.  
It incorporates a machine learning feature that should reduce the number of false positives.\nSimilarly, its \"Suspected Brute Force attack (LDAP) (external ID 2004)\" alert can detect brute force attacks using LDAP simple binds.\nThe \"Suspected Brute Force attack (SMB) (external ID 2033)\" alert is also relevant but the details are sparse.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1110", "comments": "This control's \"Suspected Brute Force attack (Kerberos, NTLM) (external ID 2023)\" alert can detect these brute force sub-techniques.  It incorporates a machine learning feature that should reduce the number of false positives.\nSimilarly, its \"Suspected Brute Force attack (LDAP) (external ID 2004)\" alert can detect brute force attacks using LDAP simple binds.\nThe \"Suspected Brute Force attack (SMB) (external ID 2033)\" alert is also relevant but the details are sparse.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control's \"Suspicious VPN connection (external ID 2025)\" alert utilizes machine learning models to learn  normal VPN connections for a user and detect deviations from the norm.  This detection is specific to VPN traffic and therefore its overall coverage is Minimal. 
", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1201", "attack_object_name": "Password Policy Discovery", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control's \"Active Directory attributes reconnaissance (LDAP) (external ID 2210)\" alert may be able to detect this operation.  There are statements in the documentation for the alert, such as: \"Active Directory LDAP reconnaissance is used by attackers to gain critical information about the domain environment. This information can help attackers map the domain structure ...\", that  may indicate support for detecting this technique.  The level of detection though is unknown and therefore a conservative assessment of a Minimal score is assigned.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1207", "attack_object_name": "Rogue Domain Controller", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "This control's \"Suspected DCShadow attack (domain controller promotion) (external ID 2028)\" and \"Suspected DCShadow attack (domain controller replication request) (external ID 2029)\" alerts can detect this technique.  
The false positive rate should also be low, as the quantity and identity of domain controllers on the network should change very infrequently.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1210", "attack_object_name": "Exploitation of Remote Services", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control's \"Remote code execution over DNS (external ID 2036)\" alert can look for an attacker attempting to exploit CVE-2018-8626, a remote code execution vulnerability in Windows Domain Name System (DNS) servers.  In this detection, a Defender for Identity security alert is triggered when DNS queries suspected of exploiting the CVE-2018-8626 security vulnerability are made against a domain controller in the network.  \nLikewise, this control's \"Suspected SMB packet manipulation (CVE-2020-0796 exploitation)\" alert can detect exploitation of a remote code execution vulnerability in SMBv3.\nBecause these detections are specific to a few CVEs, their coverage is Minimal, resulting in a Minimal score.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1482", "attack_object_name": "Domain Trust Discovery", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control's \"Active Directory attributes reconnaissance (LDAP) (external ID 2210)\" alert may be able to detect this operation.  There are statements in the documentation for the alert, such as: \"Active Directory LDAP reconnaissance is used by attackers to gain critical information about the domain environment. 
This information can help attackers map the domain structure ...\", that  may indicate support for detecting this technique.  The level of detection though is unknown and therefore a conservative assessment of a Minimal score is assigned.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1543", "attack_object_name": "Create or Modify System Process", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control provides minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1543.003", "attack_object_name": "Windows Service", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1543", "comments": "This control's \"Suspicious service creation (external ID 2026)\" alert is able to detect suspicious service creation on a domain controller or AD FS server in your organization.  
Because this detection is specific to these hosts, the coverage score is Minimal, resulting in Minimal detection.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1543.005", "attack_object_name": "Container Service", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1543", "comments": "This control's \"Suspicious service creation (external ID 2026)\" alert is able to detect suspicious service creation on a domain controller or AD FS server in your organization.  Because this detection is specific to these hosts, the coverage score is Minimal, resulting in Minimal detection.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1550", "attack_object_name": "Use Alternate Authentication Material", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control provides partial detection for some of this technique's sub-techniques (due to an unknown false-positive/true-positive rate), resulting in a Partial score.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1550.002", "attack_object_name": "Pass the Hash", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1550", "comments": "This control's \"Suspected identity theft (pass-the-hash) (external ID 2017)\" alert specifically looks for pass-the-hash attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.\nThis control's 
\"Suspected identity theft (pass-the-ticket) (external ID 2018)\" alert specifically looks for pass-the-ticket attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1550.003", "attack_object_name": "Pass the Ticket", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1550", "comments": "This control's \"Suspected identity theft (pass-the-hash) (external ID 2017)\" alert specifically looks for pass-the-hash attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.\nThis control's \"Suspected identity theft (pass-the-ticket) (external ID 2018)\" alert specifically looks for pass-the-ticket attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1555", "attack_object_name": "Credentials from Password Stores", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control provides minimal detection for some of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1555.003", "attack_object_name": "Credentials from Web Browsers", "capability_group": "m365-defender", 
"score_category": "detect", "score_value": "minimal", "related_score": "T1555", "comments": "This control's \"Malicious request of Data Protection API master key (external ID 2020)\" alert can be used to detect when an attacker attempts to utilize the Data Protection API (DPAPI) to decrypt sensitive data using the backup of the master key stored on domain controllers. DPAPI is used by Windows to securely protect passwords saved by browsers, encrypted files, and other sensitive data.   This alert is specific to using DPAPI to retrieve the master backup key and therefore provides minimal coverage resulting in a Minimal score.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1555.004", "attack_object_name": "Windows Credential Manager", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1555", "comments": "This control's \"Malicious request of Data Protection API master key (external ID 2020)\" alert can be used to detect when an attacker attempts to utilize the Data Protection API (DPAPI) to decrypt sensitive data using the backup of the master key stored on domain controllers. Windows Credential Manager utilizes DPAPI to securely store sensitive information like passwords.   
This alert is specific to using DPAPI to retrieve the master backup key and therefore provides minimal coverage resulting in a Minimal score.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1556", "attack_object_name": "Modify Authentication Process", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control provides minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1556.001", "attack_object_name": "Domain Controller Authentication", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1556", "comments": "This control's \"Suspected skeleton key attack (encryption downgrade) (external ID 2010)\" alert can detect skeleton key attacks.  This alert provides partial detection as it detects a specific type of malware, Skeleton Key malware, and its use of weaker encryption algorithms to hash users' passwords on the domain controller.  
The description of the alert implies it utilizes machine learning to look for anomalous usage of weak encryption algorithms which should result in a reduced false positive rate.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1557", "attack_object_name": "Adversary-in-the-Middle", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control provides minimal detection for one of this technique's sub-techniques, while not providing any detection for the other, resulting in an overall Minimal score.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1557.001", "attack_object_name": "LLMNR/NBT-NS Poisoning and SMB Relay", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1557", "comments": "This control's \"Suspected NTLM relay attack (Exchange account) (external ID 2037)\" alert can detect NTLM relay attack specific to the Exchange service.  
Because this detection is limited to this variation of the sub-technique, its coverage score is Minimal, resulting in an overall Minimal score.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1558", "attack_object_name": "Steal or Forge Kerberos Tickets", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control provides partial detection for most of this technique's sub-techniques, resulting in an overall Partial score.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1558.001", "attack_object_name": "Golden Ticket", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1558", "comments": "This control has numerous alerts that can detect Golden Ticket attacks from multiple perspectives.  The accuracy of these alerts is unknown, resulting in a Partial score.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1558.003", "attack_object_name": "Kerberoasting", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1558", "comments": "This control's \"Suspected Kerberos SPN exposure (external ID 2410)\" alert is able to detect when an attacker uses tools to enumerate service accounts and their respective SPNs (service principal names), request a Kerberos service ticket for the services, capture the Ticket Granting Service (TGS) tickets from memory and extract their hashes, and save them for later use in an offline brute force attack.  
\nSimilarly, its \"Suspected AS-REP Roasting attack (external ID 2412)\" alert is able to detect the AS-REP Roasting sub-technique.\nThe accuracy of these alerts is unknown and therefore the score has been assessed as Partial.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1558.004", "attack_object_name": "AS-REP Roasting", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1558", "comments": "This control's \"Suspected Kerberos SPN exposure (external ID 2410)\" alert is able to detect when an attacker uses tools to enumerate service accounts and their respective SPNs (service principal names), request a Kerberos service ticket for the services, capture the Ticket Granting Service (TGS) tickets from memory and extract their hashes, and save them for later use in an offline brute force attack.  \nSimilarly, its \"Suspected AS-REP Roasting attack (external ID 2412)\" alert is able to detect the AS-REP Roasting sub-technique.\nThe accuracy of these alerts is unknown and therefore the score has been assessed as Partial.", "references": []}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1569", "attack_object_name": "System Services", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control provides Minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/what-is"]}, {"capability_id": "DEF-ID-E5", "capability_description": "Microsoft Defender for Identity", "mapping_type": "technique_score", "attack_object_id": "T1569.002", "attack_object_name": "Service Execution", 
"capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1569", "comments": "This control's \"Remote code execution attempt (external ID 2019)\" alert can detect remote code execution via PsExec.  This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers.  Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.", "references": []}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1003", "attack_object_name": "OS Credential Dumping", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1003.006", "attack_object_name": "DCSync", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1003", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1011", "attack_object_name": "Exfiltration Over Other Network Medium", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1018", "attack_object_name": "Remote System Discovery", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1046", "attack_object_name": "Network Service Discovery", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1049", "attack_object_name": "System Network Connections Discovery", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1068", "attack_object_name": "Exploitation for Privilege Escalation", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1069", "attack_object_name": "Permission Groups Discovery", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1069.002", "attack_object_name": "Domain Groups", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1069", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1087", "attack_object_name": "Account Discovery", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1087.002", "attack_object_name": "Domain Account", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1087", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1110", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1110", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1134", "attack_object_name": "Access Token Manipulation", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1134", "attack_object_name": "Access Token Manipulation", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1134.001", "attack_object_name": "Token Impersonation/Theft", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1134", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1134.001", "attack_object_name": "Token Impersonation/Theft", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1134", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1134.005", "attack_object_name": "SID-History Injection", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1134", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1187", "attack_object_name": "Forced Authentication", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1202", "attack_object_name": "Indirect Command Execution", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1210", "attack_object_name": "Exploitation of Remote Services", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1484", "attack_object_name": "Domain or Tenant Policy Modification", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1484", "attack_object_name": "Domain or Tenant Policy Modification", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1484.001", "attack_object_name": "Group Policy Modification", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1484", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1550", "attack_object_name": "Use Alternate Authentication Material", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1550.002", "attack_object_name": "Pass the Hash", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1550", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1552.004", "attack_object_name": "Private Keys", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1552", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1555", "attack_object_name": "Credentials from Password Stores", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/alerts-overview"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1556", "attack_object_name": "Modify Authentication Process", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1556.001", "attack_object_name": "Domain Controller Authentication", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1556", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1557", "attack_object_name": "Adversary-in-the-Middle", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1557.001", "attack_object_name": "LLMNR/NBT-NS Poisoning and SMB Relay", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1557", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1558", "attack_object_name": "Steal or Forge Kerberos Tickets", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1558.001", "attack_object_name": "Golden Ticket", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1558", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1558.001", "attack_object_name": "Golden Ticket", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1558", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1558.003", "attack_object_name": "Kerberoasting", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1558", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1558.004", "attack_object_name": "AS-REP Roasting", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1558", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-SECA-E3", "capability_description": "Security Alerts", "mapping_type": "technique_score", "attack_object_id": "T1606", "attack_object_name": "Forge Web Credentials", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. 
Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1016.001", "attack_object_name": "Internet Connection Discovery", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1016", "comments": "Microsoft Defender's ability to detect entities scanning the network configuration also covers the scanning of internet connections, providing a detection mechanism against this technique.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1016.002", "attack_object_name": "Wi-Fi Discovery", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1016", "comments": "Microsoft Defender's ability to detect entities scanning the network configuration also covers the scanning of internet connections, providing a detection mechanism against this technique.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1021.007", "attack_object_name": "Cloud Services", "capability_group": "m365-defender", 
"score_category": "protect", "score_value": "significant", "related_score": "T1021", "comments": "Defender for Cloud leverages anomaly detection policies and Audit logging to mitigate Cloud Services based attacks.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1027.006", "attack_object_name": "HTML Smuggling", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1027", "comments": "File policies in Microsoft Defender for Cloud perform content inspection which can provide continuous scans to detect and remediate any violations.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/data-protection-policies"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1027.007", "attack_object_name": "Dynamic API Resolution", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "related_score": "T1027", "comments": "This control can protect against abuse of dynamic API resolution.", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-apis-deploy", "https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-apis-introduction"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1027.008", "attack_object_name": "Stripped Payloads", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1027", "comments": "Defender utilizes File Policies which allow file sandboxing and filtering based on file metadata.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy", "https://learn.microsoft.com/en-us/defender-cloud-apps/data-protection-policies"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1027.009", "attack_object_name": "Embedded Payloads", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1027", "comments": "This control can detect embedded payloads through DLP content inspection.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/content-inspection"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1027.010", "attack_object_name": "Command Obfuscation", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1027", "comments": "This control can detect command obfuscation attacks through anomaly detection policies.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1071", "attack_object_name": "Application Layer Protocol", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control can identify some evidence of potential C2 via a specific application layer protocol (mail). Relevant alerts include \"Suspicious inbox forwarding\" and \"Suspicious inbox manipulation rule\".", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1071.003", "attack_object_name": "Mail Protocols", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1071", "comments": "This control can identify some evidence of potential C2 via a specific application layer protocol (mail). Relevant alerts include \"Suspicious inbox forwarding\" and \"Suspicious inbox manipulation rule\".", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1071.005", "attack_object_name": "Publish/Subscribe Protocols", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1071", "comments": "This control can identify some evidence of potential C2 via a specific application layer protocol (mail). Relevant alerts include \"Suspicious inbox forwarding\" and \"Suspicious inbox manipulation rule\".", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. \nRelevant alerts include \"Activity from anonymous IP address\", \"Activity from infrequent country\", \"Activity from suspicious IP address\", \"Impossible Travel\", and \"Activity performed by terminated user\".", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1078.001", "attack_object_name": "Default Accounts", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1078", "comments": "This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. \nRelevant alerts include \"Activity from anonymous IP address\", \"Activity from infrequent country\", \"Activity from suspicious IP address\", \"Impossible Travel\", and \"Activity performed by terminated user\".", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1078.002", "attack_object_name": "Domain Accounts", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1078", "comments": "This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. \nRelevant alerts include \"Activity from anonymous IP address\", \"Activity from infrequent country\", \"Activity from suspicious IP address\", \"Impossible Travel\", and \"Activity performed by terminated user\".", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1078", "comments": "This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. \nRelevant alerts include \"Activity from anonymous IP address\", \"Activity from infrequent country\", \"Activity from suspicious IP address\", \"Impossible Travel\", and \"Activity performed by terminated user\".", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control can detect anomalous admin activity that may be indicative of account manipulation. 
Relevant alerts include \"Unusual administrative activity (by user)\" and \"Unusual addition of credentials to an OAuth app\".", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1098", "comments": "This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include \"Unusual administrative activity (by user)\" and \"Unusual addition of credentials to an OAuth app\".", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1098.002", "attack_object_name": "Additional Email Delegate Permissions", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1098", "comments": "This control can detect anomalous admin activity that may be indicative of account manipulation. 
Relevant alerts include \"Unusual administrative activity (by user)\" and \"Unusual addition of credentials to an OAuth app\".", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1098.003", "attack_object_name": "Additional Cloud Roles", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1098", "comments": "This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include \"Unusual administrative activity (by user)\" and \"Unusual addition of credentials to an OAuth app\".", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control can detect some activity indicative of brute force attempts to login. Relevant alert is \"Multiple failed login attempts\".", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1110", "comments": "This control can detect some activity indicative of brute force attempts to login. 
Relevant alert is \"Multiple failed login attempts\".", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1110", "comments": "This control can detect some activity indicative of brute force attempts to login. Relevant alert is \"Multiple failed login attempts\".", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1110", "comments": "This control can detect some activity indicative of brute force attempts to login. Relevant alert is \"Multiple failed login attempts\".", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1119", "attack_object_name": "Automated Collection", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "comments": "This control's Information protection policies can detect and encrypt sensitive information at rest on supported platforms, which can inhibit automated data collection activities.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1119", "attack_object_name": "Automated Collection", 
"capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control can detect sensitive information at rest, which may be indicative of data collection activities.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "comments": "This control's policies for access control can limit abuse of external facing remote services.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control can provide logging of activity associated with potential exploitation of remote services such as anomalous geographic access.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", 
"attack_object_id": "T1213.004", "attack_object_name": "Customer Relationship Management Software", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1213", "comments": "This control may detect anomalous user behavior with respect to information repositories such as Sharepoint or Confluence.", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1649", "attack_object_name": "Steal or Forge Authentication Certificates", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "comments": "This control can protect authentication certificates by allowing you to create access and session policies that leverage device tags and valid client certificates.", "references": ["https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/hunt-for-compromised-azure-subscriptions-using-microsoft-defender-for-cloud-apps/3607121", "https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1187", "attack_object_name": "Forced Authentication", "capability_group": "m365-defender", "score_category": "protect", "score_value": "significant", "comments": "This control can provide significant protection against forced authentication methods by restricting actions associated with multiple file access methods such as SMB.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1187", "attack_object_name": "Forced Authentication", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "This control can alert on anomalous sharing attempts of confidential data.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1189", "attack_object_name": "Drive-by Compromise", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control can detect outdated client browser software, which is a common target of exploitation in drive-by compromises.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1213", "attack_object_name": "Data from Information Repositories", "capability_group": "m365-defender", "score_category": "protect", "score_value": "minimal", "comments": "This control can provide fine-grained access control to information sharing repositories such as Sharepoint or Confluence. Due to this capability being limited to these services, it has been scored as Partial coverage resulting in a Partial score.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1213", "attack_object_name": "Data from Information Repositories", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control may detect anomalous user behavior with respect to information repositories such as Sharepoint or Confluence. Due to this capability being limited to these services, it has been scored as Partial coverage resulting in a Partial score.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1213.001", "attack_object_name": "Confluence", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "related_score": "T1213", "comments": "This control may detect anomalous user behavior with respect to information repositories such as Sharepoint or Confluence.", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1213.001", "attack_object_name": "Confluence", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1213", "comments": "This control may detect anomalous user behavior with respect to information repositories such as Sharepoint or Confluence.", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1213.002", "attack_object_name": "Sharepoint", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "related_score": "T1213", "comments": "This control may detect anomalous user behavior with respect to information repositories such as Sharepoint or Confluence.", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1213.002", "attack_object_name": "Sharepoint", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1213", "comments": "This control may detect anomalous user behavior with respect to information repositories such as Sharepoint or Confluence.", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1219", "attack_object_name": "Remote Access Software", "capability_group": "m365-defender", "score_category": "protect", "score_value": "significant", "comments": "This control can limit potential C2 via unapproved remote access software.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1219", "attack_object_name": "Remote Access Software", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": 
"This control can identify potential malicious activity associated with the use or attempted use of unapproved remote access software.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1484", "attack_object_name": "Domain or Tenant Policy Modification", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control can detect admin activity from risky IP addresses.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1484.001", "attack_object_name": "Group Policy Modification", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1484", "comments": "This control can detect admin activity from risky IP addresses.", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1484.002", "attack_object_name": "Trust Modification", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1484", "comments": "This control can detect admin activity from risky IP addresses.", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": 
"technique_score", "attack_object_id": "T1485", "attack_object_name": "Data Destruction", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control can identify deletion activity that could indicate malicious data destruction. Relevant alerts include \"Multiple storage deletion activities\", \"Multiple VM deletion activity\", \"Unusual file deletion activity (by user)\", \"Suspicious email deletion activity\", and \"Ransomware activity\".\n", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1486", "attack_object_name": "Data Encrypted for Impact", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control can detect a range of ransomware-related activities, including encryption. Relevant alerts include \"Ransomware activities\" and \"Unusual file deletion activity (by user)\".", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1496", "attack_object_name": "Resource Hijacking", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control can identify some behaviors that are potential instances of resource hijacking. 
Relevant alerts include \"Multiple VM Creation activities\" and \"Suspicious creation activity for cloud region\".", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1496.001", "attack_object_name": "Compute Hijacking", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1496", "comments": "This control can identify some behaviors that are potential instances of compute hijacking. Relevant alerts include \"Multiple VM Creation activities\" and \"Suspicious creation activity for cloud region\".", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1496.002", "attack_object_name": "Bandwidth Hijacking", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1496", "comments": "This control can identify some behaviors that are potential instances of compute hijacking. 
Relevant alerts include \"Multiple VM Creation activities\" and \"Suspicious creation activity for cloud region\".", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1496.003", "attack_object_name": "SMS Pumping", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1496", "comments": "This control can identify some behaviors that are potential instances of compute hijacking. Relevant alerts include \"Multiple VM Creation activities\" and \"Suspicious creation activity for cloud region\".", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1496.004", "attack_object_name": "Cloud Service Hijacking", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1496", "comments": "This control can identify some behaviors that are potential instances of resource hijacking. 
Relevant alerts include \"Multiple VM Creation activities\" and \"Suspicious creation activity for cloud region\".", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1526", "attack_object_name": "Cloud Service Discovery", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control can detect anomalous user activity that may be associated with cloud service discovery. The relevant alert is \"Unusual file share activity (by user)\".", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1528", "attack_object_name": "Steal Application Access Token", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "comments": "This control can restrict user app permissions, which can limit the potential for theft of application access tokens.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1528", "attack_object_name": "Steal Application Access Token", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control can detect potentially risky apps. 
Relevant alerts include \"Misleading publisher name for an OAuth app\" and \"Misleading OAuth app name\".", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control can detect use of unsanctioned business apps and data exfiltration to unsanctioned storage apps.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1531", "attack_object_name": "Account Access Removal", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control can identify anomalous admin activity.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1534", "attack_object_name": "Internal Spearphishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This 
control can identify anomalous user impersonation activity, which can be an element of internal spearphishing. Relevant alert is \"Unusual impersonated activity (by user)\".", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1535", "attack_object_name": "Unused/Unsupported Cloud Regions", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control can detect unusual region and activity for cloud resources (preview feature as of this writing).  Relevant alert is \"Suspicious creation activity for cloud region\".", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1558.005", "attack_object_name": "Ccache Files", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "related_score": "T1558", "comments": "Defender for Cloud Apps provides endpoint detection and response (EDR) capabilities. 
This can potentially block attempts to steal ccache files.", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1565", "attack_object_name": "Data Manipulation", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "comments": "This control can detect and encrypt sensitive information at rest on supported platforms and restrict access.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1565.001", "attack_object_name": "Stored Data Manipulation", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "related_score": "T1565", "comments": "This control can detect and encrypt sensitive information at rest on supported platforms.", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1567", "attack_object_name": "Exfiltration Over Web Service", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "comments": "This control can limit user methods to send data over web services.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", 
"attack_object_id": "T1567", "attack_object_name": "Exfiltration Over Web Service", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control can identify large volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. A relevant alert is \"Unusual file download (by user)\".", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1567.001", "attack_object_name": "Exfiltration to Code Repository", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "related_score": "T1567", "comments": "This control can identify large volume potential exfiltration activity.", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1567.001", "attack_object_name": "Exfiltration to Code Repository", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1567", "comments": "This control can identify large volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. 
A relevant alert is \"Unusual file download (by user)\".", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1567.002", "attack_object_name": "Exfiltration to Cloud Storage", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "related_score": "T1567", "comments": "This control can identify large volume potential exfiltration activity.", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1567.002", "attack_object_name": "Exfiltration to Cloud Storage", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1567", "comments": "This control can identify large volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. A relevant alert is \"Unusual file download (by user)\".", "references": []}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1574.013", "attack_object_name": "KernelCallbackTable", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1574", "comments": "This control offers behavior prevention capabilities for cloud environments that can be configured to block some types of behaviors related to process injection/memory tampering.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": 
"T1578", "attack_object_name": "Modify Cloud Compute Infrastructure", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control can identify anomalous admin activity.\nRelevant alerts include \"Multiple storage deletion activities\", \"Multiple VM creation activities\", and \"Suspicious creation activity for cloud region\". ", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1578.001", "attack_object_name": "Create Snapshot", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1578", "comments": "This control can identify anomalous admin activity.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1578.002", "attack_object_name": "Create Cloud Instance", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1578", "comments": "This control can identify anomalous admin activity.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": 
"DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1578.003", "attack_object_name": "Delete Cloud Instance", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1578", "comments": "This control can identify anomalous admin activity.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1578.004", "attack_object_name": "Revert Cloud Instance", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1578", "comments": "This control can identify anomalous admin activity.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery", "https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection", "https://learn.microsoft.com/en-us/defender-cloud-apps/investigate-anomaly-alerts"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1666", "attack_object_name": "Modify Cloud Resource Hierarchy", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control can detect suspicious or anomalous behavior indicative of potential threats, like attempts to transfer subscriptions to unauthorized tenants.", "references": ["https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/hunt-for-compromised-azure-subscriptions-using-microsoft-defender-for-cloud-apps/3607121", "https://www.microsoft.com/en-us/security/blog/2023/07/25/cryptojacking-understanding-and-defending-against-cloud-compute-resource-abuse/"]}, {"capability_id": "DEF-CAPP-E5", "capability_description": "Defender for Cloud Apps", "mapping_type": "technique_score", "attack_object_id": "T1053.007", "attack_object_name": "Container Orchestration Job", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "related_score": "T1053", "comments": "Microsoft 365 Defender for Cloud Apps can scan images and containers for threats and vulnerabilities, as well as identify misconfigurations for remediation.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-cloud-discovery"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1021", "attack_object_name": "Remote Services", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1021.007", "attack_object_name": "Cloud Services", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1021", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": []}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1021.007", "attack_object_name": "Cloud Services", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1021", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1059.009", "attack_object_name": "Cloud API", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1059", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1072", "attack_object_name": "Software Deployment Tools", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1078.001", "attack_object_name": "Default Accounts", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1078", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1078", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1080", "attack_object_name": "Taint Shared Content", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1110", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1110", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1110", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1110", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1114", "attack_object_name": "Email Collection", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1114.002", "attack_object_name": "Remote Email Collection", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1114", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1114.002", "attack_object_name": "Remote Email Collection", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1114", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1114.003", "attack_object_name": "Email Forwarding Rule", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1114", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1114.003", "attack_object_name": "Email Forwarding Rule", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1114", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1136", "attack_object_name": "Create Account", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1136.003", "attack_object_name": "Cloud Account", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1136", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1137", "attack_object_name": "Office Application Startup", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1189", "attack_object_name": "Drive-by Compromise", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1204.001", "attack_object_name": "Malicious Link", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1204", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1204.002", "attack_object_name": "Malicious File", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1204", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1211", "attack_object_name": "Exploitation for Defense Evasion", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1213", "attack_object_name": "Data from Information Repositories", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1213.002", "attack_object_name": "Sharepoint", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1213", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1534", "attack_object_name": "Internal Spearphishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1546", "attack_object_name": "Event Triggered Execution", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1548", "attack_object_name": "Abuse Elevation Control Mechanism", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1550", "attack_object_name": "Use Alternate Authentication Material", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1550.001", "attack_object_name": "Application Access Token", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1550", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1562", "attack_object_name": "Impair Defenses", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1562.008", "attack_object_name": "Disable or Modify Cloud Logs", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1562", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1564", "attack_object_name": "Hide Artifacts", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1564.008", "attack_object_name": "Email Hiding Rules", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1564", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1566", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1566", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1567", "attack_object_name": "Exfiltration Over Web Service", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1567.002", "attack_object_name": "Exfiltration to Cloud Storage", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1567", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1567.004", "attack_object_name": "Exfiltration Over Webhook", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "related_score": "T1567", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1606", "attack_object_name": "Forge Web Credentials", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1651", "attack_object_name": "Cloud Administration Command", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1656", "attack_object_name": "Impersonation", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]}, {"capability_id": "DEF-SSCO-E3", "capability_description": "Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1657", "attack_object_name": "Financial Theft", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. 
Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide", "https://security.microsoft.com/securescore?"]},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1021.007", "attack_object_name": "Cloud Services", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1021", "comments": "Microsoft recommends passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app).\n\nWhen combined with Conditional Access policies, strong two-factor authentication for accounts used with remote services mitigates an adversary's ability to leverage stolen credentials.\n\nLicense Requirements: \nAll Microsoft Entra ID licenses", "references": ["https://m365maps.com/files/Entra-ID-All.htm", "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods", "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124"]},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1078", "comments": "Microsoft recommends passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app).\n\nWhen combined with Conditional Access policies, passwordless authentication significantly reduces the likelihood of successful credential attacks (e.g., brute force, token theft).\n\nLicense Requirements: \nAll Microsoft Entra ID licenses", "references": ["https://m365maps.com/files/Entra-ID-All.htm", "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984", "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124", "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods"]},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1098", "comments": "Microsoft recommends passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app).\n\nWhen combined with Conditional Access policies, passwordless authentication significantly reduces the likelihood of adversary activity such as adding cloud credentials or permissions to a compromised account.\n\nLicense Requirements: \nAll Microsoft Entra ID licenses", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods", "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124", "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984", "https://m365maps.com/files/Entra-ID-All.htm"]},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1098.003", "attack_object_name": "Additional Cloud Roles", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1098", "comments": "Microsoft recommends passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app).\n\nWhen combined with Conditional Access policies, passwordless authentication significantly reduces the likelihood of adversary activity such as adding cloud roles to a compromised account.\n\nLicense Requirements: \nAll Microsoft Entra ID licenses", "references": ["https://m365maps.com/files/Entra-ID-All.htm", "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984", "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124", "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods"]},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "comments": "Microsoft recommends passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app).\n\nWhen combined with Conditional Access policies, passwordless authentication significantly reduces the likelihood of successful credential attacks (e.g., brute force, token theft).\n\nLicense Requirements: \nAll Microsoft Entra ID licenses", "references": ["https://m365maps.com/files/Entra-ID-All.htm", "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124", "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods"]},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "comments": "This control provides significant protection against this brute force technique by completely obviating the need for passwords, replacing them with passwordless credentials.", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-passwordless"]},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Microsoft recommends passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app).\n\nWhen combined with Conditional Access policies, passwordless authentication significantly reduces the likelihood of successful credential attacks (e.g., brute force, token theft).\n\nLicense Requirements: \nAll Microsoft Entra ID licenses", "references": ["https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124", "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods", "https://m365maps.com/files/Entra-ID-All.htm"]},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "This control provides significant protection against password-based attacks by completely obviating the need for passwords, replacing them with passwordless credentials.", "references": []},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Microsoft recommends passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app).\n\nWhen combined with Conditional Access policies, passwordless authentication significantly reduces the likelihood of successful credential attacks (e.g., brute force, token theft).\n\nLicense Requirements: \nAll Microsoft Entra ID licenses", "references": ["https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124", "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods", "https://m365maps.com/files/Entra-ID-All.htm"]},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "This control provides significant protection against password-based attacks by completely obviating the need for passwords, replacing them with passwordless credentials.", "references": []},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Microsoft recommends passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app).\n\nWhen combined with Conditional Access policies, passwordless authentication significantly reduces the likelihood of successful credential attacks (e.g., brute force, token theft).\n\nLicense Requirements: \nAll Microsoft Entra ID licenses", "references": ["https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124", "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods", "https://m365maps.com/files/Entra-ID-All.htm"]},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "This control provides significant protection against password-based attacks by completely obviating the need for passwords, replacing them with passwordless credentials.", "references": []},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "Microsoft recommends passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app).\n\nWhen combined with Conditional Access policies, passwordless authentication significantly reduces the likelihood of successful credential attacks (e.g., brute force, token theft).\n\nLicense Requirements: \nAll Microsoft Entra ID licenses", "references": ["https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124", "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods", "https://m365maps.com/files/Entra-ID-All.htm"]},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "This control provides significant protection against password-based attacks by completely obviating the need for passwords, replacing them with passwordless credentials.", "references": []},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1136.003", "attack_object_name": "Cloud Account", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1136", "comments": "Microsoft recommends passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app).\n\nWhen combined with Conditional Access policies, passwordless authentication significantly reduces the likelihood of adversary activity such as creating cloud accounts from a compromised account.\n\nLicense Requirements: \nAll Microsoft Entra ID licenses", "references": ["https://m365maps.com/files/Entra-ID-All.htm", "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984", "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124", "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods"]},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1531", "attack_object_name": "Account Access Removal", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "comments": "Microsoft recommends passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app).\n\nWhen combined with Conditional Access policies, passwordless authentication significantly reduces the likelihood of adversary activity such as account creation or deletion from a compromised account.\n\nLicense Requirements: \nAll Microsoft Entra ID licenses", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods", "https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984", "https://m365maps.com/files/Entra-ID-All.htm"]},
{"capability_id": "EID-PWLA-E3", "capability_description": "Passwordless Authentication", "mapping_type": "technique_score", "attack_object_id": "T1539", "attack_object_name": "Steal Web Session Cookie", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "comments": "Microsoft recommends passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have plus something you are or something you know (e.g., biometrics, FIDO2 security keys, the Microsoft Authenticator app).\n\nWhen combined with Conditional Access policies, passwordless authentication significantly reduces the likelihood of successful credential attacks (e.g., token theft).\n\nLicense Requirements: \nAll Microsoft Entra ID licenses", "references": ["https://techcommunity.microsoft.com/t5/microsoft-entra-blog/all-your-creds-are-belong-to-us/ba-p/855124", "https://m365maps.com/files/Entra-ID-All.htm", "https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-methods"]},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1021.008", "attack_object_name": "Direct Cloud VM Connections", "capability_group": "entra-id", "score_category": "detect", "score_value": "partial", "related_score": "T1021", "comments": "As this technique involves the use of Valid Accounts, Defender's behavioral analytics and Conditional Access can also lead to the detection of Direct Cloud VM Connections.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/tutorial-suspicious-activity", "https://learn.microsoft.com/en-us/defender-cloud-apps/manage-admins", "https://learn.microsoft.com/en-us/defender-cloud-apps/conditional-access-app-control-how-to-overview"]},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1021.008", "attack_object_name": "Direct Cloud VM Connections", "capability_group": "entra-id", "score_category": "detect", "score_value": "partial", "related_score": "T1021", "comments": "As this technique involves the use of Valid Accounts, Entra ID Protection's partial detection of the use of Valid Accounts for malicious 
purposes can also lead to the detection of Direct Cloud VM Connections.", "references": []},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "entra-id", "score_category": "detect", "score_value": "partial", "comments": "This control provides partial detection for some of this technique's sub-techniques and procedure examples, resulting in an overall Partial detection score.", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk", "https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"]},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1078.002", "attack_object_name": "Domain Accounts", "capability_group": "entra-id", "score_category": "detect", "score_value": "partial", "related_score": "T1078", "comments": "When federation is configured for a Microsoft Entra ID (formerly Azure Active Directory) tenant, an adversary that compromises a domain credential can use it to access Azure cloud resources. Identity Protection supports applying its risk detections (e.g., Anonymous IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties) to federated identities, thereby providing detection for this risk. Because this detection is specific to an adversary using valid domain credentials to access cloud resources and does not cover the use of valid domain credentials to access on-premises resources, this detection has been scored as Partial.\n\nThe temporal factor of this control's detection is low because, although there are some real-time detections, most are offline detections (multi-day).", "references": []},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "detect", "score_value": "partial", "related_score": "T1078", "comments": "This control provides risk detections that can be used to detect suspicious uses of valid accounts, e.g., Anonymous IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties. Microsoft uses machine learning and heuristic systems to reduce the false positive rate, but there will be false positives.\nThe temporal factor of this control's detection is low because, although there are some real-time detections, most are offline detections (multi-day).", "references": []},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "respond", "score_value": "significant", "related_score": "T1078", "comments": "Response Type: Eradication\nSupports blocking the user and resetting the user's credentials based on the detection of a risky user/sign-in, both manually and through automation via its user and sign-in risk policies.", "references": []},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "comments": "Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. Identity Protection requires users to hold the Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator role in order to access the dashboard.\n\nLicense Requirements: \nMicrosoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection"]},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1098", "comments": "Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. Identity Protection requires users to hold the Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator role in order to access the dashboard.\n\nRisk-based Conditional Access policies can be enabled to require access controls such as a strong authentication method, multi-factor authentication, or a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection"]},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1098.003", "attack_object_name": "Additional Cloud Roles", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "related_score": "T1098", "comments": "Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. Identity Protection requires users to hold the Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator role in order to access the dashboard.\n\nRisk-based Conditional Access policies can be enabled to require access controls such as a strong authentication method, multi-factor authentication, or a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection"]},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "entra-id", "score_category": "detect", "score_value": "minimal", "comments": "This control provides Minimal detection for one of this technique's sub-techniques and no detection for the remaining ones, resulting in a Minimal score.", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk", "https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"]},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "entra-id", "score_category": "respond", "score_value": "minimal", "comments": "Provides significant response capabilities for one of this technique's sub-techniques (Password Spray). Because this capability is specific to that sub-technique and does not extend to the remaining sub-techniques, the coverage score is Minimal, resulting in an overall Minimal score.", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk", "https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"]},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections to generate a sign-in session risk level, indicating how likely it is that the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization.\n\nRisk-based Conditional Access policies can be enabled to require access controls such as a strong authentication method, multi-factor authentication, or a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection"]},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections to generate a sign-in session risk level, indicating how likely it is that the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization.\n\nRisk-based Conditional Access policies can be enabled to require access controls such as a strong authentication method, multi-factor authentication, or a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection"]},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections to generate a sign-in session risk level, indicating how likely it is that the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization.\n\nRisk-based Conditional Access policies can be enabled to require access controls such as a strong authentication method, multi-factor authentication, or a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection"]},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "entra-id", "score_category": "detect", "score_value": "partial", "related_score": "T1110", "comments": "This control specifically provides detection of password spray attacks against Microsoft Entra ID (formerly Azure Active Directory) accounts. Microsoft documentation states that this detection is based on a machine learning algorithm whose most recent improvement yielded a 100 percent increase in recall at 98 percent precision. The temporal factor for this detection is Partial, as its detection is described as offline (i.e., detections may not show up in reporting for two to twenty-four hours).", "references": []},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "entra-id", "score_category": "respond", "score_value": "significant", "related_score": "T1110", "comments": "Response Type: Eradication\nSupports blocking the user and resetting the user's credentials based on the detection of a risky user/sign-in (such as a password spray attack), both manually and through automation via its user and sign-in risk policies.", "references": []},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections to generate a sign-in session risk level, indicating how likely it is that the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization.\n\nRisk-based Conditional Access policies can be enabled to require access controls such as a strong authentication method, multi-factor authentication, or a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection"]},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections to generate a sign-in session risk level, indicating how likely it is that the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization.\n\nRisk-based Conditional Access policies can be enabled to require access controls such as a strong authentication method, multi-factor authentication, or a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection"]},
{"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1556", "attack_object_name": "Modify Authentication Process", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "During each sign-in, Identity Protection runs all real-time sign-in detections to generate a sign-in session risk level, indicating how likely it is that the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization.\n\nRisk-based Conditional Access policies can be enabled to require access controls such as a strong authentication method, multi-factor authentication, or a secure password reset based on the detected risk level. 
If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies", "https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection"]}, {"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1556.006", "attack_object_name": "Multi-Factor Authentication", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1556", "comments": "During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization.\n\nRisk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies", "https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection"]}, {"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1586.003", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1586", "comments": "Cloud accounts should have complex and unique passwords across all systems on the network. 
Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization.\n\nLicense Requirements: \nMicrosoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection"]}, {"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1621", "attack_object_name": "Multi-Factor Authentication Request Generation", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "comments": "During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization.\n\nRisk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. 
If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies", "https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection"]}, {"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1606", "attack_object_name": "Forge Web Credentials", "capability_group": "entra-id", "score_category": "detect", "score_value": "partial", "comments": "This control can be effective at detecting forged web credentials because it uses environmental properties (e.g. IP address, device info, etc.) to detect risky users and sign-ins even when valid credentials are utilized. It provides partial coverage of this technique's sub-techniques and therefore has been assessed a Partial score.", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk", "https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"]}, {"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1606", "attack_object_name": "Forge Web Credentials", "capability_group": "entra-id", "score_category": "respond", "score_value": "partial", "comments": "Provides Significant response capabilities for one of this technique's sub-techniques (SAML tokens).", "references": ["https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-investigate-risk", 
"https://learn.microsoft.com/en-us/entra/id-protection/overview-identity-protection", "https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azuread-identity-protection-adds-support-for-federated/ba-p/244328"]}, {"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1606.002", "attack_object_name": "SAML Tokens", "capability_group": "entra-id", "score_category": "detect", "score_value": "partial", "related_score": "T1606", "comments": "This control supports detecting risky sign-ins and risky users for federated accounts and therefore can potentially alert on this activity. Not all alert types for this control support federated accounts, so the detection coverage for this technique is partial.", "references": []}, {"capability_id": "EID-IDPR-E5", "capability_description": "ID Protection", "mapping_type": "technique_score", "attack_object_id": "T1606.002", "attack_object_name": "SAML Tokens", "capability_group": "entra-id", "score_category": "respond", "score_value": "significant", "related_score": "T1606", "comments": "Response Type: Eradication\nSupports blocking and resetting the user's credentials based on the detection of a risky user/sign-in manually, and also supports automation via its user and sign-in risk policies.", "references": []}, {"capability_id": "EOP-AMW-E3", "capability_description": "Antimalware", "mapping_type": "technique_score", "attack_object_id": "T1027", "attack_object_name": "Obfuscated Files or Information", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. 
Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. 
The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "EOP-AMW-E3", "capability_description": "Antimalware", "mapping_type": "technique_score", "attack_object_id": "T1036", "attack_object_name": "Masquerading", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. 
This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "EOP-AMW-E3", "capability_description": "Antimalware", "mapping_type": "technique_score", "attack_object_id": "T1036.007", "attack_object_name": "Double File Extension", "capability_group": "eop", "score_category": "protect", "score_value": "minimal", "related_score": "T1036", "comments": "M365's Antimalware capability (the common attachments filter in EOP anti-malware policies) can be used to block email messages that carry attachments of specified file types. It can be configured to block only nonessential file types (such as .exe files), which could prevent some attachments with double extensions from being delivered to and opened by the user. 
However, this does not combat the technique as a whole.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "EOP-AMW-E3", "capability_description": "Antimalware", "mapping_type": "technique_score", "attack_object_id": "T1036.010", "attack_object_name": "Masquerade Account Name", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "related_score": "T1036", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. 
This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. ", "references": []}, {"capability_id": "EOP-AMW-E3", "capability_description": "Antimalware", "mapping_type": "technique_score", "attack_object_id": "T1059", "attack_object_name": "Command and Scripting Interpreter", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. 
Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. 
", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "EOP-AMW-E3", "capability_description": "Antimalware", "mapping_type": "technique_score", "attack_object_id": "T1059.001", "attack_object_name": "PowerShell", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "related_score": "T1059", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. 
This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "EOP-AMW-E3", "capability_description": "Antimalware", "mapping_type": "technique_score", "attack_object_id": "T1059.006", "attack_object_name": "Python", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "related_score": "T1059", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. 
Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. 
The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "EOP-AMW-E3", "capability_description": "Antimalware", "mapping_type": "technique_score", "attack_object_id": "T1059.009", "attack_object_name": "Cloud API", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "related_score": "T1059", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. 
This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "EOP-AMW-E3", "capability_description": "Antimalware", "mapping_type": "technique_score", "attack_object_id": "T1080", "attack_object_name": "Taint Shared Content", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. 
Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. 
The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "EOP-AMW-E3", "capability_description": "Antimalware", "mapping_type": "technique_score", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. 
This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "EOP-AMW-E3", "capability_description": "Antimalware", "mapping_type": "technique_score", "attack_object_id": "T1204.002", "attack_object_name": "Malicious File", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "related_score": "T1204", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. 
Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. 
The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "EOP-AMW-E3", "capability_description": "Antimalware", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. 
This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "EOP-AMW-E3", "capability_description": "Antimalware", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "related_score": "T1566", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. 
Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. 
The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "DEF-QUAR-E3", "capability_description": "Quarantine Policies", "mapping_type": "technique_score", "attack_object_id": "T1027", "attack_object_name": "Obfuscated Files or Information", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. 
\n\nLicense requirements: M365 E3 (or Defender for Office plan 1)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://security.microsoft.com/quarantinePolicies.", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy"]}, {"capability_id": "DEF-QUAR-E3", "capability_description": "Quarantine Policies", "mapping_type": "technique_score", "attack_object_id": "T1036", "attack_object_name": "Masquerading", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. 
\n\nLicense requirements: M365 E3 (or Defender for Office plan 1)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://security.microsoft.com/quarantinePolicies.", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy"]}, {"capability_id": "DEF-QUAR-E3", "capability_description": "Quarantine Policies", "mapping_type": "technique_score", "attack_object_id": "T1080", "attack_object_name": "Taint Shared Content", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. 
\n\nLicense requirements: M365 E3 (or Defender for Office plan 1)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://security.microsoft.com/quarantinePolicies.", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy"]}, {"capability_id": "DEF-QUAR-E3", "capability_description": "Quarantine Policies", "mapping_type": "technique_score", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. 
\n\nLicense requirements: M365 E3 (or Defender for Office plan 1)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://security.microsoft.com/quarantinePolicies.", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy"]}, {"capability_id": "DEF-QUAR-E3", "capability_description": "Quarantine Policies", "mapping_type": "technique_score", "attack_object_id": "T1204.001", "attack_object_name": "Malicious Link", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1204", "comments": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. 
\n\nLicense requirements: M365 E3 (or Defender for Office plan 1)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://security.microsoft.com/quarantinePolicies.", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy"]}, {"capability_id": "DEF-QUAR-E3", "capability_description": "Quarantine Policies", "mapping_type": "technique_score", "attack_object_id": "T1204.002", "attack_object_name": "Malicious File", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1204", "comments": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. 
\n\nLicense requirements: M365 E3 (or Defender for Office plan 1)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://security.microsoft.com/quarantinePolicies.", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy"]}, {"capability_id": "DEF-QUAR-E3", "capability_description": "Quarantine Policies", "mapping_type": "technique_score", "attack_object_id": "T1204.003", "attack_object_name": "Malicious Image", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1204", "comments": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect emerging threats. If a suspicious file is identified, the file can be quarantined or access to it blocked to prevent potential harm. 
\n\nLicense requirements:\nMicrosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet"]}, {"capability_id": "DEF-QUAR-E3", "capability_description": "Quarantine Policies", "mapping_type": "technique_score", "attack_object_id": "T1213", "attack_object_name": "Data from Information Repositories", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. 
\n\nLicense requirements: M365 E3 (or Defender for Office plan 1)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://security.microsoft.com/quarantinePolicies.", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy"]}, {"capability_id": "DEF-QUAR-E3", "capability_description": "Quarantine Policies", "mapping_type": "technique_score", "attack_object_id": "T1213.002", "attack_object_name": "Sharepoint", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1213", "comments": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. 
\n\nLicense requirements: M365 E3 (or Defender for Office plan 1)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://security.microsoft.com/quarantinePolicies.", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy"]}, {"capability_id": "DEF-QUAR-E3", "capability_description": "Quarantine Policies", "mapping_type": "technique_score", "attack_object_id": "T1213.005", "attack_object_name": "Messaging Applications", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1213", "comments": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. 
\n\nLicense requirements: M365 E3 (or Defender for Office plan 1)", "references": []}, {"capability_id": "DEF-QUAR-E3", "capability_description": "Quarantine Policies", "mapping_type": "technique_score", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. 
\n\nLicense requirements: M365 E3 (or Defender for Office plan 1)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://security.microsoft.com/quarantinePolicies.", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy"]}, {"capability_id": "DEF-QUAR-E3", "capability_description": "Quarantine Policies", "mapping_type": "technique_score", "attack_object_id": "T1534", "attack_object_name": "Internal Spearphishing", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. 
\n\nLicense requirements: M365 E3 (or Defender for Office plan 1)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://security.microsoft.com/quarantinePolicies.", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy"]}, {"capability_id": "DEF-QUAR-E3", "capability_description": "Quarantine Policies", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. 
\n\nLicense requirements: M365 E3 (or Defender for Office plan 1)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://security.microsoft.com/quarantinePolicies.", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy"]}, {"capability_id": "DEF-QUAR-E3", "capability_description": "Quarantine Policies", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1566", "comments": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. 
\n\nLicense requirements: M365 E3 (or Defender for Office plan 1)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://security.microsoft.com/quarantinePolicies.", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy"]}, {"capability_id": "DEF-QUAR-E3", "capability_description": "Quarantine Policies", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1566", "comments": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. 
\n\nLicense requirements: M365 E3 (or Defender for Office plan 1)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://security.microsoft.com/quarantinePolicies.", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy"]}, {"capability_id": "DEF-QUAR-E3", "capability_description": "Quarantine Policies", "mapping_type": "technique_score", "attack_object_id": "T1656", "attack_object_name": "Impersonation", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantined messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nQuarantine policies apply to the following M365 features: the \u201cResponse\u201d action for items tagged by anti-malware and anti-phishing protection, and files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. 
\n\nLicense requirements: M365 E3 (or Defender for Office plan 1)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://security.microsoft.com/quarantinePolicies.", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-policies?view=o365-worldwide#anatomy-of-a-quarantine-policy"]}, {"capability_id": "DEF-ZHAP-E3", "capability_description": "Zero Hour Auto Purge", "mapping_type": "technique_score", "attack_object_id": "T1027", "attack_object_name": "Obfuscated Files or Information", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "DEF-ZHAP-E3", "capability_description": "Zero Hour Auto Purge", "mapping_type": "technique_score", "attack_object_id": "T1036", "attack_object_name": "Masquerading", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. 
With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "DEF-ZHAP-E3", "capability_description": "Zero Hour Auto Purge", "mapping_type": "technique_score", "attack_object_id": "T1059", "attack_object_name": "Command and Scripting Interpreter", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. 
With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "DEF-ZHAP-E3", "capability_description": "Zero Hour Auto Purge", "mapping_type": "technique_score", "attack_object_id": "T1059.001", "attack_object_name": "PowerShell", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1059", "comments": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. 
With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "DEF-ZHAP-E3", "capability_description": "Zero Hour Auto Purge", "mapping_type": "technique_score", "attack_object_id": "T1059.006", "attack_object_name": "Python", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1059", "comments": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. 
With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "DEF-ZHAP-E3", "capability_description": "Zero Hour Auto Purge", "mapping_type": "technique_score", "attack_object_id": "T1059.009", "attack_object_name": "Cloud API", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1059", "comments": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. 
With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "DEF-ZHAP-E3", "capability_description": "Zero Hour Auto Purge", "mapping_type": "technique_score", "attack_object_id": "T1080", "attack_object_name": "Taint Shared Content", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. 
With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "DEF-ZHAP-E3", "capability_description": "Zero Hour Auto Purge", "mapping_type": "technique_score", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. 
With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "DEF-ZHAP-E3", "capability_description": "Zero Hour Auto Purge", "mapping_type": "technique_score", "attack_object_id": "T1204.001", "attack_object_name": "Malicious Link", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1204", "comments": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. 
With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "DEF-ZHAP-E3", "capability_description": "Zero Hour Auto Purge", "mapping_type": "technique_score", "attack_object_id": "T1204.002", "attack_object_name": "Malicious File", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1204", "comments": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. 
With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "DEF-ZHAP-E3", "capability_description": "Zero Hour Auto Purge", "mapping_type": "technique_score", "attack_object_id": "T1534", "attack_object_name": "Internal Spearphishing", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. 
With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "DEF-ZHAP-E3", "capability_description": "Zero Hour Auto Purge", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "DEF-ZHAP-E3", "capability_description": "Zero Hour Auto Purge", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1566", "comments": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have 
already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "DEF-ZHAP-E3", "capability_description": "Zero Hour Auto Purge", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1566", "comments": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. 
With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "DEF-ZHAP-E3", "capability_description": "Zero Hour Auto Purge", "mapping_type": "technique_score", "attack_object_id": "T1656", "attack_object_name": "Impersonation", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. 
With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-malware-protection-about?view=o365-worldwide"]}, {"capability_id": "EOP-AMW-E3", "capability_description": "Antimalware", "mapping_type": "technique_score", "attack_object_id": "T1027.011", "attack_object_name": "Fileless Storage", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "related_score": "T1027", "comments": "This control can protect against fileless storage attacks.", "references": ["https://learn.microsoft.com/en-us/defender-endpoint/microsoft-defender-antivirus-windows"]}, {"capability_id": "EOP-AMW-E3", "capability_description": "Antimalware", "mapping_type": "technique_score", "attack_object_id": "T1027.012", "attack_object_name": "LNK Icon Smuggling", "capability_group": "m365-defender", "score_category": "protect", "score_value": "significant", "related_score": "T1027", "comments": "This control can protect against LNK icon smuggling.", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/proxy-intro-aad"]}, {"capability_id": "EOP-APH-E3", "capability_description": "Anti-Phishing", "mapping_type": "technique_score", "attack_object_id": "T1027.013", "attack_object_name": "Encrypted/Encoded File", "capability_group": "eop", "score_category": "protect", "score_value": "partial", "related_score": "T1027", "comments": "Exchange Online Protection's anti-phishing methods can protect against encrypted malicious files by scanning attachments and potentially quarantining them. 
Due to this being only one avenue, the rating is judged to be partial.", "references": []}, {"capability_id": "EOP-APH-E3", "capability_description": "Anti-Phishing", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "comments": "Policies to configure anti-phishing protection settings are available in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, and Microsoft Defender for Office 365 organizations. The features provided with Anti-phishing policies in Defender for Office 365 are: Automatically creating default policies, creating custom policies, common policy settings, spoof settings, first contact safety tips, impersonation settings, and advanced phishing thresholds.\n\nMicrosoft 365's Anti-Phishing protection protects against phishing attacks through its custom policy feature, where users can create policies to determine if certain websites used for phishing are necessary for business operations and can block access if activity cannot be monitored well or if it poses a significant risk.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR", "references": ["[]"]}, {"capability_id": "EOP-APH-E3", "capability_description": "Anti-Phishing", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "related_score": "T1566", "comments": "Policies to configure anti-phishing protection settings are available in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, and Microsoft Defender for Office 365 organizations. 
The features provided with Anti-phishing policies in Defender for Office 365 are: Automatically creating default policies, creating custom policies, common policy settings, spoof settings, first contact safety tips, impersonation settings, and advanced phishing thresholds.\n\nMicrosoft 365's Anti-Phishing protection protects against phishing attacks through its custom policy feature, where users can create policies to determine if certain websites used for phishing are necessary for business operations and can block access if activity cannot be monitored well or if it poses a significant risk.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR", "references": ["[]"]}, {"capability_id": "EOP-APH-E3", "capability_description": "Anti-Phishing", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "related_score": "T1566", "comments": "Policies to configure anti-phishing protection settings are available in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, and Microsoft Defender for Office 365 organizations. 
The features provided with Anti-phishing policies in Defender for Office 365 are: Automatically creating default policies, creating custom policies, common policy settings, spoof settings, first contact safety tips, impersonation settings, and advanced phishing thresholds.\n\nMicrosoft 365's Anti-Phishing protection protects against phishing attacks through its custom policy feature, where users can create policies to determine if certain websites used for phishing are necessary for business operations and can block access if activity cannot be monitored well or if it poses a significant risk.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR", "references": ["[]"]}, {"capability_id": "EOP-APH-E3", "capability_description": "Anti-Phishing", "mapping_type": "technique_score", "attack_object_id": "T1656", "attack_object_name": "Impersonation", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "comments": "Policies to configure anti-phishing protection settings are available in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, and Microsoft Defender for Office 365 organizations. 
The features provided with Anti-phishing policies in Defender for Office 365 are: Automatically creating default policies, creating custom policies, common policy settings, spoof settings, first contact safety tips, impersonation settings, and advanced phishing thresholds.\n\nMicrosoft 365's Anti-Phishing protection protects against phishing attacks through its custom policy feature, where users can create policies to determine if certain websites used for phishing are necessary for business operations and can block access if activity cannot be monitored well or if it poses a significant risk.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR", "references": ["[]"]}, {"capability_id": "DEF-AACI-E3", "capability_description": "Adaptive Application Control Integration", "mapping_type": "technique_score", "attack_object_id": "T1036", "attack_object_name": "Masquerading", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control provides detection for some of this technique's sub-techniques and procedure examples and therefore its coverage score is Partial, resulting in a Partial score. 
Its detection occurs once every twelve hours, so its temporal score is also Partial.", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent", " https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview", " https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description"]}, {"capability_id": "DEF-AACI-E3", "capability_description": "Adaptive Application Control Integration", "mapping_type": "technique_score", "attack_object_id": "T1036", "attack_object_name": "Masquerading", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control provides detection for some of this technique's sub-techniques and procedure examples and therefore its coverage score is Partial, resulting in a Partial score. Its detection occurs once every twelve hours, so its temporal score is also Partial.", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality"]}, {"capability_id": "DEF-AACI-E3", "capability_description": "Adaptive Application Control Integration", "mapping_type": "technique_score", "attack_object_id": "T1036.001", "attack_object_name": "Invalid Code Signature", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1036", "comments": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Because signatures generated via this technique are not valid, these malicious executables would be detected via any form of allow list, including publisher-based. 
Events are calculated once every twelve hours, so its temporal score is Partial.", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent", " https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview", " https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description"]}, {"capability_id": "DEF-AACI-E3", "capability_description": "Adaptive Application Control Integration", "mapping_type": "technique_score", "attack_object_id": "T1036.001", "attack_object_name": "Invalid Code Signature", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1036", "comments": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Because signatures generated via this technique are not valid, these malicious executables would be detected via any form of allow list, including publisher-based. 
Events are calculated once every twelve hours, so its temporal score is Partial.", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent", " https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview", " https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description"]}, {"capability_id": "DEF-AACI-E3", "capability_description": "Adaptive Application Control Integration", "mapping_type": "technique_score", "attack_object_id": "T1036.005", "attack_object_name": "Match Legitimate Name or Location", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1036", "comments": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Path-based masquerading may subvert path-based rules within this control, resulting in false negatives, but hash and publisher-based rules will still detect untrusted executables. 
Events are calculated once every twelve hours, so its temporal score is Partial.", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent", " https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview", " https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description"]}, {"capability_id": "DEF-AACI-E3", "capability_description": "Adaptive Application Control Integration", "mapping_type": "technique_score", "attack_object_id": "T1036.005", "attack_object_name": "Match Legitimate Name or Location", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1036", "comments": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Path-based masquerading may subvert path-based rules within this control, resulting in false negatives, but hash and publisher-based rules will still detect untrusted executables. 
Events are calculated once every twelve hours, so its temporal score is Partial.", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent", " https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview", " https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description"]}, {"capability_id": "DEF-AACI-E3", "capability_description": "Adaptive Application Control Integration", "mapping_type": "technique_score", "attack_object_id": "T1036.006", "attack_object_name": "Space after Filename", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1036", "comments": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Malicious files of this type would be unlikely to evade detection from any form of allow list. 
Events are calculated once every twelve hours, so its temporal score is Partial.", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent", "https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview", "https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description"]},
{"capability_id": "DEF-AACI-E3", "capability_description": "Adaptive Application Control Integration", "mapping_type": "technique_score", "attack_object_id": "T1036.006", "attack_object_name": "Space after Filename", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1036", "comments": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Malicious files of this type would be unlikely to evade detection from any form of allow list. Events are calculated once every twelve hours, so its temporal score is Partial.", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent", "https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview", "https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description"]},
{"capability_id": "DEF-AACI-E3", "capability_description": "Adaptive Application Control Integration", "mapping_type": "technique_score", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "This control only provides detection for one of this technique's sub-techniques while not providing any detection capability for its other sub-technique, and therefore its coverage score is Partial, resulting in a Partial score.", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent", "https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview", "https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description"]},
{"capability_id": "DEF-AACI-E3", "capability_description": "Adaptive Application Control Integration", "mapping_type": "technique_score", "attack_object_id": "T1204.002", "attack_object_name": "Malicious File", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1204", "comments": "Once this control is activated, it generates alerts for any executable that has been run and is not included in an allow list. There is a significant potential for false positives from new non-malicious executables, and events are calculated once every twelve hours, so its temporal score is Partial.", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent", "https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview", "https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description"]},
{"capability_id": "DEF-AACI-E3", "capability_description": "Adaptive Application Control Integration", "mapping_type": "technique_score", "attack_object_id": "T1553", "attack_object_name": "Subvert Trust Controls", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "This control only provides detection for some of this technique's sub-techniques while not providing any detection capability for the remaining sub-techniques, and therefore its coverage score is Minimal, resulting in a Minimal score.", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent", "https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview", "https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description"]},
{"capability_id": "DEF-AACI-E3", "capability_description": "Adaptive Application Control Integration", "mapping_type": "technique_score", "attack_object_id": "T1553.002", "attack_object_name": "Code Signing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1553", "comments": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. While publisher-based allow lists may fail to detect malicious executables with valid signatures, hash and path-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial.", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent", "https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview", "https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description"]},
{"capability_id": "DEF-AACI-E3", "capability_description": "Adaptive Application Control Integration", "mapping_type": "technique_score", "attack_object_id": "T1553.005", "attack_object_name": "Mark-of-the-Web Bypass", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1553", "comments": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Events are calculated once every twelve hours, so its temporal score is Partial.", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent", "https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview", "https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description"]},
{"capability_id": "DEF-AACI-E3", "capability_description": "Adaptive Application Control Integration", "mapping_type": "technique_score", "attack_object_id": "T1554", "attack_object_name": "Compromise Host Software Binary", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. While name and publisher-based allow lists may fail to detect malicious modifications to executable client binaries, hash-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial.", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent", "https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview", "https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description"]},
{"capability_id": "DEF-SATT-E3", "capability_description": "Safe Attachments", "mapping_type": "technique_score", "attack_object_id": "T1036.008", "attack_object_name": "Masquerade File Type", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "related_score": "T1036", "comments": "Safe Attachments scanning can detect whether an email attachment is potentially malicious, including when its file type is being obfuscated.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet"]},
{"capability_id": "DEF-SATT-E3", "capability_description": "Safe Attachments", "mapping_type": "technique_score", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. 
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect emerging threats. If a suspicious file is identified, it can be quarantined or access to it can be blocked to prevent potential harm. \n\nLicense requirements:\nMicrosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet"]}, {"capability_id": "DEF-SATT-E3", "capability_description": "Safe Attachments", "mapping_type": "technique_score", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect emerging threats. If a suspicious file is identified, it can be quarantined or access to it can be blocked to prevent potential harm. 
\n\nLicense requirements:\nMicrosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide"]}, {"capability_id": "DEF-SATT-E3", "capability_description": "Safe Attachments", "mapping_type": "technique_score", "attack_object_id": "T1204.002", "attack_object_name": "Malicious File", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1204", "comments": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect emerging threats. If a suspicious file is identified, it can be quarantined or access to it can be blocked to prevent potential harm. 
\n\nLicense requirements:\nMicrosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet"]}, {"capability_id": "DEF-SATT-E3", "capability_description": "Safe Attachments", "mapping_type": "technique_score", "attack_object_id": "T1204.002", "attack_object_name": "Malicious File", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1204", "comments": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect emerging threats. If a suspicious file is identified, it can be quarantined or access to it can be blocked to prevent potential harm. \n\nLicense requirements:\nMicrosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide"]}, {"capability_id": "DEF-SATT-E3", "capability_description": "Safe Attachments", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. 
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect emerging threats. If a suspicious file is identified, it can be quarantined or access to it can be blocked to prevent potential harm. \n\nLicense requirements:\nMicrosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet"]}, {"capability_id": "DEF-SATT-E3", "capability_description": "Safe Attachments", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect emerging threats. If a suspicious file is identified, it can be quarantined or access to it can be blocked to prevent potential harm. 
\n\nLicense requirements:\nMicrosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide"]}, {"capability_id": "DEF-SATT-E3", "capability_description": "Safe Attachments", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1566", "comments": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect emerging threats. If a suspicious file is identified, it can be quarantined or access to it can be blocked to prevent potential harm. 
\n\nLicense requirements:\nMicrosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet"]}, {"capability_id": "DEF-SATT-E3", "capability_description": "Safe Attachments", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1566", "comments": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect emerging threats. If a suspicious file is identified, it can be quarantined or access to it can be blocked to prevent potential harm. 
\n\nLicense requirements:\nMicrosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-about?view=o365-worldwide"]}, {"capability_id": "DEF-SATT-E3", "capability_description": "Safe Attachments", "mapping_type": "technique_score", "attack_object_id": "T1598", "attack_object_name": "Phishing for Information", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect emerging threats. If a suspicious file is identified, it can be quarantined or access to it can be blocked to prevent potential harm. 
\n\nLicense requirements:\nMicrosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet"]}, {"capability_id": "DEF-SATT-E3", "capability_description": "Safe Attachments", "mapping_type": "technique_score", "attack_object_id": "T1598", "attack_object_name": "Phishing for Information", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect emerging threats. If a suspicious file is identified, it can be quarantined or access to it can be blocked to prevent potential harm. 
\n\nLicense requirements:\nMicrosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide"]}, {"capability_id": "DEF-SATT-E3", "capability_description": "Safe Attachments", "mapping_type": "technique_score", "attack_object_id": "T1598.002", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1598", "comments": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect emerging threats. If a suspicious file is identified, it can be quarantined or access to it can be blocked to prevent potential harm. 
\n\nLicense requirements:\nMicrosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/mdo-security-comparison?view=o365-worldwide#defender-for-office-365-plan-1-vs-plan-2-cheat-sheet"]}, {"capability_id": "DEF-SATT-E3", "capability_description": "Safe Attachments", "mapping_type": "technique_score", "attack_object_id": "T1598.002", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1598", "comments": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect emerging threats. If a suspicious file is identified, it can be quarantined or access to it can be blocked to prevent potential harm. 
\n\nLicense requirements:\nMicrosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide"]}, {"capability_id": "DEF-AAPH-E5", "capability_description": "Advanced Anti-Phishing ", "mapping_type": "technique_score", "attack_object_id": "T1036.010", "attack_object_name": "Masquerade Account Name", "capability_group": "m365-defender", "score_category": "protect", "score_value": "significant", "related_score": "T1036", "comments": "Anti-Phishing measures in Microsoft 365 Defender include settings explicitly designed to protect against fake accounts masquerading as legitimate accounts, such as when a display name or email address is too close to the real one.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide", "https://www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec#:~:text=Business%20email%20compromise%20(BEC)%20is%20a%20type%20of%20cybercrime%20where,can%20use%20in%20another%20scam."]}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1040", "attack_object_name": "Network Sniffing", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "This control's \"Stop clear text credentials exposure\" recommendation advises running the \"Entities exposing credentials in clear text\" assessment, which monitors your traffic for any entities exposing credentials in clear text (via LDAP simple bind). 
This assessment appears to be specific to LDAP simple binds; that, coupled with the fact that it is a recommendation and is not enforced, results in a Minimal score.\n", "references": ["https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"]}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "This control provides recommendations that can lead to protecting against the malicious usage of valid cloud accounts but does not provide recommendations for the remaining sub-techniques. Additionally, it provides limited protection for this technique's procedure examples. 
Consequently, its overall protection coverage score is Minimal.", "references": ["https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"]}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "entra-id", "score_category": "detect", "score_value": "minimal", "comments": "This control provides recommendations that can lead to the detection of the malicious usage of valid cloud accounts but does not provide recommendations for the remaining sub-techniques. Additionally, it provides limited detection for this technique's procedure examples. 
Consequently, its overall detection coverage score is Minimal.", "references": ["https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"]}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1078.001", "attack_object_name": "Default Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "related_score": "T1078", "comments": "This control's \"Protect and manage local admin passwords with Microsoft LAPS\" recommendation advises periodically running and reviewing the Microsoft LAPS usage report, which identifies all Windows-based devices not protected by Microsoft LAPS. This can help reduce the compromise of local administrator accounts.\nBecause this is a recommendation that is not actually enforced, and it is limited to sensitive accounts, the assessed score is Minimal. 
", "references": []}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1078.002", "attack_object_name": "Domain Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "related_score": "T1078", "comments": "This control's \"Remove dormant accounts from sensitive groups\" recommendation advises reviewing dormant (domain) accounts in sensitive groups via an assessment report that can identify sensitive accounts that are dormant.\nBecause these are recommendations that do not actually enforce the protections, and they are limited to sensitive accounts, the assessed score is Minimal. ", "references": []}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1078.003", "attack_object_name": "Local Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "related_score": "T1078", "comments": "This control's \"Protect and manage local admin passwords with Microsoft LAPS\" recommendation advises periodically running and reviewing the Microsoft LAPS usage report, which identifies all Windows-based devices not protected by Microsoft LAPS. This can help reduce the compromise of local administrator accounts.\nBecause this is a recommendation that is not actually enforced, and it is limited to sensitive accounts, the assessed score is Minimal. 
", "references": []}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": "This control's \"Require MFA for administrative roles\" and \"Ensure all users can complete multi-factor authentication for secure access\" recommendations to enable MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted. See the mapping for MFA for more details.\nThis control's \"Use limited administrative roles\" recommendation advises reviewing and limiting the number of accounts with global admin privilege, reducing what an adversary can do with a compromised valid account.\nBecause these are recommendations and do not actually enforce the protections, the assessed score is capped at Partial. ", "references": []}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "detect", "score_value": "partial", "related_score": "T1078", "comments": "This control's \"Turn on sign-in risk policy\" and \"Turn on user risk policy\" recommendations advise enabling Azure AD Identity Protection, which can lead to detecting adversary usage of valid accounts. 
See the mapping for Azure AD Identity Protection.", "references": []}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "The MFA recommendation provides significant protection against password compromises, but because this is a recommendation and does not actually enforce MFA, the assessed score is capped at Partial. ", "references": ["https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"]}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "This control's \"Require MFA for administrative roles\" and \"Ensure all users can complete multi-factor authentication for secure access\" recommendations for enabling MFA can significantly reduce the impact of a compromised account password by requiring the adversary to complete an additional authentication method before their access is permitted.\nThis control's \"Do not expire passwords\" recommendation can also help mitigate the Password Guessing and Password Cracking sub-techniques by disabling periodic password expiration, which tends to lead to users selecting weaker passwords. 
\nThis control's \"Enable policy to block legacy authentication\" and \"Stop legacy protocols communication\" recommendations can lead to protecting against these brute force attacks, as Microsoft research has shown that organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication.\nThis control's \"Resolve unsecure account attributes\" recommendation can lead to detecting accounts with Kerberos preauthentication disabled, which enables offline Password Cracking.\nBecause these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial.", "references": []}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "This control's \"Require MFA for administrative roles\" and \"Ensure all users can complete multi-factor authentication for secure access\" recommendations for enabling MFA can significantly reduce the impact of an account password compromise by requiring the adversary to complete an additional authentication method before access is permitted.\nThis control's \"Do not expire passwords\" recommendation can also mitigate the Password Guessing or Cracking sub-techniques by disabling mandatory password expiration, which tends to lead to users selecting weaker passwords.
\nThis control's \"Enable policy to block legacy authentication\" and \"Stop legacy protocols communication\" recommendations can lead to protecting against these brute force attacks, as Microsoft research has shown that organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication.\nThis control's \"Resolve unsecure account attributes\" recommendation can lead to detecting accounts with Kerberos preauthentication disabled, which enables offline Password Cracking.\nBecause these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial.", "references": []}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "This control's \"Require MFA for administrative roles\" and \"Ensure all users can complete multi-factor authentication for secure access\" recommendations for enabling MFA can significantly reduce the impact of an account password compromise by requiring the adversary to complete an additional authentication method before access is permitted.\nThis control's \"Do not expire passwords\" recommendation can also mitigate the Password Guessing or Cracking sub-techniques by disabling mandatory password expiration, which tends to lead to users selecting weaker passwords.
\nThis control's \"Enable policy to block legacy authentication\" and \"Stop legacy protocols communication\" recommendations can lead to protecting against these brute force attacks, as Microsoft research has shown that organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication.\nThis control's \"Resolve unsecure account attributes\" recommendation can lead to detecting accounts with Kerberos preauthentication disabled, which enables offline Password Cracking.\nBecause these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial.", "references": []}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "This control's \"Require MFA for administrative roles\" and \"Ensure all users can complete multi-factor authentication for secure access\" recommendations for enabling MFA can significantly reduce the impact of an account password compromise by requiring the adversary to complete an additional authentication method before access is permitted.\nThis control's \"Do not expire passwords\" recommendation can also mitigate the Password Guessing or Cracking sub-techniques by disabling mandatory password expiration, which tends to lead to users selecting weaker passwords.
\nThis control's \"Enable policy to block legacy authentication\" and \"Stop legacy protocols communication\" recommendations can lead to protecting against these brute force attacks, as Microsoft research has shown that organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication.\nThis control's \"Resolve unsecure account attributes\" recommendation can lead to detecting accounts with Kerberos preauthentication disabled, which enables offline Password Cracking.\nBecause these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial.", "references": []}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "entra-id", "score_category": "detect", "score_value": "partial", "comments": "This control's \"Configure VPN Integration\" recommendation can lead to detecting abnormal VPN connections that may be indicative of an attack.
Although this control's recommendation is limited to one specific external remote service type, VPN, most of this technique's procedure examples are VPN related, resulting in a Partial overall score.", "references": ["https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"]}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1134", "attack_object_name": "Access Token Manipulation", "capability_group": "entra-id", "score_category": "detect", "score_value": "minimal", "comments": "This control provides a recommendation that can lead to detecting one of this technique's sub-techniques, while providing no recommendations relevant to its procedure examples or its remaining sub-techniques.
It is therefore scored as Minimal.", "references": ["https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"]}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1134.005", "attack_object_name": "SID-History Injection", "capability_group": "entra-id", "score_category": "detect", "score_value": "partial", "related_score": "T1134", "comments": "This control's \"Remove unsecure SID history attributes from entities\" recommendation promotes running the \"Unsecure SID history attributes\" report periodically, which can lead to identifying accounts with SID History attributes that Microsoft Defender for Identity profiles as risky. Because this is a recommendation rather than an enforced control, and the capability it promotes is a detection, its assessed score is capped at Partial.", "references": []}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1528", "attack_object_name": "Steal Application Access Token", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "This control's \"Do not allow users to grant consent to unmanaged applications\" recommendation can protect against an adversary constructing a malicious application designed to be granted access to resources with the target user's OAuth token by ensuring users cannot be fooled into granting consent to the application.
\nDue to this being a recommendation, its score is capped at Partial.", "references": ["https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"]}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1531", "attack_object_name": "Account Access Removal", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "This control's \"Designate more than one global admin\" recommendation can enable recovery from an adversary locking out a global administrator account (by deleting, locking, or manipulating it, e.g. by changing its credentials).
Due to this being a recommendation, its score is capped at Partial.", "references": ["https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"]}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1550", "attack_object_name": "Use Alternate Authentication Material", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "This control provides recommendations that lead to protections for some of the sub-techniques of this technique.
Due to it only providing a recommendation, its score has been capped at Partial.", "references": ["https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"]}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1550.002", "attack_object_name": "Pass the Hash", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1550", "comments": "This control's \"Reduce lateral movement path risk to sensitive entities\" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks by recommending running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities.  
Because this is a recommendation, its score has been capped at Partial.", "references": []}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1550.003", "attack_object_name": "Pass the Ticket", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1550", "comments": "This control's \"Reduce lateral movement path risk to sensitive entities\" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks by recommending running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities. Because this is a recommendation, its score has been capped at Partial.", "references": []}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1552", "attack_object_name": "Unsecured Credentials", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "This control's \"Resolve unsecure account attributes\" recommendation provides guidance that can lead to strengthening how account credentials are stored in Active Directory.
This control provides recommendations specific to a few types of unsecured credentials (reversible and weakly encrypted credentials) while not providing recommendations for any others, resulting in a Minimal score.", "references": ["https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"]}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1552.007", "attack_object_name": "Container API", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "related_score": "T1552", "comments": "This control's \"Resolve unsecure account attributes\" recommendation provides guidance that can lead to strengthening how account credentials are stored.", "references": ["https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"]}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1558", "attack_object_name": "Steal or Forge Kerberos Tickets", "capability_group": "entra-id", "score_category": "protect", "score_value": 
"partial", "comments": "This control provides recommendations that lead to protections for some of the sub-techniques of this technique and therefore its overall protection coverage is Partial.", "references": ["https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"]}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1558.001", "attack_object_name": "Golden Ticket", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1558", "comments": "This control's \"Reduce lateral movement path risk to sensitive entities\" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks that may result in an adversary acquiring a golden ticket.  It recommends running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities such as the KRBTGT on the domain controller.  
Because this is a recommendation, its score has been capped at Partial.", "references": []}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1558.003", "attack_object_name": "Kerberoasting", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1558", "comments": "This control's \"Modify unsecure Kerberos delegations to prevent impersonation\" recommendation promotes running the \"Unsecure Kerberos delegation\" report, which can identify accounts that have unsecure Kerberos delegation configured. Unsecured Kerberos delegation can lead to exposing account TGTs to more hosts, resulting in an increased attack surface for Kerberoasting. Due to this control providing a recommendation, its score is capped at Partial.", "references": []}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1558.004", "attack_object_name": "AS-REP Roasting", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1558", "comments": "This control's \"Resolve unsecure account attributes\" recommendation can lead to detecting Active Directory accounts which do not require Kerberos preauthentication. Preauthentication offers protection against offline (Kerberos) Password Cracking.
\nBecause this is a recommendation, its score is capped at Partial.", "references": []}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1606", "attack_object_name": "Forge Web Credentials", "capability_group": "entra-id", "score_category": "detect", "score_value": "partial", "comments": "This control's \"Turn on sign-in risk policy\" and \"Turn on user risk policy\" recommendations call for the use of Azure AD Identity Protection, which can detect one of the sub-techniques of this technique. This is a recommendation and therefore the score is capped at Partial.", "references": ["https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-identity-secure-score", "https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#", "https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unsecure-account-attributes", "https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675"]}, {"capability_id": "EID-IDSS-E3", "capability_description": "Identity Secure Score", "mapping_type": "technique_score", "attack_object_id": "T1606.002", "attack_object_name": "SAML Tokens", "capability_group": "entra-id", "score_category": "detect", "score_value": "partial", "related_score": "T1606", "comments": "This control's \"Turn on sign-in risk policy\" and \"Turn on user risk policy\" recommendations call for enabling Azure AD Identity Protection, which can detect the malicious usage of SAML Tokens.
This is a recommendation and therefore the score is capped at Partial.", "references": []}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1048", "attack_object_name": "Exfiltration Over Alternative Protocol", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. 
", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1055.015", "attack_object_name": "ListPlanting", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1055", "comments": "Defender's automated investigation and response can potentially detect a ListPlanting attack using endpoint scanning capabilities.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", " https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", " https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", " https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security 
operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1078", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. 
As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1114", "attack_object_name": "Email Collection", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. 
As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1114.003", "attack_object_name": "Email Forwarding Rule", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1114", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. 
As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1137", "attack_object_name": "Office Application Startup", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. 
As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1189", "attack_object_name": "Drive-by Compromise", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. 
As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1204.001", "attack_object_name": "Malicious Link", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1204", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. 
As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1204.002", "attack_object_name": "Malicious File", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1204", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. 
As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1534", "attack_object_name": "Internal Spearphishing", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. 
As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1550", "attack_object_name": "Use Alternate Authentication Material", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. 
As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1564.008", "attack_object_name": "Email Hiding Rules", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1564", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. 
As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. 
As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1566", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. 
As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "related_score": "T1566", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. 
As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1567", "attack_object_name": "Exfiltration Over Web Service", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. 
As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-AIR-E5", "capability_description": "Automated Investigation and Response", "mapping_type": "technique_score", "attack_object_id": "T1656", "attack_object_name": "Impersonation", "capability_group": "m365-defender", "score_category": "respond", "score_value": "significant", "comments": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. 
As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. ", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/email-analysis-investigations?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/address-compromised-users-quickly?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/air-about?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1059", "attack_object_name": "Command and Scripting Interpreter", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. 
Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming; Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Command and Scripting Interpreter attacks due to Incident Response monitoring for reconnaissance and discovery alerts, which monitor for subsequent behavior related to discovery.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/reconnaissance-discovery-alerts", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1059.009", "attack_object_name": "Cloud API", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1059", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. 
Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming; Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Cloud API attacks due to Incident Response monitoring for API activity security alerts, which review cloud audit logs to determine if unauthorized or suspicious commands were executed.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-for-azure-ddos-protection", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. 
Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming; Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to valid account attacks due to Incident Response monitoring for newly constructed logon behavior that may obtain and abuse credentials of existing accounts.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1087.004", "attack_object_name": "Cloud Account", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1087", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming; Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to cloud account attacks due to Incident Response monitoring the activity of cloud accounts to detect abnormal or malicious behavior.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming; Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Account Manipulation attacks due to Incident Response monitoring for persistence and privilege escalation alerts, which monitor for newly constructed processes indicative of modifying account settings.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1098", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming; Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Additional Cloud Credentials attacks because Incident Response monitors persistence and privilege escalation alerts, which monitor for unexpected changes to cloud user accounts.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/persistence-privilege-escalation-alerts", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1098.002", "attack_object_name": "Additional Email Delegate Permissions", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1098", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Additional Email Delegate Permissions attacks because Incident Response monitors the default alert policies, which provide built-in alert policies that help identify Exchange admin permissions abuse and account permissions changes.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/purview/alert-policies", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1098.003", "attack_object_name": "Additional Cloud Roles", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1098", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Additional Cloud Roles attacks because Incident Response monitors permission alert policies, which collect usage logs from cloud administrator accounts to identify unusual activity.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/purview/alert-policies", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Brute Force attacks through its password spray Incident Response playbook, which monitors for many failed authentication attempts across various accounts that may result from password spraying attempts.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks", "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1110", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Password Guessing attacks through its password spray Incident Response playbook, which monitors for many failed authentication attempts across various accounts that may result from password guessing attempts.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks", "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1110", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Password Cracking attacks through its password spray Incident Response playbook, which monitors for many failed authentication attempts across various accounts that may result from password spraying attempts.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks", "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1110", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Password Spraying attacks through its password spray Incident Response playbook, which monitors for many failed authentication attempts across various accounts that may result from password spraying attempts.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks", "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1110", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Credential Stuffing attacks through its password spray Incident Response playbook, which monitors for many failed authentication attempts across various accounts that may result from credential stuffing attempts.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks", "https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-password-spray", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1136", "attack_object_name": "Create Account", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Create Account attacks because Incident Response monitors for newly executed processes associated with account creations.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-for-azure-ddos-protection", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1136.003", "attack_object_name": "Cloud Account", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1136", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Cloud Account attacks because Incident Response monitors for newly constructed user accounts by collecting usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-for-azure-ddos-protection", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1213", "attack_object_name": "Data from Information Repositories", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Data from Information Repositories attacks because Incident Response can monitor for newly constructed logon behavior within Microsoft SharePoint.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1213.002", "attack_object_name": "Sharepoint", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1213", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Sharepoint attacks because Incident Response can monitor for newly constructed logon behavior within Microsoft SharePoint.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Data from Cloud Storage attacks because Incident Response monitors for security alerts that represent unusual queries to the cloud provider's storage service.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1531", "attack_object_name": "Account Access Removal", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Account Access Removal attacks because Incident Response monitors password change security alerts, which monitor changes made to user accounts for unexpected modification of properties.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/credential-access-alerts", "https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference#alerts-for-azure-ddos-protection", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1538", "attack_object_name": "Cloud Service Dashboard", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Cloud Service Dashboard attacks because Incident Response monitors for newly constructed logon behavior across cloud service management consoles, and the aggregated alerts allow admins to correlate security systems with login information, such as user accounts, IP addresses, and login names.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1550", "attack_object_name": "Use Alternate Authentication Material", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Use Alternate Authentication Material attacks because Incident Response monitors third-party application logging, messaging, and/or other artifacts that may use alternate authentication material, as well as suspicious account behavior across systems that share accounts.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1550.001", "attack_object_name": "Application Access Token", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1550", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Application Access Token attacks because Incident Response monitors for the use of application access tokens to interact with resources or services in ways that do not fit the organization's baseline.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1550.004", "attack_object_name": "Web Session Cookie", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1550", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Web Session Cookie attacks because Incident Response monitors third-party application logging, messaging, and other service artifacts that provide context on user authentication to web applications, and/or anomalous access to websites and cloud-based applications.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1552", "attack_object_name": "Unsecured Credentials", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, followed by an investigate action, and finally a response action.\n\nMicrosoft 365 Defender Incident Response responds to Unsecured Credentials attacks because Incident Response monitors for newly executed processes, suspicious file access activity, and application log activity that may highlight malicious attempts to access application data.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1552.008", "attack_object_name": "Chat Messages", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1552", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with triage, continues with investigation, and finishes with response.\n\nMicrosoft 365 Defender Incident Response responds to Chat Messages attacks because it monitors application logs for activity that may indicate malicious attempts to access application data.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1556", "attack_object_name": "Modify Authentication Process", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with triage, continues with investigation, and finishes with response.\n\nMicrosoft 365 Defender Incident Response responds to Modify Authentication Process attacks because it monitors newly created files, suspicious file modifications, and newly constructed logon behavior across systems that share accounts.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1556.006", "attack_object_name": "Multi-Factor Authentication", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1556", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with triage, continues with investigation, and finishes with response.\n\nMicrosoft 365 Defender Incident Response responds to Multi-Factor Authentication attacks because it monitors logon sessions for user accounts that did not require MFA to authenticate.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1562", "attack_object_name": "Impair Defenses", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with triage, continues with investigation, and finishes with response.\n\nMicrosoft 365 Defender Incident Response responds to Impair Defenses attacks because it monitors changes to account settings, newly executed processes, and abnormal execution of API functions.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1562.008", "attack_object_name": "Disable or Modify Cloud Logs", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1562", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with triage, continues with investigation, and finishes with response.\n\nMicrosoft 365 Defender Incident Response responds to Disable or Modify Cloud Logs attacks because it monitors changes to account settings and logs for API calls that disable logging.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1564", "attack_object_name": "Hide Artifacts", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with triage, continues with investigation, and finishes with response.\n\nMicrosoft 365 Defender Incident Response responds to Hide Artifacts attacks because it monitors newly constructed user accounts, contextual data about accounts and files, and newly constructed files.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1564.008", "attack_object_name": "Email Hiding Rules", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1564", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with triage, continues with investigation, and finishes with response.\n\nMicrosoft 365 Defender Incident Response responds to Email Hiding Rules attacks because it monitors the creation or modification of suspicious inbox rules.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with triage, continues with investigation, and finishes with response.\n\nMicrosoft 365 Defender Incident Response responds to Phishing attacks through its phishing Incident Response playbook, which monitors messaging and other artifacts associated with phishing messages sent to gain access to victim systems.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-phishing", "https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1598.003", "attack_object_name": "Spearphishing Link", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1598", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with triage, continues with investigation, and finishes with response.\n\nMicrosoft 365 Defender Incident Response responds to Spearphishing Link attacks through its phishing Incident Response playbook, which monitors messaging and other artifacts associated with spearphishing emails that carry a malicious link in an attempt to gain access to victim systems.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-phishing", "https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1598.004", "attack_object_name": "Spearphishing Voice", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1598", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with triage, continues with investigation, and finishes with response.\n\nMicrosoft 365 Defender Incident Response responds to Spearphishing Voice attacks through its phishing Incident Response playbook, which monitors call logs from corporate devices to identify patterns of potential voice phishing.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/security/operations/incident-response-playbook-phishing", "https://learn.microsoft.com/en-us/security/operations/incident-response-playbooks", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1606", "attack_object_name": "Forge Web Credentials", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with triage, continues with investigation, and finishes with response.\n\nMicrosoft 365 Defender Incident Response responds to Forge Web Credentials attacks because its credential access alert policies monitor for anomalous authentication activity.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1606.002", "attack_object_name": "SAML Tokens", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "related_score": "T1606", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with triage, continues with investigation, and finishes with response.\n\nMicrosoft 365 Defender Incident Response responds to SAML Tokens attacks because its credential access alert policies monitor for anomalous authentication activity.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "DEF-IR-E5", "capability_description": "Incident Response", "mapping_type": "technique_score", "attack_object_id": "T1621", "attack_object_name": "Multi-Factor Authentication Request Generation", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, so Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. 
A typical Incident Response workflow in Microsoft Defender XDR begins with triage, continues with investigation, and finishes with response.\n\nMicrosoft 365 Defender Incident Response responds to Multi-Factor Authentication Request Generation attacks because it monitors MFA application logs for suspicious events.\n\nLicense Requirements:\nMicrosoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide"]}, {"capability_id": "PUR-PAM-E5", "capability_description": "Privileged Access Management", "mapping_type": "technique_score", "attack_object_id": "T1059", "attack_object_name": "Command and Scripting Interpreter", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "comments": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access with Approval). 
\n\nLicense requirements: M365 E5 customers.", "references": ["https://learn.microsoft.com/en-us/purview/privileged-access-management"]}, {"capability_id": "PUR-PAM-E5", "capability_description": "Privileged Access Management", "mapping_type": "technique_score", "attack_object_id": "T1059.009", "attack_object_name": "Cloud API", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "related_score": "T1059", "comments": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access with Approval). \n\nLicense requirements: M365 E5 customers.", "references": ["https://learn.microsoft.com/en-us/purview/privileged-access-management"]}, {"capability_id": "PUR-PAM-E5", "capability_description": "Privileged Access Management", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "comments": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. 
It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access with Approval). \n\nLicense requirements: M365 E5 customers.", "references": ["https://learn.microsoft.com/en-us/purview/privileged-access-management"]}, {"capability_id": "PUR-PAM-E5", "capability_description": "Privileged Access Management", "mapping_type": "technique_score", "attack_object_id": "T1078.001", "attack_object_name": "Default Accounts", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "related_score": "T1078", "comments": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. 
When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access with Approval). \n\nLicense requirements: M365 E5 customers.", "references": ["https://learn.microsoft.com/en-us/purview/privileged-access-management"]}, {"capability_id": "PUR-PAM-E5", "capability_description": "Privileged Access Management", "mapping_type": "technique_score", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "comments": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access with Approval). 
\n\nLicense requirements: M365 E5 customers.", "references": ["https://learn.microsoft.com/en-us/purview/privileged-access-management"]}, {"capability_id": "PUR-PAM-E5", "capability_description": "Privileged Access Management", "mapping_type": "technique_score", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "related_score": "T1098", "comments": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access with Approval). \n\nLicense requirements: M365 E5 customers.", "references": ["https://learn.microsoft.com/en-us/purview/privileged-access-management"]}, {"capability_id": "PUR-PAM-E5", "capability_description": "Privileged Access Management", "mapping_type": "technique_score", "attack_object_id": "T1098.003", "attack_object_name": "Additional Cloud Roles", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "related_score": "T1098", "comments": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. 
It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access with Approval). \n\nLicense requirements: M365 E5 customers.", "references": ["https://learn.microsoft.com/en-us/purview/privileged-access-management"]}, {"capability_id": "PUR-PAM-E5", "capability_description": "Privileged Access Management", "mapping_type": "technique_score", "attack_object_id": "T1133", "attack_object_name": "External Remote Services", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "comments": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. 
When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access with Approval). \n\nLicense requirements: M365 E5 customers.", "references": ["https://learn.microsoft.com/en-us/purview/privileged-access-management"]}, {"capability_id": "PUR-PAM-E5", "capability_description": "Privileged Access Management", "mapping_type": "technique_score", "attack_object_id": "T1213", "attack_object_name": "Data from Information Repositories", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "comments": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access with Approval). 
\n\nLicense requirements: M365 E5 customers.", "references": ["https://learn.microsoft.com/en-us/purview/privileged-access-management"]}, {"capability_id": "PUR-PAM-E5", "capability_description": "Privileged Access Management", "mapping_type": "technique_score", "attack_object_id": "T1213.002", "attack_object_name": "Sharepoint", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "related_score": "T1213", "comments": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). \n\nLicense requirements: M365 E5 customers.", "references": ["https://learn.microsoft.com/en-us/purview/privileged-access-management"]}, {"capability_id": "PUR-PAM-E5", "capability_description": "Privileged Access Management", "mapping_type": "technique_score", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "comments": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. 
It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). \n\nLicense requirements: M365 E5 customers.", "references": ["https://learn.microsoft.com/en-us/purview/privileged-access-management"]}, {"capability_id": "PUR-PAM-E5", "capability_description": "Privileged Access Management", "mapping_type": "technique_score", "attack_object_id": "T1586.003", "attack_object_name": "Cloud Accounts", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "related_score": "T1586", "comments": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. 
When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). \n\nLicense requirements: M365 E5 customers.", "references": ["https://learn.microsoft.com/en-us/purview/privileged-access-management"]}, {"capability_id": "PUR-PAM-E5", "capability_description": "Privileged Access Management", "mapping_type": "technique_score", "attack_object_id": "T1651", "attack_object_name": "Cloud Administration Command", "capability_group": "purview", "score_category": "detect", "score_value": "partial", "comments": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). 
\n\nLicense requirements: M365 E5 customers.", "references": ["https://learn.microsoft.com/en-us/purview/privileged-access-management"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1059.009", "attack_object_name": "Cloud API", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1059", "comments": "Using Role-Based Access Control to create a zero-trust environment can ensure that only accounts explicitly granted access to API tools can use them. This prevents unauthorized use and potential exploitation/misuse.", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1059", "attack_object_name": "Command and Scripting Interpreter", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "The RBAC control can be used to partially protect against the abuse of Cloud APIs but does not provide protection against this technique's other sub-techniques or other example procedures. Due to its Minimal coverage score, it receives a score of minimal. 
\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1059.009", "attack_object_name": "Cloud API", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1059", "comments": "The RBAC control can be used to implement the principle of least privilege to limit API functionality administrative accounts can take. This scores Partial for its ability to minimize the actions these accounts can perform. \n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "The RBAC control can be used to implement the principle of least privilege for account management, reducing the potential actions that can be taken with Valid Default and Cloud Accounts. Although RBAC can limit the actions the adversary can take if a Valid Account has been compromised, it does not protect against different variations of the technique's procedure. Due to overall Minimal coverage, it receives an overall score of Minimal. 
\n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1078.001", "attack_object_name": "Default Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": "The RBAC control can be used to implement the principle of least privilege for account management, reducing the available actions an adversary can perform with a default account. This scores Partial for its ability to minimize the overall accounts with management privileges.  \n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": "The RBAC control can be used to implement the principle of least privilege for account management, reducing the available actions an adversary can perform with a cloud account. This scores Partial for its ability to minimize the overall accounts with management privileges.  
\n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1087", "attack_object_name": "Account Discovery", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "The RBAC control can be used to partially protect against Cloud Account Discovery, but does not provide protection against this technique's other sub-techniques or example procedures. Due to its Minimal coverage score, it receives an overall score of minimal. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1087.004", "attack_object_name": "Cloud Account", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1087", "comments": "The RBAC control can be used to implement the principle of least privilege for account management, limiting the accounts that can be used to perform account discovery. This scores Partial for its ability to minimize the overall accounts with these role privileges.  
\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "The RBAC control can generally be used to implement the principle of least privilege to limit the number of accounts with management capabilities. This has Partial coverage of Account Manipulation sub-techniques, resulting in an overall score of Partial. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1098", "comments": "The RBAC control can be used to implement the principle of least privilege for account management in order to limit the number of accounts with the ability to add additional cloud credentials.  
This receives a score of Partial for its ability to minimize known accounts with the ability to add credentials.\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1098.003", "attack_object_name": "Additional Cloud Roles", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1098", "comments": "The RBAC control can be used to implement the principle of least privilege for account management in order to limit the number of accounts with the ability to add additional cloud roles. This receives a score of Partial for its ability to minimize known accounts with the ability to add roles. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1127.002", "attack_object_name": "ClickOnce", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1127", "comments": "Incorporating Role-Based Access Control can help to ensure that only those who need to use ClickOnce applications may do so, protecting against the threat of misuse.", "references": []}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1136", "attack_object_name": "Create Account", "capability_group": "entra-id", 
"score_category": "protect", "score_value": "minimal", "comments": "The RBAC control can generally be used to implement the principle of least privilege to protect against account creation. For the given product space, this control helps protect against only against Cloud Account creation, and none of this technique\u2019s other sub-techniques or procedures. Due to overall Minimal coverage, it receives an overall score of Minimal. \n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1136.003", "attack_object_name": "Cloud Account", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1136", "comments": "The RBAC control can be used to implement the principle of least privilege for account management in order to limit the number of accounts that can create new accounts. This receives a score of Partial for its ability to minimize known accounts with the ability to create new accounts. 
\n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1199", "attack_object_name": "Trusted Relationship", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "The RBAC control can be used to implement the principle of least privilege to properly manage accounts and permissions of parties in trusted relationships. This scores Partial for its ability to minimize the potential abuse by the party, or by an adversary if the party is compromised. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1213", "attack_object_name": "Data from Information Repositories", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "The RBAC control can generally be used to protect against and limit adversary access to valuable information repositories. Although it does not have full coverage of this technique's sub-techniques, it also helps protect against Procedure examples, resulting in an overall score of Partial. 
\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1213.002", "attack_object_name": "Sharepoint", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1213", "comments": "The RBAC control can be used to implement the principle of least privilege for access to SharePoint repositories to only those required for an account. This scores Partial for its ability to minimize the attack surface of accounts with access to potentially valuable information.   \n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1213.003", "attack_object_name": "Code Repositories", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1213", "comments": "The RBAC control can be used to implement the principle of least privilege for access to SharePoint repositories to only those required for an account. This scores Partial for its ability to minimize the attack surface of accounts with access to potentially valuable information.   
\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1213.004", "attack_object_name": "Customer Relationship Management Software", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1213", "comments": "The RBAC control can be used to implement the principle of least privilege for access to SharePoint repositories to only those required for an account. This scores Partial for its ability to minimize the attack surface of accounts with access to potentially valuable information.   \n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1216.002", "attack_object_name": "SyncAppvPublishingServer", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1216", "comments": "The RBAC control can be used to implement the principle of least privilege for access to SharePoint repositories to only those required for an account. This scores Partial for its ability to minimize the attack surface of accounts with access to potentially valuable information.   
\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1484", "attack_object_name": "Domain or Tenant Policy Modification", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "The RBAC control can be used to implement the principle of least privilege to limit administrative accounts. This scores Partial for its ability to minimize the overall accounts that can modify domain policies. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/concept-understand-roles", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1484.002", "attack_object_name": "Trust Modification", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1484", "comments": "The RBAC control can be used to implement the principle of least privilege to limit accounts with the access to domain trusts. This scores Partial for its ability to minimize the overall accounts with these privileges.  
\n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/concept-understand-roles", "https://learn.microsoft.com/en-us/defender-cloud-apps/manage-admins", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1528", "attack_object_name": "Steal Application Access Token", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "The RBAC control can be used to implement the principle of least privilege, limiting accounts with access to application tokens. This receives a score of Partial for its ability to minimize the attack surface of accounts with this ability. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "The RBAC control can be used to implement the principle of least privilege for cloud data storage access to only those required. This scores Partial for its ability to minimize the attack surface of accounts with storage solution access.   
\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1538", "attack_object_name": "Cloud Service Dashboard", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "The RBAC control can be used to implement the principle of least privilege, limiting dashboard visibility to necessary accounts. This receives a score of Partial for its ability to minimize the discovery value a dashboard may have in the event of a compromised account. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1548.005", "attack_object_name": "Temporary Elevated Cloud Access", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "related_score": "T1548", "comments": "The RBAC control can be used to implement the principle of least privilege to limit the ability of cloud accounts to assume, create, or impersonate only required privileges. This scores Minimal for its ability to protect against the actions temporary elevated accounts can take. 
\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1556", "attack_object_name": "Modify Authentication Process", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "The RBAC control can be used to limit cloud accounts with authentication modification relevant privileges, but does not provide protection against this technique's other sub-techniques or example procedures. Due to its Minimal coverage score, it receives a score of minimal. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1556.006", "attack_object_name": "Multi-Factor Authentication", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1556", "comments": "The RBAC control can be used to implement the principle of least privilege to limit account management control of MFA. This scores Partial for its ability to minimize overall accounts with the ability to change or disable MFA. 
\n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1556.007", "attack_object_name": "Hybrid Identity", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1556", "comments": "The RBAC control can be used to implement the principle of least privilege to limit Global Administrator accounts, and ensure these accounts are cloud-only. This scores Partial for its ability to minimize hybrid accounts with administrative privileges.  \n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1562", "attack_object_name": "Impair Defenses", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "The RBAC control can be used to partially protect against the ability to Disable or Modify Cloud Logs, but has minimal coverage against this technique's other sub-techniques and example procedures. Due to its Minimal coverage score, it receives an overall score of minimal. 
\n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1562.008", "attack_object_name": "Disable or Modify Cloud Logs", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1562", "comments": "The RBAC control can be used to implement the principle of least privilege to limit users with permission to modify logging policies to those required. This scores Partial for its ability to minimize the overall accounts with the ability to modify cloud logging capabilities. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1648", "attack_object_name": "Serverless Execution", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "The RBAC control can be used to implement the principle of least privilege to limit accounts with permissions for serverless services to those required. This scores Partial for its ability to minimize the overall accounts with this ability. 
\n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1651", "attack_object_name": "Cloud Administration Command", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "The RBAC control can be used to implement the principle of least privilege for account management, limiting the number of Global and Intune administrators to those required. This scores Partial for its ability to minimize the overall accounts with associated privileges.   \n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) ", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1480.002", "attack_object_name": "Mutual Exclusion", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1480", "comments": "Implementing Role-Based Access Control will help prevent access to sensitive resources, ensuring only those with the proper authorization can use them.", "references": []}, {"capability_id": "EID-RBAC-E3", "capability_description": "Role Based Access Control", "mapping_type": "technique_score", "attack_object_id": "T1546.016", "attack_object_name": "Installer Packages", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1546", "comments": "The RBAC control can be used to implement the principle of least 
privilege to limit the ability of accounts to utilize installer packages, reserving the ability to install software to those with higher privileges.", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/custom-overview"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1059.010", "attack_object_name": "AutoHotKey & AutoIT", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1059", "comments": "Defender's Advanced Threat Hunting can potentially detect if AutoHotKey and AutoIT are being misused or behaving in a way that is unexpected, alerting administrators to an issue and allowing for remediation before extensive damage occurs.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1059.011", "attack_object_name": "Lua", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "related_score": "T1059", "comments": "Defender's Advanced Threat Hunting can protect against various types of malware, including those that exploit Lua scripts, by analyzing the behavioral characteristics of the program.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1027.014", "attack_object_name": "Polymorphic Code", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1027", "comments": "Defender's advanced threat hunting capabilities can potentially detect suspicious or changing behaviors in programs, which can be indicative of polymorphic code.", "references": []}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1027.014", "attack_object_name": "Polymorphic Code", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "related_score": "T1027", "comments": "Defender's Advanced Threat Hunting can use Machine Learning models to identify malicious behavior, even if the code is polymorphic and attempts to disguise itself.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1036.009", "attack_object_name": "Break Process Trees", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "related_score": "T1036", "comments": "Behavior-based machine learning techniques may be able to detect the presence of malware, even if the parent-child process tree is broken, by analyzing the program's behavior.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1048", "attack_object_name": "Exfiltration Over Alternative Protocol", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. 
With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. Advanced hunting supports two modes, guided and advanced. Users who are comfortable using Kusto Query Language (KQL) to create queries from scratch use advanced mode.\n\nAdvanced Threat Hunting detects Exfiltration Over Alternative Protocol attacks through the DeviceNetworkEvents table in the advanced hunting schema, which contains information about network connections and related events and can be used to monitor for newly constructed network connections.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. 
Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. Advanced hunting supports two modes, guided and advanced. Users who are comfortable using Kusto Query Language (KQL) to create queries from scratch use advanced mode.\n\nAdvanced Threat Hunting detects Valid Account attacks through the IdentityLogonEvents table in the advanced hunting schema, which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps and can be used to monitor for newly constructed logon behavior.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1078", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. Advanced hunting supports two modes, guided and advanced. Users who are comfortable using Kusto Query Language (KQL) to create queries from scratch use advanced mode.\n\nAdvanced Threat Hunting detects Cloud Account attacks through the IdentityLogonEvents table in the advanced hunting schema, which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1087", "attack_object_name": "Account Discovery", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. Advanced hunting supports two modes, guided and advanced. Users who are comfortable using Kusto Query Language (KQL) to create queries from scratch use advanced mode.\n\nAdvanced Threat Hunting detects Account Discovery attacks through the DeviceProcessEvents table in the advanced hunting schema, which contains information about process creation and related events and can be used to monitor for processes that can be used to enumerate user accounts and groups.
\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1087.004", "attack_object_name": "Cloud Account", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1087", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. Advanced hunting supports two modes, guided and advanced. 
Users who are comfortable using Kusto Query Language (KQL) to create queries from scratch use advanced mode.\n\nAdvanced Threat Hunting detects Cloud Account attacks through the DeviceProcessEvents table in the advanced hunting schema, which contains information about process creation and related events and can be used to monitor logs for actions that could be taken to gather information about cloud accounts.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-deviceprocessevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. 
Advanced hunting supports two modes, guided and advanced. Users who are comfortable using Kusto Query Language (KQL) to create queries from scratch use advanced mode.\n\nAdvanced Threat Hunting detects Brute Force attacks through the IdentityLogonEvents table in the advanced hunting schema, which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps and can be used to monitor authentication logs for system and application login failures of Valid Accounts.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1110", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. 
With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. Advanced hunting supports two modes, guided and advanced. Users who are comfortable using Kusto Query Language (KQL) to create queries from scratch use advanced mode.\n\nAdvanced Threat Hunting detects Password Guessing attacks through the IdentityLogonEvents table in the advanced hunting schema, which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps and can be used to monitor authentication logs for system and application login failures of Valid Accounts.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1110", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. 
With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. Advanced hunting supports two modes, guided and advanced. Users who are comfortable using Kusto Query Language (KQL) to create queries from scratch use advanced mode.\n\nAdvanced Threat Hunting detects Password Cracking attacks through the IdentityLogonEvents table in the advanced hunting schema, which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps and can be used to monitor authentication logs for system and application login failures of Valid Accounts.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1110", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. 
Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. Advanced hunting supports two modes, guided and advanced. Users who are comfortable using Kusto Query Language (KQL) to create queries from scratch use advanced mode.\n\nAdvanced Threat Hunting detects Password Spraying attacks through the IdentityLogonEvents table in the advanced hunting schema, which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps and can be used to monitor authentication logs for system and application login failures of Valid Accounts.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1110", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. Advanced hunting supports two modes, guided and advanced. Users who are comfortable using Kusto Query Language (KQL) to create queries from scratch use advanced mode.\n\nAdvanced Threat Hunting detects Credential Stuffing attacks through the IdentityLogonEvents table in the advanced hunting schema, which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps and can be used to monitor authentication logs for system and application login failures of Valid Accounts.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1114", "attack_object_name": "Email Collection", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. Advanced hunting supports two modes, guided and advanced. Users who are comfortable using Kusto Query Language (KQL) to create queries from scratch use advanced mode.\n\nAdvanced Threat Hunting detects Email Collection attacks through the IdentityLogonEvents table in the advanced hunting schema, which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps and can be used to monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1114.002", "attack_object_name": "Remote Email Collection", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1114", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. Advanced hunting supports two modes, guided and advanced. 
Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Remote Email Collection attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps which monitors for unusual login activity from unknown or abnormal locations, especially for privileged accounts.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1189", "attack_object_name": "Drive-by Compromise", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. 
With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Drive-by-Compromise attacks due to the UrlClickEvents table in the advanced hunting schema which contains information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps which can inspect URLs for potentially known-bad domains or parameters.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-urlclickevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1199", "attack_object_name": "Trusted Relationship", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. 
Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Trusted Relationship attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps which monitors for newly constructed logon behavior.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1534", "attack_object_name": "Internal Spearphishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Advanced 
hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Internal Spearphishing attacks due to the DeviceNetworkEvents table in the advanced hunting schema which contains information about network connections and related events which monitors network data for uncommon data flows\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1538", "attack_object_name": "Cloud Service Dashboard", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", 
"comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Cloud Service Dashboard attacks due to the IdentityInfo and IdentityLogonEvents tables in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps and information about user accounts obtained from various services, including Microsoft Entra ID.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identityinfo-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, 
{"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1546", "attack_object_name": "Event Triggered Execution", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. 
Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Event-Triggered Execution attacks due to the DeviceFileEvents table in the advanced hunting schema which contains information about file creation, modification, and other file events.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicefileevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1552", "attack_object_name": "Unsecured Credentials", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. 
Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Unsecured Credentials attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1556", "attack_object_name": "Modify Authentication Process", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. 
Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Modify-Authentication Process attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1556.006", "attack_object_name": "Multi-Factor Authentication", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1556", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. 
With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Multi-Factor Authentication attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1562", "attack_object_name": "Impair Defenses", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. 
Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Impair Defense attacks due to the DeviceNetworkEvents table in the advanced hunting schema which contains information about network connections and related events which monitors for the abnormal execution of API functions. \n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1562.008", "attack_object_name": "Disable or Modify Cloud Logs", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1562", "comments": "Advanced hunting is a query-based threat 
hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Disabling or Modifying Cloud Log attacks due to the DeviceNetworkEvents table in the advanced hunting schema which contains information about network connections and related events which monitors logs for API calls to disable logging. 
\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. 
Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Phishing attacks due to the DeviceNetworkEvents table in the advanced hunting schema which contains information about network connections and related events which monitors for the abnormal execution of API functions which monitors network data for uncommon data flows. \n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1566", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. 
With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Spearphishing Link attacks due to the UrlClickEvents table in the advanced hunting schema which contains information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps which can inspect URLs for potentially known-bad domains or parameters.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-urlclickevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1567", "attack_object_name": "Exfiltration Over Web Service", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. 
Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Exfiltration Over Web Service attacks due to the DeviceNetworkEvents table in the advanced hunting schema which contains information about network connections and related events which monitors for newly constructed network connections.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1567.004", "attack_object_name": "Exfiltration Over Webhook", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1567", "comments": "Advanced hunting is a query-based 
threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Exfiltration Over Webhook attacks due to the DeviceNetworkEvents table in the advanced hunting schema which contains information about network connections and related events which monitor network data for uncommon data flows.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicenetworkevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1606", "attack_object_name": "Forge Web Credentials", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Advanced 
hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Forge Web Credential attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps which monitors for anomalous authentication activity.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-ATH-E5", "capability_description": "Advanced Threat Hunting", "mapping_type": "technique_score", "attack_object_id": "T1621", "attack_object_name": "Multi-Factor Authentication Request Generation", 
"capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally across your devices. Advanced hunting supports two modes, guided and advanced. Users choose advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Multi-Factor Authentication Request Generation attacks through the IdentityLogonEvents table in the advanced hunting schema, which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps, Microsoft Defender for Office 365 plan 2", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-tables?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwide"]}, {"capability_id": "DEF-LM-E5", "capability_description": "Lateral Movements", "mapping_type": "technique_score", 
"attack_object_id": "T1068", "attack_object_name": "Exploitation for Privilege Escalation", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths"]}, {"capability_id": "DEF-LM-E5", "capability_description": "Lateral Movements", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. 
To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths"]}, {"capability_id": "DEF-LM-E5", "capability_description": "Lateral Movements", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1078", "comments": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths"]}, {"capability_id": "DEF-LM-E5", "capability_description": "Lateral Movements", "mapping_type": "technique_score", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. 
Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths"]}, {"capability_id": "DEF-LM-E5", "capability_description": "Lateral Movements", "mapping_type": "technique_score", "attack_object_id": "T1098.003", "attack_object_name": "Additional Cloud Roles", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1098", "comments": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths"]}, {"capability_id": "DEF-LM-E5", "capability_description": "Lateral Movements", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. 
The purpose of lateral movements within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths"]}, {"capability_id": "DEF-LM-E5", "capability_description": "Lateral Movements", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1110", "comments": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. 
To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths"]}, {"capability_id": "DEF-LM-E5", "capability_description": "Lateral Movements", "mapping_type": "technique_score", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1110", "comments": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths"]}, {"capability_id": "DEF-LM-E5", "capability_description": "Lateral Movements", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1110", "comments": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. 
Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths"]}, {"capability_id": "DEF-LM-E5", "capability_description": "Lateral Movements", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1110", "comments": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths"]}, {"capability_id": "DEF-LM-E5", "capability_description": "Lateral Movements", "mapping_type": "technique_score", "attack_object_id": "T1210", "attack_object_name": "Exploitation of Remote Services", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. 
The purpose of lateral movements within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths"]}, {"capability_id": "DEF-LM-E5", "capability_description": "Lateral Movements", "mapping_type": "technique_score", "attack_object_id": "T1213.002", "attack_object_name": "Sharepoint", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1213", "comments": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. 
To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths"]}, {"capability_id": "DEF-LM-E5", "capability_description": "Lateral Movements", "mapping_type": "technique_score", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths"]}, {"capability_id": "DEF-LM-E5", "capability_description": "Lateral Movements", "mapping_type": "technique_score", "attack_object_id": "T1550", "attack_object_name": "Use Alternate Authentication Material", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. 
Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths"]}, {"capability_id": "DEF-LM-E5", "capability_description": "Lateral Movements", "mapping_type": "technique_score", "attack_object_id": "T1550.002", "attack_object_name": "Pass the Hash", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1550", "comments": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths"]}, {"capability_id": "DEF-LM-E5", "capability_description": "Lateral Movements", "mapping_type": "technique_score", "attack_object_id": "T1550.003", "attack_object_name": "Pass the Ticket", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1550", "comments": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. 
The purpose of lateral movements within the cyber-attack kill chain is for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy-to-interpret, direct visual guidance on your most vulnerable, sensitive accounts.", "references": ["https://learn.microsoft.com/en-us/defender-for-identity/understand-lateral-movement-paths"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance Detects Valid Account attacks because App Governance monitors aggregated sign-in activity for each app and tracks all risky sign-ins.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1078", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance Detects Cloud Account attacks because App Governance monitors aggregated sign-in activity for each app and tracks all risky sign-ins.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1087", "attack_object_name": "Account Discovery", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance Detects Account Discovery attacks because App Governance tracks various app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-faq", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1087.004", "attack_object_name": "Cloud Account", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1087", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance Detects Cloud Account attacks because App Governance tracks various app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-faq", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance Detects Brute Force attacks because App Governance monitors aggregated sign-in activity for each app and tracks all risky sign-ins.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1110", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance Detects Password Guessing attacks because App Governance monitors aggregated sign-in activity for each app and tracks all risky sign-ins.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1110", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance Detects Password Cracking attacks because App Governance monitors aggregated sign-in activity for each app and tracks all risky sign-ins.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1110", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance Detects Password Spraying attacks because App Governance monitors aggregated sign-in activity for each app and tracks all risky sign-ins.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1110", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance detects Credential Stuffing attacks because it monitors aggregated sign-in activity for each app and tracks risky sign-ins.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1199", "attack_object_name": "Trusted Relationship", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance detects Trusted Relationship attacks because it monitors aggregated sign-in activity for each app and tracks risky sign-ins.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1528", "attack_object_name": "Steal Application Access Token", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance detects Steal Application Access Token attacks because it tracks app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1538", "attack_object_name": "Cloud Service Dashboard", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance detects Cloud Service Dashboard attacks because it monitors aggregated sign-in activity for each app and tracks risky sign-ins.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1548", "attack_object_name": "Abuse Elevation Control Mechanism", "capability_group": "m365-defender", "score_category": "protect", "score_value": "significant", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance protects against Abuse Elevation Control Mechanism attacks through its governance feature, with which admins can create proactive or reactive policies that prevent users from using noncompliant or malicious apps and limit risky apps' access to your data.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1556", "attack_object_name": "Modify Authentication Process", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance detects Modify Authentication Process attacks because it monitors aggregated sign-in activity for each app and tracks risky sign-ins.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1556.006", "attack_object_name": "Multi-Factor Authentication", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1556", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance detects attacks that modify multi-factor authentication (Modify Authentication Process: Multi-Factor Authentication) because it monitors aggregated sign-in activity for each app and tracks risky sign-ins.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1562", "attack_object_name": "Impair Defenses", "capability_group": "m365-defender", "score_category": "protect", "score_value": "significant", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance protects against Impair Defenses attacks through its governance feature, with which admins can create proactive or reactive policies that prevent users from using noncompliant or malicious apps and limit risky apps' access to your data, ensuring that only approved security applications are used and running.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1562", "attack_object_name": "Impair Defenses", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance detects Impair Defenses attacks because it tracks app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1562.008", "attack_object_name": "Disable or Modify Cloud Logs", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1562", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance detects Disable or Modify Cloud Logs attacks because it tracks app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1562.008", "attack_object_name": "Disable or Modify Cloud Logs", "capability_group": "m365-defender", "score_category": "protect", "score_value": "significant", "related_score": "T1562", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance protects against Disable or Modify Cloud Logs attacks through its governance feature, with which admins can create proactive or reactive policies that prevent users from using noncompliant or malicious apps and limit risky apps' access to your data, ensuring that only approved security applications are used and running.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance detects Phishing attacks because it tracks app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk, helping an admin confirm that an OAuth app was delivered from an unknown source and is performing unusual activities.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1606", "attack_object_name": "Forge Web Credentials", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance detects Forge Web Credentials attacks because it tracks app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-faq", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1606.002", "attack_object_name": "SAML Tokens", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1606", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance detects forged SAML token attacks (Forge Web Credentials: SAML Tokens) because it monitors aggregated sign-in activity for each app and tracks risky sign-ins.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "DEF-APGV-E5", "capability_description": "App Governance", "mapping_type": "technique_score", "attack_object_id": "T1621", "attack_object_name": "Multi-Factor Authentication Request Generation", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. 
App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization.\n\nApp Governance detects Multi-Factor Authentication Request Generation attacks because it monitors aggregated sign-in activity for each app and tracks risky sign-ins.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-anomaly-detection-alerts#initial-access-alerts", "https://learn.microsoft.com/en-us/defender-cloud-apps/app-governance-manage-app-governance"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "This control only protects cloud accounts and therefore its overall protection coverage is Minimal.", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": "MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted. This is an incomplete protection measure, though, as the adversary may also have obtained credentials that enable bypassing the additional authentication method.", "references": []}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1078", "comments": "Requiring the use of MFA for all users can significantly reduce the likelihood of adversaries gaining access to the environment's cloud accounts.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "Requiring the use of MFA along with conditional access policies may reduce the likelihood of adversaries making credential modifications, administrator changes, account manipulation, changes to permissions, etc.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1098", "comments": "Requiring the use of MFA along with conditional access policies may reduce the likelihood of adversaries making credential modifications, administrator changes, account manipulation, changes to permissions, etc.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa", 
"https://www.microsoft.com/en-us/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1098.002", "attack_object_name": "Additional Email Delegate Permissions", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1098", "comments": "Requiring the use of MFA along with conditional access policies may reduce the likelihood of adversaries making modifications, such as changes to email delegate permissions.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1098.003", "attack_object_name": "Additional Cloud Roles", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1098", "comments": "Requiring the use of MFA along with conditional access policies may reduce the likelihood of adversaries making credential modifications, administrator changes, account manipulation, changes to permissions, etc.", "references": ["https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1098.005", "attack_object_name": "Device Registration", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1098", "comments": "Requiring the use of MFA to register devices in Entra ID along with conditional access policies can reduce the likelihood of successful use of this technique.", "references": 
["https://learn.microsoft.com/en-us/entra/identity/conditional-access/howto-conditional-access-policy-all-users-mfa"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "comments": "MFA provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted.", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "comments": "MFA provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted.", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.", "references": []}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", 
"capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before access is permitted.", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "MFA can significantly reduce the impact of password cracking, requiring the adversary to complete an additional authentication method before access is permitted. According to Microsoft's analysis, an account is more than 99.9% less likely to be compromised when MFA is enabled, across techniques such as phishing, brute force, credential stuffing, and keylogging.", "references": ["https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.", "references": []}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "entra-id", "score_category": 
"protect", "score_value": "significant", "related_score": "T1110", "comments": "MFA can significantly reduce the impact of password spraying, requiring the adversary to complete an additional authentication method before access is permitted. According to Microsoft's analysis, an account is more than 99.9% less likely to be compromised when MFA is enabled, across techniques such as phishing, brute force, credential stuffing, and keylogging.", "references": ["https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted.", "references": []}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "MFA can significantly reduce the impact of credential stuffing, requiring the adversary to complete an additional authentication method before access is permitted. 
According to Microsoft's analysis, an account is more than 99.9% less likely to be compromised when MFA is enabled, across techniques such as phishing, brute force, credential stuffing, and keylogging.", "references": ["https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1136.003", "attack_object_name": "Cloud Account", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1136", "comments": "MFA can significantly reduce the impact of adversary-created accounts by requiring an additional authentication method for verification before the account can be used (e.g., Microsoft Authenticator, Authenticator Lite (in Outlook), Windows Hello for Business, FIDO2 security key, OATH hardware token (preview), OATH software token, SMS, Voice call, etc.).", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mfa-howitworks"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "comments": "MFA provides significant protection by requiring a second authentication method before access to resources such as cloud storage and APIs is granted.", "references": []}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "Entra MFA provides partial protection against phishing. 
A phished password alone is not enough to sign in, because the user must also complete a second authentication method. Phishing that also captures or relays the second factor, or that targets users who have not yet registered for MFA (for example by registering an attacker-controlled device with the stolen credentials, as described in the referenced Microsoft blog), is not prevented, which is why the score is Partial.", "references": ["https://techcommunity.microsoft.com/t5/microsoft-entra-blog/your-pa-word-doesn-t-matter/ba-p/731984", "https://www.microsoft.com/en-us/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1566", "comments": "Entra MFA provides partial protection against phishing. A phished password alone is not enough to sign in, because the user must also complete a second authentication method. Phishing that also captures or relays the second factor, or that targets users who have not yet registered for MFA (for example by registering an attacker-controlled device with the stolen credentials, as described in the referenced Microsoft blog), is not prevented, which is why the score is Partial.", "references": ["https://www.microsoft.com/en-us/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1566", "comments": "Entra MFA provides partial protection against phishing. A phished password alone is not enough to sign in, because the user must also complete a second authentication method. Phishing that also captures or relays the second factor, or that targets users who have not yet registered for MFA (for example by registering an attacker-controlled device with the stolen credentials, as described in the referenced Microsoft blog), is not prevented, which is why the score is Partial.
", "references": ["https://www.microsoft.com/en-us/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/"]}, {"capability_id": "EID-MFA-E3", "capability_description": "Multifactor Authentication", "mapping_type": "technique_score", "attack_object_id": "T1621", "attack_object_name": "Multi-Factor Authentication Request Generation", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "comments": "Entra MFA can limit the number of MFA request prompts that can be sent to a user in a period of time, and throttles sign-in attempts in certain cases involving repeated authentication requests. Microsoft Authenticator number matching, which requires the user to enter a number displayed on the sign-in screen, also prevents a user from approving a prompt they did not initiate.", "references": []}, {"capability_id": "EID-PWP-E3", "capability_description": "Password Policy", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "comments": "Accounts should have complex and unique passwords across all systems on the network. Passwords and access keys should be rotated regularly. 
\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy"]}, {"capability_id": "EID-PWP-E3", "capability_description": "Password Policy", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "This control provides partial protection for most of this technique's sub-techniques and therefore has been scored as Partial.", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy#password-policies-that-only-apply-to-cloud-user-accounts"]}, {"capability_id": "EID-PWP-E3", "capability_description": "Password Policy", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. 
\n\nBy default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy"]}, {"capability_id": "EID-PWP-E3", "capability_description": "Password Policy", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "The password restrictions provided by the default password policy, along with the lockout threshold and duration settings, are effective protection against the Password Guessing sub-technique, which tries many passwords against a single account.", "references": []}, {"capability_id": "EID-PWP-E3", "capability_description": "Password Policy", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1110", "comments": "A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. 
Further incorrect sign-in attempts lock out the user in real time for increasing durations.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy"]}, {"capability_id": "EID-PWP-E3", "capability_description": "Password Policy", "mapping_type": "technique_score", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "The password restrictions provided by the default password policy can provide partial protection against password cracking, but a determined adversary with sufficient resources can still succeed with this attack vector. Password cracking is performed offline against captured password hashes, so the policy's lockout threshold does not apply; only the length and complexity requirements raise the cost of the attack, which is why the score is Partial rather than Significant (as was assessed for Password Guessing).", "references": []}, {"capability_id": "EID-PWP-E3", "capability_description": "Password Policy", "mapping_type": "technique_score", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. 
Further incorrect sign-in attempts lock out the user in real time for increasing durations.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy"]}, {"capability_id": "EID-PWP-E3", "capability_description": "Password Policy", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock out the user in real time for increasing durations. Because password spraying tries one or a few passwords across many accounts, the per-account lockout threshold is rarely reached, which is why the score is Partial.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy"]}, {"capability_id": "EID-PWP-E3", "capability_description": "Password Policy", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "The password policy's lockout threshold can be partially effective in mitigating credential stuffing, as it may lock the account before the correct credential is attempted. 
With credential stuffing, however, the number of passwords attempted per account is often far fewer than with Password Guessing, reducing the effectiveness of a lockout threshold. This led to its score being assessed as Partial rather than Significant (as was assessed for Password Guessing).", "references": []}, {"capability_id": "EID-PWP-E3", "capability_description": "Password Policy", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock out the user in real time for increasing durations.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy"]}, {"capability_id": "EID-PWP-E3", "capability_description": "Password Policy", "mapping_type": "technique_score", "attack_object_id": "T1586.003", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1586", "comments": "Cloud accounts should have complex and unique passwords across all systems on the network. Passwords and access keys should be rotated regularly. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. 
Further incorrect sign-in attempts lock out the user in real time for increasing durations of time.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-policy"]}, {"capability_id": "EID-PWPR-E3", "capability_description": "Password Protection", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "Accounts should have complex and unique passwords across all systems on the network. When a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Microsoft Entra customers.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad"]}, {"capability_id": "EID-PWPR-E3", "capability_description": "Password Protection", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "With Microsoft Entra Password Protection, default global banned password lists are automatically applied to all users in a Microsoft Entra tenant. To support your own business and security needs, you can define entries in a custom banned password list.\nWhen a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. 
This validation check results in stronger passwords for all Microsoft Entra customers.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad"]}, {"capability_id": "EID-PWPR-E3", "capability_description": "Password Protection", "mapping_type": "technique_score", "attack_object_id": "T1110", "attack_object_name": "Brute Force", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "With Microsoft Entra Password Protection, default global banned password lists are automatically applied to all users in a Microsoft Entra tenant. To support your own business and security needs, you can define entries in a custom banned password list.\nWhen a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Microsoft Entra customers. Because the check runs only at change or reset, existing weak passwords are not affected until they are changed.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2 (the custom banned password list requires P1 or P2)", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad"]}, {"capability_id": "EID-PWPR-E3", "capability_description": "Password Protection", "mapping_type": "technique_score", "attack_object_id": "T1110.001", "attack_object_name": "Password Guessing", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "Microsoft Entra Password Protection effectively blocks known weak passwords likely to be used in password guessing attacks.
\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad"]}, {"capability_id": "EID-PWPR-E3", "capability_description": "Password Protection", "mapping_type": "technique_score", "attack_object_id": "T1110.002", "attack_object_name": "Password Cracking", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "Microsoft Entra Password Protection effectively blocks known weak passwords likely to be used in password cracking attacks.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad"]}, {"capability_id": "EID-PWPR-E3", "capability_description": "Password Protection", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "Microsoft Entra Password Protection effectively blocks known weak passwords likely to be used in password spray attacks.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad"]}, {"capability_id": "EID-PWPR-E3", "capability_description": "Password Protection", "mapping_type": "technique_score", "attack_object_id": "T1110.003", "attack_object_name": "Password Spraying", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "Microsoft Entra Password Protection effectively blocks known weak passwords likely to be used in password spray attacks.
\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad"]}, {"capability_id": "EID-PWPR-E3", "capability_description": "Password Protection", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "With Microsoft Entra Password Protection, you can define entries in a custom banned password list. When a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Microsoft Entra customers. Credential stuffing reuses passwords leaked from other services, which may not appear on the banned lists, so the protection is Partial.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad"]}, {"capability_id": "EID-PWPR-E3", "capability_description": "Password Protection", "mapping_type": "technique_score", "attack_object_id": "T1110.004", "attack_object_name": "Credential Stuffing", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1110", "comments": "With Microsoft Entra Password Protection, you can define entries in a custom banned password list. When a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. 
This validation check results in stronger passwords for all Microsoft Entra customers.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad"]}, {"capability_id": "EID-PWPR-E3", "capability_description": "Password Protection", "mapping_type": "technique_score", "attack_object_id": "T1586.003", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1586", "comments": "Cloud accounts should have complex and unique passwords across all systems on the network. When a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Microsoft Entra customers.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/concept-password-ban-bad"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "This control only provides protection for one of this technique's sub-techniques and none for the remaining ones, so its coverage score is Minimal, resulting in an overall score of Minimal.", "references": ["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1078", "attack_object_name": "Valid Accounts", 
"capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "The PIM control supports an Access Review feature, which can be used to reduce stale role assignments for Valid Accounts: Cloud Accounts. The control does not protect against this technique's other sub-techniques, resulting in a Minimal coverage score, for an overall score of Minimal.\n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance", "references": ["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": "This control's Access Review feature supports scheduling a routine review of cloud account permission levels to look for those that could allow an adversary to gain wide access. This information can then be used to validate whether such access is required and to identify which (privileged) accounts should be monitored closely. This reduces the availability of valid accounts to adversaries. This review would normally be scheduled periodically, at most weekly, and therefore its temporal score is Partial.", "references": []}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1078.004", "attack_object_name": "Cloud Accounts", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "related_score": "T1078", "comments": "The PIM control supports an Access Review feature, which can be created to review privileged access to avoid stale role assignments. 
Access Reviews can be scheduled routinely, and used to help evaluate the state of privileged access. Performing this review can help minimize the availability of valid accounts to adversaries. Although this review can be scheduled periodically, it would not occur at real-time frequency, and is therefore assigned Partial. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance", "references": ["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "This control provides significant protection for some of this technique's sub-techniques while not providing any protection for others, resulting in a Partial score.", "references": ["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "entra-id", "score_category": "detect", "score_value": "minimal", "comments": "This control only provides detection for one of this technique's sub-techniques while not providing any detection for the remaining and therefore its coverage score is Minimal, resulting in a Minimal score.", "references": ["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "entra-id", "score_category": 
"detect", "score_value": "minimal", "comments": "The PIM control can assist post-execution detection by alerting on the assignment of privileged Additional Cloud Roles. This is not extendable to detect against the technique's other sub-techniques, resulting in overall minimal detection coverage. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance", "references": ["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1098", "attack_object_name": "Account Manipulation", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "comments": "The PIM control provides significant protection against multiple sub-techniques, although not all, resulting in partial coverage. The control scores Significant for the temporal aspects of its protection, which include requiring activation by eligible privileged roles, and confirming user identity with MFA before execution. \n\n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance", "references": ["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-activate-role", "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1098", "comments": "Privileged roles such as the Application Administrator role can be configured to require MFA on activation to provide additional protection against the execution of this technique.  
In addition these privileged roles can be assigned as eligible rather than permanently active roles to further reduce the attack surface.", "references": []}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1098.001", "attack_object_name": "Additional Cloud Credentials", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1098", "comments": "The PIM control can enforce on-activation requirements for privileged roles, such as the Application Administrator. Configuration can include an MFA requirement, which can provide additional protection against Additional Cloud Credentials. PIM can also be used to assigned privileged roles as \"eligible\" rather than \"active\" to further, requiring activation of the assigned role before use. Due to these features, a score of Significant is assigned. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance", "references": ["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-activate-role", "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1098.003", "attack_object_name": "Additional Cloud Roles", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1098", "comments": "This control can require MFA to be triggered when the Global Administrator role is assigned to an account or when the role is activated by a user.", "references": []}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1098.003", "attack_object_name": "Additional Cloud Roles", 
"capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "related_score": "T1098", "comments": "This control can notify administrators whenever the Global Administrator role is assigned to an account and can therefore be used to detect the execution of this sub-technique.  Assigning the Global Administrator role to an account is an infrequent operation and as a result, the false positive rate should be minimal.", "references": []}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1098.003", "attack_object_name": "Additional Cloud Roles", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "related_score": "T1098", "comments": "The PIM control can notify administrators when the Global Administrator and other administrator roles are assigned to an account, allowing it to be a method of detection for Additional Cloud Roles execution. PIM supports multiple security alerts, with customizable triggers, including numeric specificity. Following Microsoft's role based access control Best Practices, assignment of Global Administrator, among other administrative roles should be uncommon, resulting in an overall low false positive rate for detecting unexpected privileged role assignments. 
\n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance", "references": ["https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/best-practices", "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts", "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1098.003", "attack_object_name": "Additional Cloud Roles", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1098", "comments": "The PIM control can enforce on-activation requirements for privileged roles, such as Global Administrator. Configuration can include an MFA requirement, which can provide additional protection against Additional Cloud Roles. MFA can be required when assigning these administrative roles, when a user activates the role, or both. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance", "references": ["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-activate-role", "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1098.007", "attack_object_name": "Additional Local or Domain Groups", "capability_group": "entra-id", "score_category": "detect", "score_value": "significant", "related_score": "T1098", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. 
This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation is included in all versions of Microsoft 365. \n", "references": []}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1098.007", "attack_object_name": "Additional Local or Domain Groups", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1098", "comments": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced in near real time. This process causes tenant users to lose access to organizational SharePoint Online files, email, calendar, tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation is included in all versions of Microsoft 365. 
\n", "references": []}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1136", "attack_object_name": "Create Account", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "This control provides protection for only one of this technique's sub-techniques and none for the remaining sub-techniques, so its overall coverage, and therefore its score, is Minimal.", "references": ["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1136", "attack_object_name": "Create Account", "capability_group": "entra-id", "score_category": "protect", "score_value": "partial", "comments": "The PIM control provides significant protection against Create Account: Cloud Account, but not against the technique's other sub-techniques. An overall score of Partial is assigned, although coverage across the sub-techniques is minimal. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance", "references": ["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1136.003", "attack_object_name": "Cloud Account", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1136", "comments": "Privileged roles such as the User Administrator role can be configured to require MFA on activation to provide additional protection against the execution of this technique. 
In addition, these privileged roles can be assigned as eligible rather than permanently active roles to further reduce the attack surface.", "references": []}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1136.003", "attack_object_name": "Cloud Account", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1136", "comments": "The PIM control can enforce on-activation requirements for privileged roles, such as User Administrator. Configuration can include an MFA requirement, which can provide additional protection against Cloud Account creation. PIM can also be used to assign privileged roles as \"eligible\" rather than \"active\", requiring activation of the assigned role before use. Due to these features, a score of Significant is assigned. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance", "references": ["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-activate-role", "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1556", "attack_object_name": "Modify Authentication Process", "capability_group": "entra-id", "score_category": "protect", "score_value": "minimal", "comments": "The PIM control significantly protects against the modification of Multi-Factor Authentication by placing limitations and restrictions on relevant privileged accounts. However, this is Minimal coverage relative to all of the technique's sub-techniques. 
\n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance", "references": ["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1556.006", "attack_object_name": "Multi-Factor Authentication", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1556", "comments": "The PIM control can enforce on-activation requirements for privileged roles, such as Conditional Access Administrator, Global Administrator, or Security Administrator, which include privileges necessary to modify certain MFA settings. Configuration can include an MFA requirement, which can provide additional protection against modifying Multi-Factor Authentication. MFA can be required when assigning these administrative roles, when a user activates the role, or both. PIM can also be used to assign privileged roles as \"eligible\" rather than \"active\", requiring activation of the assigned role before use. 
This scores Significant because it limits the number of accounts holding these privileges and the conditions under which they can be used.\n\n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance", "references": ["https://learn.microsoft.com/en-us/entra/identity/authentication/tutorial-enable-azure-mfa", "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-how-to-configure-security-alerts", "https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1556.007", "attack_object_name": "Hybrid Identity", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "related_score": "T1556", "comments": "The PIM control can enforce on-activation requirements for privileged roles, such as Global Administrator, which may be used to modify the hybrid identity authentication process from the cloud. Ideally, these accounts should be dedicated cloud-only accounts rather than hybrid accounts. MFA can be required when assigning Global Administrator, when a user activates the role, or both. PIM can also be used to assign privileged roles as \"eligible\" rather than \"active\", requiring activation of the assigned role before use. This scores Significant because it limits the number of accounts holding these privileges and the conditions under which they can be used. 
\n\n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance", "references": ["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EID-PIM-E5", "capability_description": "Privileged Identity Management", "mapping_type": "technique_score", "attack_object_id": "T1651", "attack_object_name": "Cloud Administration Command", "capability_group": "entra-id", "score_category": "protect", "score_value": "significant", "comments": "The PIM control can enforce on-activation requirements for privileged roles, such as Global Administrator. Configuration can include an MFA requirement, which can help limit the privileged accounts available and their ability to execute administration commands. PIM can also be used to assign privileged roles as \"eligible\" rather than \"active\", requiring activation of the assigned role before use. Due to these features, a score of Significant is assigned. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance", "references": ["https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-configure"]}, {"capability_id": "EOP-MFR-E3", "capability_description": "Mail Flow Rules", "mapping_type": "technique_score", "attack_object_id": "T1114", "attack_object_name": "Email Collection", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "comments": "In Exchange Online organizations and standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, Exchange mail flow rules (also known as transport rules) can be used to look for specific conditions on messages that pass through the organization and take action on them. Mail flow rules take action on messages while they are in transit, not after the message is delivered to the mailbox. 
Mail flow rules contain a richer set of conditions, exceptions, and actions than Outlook inbox rules, which provides the flexibility to implement many types of messaging policies.\n\nMail Flow Rules protect against Email Collection because custom rules can be defined to encrypt email messages, which provides an added layer of security for sensitive information sent over email.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 Plan 1 and Plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/purview/define-mail-flow-rules-to-encrypt-email", "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"]}, {"capability_id": "EOP-MFR-E3", "capability_description": "Mail Flow Rules", "mapping_type": "technique_score", "attack_object_id": "T1114.002", "attack_object_name": "Remote Email Collection", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "related_score": "T1114", "comments": "In Exchange Online organizations and standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, Exchange mail flow rules (also known as transport rules) can be used to look for specific conditions on messages that pass through the organization and take action on them. Mail flow rules take action on messages while they are in transit, not after the message is delivered to the mailbox. 
Mail flow rules contain a richer set of conditions, exceptions, and actions than Outlook inbox rules, which provides the flexibility to implement many types of messaging policies.\n\nMail Flow Rules protect against Remote Email Collection because custom rules can be defined to encrypt email messages, which provides an added layer of security for sensitive information sent over email.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 Plan 1 and Plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/purview/define-mail-flow-rules-to-encrypt-email", "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"]}, {"capability_id": "EOP-MFR-E3", "capability_description": "Mail Flow Rules", "mapping_type": "technique_score", "attack_object_id": "T1114.003", "attack_object_name": "Email Forwarding Rule", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "related_score": "T1114", "comments": "In Exchange Online organizations and standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, Exchange mail flow rules (also known as transport rules) can be used to look for specific conditions on messages that pass through the organization and take action on them. Mail flow rules take action on messages while they are in transit, not after the message is delivered to the mailbox. 
Mail flow rules contain a richer set of conditions, exceptions, and actions than Outlook inbox rules, which provides the flexibility to implement many types of messaging policies.\n\nMail Flow Rules protect against Email Forwarding Rule because custom rules can be defined to encrypt email messages, which provides an added layer of security for sensitive information sent over email.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 Plan 1 and Plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/purview/define-mail-flow-rules-to-encrypt-email", "https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"]}, {"capability_id": "EOP-MFR-E3", "capability_description": "Mail Flow Rules", "mapping_type": "technique_score", "attack_object_id": "T1564", "attack_object_name": "Hide Artifacts", "capability_group": "eop", "score_category": "detect", "score_value": "significant", "comments": "In Exchange Online organizations and standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, Exchange mail flow rules (also known as transport rules) can be used to look for specific conditions on messages that pass through the organization and take action on them. Mail flow rules take action on messages while they are in transit, not after the message is delivered to the mailbox. 
Mail flow rules contain a richer set of conditions, exceptions, and actions than Outlook inbox rules, which provides the flexibility to implement many types of messaging policies.\n\nMail Flow Rules detect Hide Artifacts because rule conditions can examine message header fields, which adversaries may manipulate to hide artifacts associated with their behavior and evade detection.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 Plan 1 and Plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"]}, {"capability_id": "EOP-MFR-E3", "capability_description": "Mail Flow Rules", "mapping_type": "technique_score", "attack_object_id": "T1564.008", "attack_object_name": "Email Hiding Rules", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "related_score": "T1564", "comments": "In Exchange Online organizations and standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, Exchange mail flow rules (also known as transport rules) can be used to look for specific conditions on messages that pass through the organization and take action on them. Mail flow rules take action on messages while they are in transit, not after the message is delivered to the mailbox. 
Mail flow rules contain a richer set of conditions, exceptions, and actions than Outlook inbox rules, which provides the flexibility to implement many types of messaging policies.\n\nMail Flow Rules protect against Email Hiding Rules because their conditions are evaluated on messages in transit, before any inbox rule runs, and mail flow rules can be audited on a regular basis.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 Plan 1 and Plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/exchange/security-and-compliance/mail-flow-rules/mail-flow-rules"]}, 
{"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1189", "attack_object_name": "Drive-by Compromise", "capability_group": "m365-defender", "score_category": "respond", "score_value": "partial", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques and payloads, and can start on an automated schedule. This detection-focused security control partially improves an organization's security posture by continuously conducting attack simulations that fine-tune analytics and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file; opening the file helps the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques"]}, 
{"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1189", "attack_object_name": "Drive-by Compromise", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques and payloads, and can start on an automated schedule. This detection-focused security control partially improves an organization's security posture by continuously conducting attack simulations that fine-tune analytics and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file; opening the file helps the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide"]}, 
{"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "m365-defender", "score_category": "respond", "score_value": "partial", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques and payloads, and can start on an automated schedule. This detection-focused security control partially improves an organization's security posture by continuously conducting attack simulations that fine-tune analytics and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file; opening the file helps the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide"]}, 
{"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques and payloads, and can start on an automated schedule. This detection-focused security control partially improves an organization's security posture by continuously conducting attack simulations that fine-tune analytics and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file; opening the file helps the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide"]}, 
{"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1204.001", "attack_object_name": "Malicious Link", "capability_group": "m365-defender", "score_category": "respond", "score_value": "partial", "related_score": "T1204", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques and payloads, and can start on an automated schedule. This detection-focused security control partially improves an organization's security posture by continuously conducting attack simulations that fine-tune analytics and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file; opening the file helps the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques"]}, 
{"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1204.001", "attack_object_name": "Malicious Link", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1204", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques and payloads, and can start on an automated schedule. This detection-focused security control partially improves an organization's security posture by continuously conducting attack simulations that fine-tune analytics and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file; opening the file helps the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide"]}, 
{"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1204.002", "attack_object_name": "Malicious File", "capability_group": "m365-defender", "score_category": "respond", "score_value": "partial", "related_score": "T1204", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques and payloads, and can start on an automated schedule. This detection-focused security control partially improves an organization's security posture by continuously conducting attack simulations that fine-tune analytics and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file; opening the file helps the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques"]}, 
{"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1204.002", "attack_object_name": "Malicious File", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1204", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques and payloads, and can start on an automated schedule. This detection-focused security control partially improves an organization's security posture by continuously conducting attack simulations that fine-tune analytics and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. 
When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide"]}, {"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1528", "attack_object_name": "Steal Application Access Token", "capability_group": "m365-defender", "score_category": "respond", "score_value": "partial", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. 
\n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide"]}, {"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1528", "attack_object_name": "Steal Application Access Token", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. 
These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. 
The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide"]}, {"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1539", "attack_object_name": "Steal Web Session Cookie", "capability_group": "m365-defender", "score_category": "respond", "score_value": "partial", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. 
When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide"]}, {"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1539", "attack_object_name": "Steal Web Session Cookie", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  
This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide"]}, {"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1550", "attack_object_name": "Use Alternate Authentication 
Material", "capability_group": "m365-defender", "score_category": "respond", "score_value": "partial", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. 
The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide"]}, {"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1550", "attack_object_name": "Use Alternate Authentication Material", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  
This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-teams?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques"]}, 
{"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "respond", "score_value": "partial", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. 
The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques"]}, {"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. 
An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide"]}, {"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "respond", "score_value": "partial", "related_score": "T1566", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. 
\n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques"]}, {"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1566", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  
This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide"]}, {"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "m365-defender", "score_category": "respond", "score_value": "partial", "related_score": "T1566", "comments": "M365's Defender Attack Simulation Training allows organizations to 
automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. 
The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques"]}, {"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1566", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. 
When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-worldwide"]}, {"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1598", "attack_object_name": "Phishing for Information", "capability_group": "m365-defender", "score_category": "respond", "score_value": "partial", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. 
\n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a familiar-looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file; opening the file helps the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements:\nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-simulation-automations?view=o365-worldwide#select-one-or-more-social-engineering-techniques"]}, {"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1598", "attack_object_name": "Phishing for Information", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques and payloads, and can start on an automated schedule. 
This detection-focused security control partially improves organizations' security posture by continuously conducting attack simulations that fine-tune analytics and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a familiar-looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file; opening the file helps the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements:\nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-get-started?view=o365-worldwide"]}, {"capability_id": "DEF-SIMT-E5", "capability_description": "ATT&CK Simulation Training", "mapping_type": "technique_score", "attack_object_id": "T1598.002", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1598", "comments": "M365's Defender Attack Simulation Training allows 
organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques and payloads, and can start on an automated schedule. This detection-focused security control partially improves organizations' security posture by continuously conducting attack simulations that fine-tune analytics and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a familiar-looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. 
The message sent to the user contains a link to this malicious file; opening the file helps the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements:\nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2.", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/attack-simulation-training-payloads?view=o365-worldwide"]}, {"capability_id": "DEF-PSP-E3", "capability_description": "Preset Security Policies", "mapping_type": "technique_score", "attack_object_id": "T1189", "attack_object_name": "Drive-by Compromise", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users and avoiding unnecessary disruptions. \n\nPreset security policies detect Drive-by Compromise attacks because all recipients in the organization receive Safe Links and Safe Attachments through the Built-in protection profile by default. Safe Links immediately checks URLs before opening the websites. You can add entries to the existing policies or configure different lists in different Safe Links policies to determine if certain websites are necessary for business operations. If the URL points to a website that has been identified as a phishing attack, a phishing attempt warning page opens. 
\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide"]}, {"capability_id": "DEF-PSP-E3", "capability_description": "Preset Security Policies", "mapping_type": "technique_score", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users and avoiding unnecessary disruptions. \n\nPreset security policies detect User Execution attacks because all recipients in the organization receive Safe Links and Safe Attachments through the Built-in protection profile by default. Safe Links immediately checks URLs before opening the websites. You can add entries to the existing policies or configure different lists in different Safe Links policies to determine if certain websites are necessary for business operations. If the URL points to a website that has been identified as a phishing attack, a phishing attempt warning page opens. 
\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide"]}, {"capability_id": "DEF-PSP-E3", "capability_description": "Preset Security Policies", "mapping_type": "technique_score", "attack_object_id": "T1204.001", "attack_object_name": "Malicious Link", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1204", "comments": "M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users and avoiding unnecessary disruptions. \n\nPreset security policies detect Malicious Link attacks because all recipients in the organization receive Safe Links and Safe Attachments through the Built-in protection profile by default. Safe Links immediately checks URLs before opening the websites. If the URL points to a website that has been identified as a phishing attack, a phishing attempt warning page opens. 
\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide"]}, {"capability_id": "DEF-PSP-E3", "capability_description": "Preset Security Policies", "mapping_type": "technique_score", "attack_object_id": "T1534", "attack_object_name": "Internal Spearphishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users and avoiding unnecessary disruptions. \n\nPreset security policies detect Internal Spearphishing attacks because all recipients in the organization receive Safe Links and Safe Attachments through the Built-in protection profile by default. Safe Links immediately checks URLs before opening the websites. You can add entries to the existing policies or configure different lists in different Safe Links policies to determine if certain websites are necessary for business operations. If the URL points to a website that has been identified as a phishing attack, a phishing attempt warning page opens. 
\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide"]}, {"capability_id": "DEF-PSP-E3", "capability_description": "Preset Security Policies", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users and avoiding unnecessary disruptions. \n\nPreset security policies detect Phishing attacks because all recipients in the organization receive Safe Links and Safe Attachments through the Built-in protection profile by default. Safe Links immediately checks URLs before opening the websites. If the URL points to a website that has been identified as a phishing attack, a phishing attempt warning page opens. 
\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide"]}, {"capability_id": "DEF-PSP-E3", "capability_description": "Preset Security Policies", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1566", "comments": "M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users and avoiding unnecessary disruptions. \n\nPreset security policies detect Spearphishing Attachment attacks because the Built-in protection preset security policy provides Safe Attachments protection to all recipients. 
Safe Attachments uses a virtual environment to check attachments in email messages before they're delivered to recipients (a process known as detonation).\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide"]}, {"capability_id": "DEF-PSP-E3", "capability_description": "Preset Security Policies", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1566", "comments": "M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users and avoiding unnecessary disruptions. \n\nPreset security policies detect Spearphishing Link attacks because all recipients in the organization receive Safe Links and Safe Attachments through the Built-in protection profile by default. Safe Links immediately checks URLs before opening the websites. If the URL points to a website that has been identified as a phishing attack, a phishing attempt warning page opens. 
\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide"]}, {"capability_id": "DEF-PSP-E3", "capability_description": "Preset Security Policies", "mapping_type": "technique_score", "attack_object_id": "T1656", "attack_object_name": "Impersonation", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users and avoiding unnecessary disruptions. \n\nPreset security policies detect Impersonation attacks because all recipients in the organization receive Safe Links and Safe Attachments through the Built-in protection profile by default. Safe Links immediately checks URLs before opening the websites. If the URL points to a website that has been identified as a phishing attack, a phishing attempt warning page opens. 
\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/preset-security-policies?view=o365-worldwide"]}, {"capability_id": "DEF-THEX-E5", "capability_description": "Threat Explorer", "mapping_type": "technique_score", "attack_object_id": "T1189", "attack_object_name": "Drive-by Compromise", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "Threat Explorer helps your security operations team investigate and respond to threats efficiently. With these tools, you can see malware detected by Microsoft 365 security features, view phishing URL and click verdict data, start an automated investigation and response process from a view in Explorer, investigate malicious email, and more. \n\nThreat Explorer detects Drive-by Compromise attacks through its dashboard, which captures phishing attempts and lets the user view them, including a list of URLs that were allowed, blocked, and overridden. 
When an organization blocks URLs for users, this mitigates users visiting a website that is used to host adversary-controlled content.\n\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-about?view=o365-worldwide#view-phishing-url-and-click-verdict-data", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-threat-hunting?view=o365-worldwide"]}, {"capability_id": "DEF-THEX-E5", "capability_description": "Threat Explorer", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "Threat Explorer helps your security operations team investigate and respond to threats efficiently. With these tools, you can see malware detected by Microsoft 365 security features, view phishing URL and click verdict data, start an automated investigation and response process from a view in Explorer, investigate malicious email, and more. 
\n\nThreat Explorer detects Phishing attacks through its dashboard, which captures phishing attempts and lets the user view them, including a list of URLs that were allowed, blocked, and overridden.\n\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-about?view=o365-worldwide#view-phishing-url-and-click-verdict-data", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-about?view=o365-worldwide"]}, {"capability_id": "DEF-THEX-E5", "capability_description": "Threat Explorer", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1566", "comments": "Threat Explorer helps your security operations team investigate and respond to threats efficiently. With these tools, you can see malware detected by Microsoft 365 security features, view phishing URL and click verdict data, start an automated investigation and response process from a view in Explorer, investigate malicious email, and more. \n\nThreat Explorer detects Spearphishing Attachment attacks by using Threat Explorer's System Override feature. The 'File extension blocked by org policy' value enables an organization's security team to block a file name extension through the anti-malware policy settings. These values are displayed in email details to help with investigations. 
SecOps teams can also use the rich-filtering capability to filter on blocked file extensions.\n\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-about?view=o365-worldwide#view-phishing-url-and-click-verdict-data", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-threat-hunting?view=o365-worldwide"]}, {"capability_id": "DEF-THEX-E5", "capability_description": "Threat Explorer", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1566", "comments": "Threat Explorer helps your security operations team investigate and respond to threats efficiently. With these tools, you can see malware detected by Microsoft 365 security features, view phishing URL and click verdict data, start an automated investigation and response process from a view in Explorer, investigate malicious email, and more. 
\n\nThreat Explorer detects Spearphishing Link attacks through its dashboard, which captures phishing attempts and lets the user view them, including a list of URLs that were allowed, blocked, and overridden.\n\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-about?view=o365-worldwide#view-phishing-url-and-click-verdict-data", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-threat-hunting?view=o365-worldwide"]}, {"capability_id": "DEF-THEX-E5", "capability_description": "Threat Explorer", "mapping_type": "technique_score", "attack_object_id": "T1656", "attack_object_name": "Impersonation", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "Threat Explorer helps your security operations team investigate and respond to threats efficiently. With these tools, you can see malware detected by Microsoft 365 security features, view phishing URL and click verdict data, start an automated investigation and response process from a view in Explorer, investigate malicious email, and more. \n\nThreat Explorer detects Impersonation attacks through its dashboard, which captures phishing attempts and lets the user view them, including a list of URLs that were allowed, blocked, and overridden. 
When an organization blocks URLs for users, this mitigates users visiting a website that is used to host adversary-controlled content.\n\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-about?view=o365-worldwide#view-phishing-url-and-click-verdict-data", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-explorer-threat-hunting?view=o365-worldwide"]}, {"capability_id": "DEF-TPSR-E3", "capability_description": "Threat Protection Status Report", "mapping_type": "technique_score", "attack_object_id": "T1189", "attack_object_name": "Drive-by Compromise", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "The Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. The report provides the count of email messages with malicious content. For example: files or website addresses (URLs) that were blocked by the anti-malware engine; files or messages affected by zero-hour auto purge (ZAP); and files or messages that were blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.\n\nThe Threat protection status report detects Drive-by Compromise attacks by capturing and displaying files or messages that were blocked by Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies. 
When an organization filters URLs for users, this mitigates users visiting a website that is used to host adversary-controlled content.\n\nLicense Requirements:\nExchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide#threat-protection-status-report"]}, {"capability_id": "DEF-TPSR-E3", "capability_description": "Threat Protection Status Report", "mapping_type": "technique_score", "attack_object_id": "T1534", "attack_object_name": "Internal Spearphishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "The Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. The report provides the count of email messages with malicious content. 
For example: files or website addresses (URLs) that were blocked by the anti-malware engine; files or messages affected by zero-hour auto purge (ZAP); and files or messages that were blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.\n\nThe Threat protection status report detects Internal Spearphishing attacks by capturing and displaying files or messages that were blocked by Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.\n\nLicense Requirements:\nExchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide#threat-protection-status-report"]}, {"capability_id": "DEF-TPSR-E3", "capability_description": "Threat Protection Status Report", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "The Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. The report provides the count of email messages with malicious content. 
For example: files or website addresses (URLs) that were blocked by the anti-malware engine; files or messages affected by zero-hour auto purge (ZAP); and files or messages that were blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.\n\nThe Threat protection status report detects Phishing attacks by capturing and displaying files or messages that were blocked by Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.\n\nLicense Requirements:\nExchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide#threat-protection-status-report"]}, {"capability_id": "DEF-TPSR-E3", "capability_description": "Threat Protection Status Report", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1566", "comments": "The Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. The report provides the count of email messages with malicious content. 
For example: files or website addresses (URLs) that were blocked by the anti-malware engine; files or messages affected by zero-hour auto purge (ZAP); and files or messages that were blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.\n\nThe Threat protection status report detects Spearphishing Attachment attacks by capturing and displaying files or messages that were blocked by Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.\n\nLicense Requirements:\nExchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide#threat-protection-status-report"]}, {"capability_id": "DEF-TPSR-E3", "capability_description": "Threat Protection Status Report", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1566", "comments": "The Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. The report provides the count of email messages with malicious content. 
For example: files or website addresses (URLs) that were blocked by the anti-malware engine; files or messages affected by zero-hour auto purge (ZAP); and files or messages that were blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.\n\nThe Threat protection status report detects Spearphishing Link attacks by capturing and displaying files or messages that were blocked by Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.\n\nLicense Requirements:\nExchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide#threat-protection-status-report"]}, {"capability_id": "DEF-TPSR-E3", "capability_description": "Threat Protection Status Report", "mapping_type": "technique_score", "attack_object_id": "T1656", "attack_object_name": "Impersonation", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "The Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. The report provides the count of email messages with malicious content. 
For example: Files or website addresses (URLs) that were blocked by the anti-malware engine, Files or messages affected by zero-hour auto purge (ZAP), Files or messages that were blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.\n\nThreat Protection Status Report Detects Impersonation attacks by the report capturing and displaying files or messages that were blocked by Safe Links, Safe Attachments, and impersonation protection features in phishing policies.\n\nLicense Requirements: \nExchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide#threat-protection-status-report"]}, {"capability_id": "DEF-SLNK-E3", "capability_description": "Safe Links", "mapping_type": "technique_score", "attack_object_id": "T1204", "attack_object_name": "User Execution", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender for O365 Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps. \n\nSafe Links Detects User Execution attacks due to Safe Links immediately checking the URL's before opening the websites. 
If the URL points to a website that has been determined to be malicious, a malicious website warning page opens.\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide#safe-links-settings-for-email-messages"]}, {"capability_id": "DEF-SLNK-E3", "capability_description": "Safe Links", "mapping_type": "technique_score", "attack_object_id": "T1204.001", "attack_object_name": "Malicious Link", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1204", "comments": "Microsoft Defender for O365 Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps. \n\nSafe Links detects Malicious Link attacks because it checks URLs immediately before the websites are opened. 
If the URL points to a website that has been determined to be malicious, a malicious website warning page opens.\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide#safe-links-settings-for-email-messages"]}, {"capability_id": "DEF-SLNK-E3", "capability_description": "Safe Links", "mapping_type": "technique_score", "attack_object_id": "T1204.003", "attack_object_name": "Malicious Image", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1204", "comments": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real time to detect emerging threats. If a suspicious file is identified, the file can be quarantined or access to it blocked to prevent potential harm. \n\nLicense requirements:\nMicrosoft 365 E5, Defender for Office Plan 1, Microsoft 365 E3 with ATP add-on", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments-for-spo-odfb-teams-configure?view=o365-worldwide"]}, {"capability_id": "DEF-SLNK-E3", "capability_description": "Safe Links", "mapping_type": "technique_score", "attack_object_id": "T1534", "attack_object_name": "Internal Spearphishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender for O365 Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. 
Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps. \n\nSafe Links detects Internal Spearphishing attacks because it checks URLs immediately before the websites are opened. You can add entries to the existing policies or configure different lists in different Safe Links policies to determine whether certain websites are necessary for business operations. If the URL points to a website that has been identified as a phishing attack, a phishing attempt warning page will open. \n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide#safe-links-settings-for-email-messages"]}, {"capability_id": "DEF-SLNK-E3", "capability_description": "Safe Links", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "Microsoft Defender for O365 Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps. \n\nSafe Links detects Phishing attacks because it checks URLs immediately before the websites are opened. If the URL points to a website that has been identified as a phishing attack, a phishing attempt warning page will open. 
\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide#safe-links-settings-for-email-messages"]}, {"capability_id": "DEF-SLNK-E3", "capability_description": "Safe Links", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1566", "comments": "Microsoft Defender for O365 Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps. \n\nSafe Links detects Spearphishing Link attacks because it checks URLs immediately before the websites are opened. You can add entries to the existing policies or configure different lists in different Safe Links policies to determine whether certain websites are necessary for business operations. If the URL points to a website that has been identified as a phishing attack, a phishing attempt warning page will open. 
\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-about?view=o365-worldwide#safe-links-settings-for-email-messages"]}, {"capability_id": "DEF-AAPH-E5", "capability_description": "Advanced Anti-Phishing ", "mapping_type": "technique_score", "attack_object_id": "T1534", "attack_object_name": "Internal Spearphishing", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "comments": "The Advanced Anti-phishing control includes features that can be used to Respond to unusual communication patterns that may indicate Internal Spearphishing. AAP for Defender for O365 supports impersonation protection, which provides multiple options in reaction to a detected impersonation attempt. For example, the ability to redirect the email to specified recipients, add new recipients as Bcc, send it to the Junk Email folder, place the message in quarantine, or even automatically delete it. 
This scores Partial in the Respond category for its ability to potentially contain the impact of or alert others to the need to remediate internal spearphishing attempts.\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365"]}, {"capability_id": "DEF-AAPH-E5", "capability_description": "Advanced Anti-Phishing ", "mapping_type": "technique_score", "attack_object_id": "T1534", "attack_object_name": "Internal Spearphishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "The Advanced Anti-phishing control includes features that can be used to detect and warn users against unusual communication patterns that may indicate Internal Spearphishing. The first contact safety tip, which is shown the first time a user gets a message from a sender, or if they often don\u2019t get messages from that sender, may alert users to suspicious communications from legitimate but unexpected users in their organization. This scores Partial in the Detect category for its near real-time processing and indication of unexpected email communications. Detection of suspicious communication will not be equally accurate for all accounts, depending on the accounts in question. 
\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#first-contact-safety-tip", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#impersonation-settings-in-anti-phishing-policies-in-microsoft-defender-for-office-365"]}, {"capability_id": "DEF-AAPH-E5", "capability_description": "Advanced Anti-Phishing ", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "respond", "score_value": "partial", "comments": "The Advanced Anti-phishing control includes respond mechanisms that can be used to quarantine and limit user interaction with phishing messages, including those that contain Spearphishing Attachments and Links, that employ email as the means of communication. This covers responses to some, but not all of this technique\u2019s sub-techniques, resulting in an overall score of Partial for the Respond category. 
\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#spoof-protection-and-sender-dmarc-policies", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide"]}, {"capability_id": "DEF-AAPH-E5", "capability_description": "Advanced Anti-Phishing ", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "comments": "The Advanced Anti-phishing control includes features that may detect phishing messages, including those that contain Spearphishing Attachments and Links, that employ email as the means of communication. In particular, AAP may identify and isolate spoofing attempts and warn of unusual communication patterns for the sender\u2019s email. This covers detection of some, but not all of this technique\u2019s sub-techniques, resulting in an overall score of Partial for the Detect category. 
\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#spoof-settings", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide"]}, {"capability_id": "DEF-AAPH-E5", "capability_description": "Advanced Anti-Phishing ", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "comments": "The Advanced Anti-phishing control includes configurable policies that protect against methods of phishing, including those that contain Spearphishing Attachments and Links, that employ email as the means of communication. This covers protection against some, but not all of this technique\u2019s sub-techniques, resulting in an overall score of Partial for the Protect category. 
\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#first-contact-safety-tip", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#unauthenticated-sender-indicators", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide"]}, {"capability_id": "DEF-AAPH-E5", "capability_description": "Advanced Anti-Phishing ", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "respond", "score_value": "partial", "related_score": "T1566", "comments": "The Advanced Anti-phishing control includes several mechanisms that can be used to respond to malicious emails targeting users with Spearphishing Attachments. Responses include the ability to automatically move suspicious messages to the Junk Email folder, but additional settings also exist that allow a message to be quarantined or rejected. Spoof settings also allow for different quarantine policies, which define how users can interact with these messages. This scores Partial for the Respond category for its ability to contain, possibly quarantine, and limit user interaction with flagged emails. 
Note the response will be insufficient in the event a user interacts with and executes the malicious Spearphishing attachment.\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#spoof-protection-and-sender-dmarc-policies", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide"]}, {"capability_id": "DEF-AAPH-E5", "capability_description": "Advanced Anti-Phishing ", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1566", "comments": "The Advanced Anti-phishing control includes several mechanisms that can detect and warn a user against suspicious emails and reduce the likelihood of the user falling victim to malicious emails with Spearphishing Attachments. Detections include implicit email authentication, which includes unauthenticated sender indicators that warn the user of potential email spoofing based on SPF or DMARC checks, and the first contact safety tip, which is shown the first time a user gets a message from a sender, or if they often don\u2019t get messages from that sender. This scores Significant for the Detect category, for its high coverage of incoming emails, near real-time processing of new emails, and fairly accurate detection rates. Note that AAP is focused on detecting malicious emails, not the processing and analysis of attachments. 
\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#spoof-settings", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide"]}, {"capability_id": "DEF-AAPH-E5", "capability_description": "Advanced Anti-Phishing ", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "related_score": "T1566", "comments": "The Advanced Anti-phishing control includes configurable policies that control anti-phishing protection settings that can help protect users by filtering out and even blocking suspicious emails, and reduce the likelihood of the user falling victim to malicious emails with Spearphishing Attachments. These protection policies are configurable across different user groups, and can be tied to Actions designed to help organizations Respond to the suspicious messages. This scores Partial in the Protect category for its ability to minimize, filter, and flag potentially malicious emails end users receive. However, it should be noted that the AAP control on its own may not further protect against a user proceeding to interact with malicious attachments in a flagged email, depending on how an organization configures follow up Actions and how a user may interact with the message. 
\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#first-contact-safety-tip", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#unauthenticated-sender-indicators", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide"]}, {"capability_id": "DEF-AAPH-E5", "capability_description": "Advanced Anti-Phishing ", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "m365-defender", "score_category": "respond", "score_value": "partial", "related_score": "T1566", "comments": "The Advanced Anti-phishing control includes several mechanisms that can be used to respond to malicious emails targeting users with Spearphishing Links. Responses include the ability to automatically move suspicious messages to the Junk Email folder, but additional settings also exist that allow a message to be quarantined or rejected. Spoof settings also allow for different quarantine policies, which define how users can interact with these messages. This scores Partial for the Respond category for its ability to contain, possibly quarantine, and limit user interaction with flagged emails. Note the response will be insufficient in the event a user clicks on, interacts with, and falls victim to the result of a malicious link. 
\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/quarantine-about?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#spoof-protection-and-sender-dmarc-policies", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide"]}, {"capability_id": "DEF-AAPH-E5", "capability_description": "Advanced Anti-Phishing ", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "related_score": "T1566", "comments": "The Advanced Anti-phishing control includes several mechanisms that can detect and warn a user against suspicious emails and reduce the likelihood of the user falling victim to malicious emails with Spearphishing Links. Detections include implicit email authentication, which includes unauthenticated sender indicators that warn the user of potential email spoofing based on SPF or DMARC checks, and the first contact safety tip, which is shown the first time a user gets a message from a sender, or if they often don\u2019t get messages from that sender. This scores Significant for the Detect category, for its high coverage of incoming emails, near real-time processing of new emails, and fairly accurate detection rates. Note that AAP is focused on detecting suspicious emails, not the processing and detection of potentially malicious email links. 
\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#spoof-settings", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide"]}, {"capability_id": "DEF-AAPH-E5", "capability_description": "Advanced Anti-Phishing ", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "m365-defender", "score_category": "protect", "score_value": "partial", "related_score": "T1566", "comments": "The Advanced Anti-phishing control includes configurable policies that control anti-phishing protection settings that can help protect users by filtering out and even blocking suspicious emails, and reduce the likelihood of the user falling victim to malicious emails with Spearphishing Links. These protection policies are configurable across different user groups, and can be tied to Actions designed to help organizations Respond to the suspicious messages. This scores Partial in the Protect category for its ability to minimize, filter, and flag potentially malicious emails end users receive. However, it should be noted that the AAP control on its own may not further protect against a user proceeding to click on a malicious link in a flagged email, depending on how an organization configures follow up Actions and how a user may interact with the message. 
\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#first-contact-safety-tip", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide#unauthenticated-sender-indicators", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-policies-about?view=o365-worldwide"]}, {"capability_id": "DEF-AAPH-E5", "capability_description": "Advanced Anti-Phishing ", "mapping_type": "technique_score", "attack_object_id": "T1656", "attack_object_name": "Impersonation", "capability_group": "m365-defender", "score_category": "respond", "score_value": "minimal", "comments": "The Advanced Anti-phishing control includes several mechanisms that can be used to respond to detected malicious emails that may be part of Impersonation using email communications. Responses include the ability to automatically move suspicious messages to the Junk Email folder, but additional settings also exist that allow a message to be quarantined or rejected. Spoof settings also allow for different quarantine policies, which define how users can interact with these messages. 
This scores Minimal for the Respond category, due to relatively low or no coverage against the scope of the Impersonation technique and its example procedures.\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide", "https://www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec#:~:text=Business%20email%20compromise%20(BEC)%20is%20a%20type%20of%20cybercrime%20where,can%20use%20in%20another%20scam."]}, {"capability_id": "DEF-AAPH-E5", "capability_description": "Advanced Anti-Phishing ", "mapping_type": "technique_score", "attack_object_id": "T1656", "attack_object_name": "Impersonation", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "The Advanced Anti-phishing control includes several mechanisms that can detect and warn a user against suspicious emails and reduce the likelihood of the user falling victim to suspicious email communications resulting from Impersonation. Detections include implicit email authentication, which includes unauthenticated sender indicators that warn the user of potential email spoofing based on SPF or DMARC checks, and the first contact safety tip, which is shown the first time a user gets a message from a sender, or if they often don\u2019t get messages from that sender. This scores Minimal for the Detect category, due to relatively low or no coverage against the scope of the Impersonation technique and its example procedures. However, against specific email-based implementations, coverage will be near real-time and high for the criteria covered. 
\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide", "https://www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec#:~:text=Business%20email%20compromise%20(BEC)%20is%20a%20type%20of%20cybercrime%20where,can%20use%20in%20another%20scam."]}, {"capability_id": "DEF-AAPH-E5", "capability_description": "Advanced Anti-Phishing ", "mapping_type": "technique_score", "attack_object_id": "T1656", "attack_object_name": "Impersonation", "capability_group": "m365-defender", "score_category": "protect", "score_value": "minimal", "comments": "The Advanced Anti-phishing control includes configurable policies that control anti-phishing protection settings that can help protect in the event of business email compromise and email fraud campaigns, which may help protect against some methods of Impersonation. These protection policies are configurable across different user groups, and can be tied to Actions designed to help organizations Respond to the suspicious messages. This scores Minimal in the Protect category because the ability to flag potentially malicious emails provides relatively low or no coverage against the scope of the Impersonation technique and its example procedures. 
\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-about?view=o365-worldwide", "https://www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec#:~:text=Business%20email%20compromise%20(BEC)%20is%20a%20type%20of%20cybercrime%20where,can%20use%20in%20another%20scam."]}, {"capability_id": "EOP-ASP-E3", "capability_description": "AntiSpam", "mapping_type": "technique_score", "attack_object_id": "T1534", "attack_object_name": "Internal Spearphishing", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.\n\nTo help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering (also known as content filtering) technologies to identify and separate junk email from legitimate email. 
EOP spam filtering learns from known spam and phishing threats and user feedback from our consumer platform.\n\nLicense requirements: M365 E3", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-protection-about?view=o365-worldwide"]}, {"capability_id": "EOP-ASP-E3", "capability_description": "AntiSpam", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.\n\nTo help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering (also known as content filtering) technologies to identify and separate junk email from legitimate email. 
EOP spam filtering learns from known spam and phishing threats and user feedback from our consumer platform.\n\nLicense requirements: M365 E3", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-protection-about?view=o365-worldwide"]}, {"capability_id": "EOP-ASP-E3", "capability_description": "AntiSpam", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "related_score": "T1566", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.\n\nTo help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering (also known as content filtering) technologies to identify and separate junk email from legitimate email. 
EOP spam filtering learns from known spam and phishing threats and user feedback from our consumer platform.\n\nLicense requirements: M365 E3", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-protection-about?view=o365-worldwide"]}, {"capability_id": "EOP-ASP-E3", "capability_description": "AntiSpam", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "related_score": "T1566", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.\n\nTo help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering (also known as content filtering) technologies to identify and separate junk email from legitimate email. 
EOP spam filtering learns from known spam and phishing threats and user feedback from our consumer platform.\n\nLicense requirements: M365 E3", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-protection-about?view=o365-worldwide"]}, {"capability_id": "EOP-ASP-E3", "capability_description": "AntiSpam", "mapping_type": "technique_score", "attack_object_id": "T1656", "attack_object_name": "Impersonation", "capability_group": "eop", "score_category": "protect", "score_value": "significant", "comments": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.\n\nTo help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering (also known as content filtering) technologies to identify and separate junk email from legitimate email. 
EOP spam filtering learns from known spam and phishing threats and user feedback from our consumer platform.\n\nLicense requirements: M365 E3", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-policies-configure?view=o365-worldwide", "https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-protection-about?view=o365-worldwide"]}, {"capability_id": "DEF-ASP-E3", "capability_description": "Anti-Spoofing", "mapping_type": "technique_score", "attack_object_id": "T1534", "attack_object_name": "Internal Spearphishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "significant", "comments": "The anti-spoofing technology in Microsoft O365 specifically examines forgery of the From header in the message body, because that header value is the message sender that's shown in email clients. When EOP has high confidence that the From header is forged, the message is identified as spoofed. 
The following anti-spoofing technologies are available in Microsoft O365: email authentication, spoof intelligence insight, allow or block spoofed senders in the tenant allow/block List, anti-phishing policies, and spoof detections report\n\nMicrosoft O365's anti-spoofing technology detects Internal Spearphishing attacks due to spoof detections report, where users can view information about phishing attempts \n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-spoofing-about?view=o365-worldwide"]}, {"capability_id": "DEF-ASP-E3", "capability_description": "Anti-Spoofing", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "protect", "score_value": "significant", "comments": "The anti-spoofing technology in Microsoft O365 specifically examines forgery of the From header in the message body, because that header value is the message sender that's shown in email clients. When EOP has high confidence that the From header is forged, the message is identified as spoofed. 
The following anti-spoofing technologies are available in Microsoft O365: email authentication, spoof intelligence insight, allow or block spoofed senders in the tenant allow/block List, anti-phishing policies, and spoof detections report.\n\nMicrosoft O365's anti-spoofing technology protects from Phishing attacks due to its mechanisms, which provide email authentication by DKIM, and anti-phishing policies.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-spoofing-about?view=o365-worldwide"]}, {"capability_id": "DEF-ASP-E3", "capability_description": "Anti-Spoofing", "mapping_type": "technique_score", "attack_object_id": "T1566.002", "attack_object_name": "Spearphishing Link", "capability_group": "m365-defender", "score_category": "protect", "score_value": "significant", "related_score": "T1566", "comments": "The anti-spoofing technology in Microsoft O365 specifically examines forgery of the From header in the message body, because that header value is the message sender that's shown in email clients. When EOP has high confidence that the From header is forged, the message is identified as spoofed. 
The following anti-spoofing technologies are available in Microsoft O365: email authentication, spoof intelligence insight, allow or block spoofed senders in the tenant allow/block List, anti-phishing policies, and spoof detections report.\n\nMicrosoft O365's anti-spoofing technology protects from Spearphishing Link attacks due to its mechanisms, which provide email authentication by DKIM, and anti-phishing policies.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-spoofing-about?view=o365-worldwide"]}, {"capability_id": "DEF-ASP-E3", "capability_description": "Anti-Spoofing", "mapping_type": "technique_score", "attack_object_id": "T1656", "attack_object_name": "Impersonation", "capability_group": "m365-defender", "score_category": "protect", "score_value": "significant", "comments": "The anti-spoofing technology in Microsoft O365 specifically examines forgery of the From header in the message body, because that header value is the message sender that's shown in email clients. When EOP has high confidence that the From header is forged, the message is identified as spoofed. 
The following anti-spoofing technologies are available in Microsoft O365: email authentication, spoof intelligence insight, allow or block spoofed senders in the tenant allow/block List, anti-phishing policies, and spoof detections report\n\nMicrosoft O365's anti-spoofing technology protects from Impersonation attacks due to impersonation protection provided with anti-phishing policies.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-phishing-protection-spoofing-about?view=o365-worldwide"]}, {"capability_id": "PUR-INPR-E5", "capability_description": "Information Protection", "mapping_type": "technique_score", "attack_object_id": "T1564.012", "attack_object_name": "File/Path Exclusions", "capability_group": "purview", "score_category": "protect", "score_value": "partial", "related_score": "T1564", "comments": "Purview's Information Protection capabilities allow for several restrictions to be placed on files. External users or users with insufficient privileges can have read-only mode enforced, ensuring that nothing gets written to excluded locations in the file system.", "references": []}, {"capability_id": "PUR-INPR-E5", "capability_description": "Information Protection", "mapping_type": "technique_score", "attack_object_id": "T1020", "attack_object_name": "Automated Exfiltration", "capability_group": "purview", "score_category": "protect", "score_value": "significant", "comments": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. 
\n\nInformation Protection Protects from Automated Exfiltration attacks due to Information Protection preventing company data from being exfiltrated by external users, by blocking file downloads in real time, using the Defender for Cloud Apps session controls.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection"]}, {"capability_id": "PUR-INPR-E5", "capability_description": "Information Protection", "mapping_type": "technique_score", "attack_object_id": "T1048", "attack_object_name": "Exfiltration Over Alternative Protocol", "capability_group": "purview", "score_category": "protect", "score_value": "significant", "comments": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Protects from Exfiltration Over Alternative Protocol attacks due to it preventing users from uploading unprotected data to the cloud, by using the Defender for Cloud Apps session controls.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection"]}, {"capability_id": "PUR-INPR-E5", "capability_description": "Information Protection", "mapping_type": "technique_score", "attack_object_id": "T1070", "attack_object_name": "Indicator Removal", "capability_group": "purview", "score_category": "protect", "score_value": "significant", "comments": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. 
\n\nInformation Protection Protects from Indicator Removal attacks due to it encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app and applying sensitivity labels to limit access only to employees in your company.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection"]}, {"capability_id": "PUR-INPR-E5", "capability_description": "Information Protection", "mapping_type": "technique_score", "attack_object_id": "T1070.001", "attack_object_name": "Clear Windows Event Logs", "capability_group": "purview", "score_category": "protect", "score_value": "significant", "related_score": "T1070", "comments": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Protects from Indicator Removal attacks due to it encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app and applying sensitivity labels to limit access only to employees in your company.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection"]}, {"capability_id": "PUR-INPR-E5", "capability_description": "Information Protection", "mapping_type": "technique_score", "attack_object_id": "T1070.002", "attack_object_name": "Clear Linux or Mac System Logs", "capability_group": "purview", "score_category": "protect", "score_value": "significant", "related_score": "T1070", "comments": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. 
Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Protects from Indicator Removal attacks due to it encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app and applying sensitivity labels to limit access only to employees in your company.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection"]}, {"capability_id": "PUR-INPR-E5", "capability_description": "Information Protection", "mapping_type": "technique_score", "attack_object_id": "T1087", "attack_object_name": "Account Discovery", "capability_group": "purview", "score_category": "detect", "score_value": "significant", "comments": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. 
\n\nInformation Protection Detects Account Discovery attacks due to Information Protection Detecting when certain files that belong to a specific user group are being accessed excessively by a user who is not part of the group, which could be a potential insider threat.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection"]}, {"capability_id": "PUR-INPR-E5", "capability_description": "Information Protection", "mapping_type": "technique_score", "attack_object_id": "T1087.004", "attack_object_name": "Cloud Account", "capability_group": "purview", "score_category": "detect", "score_value": "significant", "related_score": "T1087", "comments": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Detects Cloud Account attacks due to Information Protection Detecting when certain files that belong to a specific user group are being accessed excessively by a user who is not part of the group, which could be a potential insider threat.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection"]}, {"capability_id": "PUR-INPR-E5", "capability_description": "Information Protection", "mapping_type": "technique_score", "attack_object_id": "T1119", "attack_object_name": "Automated Collection", "capability_group": "purview", "score_category": "protect", "score_value": "significant", "comments": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. 
Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Protects from Automated Collection attacks due to it encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app and applying sensitivity labels to limit access only to employees in your company.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection"]}, {"capability_id": "PUR-INPR-E5", "capability_description": "Information Protection", "mapping_type": "technique_score", "attack_object_id": "T1530", "attack_object_name": "Data from Cloud Storage", "capability_group": "purview", "score_category": "detect", "score_value": "significant", "comments": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. 
\n\nInformation Protection Protects from Data from Cloud Storage attacks due to it encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app and applying sensitivity labels to limit access only to employees in your company.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection"]}, {"capability_id": "PUR-INPR-E5", "capability_description": "Information Protection", "mapping_type": "technique_score", "attack_object_id": "T1546", "attack_object_name": "Event Triggered Execution", "capability_group": "purview", "score_category": "detect", "score_value": "significant", "comments": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Detects Event Triggered Execution attacks due to Information Protection Detecting when certain files that belong to a specific user group are being accessed excessively by a user who is not part of the group, which could be a potential insider threat.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection"]}, {"capability_id": "PUR-INPR-E5", "capability_description": "Information Protection", "mapping_type": "technique_score", "attack_object_id": "T1552", "attack_object_name": "Unsecured Credentials", "capability_group": "purview", "score_category": "detect", "score_value": "significant", "comments": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. 
Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Detects Unsecured Credential attacks due to it detecting and encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app and applying sensitivity labels to limit access only to employees in your company.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection"]}, {"capability_id": "PUR-INPR-E5", "capability_description": "Information Protection", "mapping_type": "technique_score", "attack_object_id": "T1552.008", "attack_object_name": "Chat Messages", "capability_group": "purview", "score_category": "detect", "score_value": "significant", "related_score": "T1552", "comments": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. 
\n\nInformation Protection Detects Chat message attacks due to it encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app and applying sensitivity labels to limit access only to employees in your company.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection"]}, {"capability_id": "PUR-INPR-E5", "capability_description": "Information Protection", "mapping_type": "technique_score", "attack_object_id": "T1567", "attack_object_name": "Exfiltration Over Web Service", "capability_group": "purview", "score_category": "protect", "score_value": "significant", "comments": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Protects from Exfiltration Over Web Service attacks due to it preventing users from uploading unprotected data to the cloud, by using the Defender for Cloud Apps session controls.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection"]}, {"capability_id": "PUR-INPR-E5", "capability_description": "Information Protection", "mapping_type": "technique_score", "attack_object_id": "T1567.004", "attack_object_name": "Exfiltration Over Webhook", "capability_group": "purview", "score_category": "protect", "score_value": "significant", "related_score": "T1567", "comments": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. 
Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Protects from Exfiltration Over Webhook attacks due to it preventing users from uploading unprotected data to the cloud, by using the Defender for Cloud Apps session controls.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2", "references": ["https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection"]}, {"capability_id": "DEF-THTR-E5", "capability_description": "Threat Tracker", "mapping_type": "technique_score", "attack_object_id": "T1566", "attack_object_name": "Phishing", "capability_group": "m365-defender", "score_category": "detect", "score_value": "minimal", "comments": "The Threat Tracker control includes noteworthy trackers, which highlights newly detected malicious files found with Safe Attachments, that may alert on Phishing emails, if they contain malicious attachments. Specifically, noteworthy trackers will highlight malicious files that were not previously found by Microsoft in your email flow or in other customers\u2019 emails. This scores Minimal for Detection, based on the low coverage of this technique\u2019s sub-techniques and procedures. 
\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-trackers?view=o365-worldwide#trackers-and-microsoft-defender-for-office-365"]}, {"capability_id": "DEF-THTR-E5", "capability_description": "Threat Tracker", "mapping_type": "technique_score", "attack_object_id": "T1566.001", "attack_object_name": "Spearphishing Attachment", "capability_group": "m365-defender", "score_category": "detect", "score_value": "partial", "related_score": "T1566", "comments": "The Threat Tracker control includes noteworthy trackers, which highlight newly detected malicious files found with Safe Attachments, and may alert on malicious Spearphishing Attachments. Specifically, noteworthy trackers will highlight malicious files that were not previously found by Microsoft in your email flow or in other customers\u2019 emails. This scores Partial for Detection for the ability to highlight potential new threats, although it is the Safe Attachments control that detonates and analyzes email attachments to begin with. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)", "references": ["https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/threat-trackers?view=o365-worldwide#trackers-and-microsoft-defender-for-office-365"]}]}