{"name": "m365 overview", "versions": {"navigator": "4.8.0", "layer": "4.4", "attack": "16.1"}, "sorting": 3, "description": "m365 heatmap overview of m365 mappings, scores are the number of associated entries", "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.009", "score": 8, "comment": " Related to: \n \u2022EOP-AMW-E3\n\u2022PUR-PAM-E5\n\u2022DEF-ZHAP-E3\n\u2022EID-RBAC-E3\n\u2022EID-CA-E3\n\u2022DEF-IR-E5\n\u2022PUR-AUS-E5\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Multiple conditions along can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, block access by location, block access to unsupported devices, failed login attempts, account lockout policies, etc.. These features may require Microsoft Entra ID P2."}, {"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Cloud API attacks due to Audit Solutions providing the visibility to review command history and history of executed API commands in cloud audit logs to determine if unauthorized or suspicious commands were executed.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EOP-AMW-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. "}, {"divider": true}, {"name": "control", "value": "DEF-ZHAP-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security."}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Cloud API attacks due to Incident Response monitoring for api activity security alerts which reviews cloud audit logs to determine if unauthorized or suspicious commands were executed.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "PUR-PAM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). \n\nLicense requirements: M365 E5 customers."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Using Role-Based Access Control to create a zero-trust environment can ensure that only accounts explicitly granted access to API tools can use them. This prevents unauthorized use and potential exploitation/misuse."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege to limit API functionality administrative accounts can take. This scores Partial for its ability to minimize the actions these accounts can perform. \n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}]}, {"techniqueID": "T1078", "score": 19, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022EID-IDPR-E5\n\u2022EID-IDSS-E3\n\u2022EID-PWP-E3\n\u2022PUR-PAM-E5\n\u2022EID-PWPR-E3\n\u2022DEF-CAPP-E5\n\u2022DEF-ATH-E5\n\u2022DEF-LM-E5\n\u2022EID-CAE-E3\n\u2022EID-CA-E3\n\u2022DEF-IR-E5\n\u2022PUR-AUS-E5\n\u2022DEF-SSCO-E3\n\u2022DEF-AIR-E5\n\u2022EID-RBAC-E3\n\u2022EID-PIM-E5\n\u2022EID-MFA-E3\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Multiple conditions along can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, block access by location, block access to unsupported devices, failed login attempts, account lockout policies, etc.. These features may require Microsoft Entra ID P2."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control only provides minimal protection for this technique's procedure examples along and also only protects one of its sub-techniques resulting in an overall Minimal score."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control only provides minimal protection for this technique's procedure examples along and also only protects one of its sub-techniques resulting in an overall Minimal score."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control only protects cloud accounts and therefore its overall coverage is minimal resulting in a Minimal respond score for this technique."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control only protects cloud accounts and therefore its overall coverage is minimal resulting in a Minimal respond score for this technique."}, {"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}, {"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Valid Account attacks due to Audit Solutions providing the visibility to allow admins to regularly audit user accounts for activity and deactivate or remove any that are no longer needed.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. \nRelevant alerts include \"Activity from anonymous IP address\" , \"Activity from infrequent country\", \"Activity from suspicious IP address\", \"Impossible Travel\", and \"Activity performed by terminated user\"."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control provides partial detection for some of this technique's sub-techniques and procedure examples resulting in an overall Partial detection score."}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides recommendations that can lead to protecting against the malicious usage of valid cloud accounts but does not provide recommendations for the remaining sub-techniques Additionally, it provides limited protection for this technique's procedure examples. Consequently, its overall protection coverage score is minimal."}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides recommendations that can lead to the detection of the malicious usage of valid cloud accounts but does not provide recommendations for the remaining sub-techniques Additionally, it provides limited detection for this technique's procedure examples. Consequently, its overall detection coverage score is minimal."}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to valid account attacks due to Incident Response monitoring for newly constructed logon behavior that may obtain and abuse credentials of existing accounts.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "PUR-PAM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). \n\nLicense requirements: M365 E5 customers."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege for account management, reducing the potential actions that can be taken with Valid Default and Cloud Accounts. Although RBAC can limit the actions the adversary can take if a Valid Account has been compromised, it does not protect against different variations of the technique's procedure. Due to overall Minimal coverage, it receives an overall score of Minimal. \n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Valid Account attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps which monitors for newly constructed logon behavior.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-LM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts."}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Valid Account attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control only protects cloud accounts and therefore its overall protection coverage is Minimal."}, {"divider": true}, {"name": "control", "value": "EID-PWP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Accounts should have complex and unique passwords across all systems on the network. Passwords and access keys should be rotated regularly. \n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "EID-PWPR-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Accounts should have complex and unique passwords across all systems on the network. When a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Microsoft Entra customers.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control only provides protection for one of this technique's sub-techniques while not providing any protection for the remaining and therefore its coverage score is Minimal, resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The PIM control supports an Access Review feature, which can partially be used to avoid stale role assignment for Valid Accounts: Cloud Accounts. The control does not protect against this technique's other sub-techniques, resulting in a Minimal coverage score, for an overall score of Minimal. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance"}]}, {"techniqueID": "T1110", "score": 16, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022EID-IDPR-E5\n\u2022DEF-LM-E5\n\u2022EID-IDSS-E3\n\u2022EID-PWP-E3\n\u2022EID-PWPR-E3\n\u2022EID-CAE-E3\n\u2022EID-CA-E3\n\u2022DEF-IR-E5\n\u2022DEF-ATH-E5\n\u2022EID-MFA-E3\n\u2022DEF-SSCO-E3\n\u2022EID-PWLA-E3\n\u2022DEF-ID-E5\n\u2022DEF-CAPP-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Multiple conditions along can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, block access by location, block access to unsupported devices, failed login attempts, account lockout policies, etc.. These features may require Microsoft Entra ID P2."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Conditional Access can be used to enforce MFA for users which provides significant protection against  password compromises, requiring an adversary to complete an additional authentication method before their access is permitted."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Conditional Access can be used to enforce MFA for users which provides significant protection against  password compromises, requiring an adversary to complete an additional authentication method before their access is permitted."}, {"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}, {"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control provides significant detection of some of the sub-techniques of this technique and has therefore been assessed an overall score of Partial."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can detect some activity indicative of brute force attempts to login. Relevant alert is \"Multiple failed login attempts\"."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft recommended the use of Passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know.(e.g., Biometric, FIDO2 security keys, Microsoft\u2019s Authenticator app). \n\nWhen combined with Conditional Access policies, Passwordless Authentication can significantly protect against the likelihood of adversary activity from credential attacks (e.g., brute force, token theft, etc.). \n\nLicense Requirements: \nAll Microsoft Entra ID licenses"}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control provides significant protection against this brute force technique by completing obviating the need for passwords by replacing it with passwordless credentials."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides Minimal detection for one of this technique's sub-techniques while not providing any detection for the remaining, resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Provides significant response capabilities for one of this technique's sub-techniques (Password Spray).  Due to this capability being specific to one of its sub-techniques and not its remaining sub-techniques, the coverage score is Minimal resulting in an overall Minimal score."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. \n\nRisk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The MFA recommendation provides significant protection against password compromises, but because this is a recommendation and doesn't actually enforce MFA, the assessed score is capped at Partial. "}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Brute Force attacks due to its password spray Incident Response playbook which monitors for many failed authentication attempts across various accounts that may result from password spraying attempts.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Brute Force attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps which monitors authentication logs for system and application login failures of Valid Accounts.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-LM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts."}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Brute Force attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "MFA provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted."}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "MFA provides significant protection against password compromises, requiring the adversary to complete an additional authentication method before their access is permitted."}, {"divider": true}, {"name": "control", "value": "EID-PWP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control provides partial protection for most of this technique's sub-techniques and therefore has been scored as Partial."}, {"divider": true}, {"name": "control", "value": "EID-PWP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. \n\nBy default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "EID-PWPR-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "With Microsoft Entra Password Protection, default global banned password lists are automatically applied to all users in a Microsoft Entra tenant. To support your own business and security needs, you can define entries in a custom banned password list.\nWhen a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Microsoft Entra customers.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "EID-PWPR-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "With Microsoft Entra Password Protection, default global banned password lists are automatically applied to all users in a Microsoft Entra tenant. To support your own business and security needs, you can define entries in a custom banned password list.\nWhen a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Microsoft Entra customers.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}]}, {"techniqueID": "T1110.001", "score": 15, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022EID-IDPR-E5\n\u2022DEF-LM-E5\n\u2022EID-IDSS-E3\n\u2022EID-PWP-E3\n\u2022EID-PWPR-E3\n\u2022EID-CA-E3\n\u2022DEF-IR-E5\n\u2022DEF-ATH-E5\n\u2022EID-MFA-E3\n\u2022DEF-SSCO-E3\n\u2022EID-PWLA-E3\n\u2022DEF-ID-E5\n\u2022DEF-CAPP-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Multiple conditions along can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, block access by location, block access to unsupported devices, failed login attempts, account lockout policies, etc.. These features may require Microsoft Entra ID P2."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before  their access is permitted."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before  their access is permitted."}, {"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control's \"Suspected Brute Force attack (Kerberos, NTLM) (external ID 2023)\" alert can detect these brute force sub-techniques.  It incorporates a machine learning feature that should reduce the number of false positives.\nSimilarly, its \"Suspected Brute Force attack (LDAP) (external ID 2004)\" alert can detect brute force attacks using LDAP simple binds.\nThe \"Suspected Brute Force attack (SMB) (external ID 2033)\" alert is also relevant but the details are sparse."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can detect some activity indicative of brute force attempts to login. Relevant alert is \"Multiple failed login attempts\"."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft recommended the use of Passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know.(e.g., Biometric, FIDO2 security keys, Microsoft\u2019s Authenticator app). \n\nWhen combined with Conditional Access policies, Passwordless Authentication can significantly protect against the likelihood of adversary activity from credential attacks (e.g., brute force, token theft, etc.). \n\nLicense Requirements: \nAll Microsoft Entra ID licenses"}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control provides significant protection against password based attacks by completing obviating the need for passwords by replacing it with passwordless credentials."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. \n\nRisk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Require MFA for administrative roles\" and \"Ensure all users can complete multi-factor authentication for secure access\" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted.\nThis control's \"Do not expire passwords\" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords.  \nThis control's \"Enable policy to block legacy authentication\" and \"Stop legacy protocols communication\" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication.\nThis control's \"Resolve unsecure account attributes\" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking.\nBecause these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial. "}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Password Guessing attacks due to its password spray Incident Response playbook which monitors for many failed authentication attempts across various accounts that may result from password guessing attempts.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Password Guessing attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps which monitors authentication logs for system and application login failures of Valid Accounts.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-LM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts."}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Password Guessing attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted."}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before access is permitted."}, {"divider": true}, {"name": "control", "value": "EID-PWP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The password restrictions provided by the default Password policy along with the lockout threshold and duration settings is an effective protection against this Password Guessing sub-technique."}, {"divider": true}, {"name": "control", "value": "EID-PWP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock out the user in real time for increasing durations of time.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "EID-PWPR-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Entra Password Protection efficiently blocks known weak passwords likely to be used in password guessing attacks. \n\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}]}, {"techniqueID": "T1110.002", "score": 12, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022EID-IDPR-E5\n\u2022DEF-LM-E5\n\u2022EID-IDSS-E3\n\u2022EID-PWP-E3\n\u2022EID-PWPR-E3\n\u2022EID-CA-E3\n\u2022DEF-IR-E5\n\u2022EID-MFA-E3\n\u2022EID-PWLA-E3\n\u2022DEF-SSCO-E3\n\u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Multiple conditions along can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, block access by location, block access to unsupported devices, failed login attempts, account lockout policies, etc.. These features may require Microsoft Entra ID P2."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before  their access is permitted."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before  their access is permitted."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft recommended the use of Passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know.(e.g., Biometric, FIDO2 security keys, Microsoft\u2019s Authenticator app). \n\nWhen combined with Conditional Access policies, Passwordless Authentication can significantly protect against the likelihood of adversary activity from credential attacks (e.g., brute force, token theft, etc.). \n\nLicense Requirements: \nAll Microsoft Entra ID licenses"}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control provides significant protection against password based attacks by completing obviating the need for passwords by replacing it with passwordless credentials."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. \n\nRisk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Require MFA for administrative roles\" and \"Ensure all users can complete multi-factor authentication for secure access\" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted.\nThis control's \"Do not expire passwords\" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords.  \nThis control's \"Enable policy to block legacy authentication\" and \"Stop legacy protocols communication\" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication.\nThis control's \"Resolve unsecure account attributes\" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking.\nBecause these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial. "}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Password Cracking attacks due to its password spray Incident Response playbook which monitors for many failed authentication attempts across various accounts that may result from password spraying attempts.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Password Cracking attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps which monitors authentication logs for system and application login failures of Valid Accounts.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-LM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts."}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Password Cracking attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "MFA can significantly reduce the impact of a password cracking, requiring the adversary to complete an additional authentication method before access is permitted. Based on studies, your account is less likely to get compromised by 99.9% by enabling MFA against the following techniques, for example: phishing, brute force, credential stuffing, key logging, etc."}, {"divider": true}, {"name": "control", "value": "EID-PWP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The password restrictions provided by the default Password policy can provide partial protection against password cracking but a determined adversary with sufficient resources can still be successful with this attack vector.\nIn regards to Credential Stuffing, the password policy's lockout threshold can be partially effective in mitigating this sub-technique as it may lock the account before the correct credential is attempted.   Although with credential stuffing, the number of passwords attempted for an account is often (much) fewer than with Password Guessing reducing the effectiveness of a lockout threshold.  This led to its score being assessed as Partial rather than Significant (as was assessed for Password Guessing)."}, {"divider": true}, {"name": "control", "value": "EID-PWP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock out the user in real time for increasing durations of time.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "EID-PWPR-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Entra Password Protection efficiently blocks known weak passwords likely to be used in password cracking attacks. \n\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}]}, {"techniqueID": "T1110.003", "score": 15, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022EID-IDPR-E5\n\u2022DEF-LM-E5\n\u2022EID-IDSS-E3\n\u2022EID-PWP-E3\n\u2022EID-PWPR-E3\n\u2022EID-CA-E3\n\u2022DEF-IR-E5\n\u2022DEF-ATH-E5\n\u2022EID-MFA-E3\n\u2022DEF-SSCO-E3\n\u2022EID-PWLA-E3\n\u2022DEF-ID-E5\n\u2022DEF-CAPP-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Multiple conditions along can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, block access by location, block access to unsupported devices, failed login attempts, account lockout policies, etc.. These features may require Microsoft Entra ID P2."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before  their access is permitted."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before  their access is permitted."}, {"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control's \"Suspected Brute Force attack (Kerberos, NTLM) (external ID 2023)\" alert can detect these brute force sub-techniques.  It incorporates a machine learning feature that should reduce the number of false positives.\nSimilarly, its \"Suspected Brute Force attack (LDAP) (external ID 2004)\" alert can detect brute force attacks using LDAP simple binds.\nThe \"Suspected Brute Force attack (SMB) (external ID 2033)\" alert is also relevant but the details are sparse."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can detect some activity indicative of brute force attempts to login. Relevant alert is \"Multiple failed login attempts\"."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft recommended the use of Passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know.(e.g., Biometric, FIDO2 security keys, Microsoft\u2019s Authenticator app). \n\nWhen combined with Conditional Access policies, Passwordless Authentication can significantly protect against the likelihood of adversary activity from credential attacks (e.g., brute force, token theft, etc.). \n\nLicense Requirements: \nAll Microsoft Entra ID licenses"}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control provides significant protection against password based attacks by completing obviating the need for passwords by replacing it with passwordless credentials."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control specifically provides detection of Password Spray attacks for Azure Active Directory accounts.  Microsoft documentation states that this detection is based on a machine learning algorithm that has been improved with the latest improvement yielding a 100 percent increase in recall and  98 percent precision.  The temporal factor for this detection is Partial as its detection is described as offline (i.e. detections may not show up in reporting for two to twenty-four hours)."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Response Type:  Eradication\nSupports blocking and resetting the user's credentials based on the detection of a risky user/sign-in (such as Password Spray attack) manually and also supports automation via its user and sign-in risk policies."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. \n\nRisk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Require MFA for administrative roles\" and \"Ensure all users can complete multi-factor authentication for secure access\" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted.\nThis control's \"Do not expire passwords\" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords.  \nThis control's \"Enable policy to block legacy authentication\" and \"Stop legacy protocols communication\" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication.\nThis control's \"Resolve unsecure account attributes\" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking.\nBecause these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial. "}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Password Spraying attacks due to its password spray Incident Response playbook which monitors for many failed authentication attempts across various accounts that may result from password spraying attempts.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Password Spraying attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps which monitors authentication logs for system and application login failures of Valid Accounts.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-LM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts."}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Password Spraying attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted."}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "MFA can significantly reduce the impact of a password spraying, requiring the adversary to complete an additional authentication method before access is permitted. Based on studies, your account is less likely to get compromised by 99.9% by enabling MFA against the following techniques: phishing, brute force, credential stuffing, key logging, etc."}, {"divider": true}, {"name": "control", "value": "EID-PWP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock out the user in real time for increasing durations of time.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "EID-PWPR-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Entra Password Protection efficiently blocks  known weak passwords likely to be used in password spray attacks. \n\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "EID-PWPR-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Entra Password Protection efficiently blocks known weak passwords likely to be used in password spray attacks. \n\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}]}, {"techniqueID": "T1110.004", "score": 13, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022EID-IDPR-E5\n\u2022DEF-LM-E5\n\u2022EID-IDSS-E3\n\u2022EID-PWP-E3\n\u2022EID-PWPR-E3\n\u2022EID-CA-E3\n\u2022DEF-IR-E5\n\u2022DEF-ATH-E5\n\u2022EID-MFA-E3\n\u2022EID-PWLA-E3\n\u2022DEF-SSCO-E3\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Multiple conditions along can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, block access by location, block access to unsupported devices, failed login attempts, account lockout policies, etc.. These features may require Microsoft Entra ID P2."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before  their access is permitted."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Conditional Access can be used to enforce MFA for users which can significantly reduce the impact of a password compromise, requiring an adversary to complete an additional authentication method before  their access is permitted."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can detect some activity indicative of brute force attempts to login. Relevant alert is \"Multiple failed login attempts\"."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft recommended the use of Passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know.(e.g., Biometric, FIDO2 security keys, Microsoft\u2019s Authenticator app). \n\nWhen combined with Conditional Access policies, Passwordless Authentication can significantly protect against the likelihood of adversary activity from credential attacks (e.g., brute force, token theft, etc.). \n\nLicense Requirements: \nAll Microsoft Entra ID licenses"}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control provides significant protection against password based attacks by completing obviating the need for passwords by replacing it with passwordless credentials."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization. \n\nRisk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Require MFA for administrative roles\" and \"Ensure all users can complete multi-factor authentication for secure access\" recommendations for enabling MFA can significantly lead to reducing the impact of a password compromise of accounts, requiring the adversary to complete an additional authentication method before their access is permitted.\nThis control's \"Do not expire passwords\" recommendation also can lead to mitigating the Password Guessing or Cracking sub-techniques by disabling password reset which tends to lead to users selecting weaker passwords.  \nThis control's \"Enable policy to block legacy authentication\" and \"Stop legacy protocols communication\" recommendations can lead to protecting against these brute force attacks as Microsoft research has shown organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled. Additionally, the same research shows that more than 99 percent of password spray and more than 97 percent of credential stuffing attacks use legacy authentication.\nThis control's \"Resolve unsecure account attributes\" recommendation can lead to detecting accounts with disabled (Kerberos) Preauthentication which can enable offline Password Cracking.\nBecause these are recommendations and do not actually enforce MFA, the assessed score is capped at Partial. "}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Credential Stuffing attacks due to its password spray Incident Response playbook which monitors for many failed authentication attempts across various accounts that may result from credential stuffing attempts.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Credential Stuffing attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps which monitors authentication logs for system and application login failures of Valid Accounts.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-LM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts."}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Credential Stuffing attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "MFA can significantly reduce the impact of a password compromise, requiring the adversary to complete an additional authentication method before their access is permitted."}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "MFA can significantly reduce the impact of a password spraying, requiring the adversary to complete an additional authentication method before access is permitted. Based on studies, your account is less likely to get compromised by 99.9% by enabling MFA against the following techniques: phishing, brute force, credential stuffing, key logging, etc."}, {"divider": true}, {"name": "control", "value": "EID-PWP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The password restrictions provided by the default Password policy can provide partial protection against password cracking but a determined adversary with sufficient resources can still be successful with this attack vector.\nIn regards to Credential Stuffing, the password policy's lockout threshold can be partially effective in mitigating this sub-technique as it may lock the account before the correct credential is attempted.   Although with credential stuffing, the number of passwords attempted for an account is often (much) fewer than with Password Guessing reducing the effectiveness of a lockout threshold.  This led to its score being assessed as Partial rather than Significant (as was assessed for Password Guessing)."}, {"divider": true}, {"name": "control", "value": "EID-PWP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "A password policy is applied to all user accounts that are created and managed directly in Microsoft Entra ID. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock out the user in real time for increasing durations of time.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "EID-PWPR-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "With Microsoft Entra Password Protection, you can define entries in a custom banned password list. When a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Microsoft Entra customers.\n\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "EID-PWPR-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "With Microsoft Entra Password Protection, you can define entries in a custom banned password list. When a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Microsoft Entra customers.\n\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}]}, {"techniqueID": "T1586.003", "score": 6, "comment": " Related to: \n \u2022EID-IDPR-E5\n\u2022EID-PWP-E3\n\u2022PUR-PAM-E5\n\u2022EID-CAE-E3\n\u2022EID-CA-E3\n\u2022EID-PWPR-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Multiple conditions along can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, block access by location, block access to unsupported devices, failed login attempts, account lockout policies, etc.. These features may require Microsoft Entra ID P2."}, {"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}, {"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Cloud accounts should have complex and unique passwords across all systems on the network. Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization.\n\nLicense Requirements: \nMicrosoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "PUR-PAM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). \n\nLicense requirements: M365 E5 customers."}, {"divider": true}, {"name": "control", "value": "EID-PWP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Cloud accounts should have complex and unique passwords across all systems on the network. Passwords and access keys should be rotated regularly. By default, an account is locked out after 10 unsuccessful sign-in attempts with the wrong password. Further incorrect sign-in attempts lock out the user in real time for increasing durations of time.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "EID-PWPR-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Cloud accounts should have complex and unique passwords across all systems on the network. When a password is changed or reset for any user in a Microsoft Entra tenant, the current version of the global banned password list is used to validate the strength of the password. This validation check results in stronger passwords for all Microsoft Entra customers.\n\nLicense Requirements:\nMicrosoft Entra ID Free, Microsoft Entra ID P1, or Microsoft Entra ID P2"}]}, {"techniqueID": "T1621", "score": 6, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022EID-IDPR-E5\n\u2022EID-CA-E3\n\u2022DEF-IR-E5\n\u2022EID-MFA-E3\n\u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Multiple conditions along can be combined to create fine-grained and specific policies that partially enforce access controls to account resources that adversaries may attempt to abuse: conditional access to Cloud APIs, blocking legacy authentication, requiring multi-factor authentication for users, block access by location, block access to unsupported devices, failed login attempts, account lockout policies, etc.. These features may require Microsoft Entra ID P2."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization.\n\nRisk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Multi-Factor Authentication Request Generation attacks due to Incident Response monitoring MFA application logs for suspicious events.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Multi-Factor Authentication Request Generation attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Multi-Factor Authentication Request Generation attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra MFA can be used to implement limits upon the maximum number of MFA request prompts that can be sent to users in period of time and throttles sign-in attempts in certain cases involving repeated authentication requests."}]}, {"techniqueID": "T1074", "score": 1, "comment": " Related to: \n \u2022EID-CA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control only provides the ability to restrict file downloads for a limited set of applications and therefore its overall Coverage score is minimal."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control only provides the ability to restrict file downloads for a limited set of applications and therefore its overall Coverage score is minimal."}]}, {"techniqueID": "T1074.001", "score": 1, "comment": " Related to: \n \u2022EID-CA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint and OneDrive, can restrict what they can do in these applications using its app-enforced restrictions.   For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint/OneDrive with no ability to download, print, or sync files.  This can impede an adversary's ability to collect and stage files.  This offers minimal coverage as it requires the target application to support such a feature that can be triggered by this control and to date only a few (Office) applications support this."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint and OneDrive, can restrict what they can do in these applications using its app-enforced restrictions.   For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint/OneDrive with no ability to download, print, or sync files.  This can impede an adversary's ability to collect and stage files.  This offers minimal coverage as it requires the target application to support such a feature that can be triggered by this control and to date only a few (Office) applications support this."}]}, {"techniqueID": "T1074.002", "score": 1, "comment": " Related to: \n \u2022EID-CA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint and OneDrive, can restrict what they can do in these applications using its app-enforced restrictions.   For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint/OneDrive with no ability to download, print, or sync files.  This can impede an adversary's ability to collect and stage files.  This offers minimal coverage as it requires the target application to support such a feature that can be triggered by this control and to date only a few (Office) applications support this."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint and OneDrive, can restrict what they can do in these applications using its app-enforced restrictions.   For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint/OneDrive with no ability to download, print, or sync files.  This can impede an adversary's ability to collect and stage files.  This offers minimal coverage as it requires the target application to support such a feature that can be triggered by this control and to date only a few (Office) applications support this."}]}, {"techniqueID": "T1078.004", "score": 14, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022EID-IDPR-E5\n\u2022DEF-AIR-E5\n\u2022EID-IDSS-E3\n\u2022DEF-LM-E5\n\u2022EID-RBAC-E3\n\u2022EID-CA-E3\n\u2022DEF-ATH-E5\n\u2022PUR-AUS-E5\n\u2022EID-PIM-E5\n\u2022EID-MFA-E3\n\u2022EID-PWLA-E3\n\u2022DEF-SSCO-E3\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control can protect against the abuse of valid cloud accounts by requiring MFA or blocking access altogether based on signals such as the user's IP location information, device compliance state, risky sign-in/user state (through integration with Azure AD Identity Protection).  Additionally, session controls that can limit what a valid user can do within an app can also be triggered based on the aforementioned triggers."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control can protect against the abuse of valid cloud accounts by requiring MFA or blocking access altogether based on signals such as the user's IP location information, device compliance state, risky sign-in/user state (through integration with Azure AD Identity Protection).  Additionally, session controls that can limit what a valid user can do within an app can also be triggered based on the aforementioned triggers."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Security controls like Azure AD Identity Protection can raise a user's risk level asynchronously after they have used a valid account to access organizational data.  This CAE control can respond to this change in the users risky state to terminate the user's access within minutes or enforce an additional authentication method such as MFA.   This mitigates the impact of an adversary using a valid account.  This is control only forces the user to re-authenticate and doesn't resolve the usage of a valid account (i.e. password change) and is therefore a containment type of response. "}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Security controls like Azure AD Identity Protection can raise a user's risk level asynchronously after they have used a valid account to access organizational data.  This CAE control can respond to this change in the users risky state to terminate the user's access within minutes or enforce an additional authentication method such as MFA.   This mitigates the impact of an adversary using a valid account.  This is control only forces the user to re-authenticate and doesn't resolve the usage of a valid account (i.e. password change) and is therefore a containment type of response. "}, {"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Cloud Account attacks due to Audit Solutions providing the visibility to allow admins to regularly audit user accounts for activity and deactivate or remove any that are no longer needed.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. \nRelevant alerts include \"Activity from anonymous IP address\" , \"Activity from infrequent country\", \"Activity from suspicious IP address\", \"Impossible Travel\", and \"Activity performed by terminated user\"."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft recommended the use of Passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know.(e.g., Biometric, FIDO2 security keys, Microsoft\u2019s Authenticator app). \n\nWhen combined with Conditional Access policies, Passwordless Authentication can significantly protect against the likelihood of adversary activity from credential attacks (e.g., brute force, token theft, etc.). \n\nLicense Requirements: \nAll Microsoft Entra ID licenses"}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control provides risk detections that can be used to detect suspicious uses of valid accounts, e.g.:  Anonymous IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties, etc.  Microsoft utilizes machine learning and heuristic systems to reduce the false positive rate but there will be false positives.\nThe temporal factor of this control's detection is low because although there are some real-time detections most are offline detections (multi-day)."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Response Type:  Eradication\nSupports blocking and resetting the user's credentials based on the detection of a risky user/sign-in manually and also supports automation via its user and sign-in risk policies."}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Require MFA for administrative roles\" and \"Ensure all users can complete multi-factor authentication for secure access\" recommendations of MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.  See the mapping for MFA for more details.  \nThis control's \"Use limited administrative roles\" recommendation recommends reviewing and limiting the number of accounts with global admin privilege, reducing what an adversary can do with a compromised valid account.\nBecause these are recommendations and do not actually enforce the protections, the assessed score is capped at Partial. "}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Turn on sign-in risk policy\" and \"Turn on user risk policy\" recommendations recommend enabling Azure AD Identity Protection which can lead to detecting adversary usage of valid accounts.  See the mapping for Azure AD Identity Protection."}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege for account management, reducing the available actions an adversary can perform with a cloud account. This scores Partial for its ability to minimize the overall accounts with management privileges.  \n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Cloud Account attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-LM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts."}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Cloud Account attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "MFA can provide protection against an adversary that obtains valid credentials by requiring the adversary to complete an additional authentication process before access is permitted.  This is an incomplete protection measure though as the adversary may also have obtained credentials enabling bypassing the additional authentication method. "}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Requiring the use of MFA for all users can significantly reduce the likelihood of adversaries gaining access to the environment's cloud accounts."}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's Access Review feature supports scheduling a routine review of cloud account permission levels to look for those that could allow an adversary to gain wide access.  This information can then be used to validate if such access is required and identify which (privileged) accounts should be monitored closely.  This reduces the availability of valid accounts to adversaries.  This review would normally be scheduled periodically, at most weekly, and therefore its temporal score is Partial."}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The PIM control supports an Access Review feature, which can be created to review privileged access  to avoid stale role assignments. Access Reviews can be scheduled routinely, and used to help evaluate the state of privileged access. Performing this review can help minimize the availability of valid accounts to adversaries. Although this review can be scheduled periodically, it would not occur at real-time frequency, and is therefore assigned Partial. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance"}]}, {"techniqueID": "T1213", "score": 8, "comment": " Related to: \n \u2022PUR-PAM-E5\n\u2022DEF-QUAR-E3\n\u2022EID-RBAC-E3\n\u2022EID-CA-E3\n\u2022DEF-IR-E5\n\u2022PUR-AUS-E5\n\u2022DEF-SSCO-E3\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control only provides the ability to restrict an adversary from collecting valuable information for a limited set of applications (SharePoint, Exchange, OneDrive) and therefore its overall Coverage score is minimal."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control only provides the ability to restrict an adversary from collecting valuable information for a limited set of applications (SharePoint, Exchange, OneDrive) and therefore its overall Coverage score is minimal."}, {"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Data from Information Repository attacks due to Audit Solutions providing the visibility to allow admins to consider periodic review of accounts and privileges for critical and sensitive repositories.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can provide fine-grained access control to information sharing repositories such as Sharepoint or Confluence. Due to this capability being limited to these services, it has been scored as Partial coverage resulting in a Partial score."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence.  Due to this capability being limited to these services, it has been scored as Partial coverage resulting in a Partial score."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-QUAR-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. \n\nLicense requirements: M365 E3 (or Defender for Office plan 1)"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Data from Information Repository attacks due to Incident Response being able to monitor for newly constructed logon behavior within Microsoft SharePoint.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "PUR-PAM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). \n\nLicense requirements: M365 E5 customers."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can generally be used to protect against and limit adversary access to valuable information repositories. Although it does not have full coverage of this technique's sub-techniques, it also helps protect against Procedure examples, resulting in an overall score of Partial. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}]}, {"techniqueID": "T1213.002", "score": 9, "comment": " Related to: \n \u2022DEF-LM-E5\n\u2022PUR-PAM-E5\n\u2022DEF-QUAR-E3\n\u2022EID-RBAC-E3\n\u2022EID-CA-E3\n\u2022DEF-IR-E5\n\u2022PUR-AUS-E5\n\u2022DEF-SSCO-E3\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint can restrict what they can do in these applications using its app-enforced restrictions.   For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint with no ability to download, print, or sync files.  Furthermore, with its integration with Microsoft Cloud App Security, it can even restrict  cut, copy and paste operations.  This can impede an adversary's ability to collect valuable information and/or files from the application.   This protection is partial as it doesn't prohibit an adversary from potentially viewing sensitive information and manually collecting it, for example simply writing down information by hand."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Conditional Access (CA), when granting (risky) users access to Office applications like SharePoint can restrict what they can do in these applications using its app-enforced restrictions.   For example, it can enforce that users on unmanaged devices will have browser-only access to SharePoint with no ability to download, print, or sync files.  Furthermore, with its integration with Microsoft Cloud App Security, it can even restrict  cut, copy and paste operations.  This can impede an adversary's ability to collect valuable information and/or files from the application.   This protection is partial as it doesn't prohibit an adversary from potentially viewing sensitive information and manually collecting it, for example simply writing down information by hand."}, {"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Sharepoint attacks due to Audit Solutions providing the visibility to allow admins to consider periodic review of accounts and privileges for critical and sensitive repositories.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-QUAR-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. \n\nLicense requirements: M365 E3 (or Defender for Office plan 1)"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Sharepoint attacks due to Incident Response being able to monitor for newly constructed logon behavior within Microsoft SharePoint.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "PUR-PAM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). \n\nLicense requirements: M365 E5 customers."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege for access to SharePoint repositories to only those required for an account. This scores Partial for its ability to minimize the attack surface of accounts with access to potentially valuable information.   \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "DEF-LM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts."}]}, {"techniqueID": "T1530", "score": 11, "comment": " Related to: \n \u2022DEF-LM-E5\n\u2022PUR-PAM-E5\n\u2022DEF-QUAR-E3\n\u2022EID-RBAC-E3\n\u2022EID-CA-E3\n\u2022DEF-IR-E5\n\u2022PUR-AUS-E5\n\u2022PUR-INPR-E5\n\u2022EID-MFA-E3\n\u2022DEF-SSCO-E3\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Conditional Access, when granting (risky) users access to cloud storage, specifically OneDrive, can restrict what they can do in these applications using its app-enforced restrictions.   For example, it can enforce that users on unmanaged devices will have browser-only access to OneDrive with no ability to download, print, or sync files.  This can impede an adversary's ability to exfiltrate data from OneDrive.  The protection coverage provided by this control is Minimal as it doesn't provide protection for other storage services available on Azure such as the Azure Storage service."}, {"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Conditional Access, when granting (risky) users access to cloud storage, specifically OneDrive, can restrict what they can do in these applications using its app-enforced restrictions.   For example, it can enforce that users on unmanaged devices will have browser-only access to OneDrive with no ability to download, print, or sync files.  This can impede an adversary's ability to exfiltrate data from OneDrive.  The protection coverage provided by this control is Minimal as it doesn't provide protection for other storage services available on Azure such as the Azure Storage service."}, {"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Data from Cloud Storage attacks due to Audit Solutions providing the visibility to frequently check permissions on cloud storage to ensure proper permissions are set to deny open or unprivileged access to resources.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can detect use of unsanctioned business apps and data exfil to unsanctioned storage apps."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-QUAR-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. \n\nLicense requirements: M365 E3 (or Defender for Office plan 1)"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Data from Cloud Storage attacks due to Incident Response monitoring for security alerts that represent unusual queries to the cloud provider's storage service.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "PUR-PAM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). \n\nLicense requirements: M365 E5 customers."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege for cloud data storage access to only those required. This scores Partial for its ability to minimize the attack surface of accounts with storage solution access.   \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "DEF-LM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts."}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "MFA provides significant protection by enforcing and restricting access to resources (e.g., cloud storage, APIs, etc.)."}, {"divider": true}, {"name": "control", "value": "PUR-INPR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Protects from Data from Cloud Storage attacks due to it encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app and applying sensitivity labels to limit access only to employees in your company.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"}]}, {"techniqueID": "T1496.001", "score": 2, "comment": " Related to: \n \u2022DEF-CAPP-E5\n\u2022EID-CA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "In the event that a session is hijacked, continuous access evaluation can be used to terminate the session, potentially before any malicious actions can occur."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify some behaviors that are potential instances of compute hijacking. Relevant alerts include \"Multiple VM Creation activities\" and \"Suspicious creation activity for cloud region\"."}]}, {"techniqueID": "T1496.004", "score": 2, "comment": " Related to: \n \u2022DEF-CAPP-E5\n\u2022EID-CA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "In the event that a session is hijacked, continuous access evaluation can be used to terminate the session, potentially before any malicious actions can occur."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify some behaviors that are potential instances of resource hijacking. Relevant alerts include \"Multiple VM Creation activities\" and \"Suspicious creation activity for cloud region\"."}]}, {"techniqueID": "T1557.004", "score": 1, "comment": " Related to: \n \u2022EID-CA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Conditional Access policies can restrict devices, potentially stopping them from connecting to an Evil Twin network."}]}, {"techniqueID": "T1098.003", "score": 10, "comment": " Related to: \n \u2022EID-IDPR-E5\n\u2022DEF-LM-E5\n\u2022PUR-PAM-E5\n\u2022EID-CAE-E3\n\u2022EID-RBAC-E3\n\u2022DEF-IR-E5\n\u2022EID-PIM-E5\n\u2022EID-MFA-E3\n\u2022EID-PWLA-E3\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include \"Unusual administrative activity (by user)\" and \"Unusual addition of credentials to an OAuth app\"."}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft recommended the use of Passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know.(e.g., Biometric, FIDO2 security keys, Microsoft\u2019s Authenticator app). \n\nWhen combined with Conditional Access policies, Passwordless Authentication can significantly protect against the likelihood of adversary activity (e.g., additional cloud roles, etc.). \n\nLicense Requirements: \nAll Microsoft Entra ID licenses"}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. Identity Protection requires users be a Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator in order to access the dashboard. \n\nRisk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Additional Cloud Role attacks due to Incident Response monitoring for permission alert policies which collect usage logs from cloud administrator accounts to identify unusual activity.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "PUR-PAM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). \n\nLicense requirements: M365 E5 customers."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege for account management in order to limit the number of accounts with the ability to add additional cloud roles. This receives a score of Partial for its ability to minimize known accounts with the ability to add roles. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "DEF-LM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts."}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Requiring the use of MFA along with conditional access policies may reduce the likelihood of adversaries making credential modifications, administrator changes, account manipulation, changes to permissions, etc."}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control can require MFA to be triggered when the Global Administrator role is assigned to an account or when the role is activated by a user."}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control can notify administrators whenever the Global Administrator role is assigned to an account and can therefore be used to detect the execution of this sub-technique.  Assigning the Global Administrator role to an account is an infrequent operation and as a result, the false positive rate should be minimal."}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The PIM control can notify administrators when the Global Administrator and other administrator roles are assigned to an account, allowing it to be a method of detection for Additional Cloud Roles execution. PIM supports multiple security alerts, with customizable triggers, including numeric specificity. Following Microsoft's role based access control Best Practices, assignment of Global Administrator, among other administrative roles should be uncommon, resulting in an overall low false positive rate for detecting unexpected privileged role assignments. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance"}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The PIM control can enforce on-activation requirements for privileged roles, such as the Global Administrator. Configuration can include an MFA requirement, which can provide additional protection against Additional Cloud Roles. MFA can be required both when assigning these administrative roles, and/or when a user activates the role. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance"}]}, {"techniqueID": "T1098.006", "score": 1, "comment": " Related to: \n \u2022EID-CAE-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}]}, {"techniqueID": "T1114", "score": 6, "comment": " Related to: \n \u2022DEF-AIR-E5\n\u2022EID-CAE-E3\n\u2022EOP-MFR-E3\n\u2022PUR-AUS-E5\n\u2022DEF-SSCO-E3\n\u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}, {"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Email Collection attacks due to in an Exchange environment, Administrators can use Get-InboxRule to discover and remove potentially malicious auto-forwarding rules.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Email Collection attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps which monitors for unusual login activity from unknown or abnormal locations, especially for privileged accounts.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "EOP-MFR-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) organizations without Exchange Online mailboxes can use Exchange Mail Flow Rules (also known as transport rules) to look for specific conditions on messages that pass through your organization and take action on them.  Mail Flow Rules take action on messages while they are in transit, not after the message is delivered to the mailbox. Mail flow rules contain a richer set of conditions, exceptions, and actions, which provides you with the flexibility to implement many types of messaging policies.\n\nMail Flow Rules protects from Email Collection attacks due to the custom rules feature which allows you to define rules to encrypt email messages which provides an added layer of security to sensitive information sent over email.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR"}]}, {"techniqueID": "T1114.002", "score": 5, "comment": " Related to: \n \u2022EOP-MFR-E3\n\u2022EID-CAE-E3\n\u2022PUR-AUS-E5\n\u2022DEF-SSCO-E3\n\u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}, {"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Remote Email Collection attacks due to in O365 environments, admins can consider using PurviewAudit to collect MailItemsAccessed events and monitoring for unusual email access behavior.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Remote Email Collection attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps which monitors for unusual login activity from unknown or abnormal locations, especially for privileged accounts.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "EOP-MFR-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) organizations without Exchange Online mailboxes can use Exchange Mail Flow Rules (also known as transport rules) to look for specific conditions on messages that pass through your organization and take action on them.  Mail Flow Rules take action on messages while they are in transit, not after the message is delivered to the mailbox. Mail flow rules contain a richer set of conditions, exceptions, and actions, which provides you with the flexibility to implement many types of messaging policies.\n\nMail Flow Rules protects from Remote Email Collection attacks due to the custom rules feature which allows you to define rules to encrypt email messages which provides an added layer of security to sensitive information sent over email.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR"}]}, {"techniqueID": "T1134.001", "score": 2, "comment": " Related to: \n \u2022EID-CAE-E3\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}]}, {"techniqueID": "T1531", "score": 5, "comment": " Related to: \n \u2022EID-IDSS-E3\n\u2022EID-CAE-E3\n\u2022DEF-IR-E5\n\u2022EID-PWLA-E3\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can identify anomalous admin activity."}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft recommended the use of Passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know.(e.g., Biometric, FIDO2 security keys, Microsoft\u2019s Authenticator app). \n\nWhen combined with Conditional Access policies, Passwordless Authentication can significantly protect against the likelihood of adversary activity (e.g., account creation, account deletion etc.). \n\nLicense Requirements: \nAll Microsoft Entra ID licenses"}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Designate more than one global admin\" can enable recovery from an adversary locking a global administrator account (deleted, locked, or manipulated (ex: changed credentials)).  Due to this being a recommendation, its score is capped as Partial."}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Account Access Removal attacks due to Incident Response monitoring for password change security alerts which monitors for changes made to user accounts for unexpected modification of properties.\n\nLicense Requirements:\nMicrosoft Defender XDR"}]}, {"techniqueID": "T1539", "score": 3, "comment": " Related to: \n \u2022DEF-SIMT-E5\n\u2022EID-CAE-E3\n\u2022EID-PWLA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft recommended the use of Passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know.(e.g., Biometric, FIDO2 security keys, Microsoft\u2019s Authenticator app). \n\nWhen combined with Conditional Access policies, Passwordless Authentication can significantly protect against the likelihood of adversary activity from credential attacks (e.g., token theft, etc.). \n\nLicense Requirements: \nAll Microsoft Entra ID licenses"}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}]}, {"techniqueID": "T1548.005", "score": 3, "comment": " Related to: \n \u2022EID-CAE-E3\n\u2022PUR-AUS-E5\n\u2022EID-RBAC-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}, {"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Temporary Elevated Cloud Access attacks due to it's DataInsightsRestApiAudit AuditLogRecord type which logs cloud API calls to assume, create, or impersonate additional roles, policies, and permissions.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege to limit the ability of cloud accounts to assume, create, or impersonate only required privileges. This scores Minimal for its ability to protect against the actions temporary elevated accounts can take. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}]}, {"techniqueID": "T1548.006", "score": 2, "comment": " Related to: \n \u2022EID-CAE-E3\n\u2022PUR-AUS-E5", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}, {"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Temporary Elevated Cloud Access attacks due to it's DataInsightsRestApiAudit AuditLogRecord type which logs cloud API calls to assume, create, or impersonate additional roles, policies, and permissions.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}]}, {"techniqueID": "T1556.006", "score": 8, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022EID-IDPR-E5\n\u2022EID-CAE-E3\n\u2022EID-RBAC-E3\n\u2022DEF-IR-E5\n\u2022PUR-AUS-E5\n\u2022EID-PIM-E5\n\u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}, {"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Multi-Factor Authentication attacks due to Audit Solutions providing the visibility to allow admins to review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization.\n\nRisk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Multi-Factor Authentication attacks due to Incident Response monitoring for logon sessions for user accounts that did not require MFA for authentication.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege to limit account management control of MFA. This scores Partial for its ability to minimize overall accounts with the ability to change or disable MFA. \n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Multi-Factor Authentication attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Multi-Factor Authentication attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The PIM control can enforce on-activation requirements for privileged roles, such as the Conditional Access Administrator, Global Administrator or Security Administrator, which include privileges necessary to modify certain MFA settings. Configuration can include an MFA requirement, which can provide additional protection against modifying Multi-Factor Authentication. MFA can be required both when assigning these administrative roles, and/or when a user activates the role. PIM can also be used to assigned privileged roles as \"eligible\" rather than \"active\" to further, requiring activation of the assigned role before use. This scores Significant for its limitation of the overall accounts with these privileges, and the conditions for use.\n\n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance"}]}, {"techniqueID": "T1585", "score": 1, "comment": " Related to: \n \u2022EID-CAE-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}]}, {"techniqueID": "T1585.002", "score": 1, "comment": " Related to: \n \u2022EID-CAE-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}]}, {"techniqueID": "T1585.003", "score": 1, "comment": " Related to: \n \u2022EID-CAE-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}]}, {"techniqueID": "T1586", "score": 1, "comment": " Related to: \n \u2022EID-CAE-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}]}, {"techniqueID": "T1586.002", "score": 1, "comment": " Related to: \n \u2022EID-CAE-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}]}, {"techniqueID": "T1651", "score": 5, "comment": " Related to: \n \u2022PUR-PAM-E5\n\u2022EID-CAE-E3\n\u2022EID-RBAC-E3\n\u2022EID-PIM-E5\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-CAE-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "PUR-PAM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). \n\nLicense requirements: M365 E5 customers."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege for account management, limiting the number of Global and Intune administrators to those required. This scores Partial for its ability to minimize the overall accounts with associated privileges.   \n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The PIM control can enforce on-activation requirements for privileged roles, such as Global Administrators. Configuration can include an MFA requirement, which can help limit the overall  privileged accounts available and their ability to execute administration commands. PIM can also be used to assigned privileged roles as \"eligible\" rather than \"active\" to further, requiring activation of the assigned role before use. Due to these features, a score of Significant is assigned. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance"}]}, {"techniqueID": "T1218.015", "score": 1, "comment": " Related to: \n \u2022PUR-AUS-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Sharepoint attacks due to Audit Solutions providing the visibility to allow admins to consider periodic review of accounts and privileges for critical and sensitive repositories.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}]}, {"techniqueID": "T1546.017", "score": 1, "comment": " Related to: \n \u2022PUR-AUS-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Audit Solutions can be used to continuously monitor the Udev rules for modifications or additions, allowing for detection of abnormalities."}, {"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Audit Solutions can be used to continuously monitor the Udev rules for modifications or additions, allowing for detection of abnormalities."}]}, {"techniqueID": "T1556.009", "score": 1, "comment": " Related to: \n \u2022PUR-AUS-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Audit Solutions can be used to continuously monitor the conditional access policies for modifications or additions, allowing for detection of abnormalities."}]}, {"techniqueID": "T1574.014", "score": 1, "comment": " Related to: \n \u2022PUR-AUS-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Sharepoint attacks due to Audit Solutions providing the visibility to allow admins to consider periodic review of accounts and privileges for critical and sensitive repositories.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}]}, {"techniqueID": "T1665", "score": 1, "comment": " Related to: \n \u2022PUR-AUS-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Use of Audit Solutions can reveal unusual activity occurring in the environment, potentially allowing for identification of C2 infrastructure or other malicious infrastructure."}]}, {"techniqueID": "T1666", "score": 2, "comment": " Related to: \n \u2022PUR-AUS-E5\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Audit Solutions can be used to continuously monitor the cloud resource hierarchy for modifications or additions, allowing for detection of abnormalities."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can detect suspicious or anomalous behavior indicative of potential threats, like attempts to transfer subscriptions to unauthorized tenants."}]}, {"techniqueID": "T1059", "score": 7, "comment": " Related to: \n \u2022EOP-AMW-E3\n\u2022PUR-PAM-E5\n\u2022DEF-ZHAP-E3\n\u2022EID-RBAC-E3\n\u2022DEF-IR-E5\n\u2022PUR-AUS-E5\n\u2022DEF-ID-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Command and Scripting Interpreter attacks due to Audit Solutions providing the visibility to monitor log files for process execution and monitor contextual data about a running process.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides Minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "EOP-AMW-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. "}, {"divider": true}, {"name": "control", "value": "DEF-ZHAP-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security."}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Command and Scripting Interpreter attacks due to Incident Response monitoring for reconnaissance and discovery alerts which monitors for subsequent behavior related to discovery.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "PUR-PAM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). \n\nLicense requirements: M365 E5 customers."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The RBAC control can be used to partially protect against the abuse of Cloud APIs but does not provide protection against this technique's other sub-techniques or other example procedures. Due to its Minimal coverage score, it receives a score of minimal. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}]}, {"techniqueID": "T1070", "score": 2, "comment": " Related to: \n \u2022PUR-AUS-E5\n\u2022PUR-INPR-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks due to the File and Page Audit Log activities which monitors for newly constructed files, for contextual data about files, and for changes made to files.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "PUR-INPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Protects from Indicator Removal attacks due to it encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app and applying sensitivity labels to limit access only to employees in your company.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"}]}, {"techniqueID": "T1070.001", "score": 2, "comment": " Related to: \n \u2022PUR-AUS-E5\n\u2022PUR-INPR-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks due to the File and Page Audit Log activities which monitors for newly constructed files, for contextual data about files, and for changes made to files.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "PUR-INPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Protects from Indicator Removal attacks due to it encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app and applying sensitivity labels to limit access only to employees in your company.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"}]}, {"techniqueID": "T1070.002", "score": 2, "comment": " Related to: \n \u2022PUR-AUS-E5\n\u2022PUR-INPR-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks due to the File and Page Audit Log activities which monitors for newly constructed files, for contextual data about files, and for changes made to files.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "PUR-INPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Protects from Indicator Removal attacks due to it encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app and applying sensitivity labels to limit access only to employees in your company.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"}]}, {"techniqueID": "T1070.003", "score": 1, "comment": " Related to: \n \u2022PUR-AUS-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks due to the File and Page Audit Log activities which monitors for newly constructed files, for contextual data about files, and for changes made to files.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"}]}, {"techniqueID": "T1070.008", "score": 1, "comment": " Related to: \n \u2022PUR-AUS-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Clear Mailbox Data Rule attacks due to administrators can use use Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious transport rules.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}]}, {"techniqueID": "T1070.009", "score": 1, "comment": " Related to: \n \u2022PUR-AUS-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks due to the File and Page Audit Log activities which monitors for newly constructed files, for contextual data about files, and for changes made to files.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Indicator Removal attacks due to the File and Page Audit Log activities which monitors for newly constructed files, for contextual data about files, and for changes made to files.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"}]}, {"techniqueID": "T1087", "score": 7, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022EID-RBAC-E3\n\u2022PUR-AUS-E5\n\u2022PUR-INPR-E5\n\u2022DEF-ID-E5\n\u2022DEF-ATH-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Account Discovery attacks due to the File and Page Audit Log activities which monitors for access to file resources that contain local accounts and groups information and looks for non-admin objects (such as users or processes) attempting to access restricted file resources.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides significant detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The RBAC control can be used to partially protect against Cloud Account Discovery, but does not provide protection against this technique's other sub-techniques or example procedures. Due to its Minimal coverage score, it receives an overall score of minimal. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Account Discovery attacks due to the DeviceProcessEvents table in the advanced hunting schema that contains information about process creation and related events which monitors for processes that can be used to enumerate user accounts and groups. \n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Account Discovery attacks due to App Governance tracking various app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}, {"divider": true}, {"name": "control", "value": "PUR-INPR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Detects Account Discovery attacks due to Information Protection Detecting when certain files that belong to a specific user group are being accessed excessively by a user who is not part of the group, which could be a potential insider threat.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"}]}, {"techniqueID": "T1087.004", "score": 6, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022EID-RBAC-E3\n\u2022DEF-IR-E5\n\u2022PUR-AUS-E5\n\u2022PUR-INPR-E5\n\u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Cloud Account attacks due to Audit Solution allowing admins to search and routinely check user permissions to ensure only the expected users have the ability to list IAM identities or otherwise discover cloud accounts.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to cloud account attacks due to Incident Response monitoring the activity of cloud accounts to detect abnormal or malicious behavior.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege for account management, limiting the accounts that can be used to perform account discovery. This scores Partial for its ability to minimize the overall accounts with these role privileges.  \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Cloud Account attacks due to the DeviceProcessEvents table in the advanced hunting schema that contains information about process creation and related events which monitors logs for actions that could be taken to gather information about cloud accounts.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Cloud Account attacks due to App Governance tracking various app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}, {"divider": true}, {"name": "control", "value": "PUR-INPR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Detects Cloud Account attacks due to Information Protection Detecting when certain files that belong to a specific user group are being accessed excessively by a user who is not part of the group, which could be a potential insider threat.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"}]}, {"techniqueID": "T1114.003", "score": 4, "comment": " Related to: \n \u2022DEF-AIR-E5\n\u2022EOP-MFR-E3\n\u2022PUR-AUS-E5\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Email Forwarding Rule attacks due to administrators can use Get-InboxRule / Remove-InboxRule and Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious auto-fowarding and transport rules.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}, {"divider": true}, {"name": "control", "value": "EOP-MFR-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) organizations without Exchange Online mailboxes can use Exchange Mail Flow Rules (also known as transport rules) to look for specific conditions on messages that pass through your organization and take action on them.  Mail Flow Rules take action on messages while they are in transit, not after the message is delivered to the mailbox. Mail flow rules contain a richer set of conditions, exceptions, and actions, which provides you with the flexibility to implement many types of messaging policies.\n\nMail Flow Rules protects from Email Forwarding Rule attacks due to the custom rules feature which allows you to define rules to encrypt email messages which provides an added layer of security to sensitive information sent over email.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR"}]}, {"techniqueID": "T1528", "score": 6, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022DEF-SIMT-E5\n\u2022EID-IDSS-E3\n\u2022EID-RBAC-E3\n\u2022PUR-AUS-E5\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Steal Application Access Token attacks due to Audit Solutions providing the visibility to allow admins to audit all cloud accounts to ensure that they are necessary and that the permissions granted to them are appropriate. Additionally, admins can perform an audit of all OAuth applications and the permissions they have been granted to access organizational data.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can restrict user app permissions which can limit the potential for theft of application access tokens."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can detect potentially risky apps. Relevant alerts include \"Misleading publisher name for an Oauth app\" and \"Misleading OAuth app name\". "}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Do not allow users to grant consent to unmanaged applications\" recommendation can protect against an adversary constructing a malicious application designed to be granted access to resources with the target user's OAuth token by ensuring users can not be fooled into granting consent to the application. \nDue to this being a recommendation, its score is capped at Partial."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege, limiting accounts with access to application tokens. This receives a score of Partial for its ability to minimize the attack surface of accounts this ability. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Steal Application Access Token attacks due to App Governance tracking various app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}]}, {"techniqueID": "T1546", "score": 4, "comment": " Related to: \n \u2022PUR-AUS-E5\n\u2022PUR-INPR-E5\n\u2022DEF-ATH-E5\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Event Triggered Execution attacks due to the File and Page Audit Log activities which monitors for newly constructed files, for contextual data about files, and for changes made to files.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Event-Triggered Execution attacks due to the DeviceFileEvents table in the advanced hunting schema which contains information about file creation, modification, and other file events.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "PUR-INPR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Detects Event Triggered Execution attacks due to Information Protection Detecting when certain files that belong to a specific user group are being accessed excessively by a user who is not part of the group, which could be a potential insider threat.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"}]}, {"techniqueID": "T1548", "score": 3, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022PUR-AUS-E5\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Abuse Elevation Control Mechanism attacks due to it's DataInsightsRestApiAudit AuditLogRecord type which logs cloud API calls to assume, create, or impersonate additional roles, policies, and permissions.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Protects against Abuse Elevation Control Mechanism attacks due to the governance feature where admins can create proactive or reactive policies to protect your users from using noncompliant or malicious apps and limiting the access of risky apps to your data.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}]}, {"techniqueID": "T1552", "score": 5, "comment": " Related to: \n \u2022EID-IDSS-E3\n\u2022DEF-IR-E5\n\u2022PUR-AUS-E5\n\u2022PUR-INPR-E5\n\u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Unsecured Credential attacks due to Audit Solutions providing the visibility to allow admins to preemptively search for files containing passwords or other credentials and take actions to reduce the exposure risk when found.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Resolve unsecure account attributes\" provides recommendations that can lead to strengthening how accounts are stored in Active Directory.  This control provides recommendations specific to a few types of unsecured credentials (reversible and weakly encrypted credentials) while not providing recommendations for any other, resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to unsecure credential attacks due to Incident Response monitoring for newly executed processes, suspicious file access activity, and application logs for activity that may highlight malicious attempts to access application data.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Unsecured Credentials attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "PUR-INPR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Detects Unsecured Credential attacks due to it detecting and encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app and applying sensitivity labels to limit access only to employees in your company.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"}]}, {"techniqueID": "T1552.008", "score": 3, "comment": " Related to: \n \u2022DEF-IR-E5\n\u2022PUR-AUS-E5\n\u2022PUR-INPR-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Chat Messages attacks due to Audit Solutions providing the visibility to allow admins to preemptively search through communication services to find shared unsecured credentials.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to chat messages attacks due to Incident Response monitoring application logs for activity that may highlight malicious attempts to access application data.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "PUR-INPR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Detects Chat message attacks due to it encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app and applying sensitivity labels to limit access only to employees in your company.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"}]}, {"techniqueID": "T1556", "score": 9, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022EID-IDPR-E5\n\u2022EID-RBAC-E3\n\u2022DEF-IR-E5\n\u2022PUR-AUS-E5\n\u2022EID-PIM-E5\n\u2022DEF-ID-E5\n\u2022DEF-ATH-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Modify Authentication Process attacks due to Audit Solutions providing the visibility to allow admins to review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "During each sign-in, Identity Protection runs all real-time sign-in detections generating a sign-in session risk level, indicating how likely the sign-in has been compromised. Based on this risk level, policies are then applied to protect the user and the organization.\n\nRisk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Modify Authentication Process attacks due to Incident Response monitoring for newly created files, suspicious modification of files, and newly constructed logon behavior across systems that share accounts.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The RBAC control can be used to limit cloud accounts with authentication modification relevant privileges, but does not provide protection against this technique's other sub-techniques or example procedures. Due to its Minimal coverage score, it receives a score of minimal. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Modify-Authentication Process attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Modify Authentication attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The PIM control significantly protects against  the modification of Multi-Factor Authentication by placing limitations and restrictions on relevant privileged accounts. However, this is overall Minimal coverage relative to the all the technique's sub-techniques. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance"}]}, {"techniqueID": "T1562", "score": 6, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022EID-RBAC-E3\n\u2022DEF-IR-E5\n\u2022PUR-AUS-E5\n\u2022DEF-SSCO-E3\n\u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Impair Defense attacks due to Audit Solutions providing the visibility to allow admins to routinely check account role permissions to ensure only expected users and roles have permission to modify defensive tools and settings.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Impair Defense attacks due to Incident Response monitoring for changes to account settings, newly executed processes, and abnormal execution of API functions.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The RBAC control can be used to partially protect against the ability to Disable or Modify Cloud Logs, but has minimal coverage against this technique's other sub-techniques and example procedures. Due to its Minimal coverage score, it receives an overall score of minimal. \n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Impair Defense attacks due to the DeviceNetworkEvents table in the advanced hunting schema which contains information about network connections and related events which monitors for the abnormal execution of API functions. \n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Protects against Impair Defense attacks due to the governance feature where admins can create proactive or reactive policies to protect your users from using noncompliant or malicious apps and limiting the access of risky apps to your data to ensure that only approved security applications are used and running.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance detects Impair Defense attacks due to App Governance tracking various app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}]}, {"techniqueID": "T1562.008", "score": 6, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022EID-RBAC-E3\n\u2022DEF-IR-E5\n\u2022PUR-AUS-E5\n\u2022DEF-SSCO-E3\n\u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Disable or Modify Cloud Log attacks due to the user administration Audit Log activities which monitors for changes to account settings associated with users that may impact defensive logging capabilities.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Disable or Modify Cloud Log attacks due to Incident Response monitoring for changes to account settings and logs for API calls to disable logging.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege to limit users with permission to modify logging policies to those required. This scores Partial for its ability to minimize the overall accounts with the ability to modify cloud logging capabilities. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Disabling or Modifying Cloud Log attacks due to the DeviceNetworkEvents table in the advanced hunting schema which contains information about network connections and related events which monitors logs for API calls to disable logging. \n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Disable or Modify Cloud Log attacks due to App Governance tracking various app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance protects against Disable or Modify Cloud Log attacks due to the governance feature where admins can create proactive or reactive policies to protect your users from using noncompliant or malicious apps and limiting the access of risky apps to your data to ensure that only approved security applications are used and running.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}]}, {"techniqueID": "T1564", "score": 4, "comment": " Related to: \n \u2022DEF-IR-E5\n\u2022EOP-MFR-E3\n\u2022PUR-AUS-E5\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Hide Artifacts attacks due to the File and Page Audit Log activities which monitors for newly constructed files, for contextual data about files, and for changes made to files.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Hide Artifact attacks due to Incident Response monitoring for newly constructed user accounts, contextual data about accounts, contextual data about files, and newly constructed files.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "EOP-MFR-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) organizations without Exchange Online mailboxes can use Exchange Mail Flow Rules (also known as transport rules) to look for specific conditions on messages that pass through your organization and take action on them.  Mail Flow Rules take action on messages while they are in transit, not after the message is delivered to the mailbox. Mail flow rules contain a richer set of conditions, exceptions, and actions, which provides you with the flexibility to implement many types of messaging policies.\n\nMail Flow Rules detects Hide Artifacts attacks due to the conditions property which examines message header fields that may attempt to hide artifacts associated with their behaviors to evade detection.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR"}]}, {"techniqueID": "T1564.008", "score": 5, "comment": " Related to: \n \u2022DEF-AIR-E5\n\u2022EOP-MFR-E3\n\u2022DEF-IR-E5\n\u2022PUR-AUS-E5\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Email Hiding Rule attacks due to administrators can use Get-InboxRule / Remove-InboxRule and Get-TransportRule / Remove-TransportRule to discover and remove potentially malicious auto-fowarding and transport rules.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Email Hiding Rules attacks due to Incident Response being able to monitor for creation or modification of suspicious inbox rules.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "EOP-MFR-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) organizations without Exchange Online mailboxes can use Exchange Mail Flow Rules (also known as transport rules) to look for specific conditions on messages that pass through your organization and take action on them.  Mail Flow Rules take action on messages while they are in transit, not after the message is delivered to the mailbox. Mail flow rules contain a richer set of conditions, exceptions, and actions, which provides you with the flexibility to implement many types of messaging policies.\n\nMail Flow Rules protects from Email Hiding Rules attacks due to it's detection mechanisms that include the ability to audit inbox rules on a regular basis as they are in transit.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR"}]}, {"techniqueID": "T1566", "score": 21, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022EOP-AMW-E3\n\u2022DEF-ZHAP-E3\n\u2022DEF-PSP-E3\n\u2022DEF-ASP-E3\n\u2022DEF-THTR-E5\n\u2022DEF-THEX-E5\n\u2022EOP-APH-E3\n\u2022DEF-SLNK-E3\n\u2022DEF-TPSR-E3\n\u2022DEF-ATH-E5\n\u2022DEF-SATT-E3\n\u2022DEF-IR-E5\n\u2022PUR-AUS-E5\n\u2022DEF-SSCO-E3\n\u2022DEF-SIMT-E5\n\u2022DEF-AIR-E5\n\u2022DEF-QUAR-E3\n\u2022EOP-ASP-E3\n\u2022DEF-AAPH-E5\n\u2022EID-MFA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions detects Phishing attacks due to the File and Page Audit Log activities which monitors for newly constructed files from phishing messages.\n\nLicense Requirements: \nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EOP-AMW-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. "}, {"divider": true}, {"name": "control", "value": "DEF-QUAR-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. \n\nLicense requirements: M365 E3 (or Defender for Office plan 1)"}, {"divider": true}, {"name": "control", "value": "DEF-ZHAP-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security."}, {"divider": true}, {"name": "control", "value": "EOP-APH-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Policies to configure anti-phishing protection settings are available in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, and Microsoft Defender for Office 365 organizations. The features provided with Anti-phishing policies in Defender for Office 365 are: Automatically creating default policies, creating custom policies, common policy settings, spoof settings, first contact safety tips, impersonation settings, and advanced phishing thresholds.\n\nMicrosoft 365's Anti-Phishing protection protects from Phishing attacks due to it's custom policy feature where users can create policies to determine if certain websites used for phishing are necessary for business operations and can block access if activity cannot be monitored well or if it poses a significant risk.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR"}, {"divider": true}, {"name": "control", "value": "DEF-SATT-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm. \n\nLicense requirements:\nMirosoft 365 E5, Defender for Office Plan 1,  Microsoft 365 E3 with ATP add-on"}, {"divider": true}, {"name": "control", "value": "DEF-SATT-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm. \n\nLicense requirements:\nMirosoft 365 E5, Defender for Office Plan 1,  Microsoft 365 E3 with ATP add-on"}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Phishing attacks due to its phishing Incident Response playbook which monitors for messaging, and/or other artifacts that may send phishing messages to gain access to victim systems.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Phishing attacks due to the DeviceNetworkEvents table in the advanced hunting schema which contains information about network connections and related events which monitors for the abnormal execution of API functions which monitors network data for uncommon data flows. \n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Phishing attacks due to App Governance tracking various app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk helping an admin to confirm that the OAuth app is delivered from an unknown source and is performing unusual activities. \n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": " Entra MFA can provide partial security protection against phishing tactics. It is a security measure that adds an extra layer of protection against phishing attacks by requiring users to verify their identity through more than one method. "}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-PSP-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions. \n\nPreset Security Policies Detects Phishing attacks due to all recipients in the organization receiving Safe Links and Safe Attachments with the Built-in protection profile by default. Safe Links immediately checks the URL's before opening the websites. If the URL points to a website that has been identified as a phishing attack, a Phishing attempt warning page will open. \n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-THEX-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Threat Explorer helps your security operations team investigate and respond to threats efficiently. With these tools, you can: See malware detected by Microsoft 365 security features, View phishing URL and click verdict data, Start an automated investigation and response process from a view in Explorer, Investigate malicious email, and more. \n\nThreat Explorer Detects Phishing attacks by their dashboard capturing and enabling the user to view phishing attempts, including a list of URLs that were allowed, blocked, and overridden.\n\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-TPSR-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. The report provides the count of email messages with malicious content. For example: Files or website addresses (URLs) that were blocked by the anti-malware engine, Files or messages affected by zero-hour auto purge (ZAP), Files or messages that were blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.\n\nThreat Protection Status Report Detects Phishing attacks by the report capturing and displaying files or messages that were blocked by Safe Links, Safe Attachments, and impersonation protection features in phishing policies.\n\nLicense Requirements: \nExchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-SLNK-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for O365 Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps. \n\nSafe Links Detects Phishing attacks due to Safe Links immediately checking the URL's before opening the websites. If the URL points to a website that has been identified as a phishing attack, a Phishing attempt warning page will open. \n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-AAPH-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Advanced Anti-phishing control includes respond mechanisms that can be used to quarantine and limit user interaction with phishing messages, including those that contain Spearphishing Attachments and Links, that employ email as the means of communication. This covers responses to some, but not all of this technique\u2019s sub-techniques, resulting in an overall score of Partial for the Respond category. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"}, {"divider": true}, {"name": "control", "value": "DEF-AAPH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Advanced Anti-phishing control includes features that may detect phishing messages, including those that contain Spearphishing Attachments and Links, that employ email as the means of communication. In particular, AAP may identify and isolate spoofing attempts and warn of unusual communication patterns for the sender\u2019s email. This covers detection of some, but not all of this technique\u2019s sub-techniques, resulting in an overall score of Partial for the Detect category. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"}, {"divider": true}, {"name": "control", "value": "DEF-AAPH-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Advanced Anti-phishing control includes configurable policies that protect against methods of phishing, including those that contain Spearphishing Attachments and Links, that employ email as the means of communication. This covers protection against some, but not all of this technique\u2019s sub-techniques, resulting in an overall score of Partial for the Protect category. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"}, {"divider": true}, {"name": "control", "value": "EOP-ASP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.\n\nTo help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering (also known as content filtering) technologies to identify and separate junk email from legitimate email. EOP spam filtering learns from known spam and phishing threats and user feedback from our consumer platform.\n\nLicense requirements: M365 E3"}, {"divider": true}, {"name": "control", "value": "DEF-ASP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The anti-spoofing technology in Microsoft O365 specifically examines forgery of the From header in the message body, because that header value is the message sender that's shown in email clients. When EOP has high confidence that the From header is forged, the message is identified as spoofed. The following anti-spoofing technologies are available in Microsoft O365: email authentication, spoof intelligence insight, allow or block spoofed senders in the tenant allow/block List, anti-phishing policies, and spoof detections report\n\nMicrosoft O365's anti-spoofing technology protects from Phishing attacks due to it's mechanisms provided which provides email authentication by DKIM, and anti-phishing policies\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR"}, {"divider": true}, {"name": "control", "value": "DEF-THTR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Threat Tracker control includes noteworthy trackers, which highlights newly detected malicious files found with Safe Attachments, that may alert on Phishing emails, if they contain malicious attachments. Specifically, noteworthy trackers will highlight malicious files that were not previously found by Microsoft in your email flow or in other customers\u2019 emails. This scores Minimal for Detection, based on the low coverage of this technique\u2019s sub-techniques and procedures. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"}]}, {"techniqueID": "T1566.002", "score": 16, "comment": " Related to: \n \u2022DEF-SIMT-E5\n\u2022DEF-AIR-E5\n\u2022DEF-THEX-E5\n\u2022DEF-QUAR-E3\n\u2022DEF-ZHAP-E3\n\u2022EOP-APH-E3\n\u2022DEF-SLNK-E3\n\u2022DEF-PSP-E3\n\u2022DEF-AAPH-E5\n\u2022EOP-ASP-E3\n\u2022PUR-AUS-E5\n\u2022EID-MFA-E3\n\u2022DEF-SSCO-E3\n\u2022DEF-TPSR-E3\n\u2022DEF-ASP-E3\n\u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Spearphishing Link Process attacks due to Audit Solutions providing the visibility to allow admins to audit applications and their permissions to ensure access to data and resources are limited based upon necessity and principle of least privilege.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-QUAR-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. \n\nLicense requirements: M365 E3 (or Defender for Office plan 1)"}, {"divider": true}, {"name": "control", "value": "DEF-ZHAP-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security."}, {"divider": true}, {"name": "control", "value": "EOP-APH-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Policies to configure anti-phishing protection settings are available in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, and Microsoft Defender for Office 365 organizations. The features provided with Anti-phishing policies in Defender for Office 365 are: Automatically creating default policies, creating custom policies, common policy settings, spoof settings, first contact safety tips, impersonation settings, and advanced phishing thresholds.\n\nMicrosoft 365's Anti-Phishing protection protects from Phishing attacks due to it's custom policy feature where users can create policies to determine if certain websites used for phishing are necessary for business operations and can block access if activity cannot be monitored well or if it poses a significant risk.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR"}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Spearphishing Link attacks due to the UrlClickEvents table in the advanced hunting schema which contains information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps which can inspect URLs for potentially known-bad domains or parameters.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": " Entra MFA can provide partial security protection against phishing tactics. It is a security measure that adds an extra layer of protection against phishing attacks by requiring users to verify their identity through more than one method. "}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-PSP-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions. \n\nPreset Security Policies Detects Spearphishing Link attacks due to all recipients in the organization receiving Safe Links and Safe Attachments with the Built-in protection profile by default. Safe Links immediately checks the URL's before opening the websites. If the URL points to a website that has been identified as a phishing attack, a Phishing attempt warning page will open. \n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-THEX-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Threat Explorer helps your security operations team investigate and respond to threats efficiently. With these tools, you can: See malware detected by Microsoft 365 security features, View phishing URL and click verdict data, Start an automated investigation and response process from a view in Explorer, Investigate malicious email, and more. \n\nThreat Explorer Detects Spearphishing Link attacks by their dashboard capturing and enabling the user to view phishing attempts, including a list of URLs that were allowed, blocked, and overridden.\n\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-TPSR-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. The report provides the count of email messages with malicious content. For example: Files or website addresses (URLs) that were blocked by the anti-malware engine, Files or messages affected by zero-hour auto purge (ZAP), Files or messages that were blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.\n\nThreat Protection Status Report Detects Spearphishing Link attacks by the report capturing and displaying files or messages that were blocked by Safe Links, Safe Attachments, and impersonation protection features in phishing policies.\n\nLicense Requirements: \nExchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-SLNK-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for O365 Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps. \n\nSafe Links Detects Spearphishing attacks due to Safe Links immediately checking the URL's before opening the websites. You can add entries to the existing policies or configure different lists in different Safe Links policies to determine if certain websites are necessary for business operations. If the URL points to a website that has been identified as a phishing attack, a Phishing attempt warning page will open. \n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-AAPH-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Advanced Anti-phishing control includes several mechanisms that can be used to respond to malicious emails targeting users with Spearphishing Links. Responses include the ability to automatically move suspicious messages to the Junk Email, but additional settings also exist that allow a message to be quarantined or rejected.  Spoof settings also allow for different quarantine policies, which define how users can interact with these messages. This scores Partial for the Respond category for its ability to contain, possibly quarantine and limit user interaction with flagged emails. Note the response will be insufficient in the event a user clicks on, interacts with, and falls victim to the result of a malicious link. \nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"}, {"divider": true}, {"name": "control", "value": "DEF-AAPH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The Advanced Anti-phishing control includes several mechanisms that can detect and warn a user against suspicious emails and reduce the likelihood of the user falling victim to malicious emails with Spearphishing Links. Detections include implicit email authentication, which include unauthenticated sender indicators that warn the user of potential email spoofing based on SPF or DMARC checks, and first contact safety tip, which will report the first time a user gets a message from a sender, or if they often don\u2019t get messages from that sender. This scores Significant for the Detect category, for its high coverage against email coming emails, near real-time processing of new emails, and fairly accurate detection rates. Note that AAP is focused on detecting suspicious emails, not the processing and detection of potentially malicious email links. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"}, {"divider": true}, {"name": "control", "value": "DEF-AAPH-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Advanced Anti-phishing control includes configurable policies that control anti-phishing protection settings that can help protect users by filtering out and even blocking suspicious emails, and reduce the likelihood of the user falling victim to malicious emails with Spearphishing Links. These protection policies are configurable across different user groups, and can be tied to Actions designed to help organizations Respond to the suspicious messages. This scores Partial in the Protect category for its ability to minimize, filter, and flag potentially malicious emails end users receive. However, it should be noted that the AAP control on its own may not further protect against a user proceeding to click on a malicious link in a flagged email, depending on how an organization configures follow up Actions and how a user may interact with the message. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"}, {"divider": true}, {"name": "control", "value": "EOP-ASP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.\n\nTo help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering (also known as content filtering) technologies to identify and separate junk email from legitimate email. EOP spam filtering learns from known spam and phishing threats and user feedback from our consumer platform.\n\nLicense requirements: M365 E3"}, {"divider": true}, {"name": "control", "value": "DEF-ASP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The anti-spoofing technology in Microsoft O365 specifically examines forgery of the From header in the message body, because that header value is the message sender that's shown in email clients. When EOP has high confidence that the From header is forged, the message is identified as spoofed. The following anti-spoofing technologies are available in Microsoft O365: email authentication, spoof intelligence insight, allow or block spoofed senders in the tenant allow/block List, anti-phishing policies, and spoof detections report\n\nMicrosoft O365's anti-spoofing technology protects from Spearphishing Link attacks due to it's mechanisms provided which provides email authentication by DKIM, and anti-phishing policies\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR"}]}, {"techniqueID": "T1606", "score": 8, "comment": " Related to: \n \u2022DEF-APGV-E5\n\u2022EID-IDPR-E5\n\u2022EID-IDSS-E3\n\u2022DEF-IR-E5\n\u2022PUR-AUS-E5\n\u2022DEF-SSCO-E3\n\u2022DEF-ATH-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview auditing solutions provide an integrated solution to help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Thousands of user and admin operations performed in dozens of Microsoft 365 services and solutions are captured, recorded, and retained in your organization's unified audit log. Audit records for these events are searchable by security ops, IT admins, insider risk teams, and compliance and legal investigators in your organization. This capability provides visibility into the activities performed across your Microsoft 365 organization.\n\nMicrosoft's Audit Solutions protects from Forge Web Credential attacks due to Audit Solutions providing the visibility to allow administrators to perform an audit of all access lists and the permissions they have been granted to access web applications and services.\n\nLicense Requirements:\nMicrosoft 365 E3 and E5"}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can be effective at detecting forged web credentials because it uses environmental properties (e.g. IP address, device info, etc.) to detect risky users and sign-ins even when valid credentials are utilized.  It provides partial coverage of this technique's sub-techniques and therefore has been assessed a Partial score."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Provides Significant response capabilities for one of this technique's sub-techniques (SAML tokens)."}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Turn on sign-in risk policy\" and \"Turn on user risk policy\" recommendations recommend the usage of Azure AD Identity Protection which can detect one of the sub-techniques of this technique.  This is a recommendation and therefore the score is capped at Partial."}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Forge Web Credentials attacks due to Incident Response monitoring for credential access alert policies which monitors for anomalous authentication activity.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Forge Web Credential attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps which monitors for anomalous authentication activity.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Forge Web Credentials attacks due to App Governance tracking various app attributes and behaviors such as certification, data use, API access errors, and unused permissions that can indicate misuse and risk.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}]}, {"techniqueID": "T1485.001", "score": 1, "comment": " Related to: \n \u2022PUR-AUS-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-AUS-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Purview's auditing solutions may be able to detect if lifecycle settings have been altered, allowing the changes to potentially be reverted before deletion occurs."}]}, {"techniqueID": "T1578.005", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can identify anomalous admin activity."}]}, {"techniqueID": "T1003", "score": 2, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides significant and partial detection for a few of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal coverage score."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}]}, {"techniqueID": "T1003.003", "score": 1, "comment": " Related to: \n \u2022DEF-ID-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The documentation for this control's \"Data exfiltration over SMB (external ID 2030)\" alert implies that it may be able to detect the transfer of sensitive data such as the Ntds.dit on monitored domain controllers.  This is specific to domain controllers and therefore results in a reduced coverage score."}]}, {"techniqueID": "T1003.006", "score": 2, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control's \"Suspected DCSync attack (replication of directory services) (external ID 2006)\" alert can detect DCSync attacks.  The false positive rate should be low due to the identity of domain controllers on the network changing infrequently and therefore replication requests received from non-domain controllers should be a red flag."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}]}, {"techniqueID": "T1021", "score": 2, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides Minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}]}, {"techniqueID": "T1021.002", "score": 1, "comment": " Related to: \n \u2022DEF-ID-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Remote code execution attempt (external ID 2019)\" alert can detect Remote code execution via Psexec.  This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers.  Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.\nThis control's \"Data exfiltration over SMB (external ID 2030)\" alert may also be able to detect exfiltration of sensitive data on domain controllers using SMB.\n"}]}, {"techniqueID": "T1047", "score": 1, "comment": " Related to: \n \u2022DEF-ID-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Remote code execution attempt (external ID 2019)\" alert can detect Remote code execution via WMI.  This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers.  Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage.\n"}]}, {"techniqueID": "T1048", "score": 4, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022DEF-AIR-E5\n\u2022PUR-INPR-E5\n\u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides Partial detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Exfiltration Over Alternative Protocol attacks due to the DeviceNetworkEvents table in the advanced hunting schema which contains information about network connections and related events which monitors for newly constructed network connections.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "PUR-INPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Protects from Exfiltration Over Alternative Protocol attacks due to it preventing users from uploading unprotected data to the cloud, by using the Defender for Cloud Apps session controls.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"}]}, {"techniqueID": "T1048.003", "score": 1, "comment": " Related to: \n \u2022DEF-ID-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Suspicious communication over DNS (external ID 2031)\" alert can detect malicious communication over DNS used for data exfiltration, command, and control, and/or evading corporate network restrictions.  The accuracy of this control is unknown and therefore its score has been assessed as Partial."}]}, {"techniqueID": "T1059.001", "score": 3, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022DEF-ZHAP-E3\n\u2022EOP-AMW-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Remote code execution attempt (external ID 2019)\" alert can detect Remote code execution via Powershell.  This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers.  Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage."}, {"divider": true}, {"name": "control", "value": "EOP-AMW-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. "}, {"divider": true}, {"name": "control", "value": "DEF-ZHAP-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security."}]}, {"techniqueID": "T1069", "score": 2, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides significant detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}]}, {"techniqueID": "T1069.002", "score": 2, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control's \"Security principal reconnaissance (LDAP) (external ID 2038)\" alert can be used to detect when an adversary \"perform suspicious LDAP enumeration queries or queries targeted to sensitive groups that use methods not previously observed.\"  This alert employs machine learning which should reduce the number of false positives.\nAdditionally, this control's \"User and Group membership reconnaissance (SAMR) (external ID 2021)\" alert can detect this sub-technique and also employs machine learning which should reduce the false-positive rate."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}]}, {"techniqueID": "T1071", "score": 2, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides Partial detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can identify some evidence of potential C2 via a specific application layer protocol (mail). Relevant alerts include  \"Suspicious inbox forwarding\" and \"Suspicious inbox manipulation rule\"."}]}, {"techniqueID": "T1071.004", "score": 1, "comment": " Related to: \n \u2022DEF-ID-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Suspicious communication over DNS (external ID 2031)\" alert can detect malicious communication over DNS used for data exfiltration, command, and control, and/or evading corporate network restrictions.  The accuracy of this control is unknown and therefore its score has been assessed as Partial."}]}, {"techniqueID": "T1087.002", "score": 2, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The following alert of this control is able to detect domain account discovery:  \"Account enumeration reconnaissance (external ID 2003)\".  This shouldn't occur frequently and therefore the false positive rate should be minimal.\nThe \"Security principal reconnaissance (LDAP) (external ID 2038)\" alert is also relevant and its machine learning capabilities should reduce the false positive rate.\nThe \"User and IP address reconnaissance (SMB) (external ID 2012)\" alert can also provide a detection on a variation of this sub-technique."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}]}, {"techniqueID": "T1098", "score": 10, "comment": " Related to: \n \u2022EID-IDPR-E5\n\u2022DEF-LM-E5\n\u2022PUR-PAM-E5\n\u2022EID-RBAC-E3\n\u2022DEF-IR-E5\n\u2022EID-PIM-E5\n\u2022EID-MFA-E3\n\u2022DEF-ID-E5\n\u2022DEF-CAPP-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This controls's \"Suspicious additions to sensitive groups (external ID 2024)\" alert can utilize machine learning to detect when an attacker adds users to highly privileged groups. Adding users is done to gain access to more resources, and gain persistency.  This detection relies on profiling the group modification activities of users, and alerting when an abnormal addition to a sensitive group is observed. Defender for Identity profiles continuously. \nThis alert provides Partial coverage of this technique with a reduced false-positive rate by utilizing machine learning models."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include \"Unusual administrative activity (by user)\" and \"Unusual addition of credentials to an OAuth app\"."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. Identity Protection requires users be a Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator in order to access the dashboard.\n\nLicense Requirements: \nMicrosoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Account Manipulation attacks due to Incident Response monitoring for persistence and privilege escalation alerts which monitors for newly constructed processes indicative of modifying account settings.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "PUR-PAM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). \n\nLicense requirements: M365 E5 customers."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can generally be used to  implement the principle of least privilege to protect against the number of accounts with management capabilities. This has Partial coverage of Account Manipulation sub-techniques, resulting in an overall score of Partial. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "DEF-LM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts."}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Requiring the use of MFA along with conditional access policies may reduce the likelihood of adversaries making credential modifications, administrator changes, account manipulation,  changes to permissions, etc."}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control provides significant protection for some of this technique's sub-techniques while not providing any protection for others, resulting in a Partial score."}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control only provides detection for one of this technique's sub-techniques while not providing any detection for the remaining and therefore its coverage score is Minimal, resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The PIM control can assist post-execution detection by alerting on the assignment of privileged Additional Cloud Roles. This is not extendable to detect against the technique's other sub-techniques, resulting in overall minimal detection coverage. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance"}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The PIM control provides significant protection against multiple sub-techniques, although not all, resulting in partial coverage. The control scores Significant for the temporal aspects of its protection, which include requiring activation by eligible privileged roles, and confirming user identity with MFA before execution. \n\n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance"}]}, {"techniqueID": "T1133", "score": 4, "comment": " Related to: \n \u2022PUR-PAM-E5\n\u2022DEF-ID-E5\n\u2022EID-IDSS-E3\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Suspicious VPN connection (external ID 2025)\" alert utilizes machine learning models to learn  normal VPN connections for a user and detect deviations from the norm.  This detection is specific to VPN traffic and therefore its overall coverage is Minimal. "}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's polices for access control can limit abuse of external facing remote services."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can provide logging of activity associated with potential exploitation of remote services such as anomalous geographic access."}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Configure VPN Integration\" recommendation can lead to detecting abnormal VPN connections that may be indicative of an attack.  Although this control provides a recommendation that is limited to a specific external remote service type of VPN, most of this technique's procedure examples are VPN related resulting in a Partial overall score."}, {"divider": true}, {"name": "control", "value": "PUR-PAM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). \n\nLicense requirements: M365 E5 customers."}]}, {"techniqueID": "T1201", "score": 1, "comment": " Related to: \n \u2022DEF-ID-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Active Directory attributes reconnaissance (LDAP) (external ID 2210)\" alert may be able to detect this operation.  There are statements in the documentation for the alert, such as: \"Active Directory LDAP reconnaissance is used by attackers to gain critical information about the domain environment. This information can help attackers map the domain structure ...\", that  may indicate support for detecting this technique.  The level of detection though is unknown and therefore a conservative assessment of a Minimal score is assigned."}]}, {"techniqueID": "T1207", "score": 1, "comment": " Related to: \n \u2022DEF-ID-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control's \"Suspected DCShadow attack (domain controller promotion) (external ID 2028)\" and \"Suspected DCShadow attack (domain controller replication request) (external ID 2029)\" alerts can detect this technique.  Also should be a low false positive rate as the quantity and identity of domain controllers on the network should change very infrequently."}]}, {"techniqueID": "T1210", "score": 3, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022DEF-LM-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Remote code execution over DNS (external ID 2036)\" alert can look for an attacker attempting to exploit CVE-2018-8626, a remote code execution vulnerability exists in Windows Domain Name System (DNS) servers.  In this detection, a Defender for Identity security alert is triggered when DNS queries suspected of exploiting the CVE-2018-8626 security vulnerability are made against a domain controller in the network.  \nLikewise this controls \"Suspected SMB packet manipulation (CVE-2020-0796 exploitation)\" alert can detect a remote code execution vulnerability with SMBv3.\nBecause these detections are specific to a few CVEs, its coverage is Minimal resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "DEF-LM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts."}]}, {"techniqueID": "T1482", "score": 1, "comment": " Related to: \n \u2022DEF-ID-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Active Directory attributes reconnaissance (LDAP) (external ID 2210)\" alert may be able to detect this operation.  There are statements in the documentation for the alert, such as: \"Active Directory LDAP reconnaissance is used by attackers to gain critical information about the domain environment. This information can help attackers map the domain structure ...\", that  may indicate support for detecting this technique.  The level of detection though is unknown and therefore a conservative assessment of a Minimal score is assigned."}]}, {"techniqueID": "T1543", "score": 1, "comment": " Related to: \n \u2022DEF-ID-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score."}]}, {"techniqueID": "T1543.003", "score": 1, "comment": " Related to: \n \u2022DEF-ID-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Suspicious service creation (external ID 2026)\" alert is able to detect suspicious service creation on a domain controller or AD FS server in your organization.  As a result of this detecting being specific to these hosts, the coverage score is Minimal resulting in Minimal detection."}]}, {"techniqueID": "T1543.005", "score": 1, "comment": " Related to: \n \u2022DEF-ID-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Suspicious service creation (external ID 2026)\" alert is able to detect suspicious service creation on a domain controller or AD FS server in your organization.  As a result of this detecting being specific to these hosts, the coverage score is Minimal resulting in Minimal detection."}]}, {"techniqueID": "T1550", "score": 8, "comment": " Related to: \n \u2022DEF-SIMT-E5\n\u2022DEF-AIR-E5\n\u2022DEF-LM-E5\n\u2022EID-IDSS-E3\n\u2022DEF-IR-E5\n\u2022DEF-SSCO-E3\n\u2022DEF-ID-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control provides partial detection for some of this technique's sub-techniques  (due to unknown false-positive/true-positive rate), resulting in a Partial score."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control provides recommendations that lead to protections for some of the sub-techniques of this technique.  Due to it only providing a recommendation, its score has been capped at Partial."}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to use alternate authentication material attacks due to Incident Response monitoring for third-party application logging, messaging, and/or other artifacts that may use alternate authentication material, and suspicious account behavior across systems that share accounts.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-LM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts."}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}]}, {"techniqueID": "T1550.002", "score": 4, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022DEF-LM-E5\n\u2022EID-IDSS-E3\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Suspected identity theft (pass-the-hash) (external ID 2017)\" alert specifically looks for pass-the-hash attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.\nThis control's \"Suspected identity theft (pass-the-ticket) (external ID 2018)\" alert specifically looks for pass-the-ticket attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Reduce lateral movement path risk to sensitive entities\" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks by recommending running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities.  Because this is a recommendation, its score has been capped as Partial."}, {"divider": true}, {"name": "control", "value": "DEF-LM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts."}]}, {"techniqueID": "T1550.003", "score": 3, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022DEF-LM-E5\n\u2022EID-IDSS-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Suspected identity theft (pass-the-hash) (external ID 2017)\" alert specifically looks for pass-the-hash attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned.\nThis control's \"Suspected identity theft (pass-the-ticket) (external ID 2018)\" alert specifically looks for pass-the-ticket attacks but there is not enough information to determine its effectiveness and therefore a conservative assessment of a Partial score is assigned."}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Reduce lateral movement path risk to sensitive entities\" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks by recommending running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities.  Because this is a recommendation, its score has been capped as Partial."}, {"divider": true}, {"name": "control", "value": "DEF-LM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts."}]}, {"techniqueID": "T1555", "score": 2, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides minimal detection for some of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}]}, {"techniqueID": "T1555.003", "score": 1, "comment": " Related to: \n \u2022DEF-ID-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Malicious request of Data Protection API master key (external ID 2020)\" alert can be used to detect when an attacker attempts to utilize the Data Protection API (DPAPI) to decrypt sensitive data using the backup of the master key stored on domain controllers. DPAPI is used by Windows to securely protect passwords saved by browsers, encrypted files, and other sensitive data.   This alert is specific to using DPAPI to retrieve the master backup key and therefore provides minimal coverage resulting in a Minimal score."}]}, {"techniqueID": "T1555.004", "score": 1, "comment": " Related to: \n \u2022DEF-ID-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Malicious request of Data Protection API master key (external ID 2020)\" alert can be used to detect when an attacker attempts to utilize the Data Protection API (DPAPI) to decrypt sensitive data using the backup of the master key stored on domain controllers. Windows Credential Manager utilizes DPAPI to securely store sensitive information like passwords.   This alert is specific to using DPAPI to retrieve the master backup key and therefore provides minimal coverage resulting in a Minimal score."}]}, {"techniqueID": "T1556.001", "score": 2, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Suspected skeleton key attack (encryption downgrade) (external ID 2010)\" alert can detect skeleton attacks.  This alert provides partial protection as it detects on a specific type of malware, Skeleton malware, and its usage of weaker encryption algorithms to hash the user's passwords on the domain controller.  The description of the alert implies it utilizes machine learning to look for anomalous usage of weak encryption algorithms which should result in a reduced false positive rate."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}]}, {"techniqueID": "T1557", "score": 2, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides minimal detection for one of this technique's sub-techniques, while not providing any detection for the other, resulting in an overall Minimal score."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}]}, {"techniqueID": "T1557.001", "score": 2, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Suspected NTLM relay attack (Exchange account) (external ID 2037)\" alert can detect NTLM relay attack specific to the Exchange service.  Because this detection is limited to this variation of the sub-technique, its coverage score is Minimal resulting in an overall Minimal score."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}]}, {"techniqueID": "T1558", "score": 3, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022EID-IDSS-E3\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control provides partial detection for most of this technique's sub-techniques, resulting in an overall Partial score."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control provides recommendations that lead to protections for some of the sub-techniques of this technique and therefore its overall protection coverage is Partial."}]}, {"techniqueID": "T1558.001", "score": 3, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022EID-IDSS-E3\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control has numerous alerts that can detect Golden Ticket attacks from multiple perspectives.  The accuracy of these alerts is unknown resulting in a partial score."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Reduce lateral movement path risk to sensitive entities\" recommendation can lead to protecting sensitive accounts against Pass-the-Hash and Pass-the-Ticket attacks that may result in an adversary acquiring a golden ticket.  It recommends running the Lateral-Movement-Paths report to understand and identify exactly how attackers can move laterally through the monitored network to gain access to privileged identities such as the KRBTGT on the domain controller.  Because this is a recommendation, its score has been capped as Partial."}]}, {"techniqueID": "T1558.003", "score": 3, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022EID-IDSS-E3\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Suspected Kerberos SPN exposure (external ID 2410)\" alert is able to detect when an attacker use tools to enumerate service accounts and their respective SPNs (Service principal names), request a Kerberos service ticket for the services, capture the Ticket Granting Service (TGS) tickets from memory and extract their hashes, and save them for later use in an offline brute force attack.  \nSimilarly its \"Suspected AS-REP Roasting attack (external ID 2412)\" alert is able to detect AS-REP Roasting sub-technique.\nThe accuracy of these alerts is unknown and therefore its score has been assessed as Partial."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Modify unsecure Kerberos delegations to prevent impersonation\" recommendation promotes running the \"Unsecure Kerberos delegation\" report that can identify accounts that have unsecure Kerberos delegation configured.  Unsecured Kerberos delegation can lead to exposing account TGTs to more hosts resulting in an increased attack surface for Kerberoasting.  Due to this control providing a recommendation its score is capped at Partial."}]}, {"techniqueID": "T1558.004", "score": 3, "comment": " Related to: \n \u2022DEF-ID-E5\n\u2022EID-IDSS-E3\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Suspected Kerberos SPN exposure (external ID 2410)\" alert is able to detect when an attacker use tools to enumerate service accounts and their respective SPNs (Service principal names), request a Kerberos service ticket for the services, capture the Ticket Granting Service (TGS) tickets from memory and extract their hashes, and save them for later use in an offline brute force attack.  \nSimilarly its \"Suspected AS-REP Roasting attack (external ID 2412)\" alert is able to detect AS-REP Roasting sub-technique.\nThe accuracy of these alerts is unknown and therefore its score has been assessed as Partial."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Resolve unsecure account attributes\" recommendation can lead to detecting Active Directory accounts which do not require Kerberos preauthentication.  Preauthentication offers protection against offline (Kerberos) Password Cracking.  \nBecause this is a recommendation its score is capped as Partial."}]}, {"techniqueID": "T1569", "score": 1, "comment": " Related to: \n \u2022DEF-ID-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides Minimal detection for one of this technique's sub-techniques, while not providing any detection for the remaining, resulting in a Minimal score."}]}, {"techniqueID": "T1569.002", "score": 1, "comment": " Related to: \n \u2022DEF-ID-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ID-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Remote code execution attempt (external ID 2019)\" alert can detect Remote code execution via Psexec.  This may lead to false positives as administrative workstations, IT team members, and service accounts can all perform legitimate administrative tasks against domain controllers.  Additionally, this alert seems to be specific to detecting execution on domain controllers and AD FS servers, limiting its coverage."}]}, {"techniqueID": "T1011", "score": 1, "comment": " Related to: \n \u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}]}, {"techniqueID": "T1018", "score": 1, "comment": " Related to: \n \u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}]}, {"techniqueID": "T1046", "score": 1, "comment": " Related to: \n \u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}]}, {"techniqueID": "T1049", "score": 1, "comment": " Related to: \n \u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}]}, {"techniqueID": "T1068", "score": 2, "comment": " Related to: \n \u2022DEF-LM-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "DEF-LM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts."}]}, {"techniqueID": "T1134", "score": 2, "comment": " Related to: \n \u2022EID-IDSS-E3\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control provides a recommendation that can lead to detecting one of this technique's sub-techniques while not providing recommendations relevant to its procedure examples nor its remaining sub-techniques.  It is subsequently scored as Minimal."}]}, {"techniqueID": "T1134.005", "score": 2, "comment": " Related to: \n \u2022EID-IDSS-E3\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Remove unsecure SID history attributes from entities\" recommendation promotes running the \"Unsecure SID history attributes\" report periodically which can lead to identifying accounts with SID History attributes which Microsoft Defender for Identity profiles to be risky.  Because this is a recommendation and not actually enforced, coupled with the detection its assessed score is capped at Partial. "}]}, {"techniqueID": "T1187", "score": 2, "comment": " Related to: \n \u2022DEF-CAPP-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control can provide significant protection against forced authentication methods by restricting actions associated with multiple file access methods such as SMB."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control can alert on anomalous sharing attempts of confidential data."}]}, {"techniqueID": "T1202", "score": 1, "comment": " Related to: \n \u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}]}, {"techniqueID": "T1484", "score": 3, "comment": " Related to: \n \u2022EID-RBAC-E3\n\u2022DEF-CAPP-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can detect admin activity from risky IP addresses."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege to limit administrative accounts. This scores Partial for its ability to minimize the overall accounts that can modify domain policies. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}]}, {"techniqueID": "T1484.001", "score": 2, "comment": " Related to: \n \u2022DEF-CAPP-E5\n\u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can detect admin activity from risky IP addresses."}]}, {"techniqueID": "T1552.004", "score": 1, "comment": " Related to: \n \u2022DEF-SECA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SECA-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.\n\nDefender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:\n\nReconnaissance and discovery alerts\nPersistence and privilege escalation alerts\nCredential access alerts\nLateral movement alerts\nOther alerts\n\n\nLicense: A Microsoft 365 security product license entitles customer use \n of Microsoft Defender XDR."}]}, {"techniqueID": "T1016.001", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Defender's ability to detect entities scanning the network configuration also covers the scanning of internet connections, providing a detection mechanism against this technique."}]}, {"techniqueID": "T1016.002", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Defender's ability to detect entities scanning the network configuration also covers the scanning of internet connections, providing a detection mechanism against this technique."}]}, {"techniqueID": "T1021.007", "score": 3, "comment": " Related to: \n \u2022EID-PWLA-E3\n\u2022DEF-CAPP-E5\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Defender for Cloud leverages anomaly detection policies and Audit logging to mitigate Cloud Services based attacks."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft recommended the use of Passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know.(e.g., Biometric, FIDO2 security keys, Microsoft\u2019s Authenticator app). \n\nWhen combined with Conditional Access policies, use of strong two-factor for remote service accounts will mitigate an adversary's ability to leverage stolen credentials.\n\nLicense Requirements: \nAll Microsoft Entra ID licenses"}]}, {"techniqueID": "T1027.006", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "File policies in Microsoft Defender for Cloud perform content inspection which can provide continuous scans for detect and remediate any violations. "}]}, {"techniqueID": "T1027.007", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can protect against abuse of dynamic API resolution."}]}, {"techniqueID": "T1027.008", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Defender utilizes File Policies which allows file sandboxing and filtering based on file metadata. "}]}, {"techniqueID": "T1027.009", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control can detect embedded payloads through DLP content inspection"}]}, {"techniqueID": "T1027.010", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can detect command obsfucation attacks through anomaly detection policies"}]}, {"techniqueID": "T1071.003", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify some evidence of potential C2 via a specific application layer protocol (mail). Relevant alerts include \"Suspicious inbox forwarding\" and \"Suspicious inbox manipulation rule\"."}]}, {"techniqueID": "T1071.005", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can identify some evidence of potential C2 via a specific application layer protocol (mail). Relevant alerts include  \"Suspicious inbox forwarding\" and \"Suspicious inbox manipulation rule\"."}]}, {"techniqueID": "T1078.001", "score": 5, "comment": " Related to: \n \u2022EID-IDSS-E3\n\u2022PUR-PAM-E5\n\u2022EID-RBAC-E3\n\u2022DEF-SSCO-E3\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. \nRelevant alerts include \"Activity from anonymous IP address\" , \"Activity from infrequent country\", \"Activity from suspicious IP address\", \"Impossible Travel\", and \"Activity performed by terminated user\"."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Protect and manage local admin passwords with Microsoft LAPS\"  recommendation recommends periodically running and reviewing the Microsoft LAPS usage report that identifies all Windows based devices not protected by Microsoft LAPS.  This can help reduce the compromise of local administrator accounts.\nBecause this is a recommendations and not actually enforced coupled with being limited to sensitive accounts, the assessed score is Minimal. "}, {"divider": true}, {"name": "control", "value": "PUR-PAM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). \n\nLicense requirements: M365 E5 customers."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege for account management, reducing the available actions an adversary can perform with a default account. This scores Partial for its ability to minimize the overall accounts with management privileges.  \n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}]}, {"techniqueID": "T1078.002", "score": 3, "comment": " Related to: \n \u2022EID-IDPR-E5\n\u2022EID-IDSS-E3\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. \nRelevant alerts include \"Activity from anonymous IP address\" , \"Activity from infrequent country\", \"Activity from suspicious IP address\", \"Impossible Travel\", and \"Activity performed by terminated user\"."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "When Azure Active Directory (AAD) Federation is configured for a tenant, an adversary that compromises a domain credential can use it to access (Azure) cloud resources. Identity Protection supports applying its risk detections (e.g.:  Anonymous IP address, Atypical travel, Malware linked IP address, Unfamiliar sign-in properties, etc.) to federated identities thereby providing detection mitigation for this risk. Because this detection is specific to an adversary utilizing valid domain credentials to access cloud resources and does not mitigate the usage of valid domain credentials to access on-premise resources, this detection has been scored as Partial.\n\nThe temporal factor of this control's detection is low because although there are some real-time detections most are offline detections (multi-day)."}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Remove dormant accounts from sensitive groups\" recommendation recommends reviewing dormant (domain) accounts from sensitive groups via an assessment report that can identify sensitive accounts that are dormant.\nBecause these are recommendations and do not actually enforce the protections coupled with being limited to sensitive accounts, the assessed score is Minimal. "}]}, {"techniqueID": "T1098.001", "score": 8, "comment": " Related to: \n \u2022EID-IDPR-E5\n\u2022PUR-PAM-E5\n\u2022EID-RBAC-E3\n\u2022DEF-IR-E5\n\u2022EID-PIM-E5\n\u2022EID-MFA-E3\n\u2022EID-PWLA-E3\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include \"Unusual administrative activity (by user)\" and \"Unusual addition of credentials to an OAuth app\"."}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft recommended the use of Passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know.(e.g., Biometric, FIDO2 security keys, Microsoft\u2019s Authenticator app). \n\nWhen combined with Conditional Access policies, Passwordless Authentication can significantly protect against the likelihood of adversary activity (e.g., additional cloud permissions, etc.). \n\nLicense Requirements: \nAll Microsoft Entra ID licenses"}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Entra ID Protection helps organizations detect, investigate, and remediate identity-based risks. These identity-based risks can be further fed into tools like Conditional Access to make access decisions or fed back to a security information and event management (SIEM) tool for further investigation and correlation. Identity Protection requires users be a Security Reader, Security Operator, Security Administrator, Global Reader, or Global Administrator in order to access the dashboard. \n\nRisk-based Conditional Access policies can be enabled to require access controls such as providing a strong authentication method, perform multi-factor authentication, or perform a secure password reset based on the detected risk level. If the user successfully completes the access control, the risk is automatically remediated.\n\nLicense Requirements: \nMicrosoft Entra ID P2"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Additional Cloud Credential attacks due to Incident Response monitoring for persistence and privilege escalation alerts which monitors for unexpected changes to cloud user accounts.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "PUR-PAM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft Purview Privileged Access Management allows granular access control over privileged admin tasks in Office 365. It can help protect your organization from breaches that use existing privileged admin accounts with standing access to sensitive data or access to critical configuration settings. Privileged access management requires users to request just-in-time access to complete elevated and privileged tasks through a highly scoped and time-bounded approval workflow. This configuration gives users just-enough-access to perform the task at hand, without risking exposure of sensitive data or critical configuration settings.  Microsoft 365 configuration settings. When used with Microsoft Entra Privileged Identity Management, these two features provide access control with just-in-time access at different scopes. (e.g., Encryption, RBAC, Conditional Access, JIT, Just Enough Access (with Approval). \n\nLicense requirements: M365 E5 customers."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege for account management in order to limit the number of accounts with the ability to add additional cloud credentials.  This receives a score of Partial for its ability to minimize known accounts with the ability to add credentials.\n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Requiring the use of MFA along with conditional access policies may reduce the likelihood of adversaries making credential modifications, administrator changes, account manipulation, changes to permissions, etc."}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Privileged roles such as the Application Administrator role can be configured to require MFA on activation to provide additional protection against the execution of this technique.  In addition these privileged roles can be assigned as eligible rather than permanently active roles to further reduce the attack surface."}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The PIM control can enforce on-activation requirements for privileged roles, such as the Application Administrator. Configuration can include an MFA requirement, which can provide additional protection against Additional Cloud Credentials. PIM can also be used to assigned privileged roles as \"eligible\" rather than \"active\" to further, requiring activation of the assigned role before use. Due to these features, a score of Significant is assigned. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance"}]}, {"techniqueID": "T1098.002", "score": 3, "comment": " Related to: \n \u2022DEF-IR-E5\n\u2022EID-MFA-E3\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include \"Unusual administrative activity (by user)\" and \"Unusual addition of credentials to an OAuth app\"."}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Additional Email Delegate Permission attacks due to Incident Response monitoring for default alert policies which provides built-in alert policies that help identify Exchange admin permissions abuse and account permissions changes.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Requiring the use of MFA along with conditional access policies may reduce the likelihood of adversaries making modifications, such as changes to email delegate permissions. "}]}, {"techniqueID": "T1119", "score": 2, "comment": " Related to: \n \u2022PUR-INPR-E5\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's Information protection policies can detect and encrypt sensitive information at rest on supported platforms, which can inhibit automated data collection activities."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can detect sensitive information at rest, which may be indicative of data collection activities."}, {"divider": true}, {"name": "control", "value": "PUR-INPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Protects from Automated Collection attacks due to it encrypting files containing personally identifying information and other sensitive data that is shared in a cloud app and applying sensitivity labels to limit access only to employees in your company.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"}]}, {"techniqueID": "T1213.004", "score": 2, "comment": " Related to: \n \u2022EID-RBAC-E3\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege for access to SharePoint repositories to only those required for an account. This scores Partial for its ability to minimize the attack surface of accounts with access to potentially valuable information.   \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}]}, {"techniqueID": "T1649", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can protect authentication certificates by\u00a0allowing you to create access and session policies that leverage device tags and valid client certificates"}]}, {"techniqueID": "T1189", "score": 8, "comment": " Related to: \n \u2022DEF-SIMT-E5\n\u2022DEF-AIR-E5\n\u2022DEF-THEX-E5\n\u2022DEF-PSP-E3\n\u2022DEF-CAPP-E5\n\u2022DEF-SSCO-E3\n\u2022DEF-TPSR-E3\n\u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can detect outdated client browser software, which is a common target of exploitation in drive-by compromises."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Drive-by-Compromise attacks due to the UrlClickEvents table in the advanced hunting schema which contains information about Safe Links clicks from email messages, Microsoft Teams, and Office 365 apps which can inspect URLs for potentially known-bad domains or parameters.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-PSP-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions. \n\nPreset Security Policies Detects Drive-by-Compromise attacks due to all recipients in the organization receiving Safe Links and Safe Attachments with the Built-in protection profile by default. Safe Links immediately checking the URL's before opening the websites. You can add entries to the existing policies or configure different lists in different Safe Links policies to determine if certain websites are necessary for business operations. If the URL points to a website that has been identified as a phishing attack, a Phishing attempt warning page will open. \n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-THEX-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Threat Explorer helps your security operations team investigate and respond to threats efficiently. With these tools, you can: See malware detected by Microsoft 365 security features, View phishing URL and click verdict data, Start an automated investigation and response process from a view in Explorer, Investigate malicious email, and more. \n\nThreat Explorer Detects Drive-by-Compromise attacks by their dashboard capturing and enabling the user to view phishing attempts, including a list of URLs that were allowed, blocked, and overridden. With an organization blocking URL's for users, it mitigates users visiting a website that is used to host the adversary controlled content.\n\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-TPSR-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. The report provides the count of email messages with malicious content. For example: Files or website addresses (URLs) that were blocked by the anti-malware engine, Files or messages affected by zero-hour auto purge (ZAP), Files or messages that were blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.\n\nThreat Protection Status Report Detects Drive-by-Compromise attacks by the report capturing and displaying files or messages that were blocked by Safe Links, Safe Attachments, and impersonation protection features in phishing policies. With an organization filtering URL's for users, it mitigates users visiting a website that is used to host the adversary controlled content.\n\nLicense Requirements: \nExchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}]}, {"techniqueID": "T1213.001", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control may detect anomalous user behavior wrt information repositories such as Sharepoint or Confluence."}]}, {"techniqueID": "T1219", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control can limit potential C2 via unapproved remote access software."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify potential malicious activity associated with the use or attempted use of unapproved remote access software."}]}, {"techniqueID": "T1484.002", "score": 2, "comment": " Related to: \n \u2022EID-RBAC-E3\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can detect admin activity from risky IP addresses."}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege to limit accounts with the access to domain trusts. This scores Partial for its ability to minimize the overall accounts with these privileges.  \n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}]}, {"techniqueID": "T1485", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify deletion activity which could be potential malicious data destruction. Relevant Alerts include \"Multiple storage deletion activities\", \"Multiple VM deletion activity\", \"Unusual file deletion activity (by user), \"Suspicous email deletion activiy\", and \"Ransomware activity\".\n"}]}, {"techniqueID": "T1486", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can detect a range of ransomware-related activities including encryption. Relevant alert include \"Ransomware activities\" and \"Unusual file deletion activity (by user)\"."}]}, {"techniqueID": "T1496", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify some behaviors that are potential instances of resource hijacking. Relevant alerts include \"Multiple VM Creation activities\" and \"Suspicious creation activity for cloud region\"."}]}, {"techniqueID": "T1496.002", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify some behaviors that are potential instances of compute hijacking. Relevant alerts include \"Multiple VM Creation activities\" and \"Suspicious creation activity for cloud region\"."}]}, {"techniqueID": "T1496.003", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify some behaviors that are potential instances of compute hijacking. Relevant alerts include \"Multiple VM Creation activities\" and \"Suspicious creation activity for cloud region\"."}]}, {"techniqueID": "T1526", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can detect anomalous user activity that may be associated with cloud service discovery. Relevant alert is \"Unusual file share activty (by user)\"."}]}, {"techniqueID": "T1534", "score": 12, "comment": " Related to: \n \u2022DEF-AIR-E5\n\u2022DEF-QUAR-E3\n\u2022DEF-ZHAP-E3\n\u2022EOP-ASP-E3\n\u2022DEF-SLNK-E3\n\u2022DEF-ATH-E5\n\u2022DEF-PSP-E3\n\u2022DEF-AAPH-E5\n\u2022DEF-SSCO-E3\n\u2022DEF-TPSR-E3\n\u2022DEF-ASP-E3\n\u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can identify anomalous user impersonation activity, which can be an element of internal spearphishing. Relevant alert is \"Unusual impersonated activity (by user)\"."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-QUAR-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. \n\nLicense requirements: M365 E3 (or Defender for Office plan 1)"}, {"divider": true}, {"name": "control", "value": "DEF-ZHAP-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security."}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Internal Spearphishing attacks due to the DeviceNetworkEvents table in the advanced hunting schema which contains information about network connections and related events which monitors network data for uncommon data flows\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-PSP-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions. \n\nPreset Security Policies Detects Internal Spearphishing attacks due to all recipients in the organization receiving Safe Links and Safe Attachments with the Built-in protection profile by default. Safe Links immediately checking the URL's before opening the websites. You can add entries to the existing policies or configure different lists in different Safe Links policies to determine if certain websites are necessary for business operations. If the URL points to a website that has been identified as a phishing attack, a Phishing attempt warning page will open. \n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-TPSR-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. The report provides the count of email messages with malicious content. For example: Files or website addresses (URLs) that were blocked by the anti-malware engine, Files or messages affected by zero-hour auto purge (ZAP), Files or messages that were blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.\n\nThreat Protection Status Report Detects Internal Spearphishing attacks by the report capturing and displaying files or messages that were blocked by Safe Links, Safe Attachments, and impersonation protection features in phishing policies.\n\nLicense Requirements: \nExchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-SLNK-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for O365 Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps. \n\nSafe Links Detects Internal Spearphishing attacks due to Safe Links immediately checking the URL's before opening the websites. You can add entries to the existing policies or configure different lists in different Safe Links policies to determine if certain websites are necessary for business operations. If the URL points to a website that has been identified as a phishing attack, a Phishing attempt warning page will open. \n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-AAPH-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Advanced Anti-phishing control includes features that can be used to Respond to unusual communication patterns that may indicate Internal Spearphishing. AAP for Defender for O365 supports impersonation protection, which provides multiple options in reaction to a detected impersonation attempt. For example, the ability to redirect the email to specified recipients, add new recipients as Bcc, send it to the Junk Email folder, place the message in quarantine, or even automatically delete it. This scores Partial in the Respond category for its ability to potentially contain the impact of or alert others to the need to remediate internal spearphishing attempts.\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"}, {"divider": true}, {"name": "control", "value": "DEF-AAPH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Advanced Anti-phishing control includes features that can be used to detect and warn users against unusual communication patterns that may indicate Internal Spearphishing. The first contact safety tip, which will report the first time a user gets a message from a sender, or if they often don\u2019t get messages from that sender may alert users to suspicious communications from legitimate, but unexpected users in their organization. This scores Partial in the Detect category for its near real-time processing and indication of unexpected email communications. Detection of suspicious communication will not be equally accurate, depending on the accounts in question. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"}, {"divider": true}, {"name": "control", "value": "EOP-ASP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.\n\nTo help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering (also known as content filtering) technologies to identify and separate junk email from legitimate email. EOP spam filtering learns from known spam and phishing threats and user feedback from our consumer platform.\n\nLicense requirements: M365 E3"}, {"divider": true}, {"name": "control", "value": "DEF-ASP-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The anti-spoofing technology in Microsoft O365 specifically examines forgery of the From header in the message body, because that header value is the message sender that's shown in email clients. When EOP has high confidence that the From header is forged, the message is identified as spoofed. The following anti-spoofing technologies are available in Microsoft O365: email authentication, spoof intelligence insight, allow or block spoofed senders in the tenant allow/block List, anti-phishing policies, and spoof detections report\n\nMicrosoft O365's anti-spoofing technology detects Internal Spearphishing attacks due to spoof detections report, where users can view information about phishing attempts \n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR"}]}, {"techniqueID": "T1535", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can detect unusual region and activity for cloud resources (preview feature as of this writing).  Relevant alert is \"Suspicious creation activity for cloud region\"."}]}, {"techniqueID": "T1558.005", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender for Cloud Apps provides endpoint detection and response (EDR) capabilities. This can potentially block attempts to steal ccache files."}]}, {"techniqueID": "T1565", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can detect and encrypt sensitive information at rest on supported platforms and restrict access."}]}, {"techniqueID": "T1565.001", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can detect and encrypt sensitive information at rest on supported platforms."}]}, {"techniqueID": "T1567", "score": 5, "comment": " Related to: \n \u2022DEF-AIR-E5\n\u2022DEF-CAPP-E5\n\u2022PUR-INPR-E5\n\u2022DEF-SSCO-E3\n\u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can limit user methods to send data over web services."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify large volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. A relevant alert is \"Unusual file download (by user)\"."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Exfiltration Over Web Service attacks due to the DeviceNetworkEvents table in the advanced hunting schema which contains information about network connections and related events which monitors for newly constructed network connections.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "PUR-INPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Protects from Exfiltration Over Web Service attacks due to it preventing users from uploading unprotected data to the cloud, by using the Defender for Cloud Apps session controls.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"}]}, {"techniqueID": "T1567.001", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify large volume potential exfiltration activity."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify large volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. A relevant alert is \"Unusual file download (by user)\"."}]}, {"techniqueID": "T1567.002", "score": 2, "comment": " Related to: \n \u2022DEF-CAPP-E5\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify large volume potential exfiltration activity."}, {"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can identify large volume potential exfiltration activity, and log user activity potentially related to exfiltration via web services. A relevant alert is \"Unusual file download (by user)\"."}, {"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}]}, {"techniqueID": "T1574.013", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control offers behavior prevention capabilities for cloud environments that can be configured to block some types of behaviors related to process injection/memory tampering."}]}, {"techniqueID": "T1578", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can identify anomalous admin activity.\nRelevant alerts include \"Multiple storage deletion activities\", \"Multiple VM creation activities\", and \"Suspicious creation activity for cloud region\". "}]}, {"techniqueID": "T1578.001", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can identify anomalous admin activity."}]}, {"techniqueID": "T1578.002", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can identify anomalous admin activity."}]}, {"techniqueID": "T1578.003", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can identify anomalous admin activity."}]}, {"techniqueID": "T1578.004", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control can identify anomalous admin activity."}]}, {"techniqueID": "T1053.007", "score": 1, "comment": " Related to: \n \u2022DEF-CAPP-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-CAPP-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Microsoft 365 Defender for Cloud Apps can scan images and containers for threats and vulnerabilities, as well as identify misconfigurations for remediation."}]}, {"techniqueID": "T1072", "score": 1, "comment": " Related to: \n \u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}]}, {"techniqueID": "T1080", "score": 4, "comment": " Related to: \n \u2022DEF-QUAR-E3\n\u2022DEF-ZHAP-E3\n\u2022EOP-AMW-E3\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EOP-AMW-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. "}, {"divider": true}, {"name": "control", "value": "DEF-QUAR-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. \n\nLicense requirements: M365 E3 (or Defender for Office plan 1)"}, {"divider": true}, {"name": "control", "value": "DEF-ZHAP-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security."}]}, {"techniqueID": "T1136", "score": 4, "comment": " Related to: \n \u2022DEF-IR-E5\n\u2022EID-PIM-E5\n\u2022EID-RBAC-E3\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Create Account attacks due to Incident Response monitoring for newly executed processes associated with account creations.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The RBAC control can generally be used to implement the principle of least privilege to protect against account creation. For the given product space, this control helps protect against only against Cloud Account creation, and none of this technique\u2019s other sub-techniques or procedures. Due to overall Minimal coverage, it receives an overall score of Minimal. \n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control only provides protection for one of this technique's sub-techniques while not providing any detection for the remaining and therefore its coverage score is Minimal, resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The PIM control provides significant protection against Create Account: Cloud Account, but not against the technique's other sub-techniques. An overall score of Partial is provided, although overall coverage for the across the sub-techniques is minimal. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance"}]}, {"techniqueID": "T1136.003", "score": 6, "comment": " Related to: \n \u2022EID-RBAC-E3\n\u2022DEF-IR-E5\n\u2022EID-PIM-E5\n\u2022EID-MFA-E3\n\u2022EID-PWLA-E3\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EID-PWLA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft recommended the use of Passwordless authentication. This method provides the most secure MFA sign-in process by replacing the password with something you have, plus something you are or something you know.(e.g., Biometric, FIDO2 security keys, Microsoft\u2019s Authenticator app). \n\nWhen combined with Conditional Access policies, Passwordless Authentication can significantly protect against the likelihood of adversary activity (e.g., account creation, etc.). \n\nLicense Requirements: \nAll Microsoft Entra ID licenses"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Cloud Account attacks due to Incident Response monitoring for newly constructed user accounts through the collection of usage logs from cloud user and administrator accounts to identify unusual activity in the creation of new accounts.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege for account management in order to limit the number of accounts that can create new accounts. This receives a score of Partial for its ability to minimize known accounts with the ability to create new accounts. \n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "MFA can significantly reduce the impact from adversaries creating accounts by requiring an additional authentication method for verification (e.g., Microsoft Authenticator, Authenticator Lite (in Outlook), Windows Hello for Business, FIDO2 security key, OATH hardware token (preview), OATH software token, SMS, Voice call, etc.)"}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Privileged roles such as the User Administrator role can be configured to require MFA on activation to provide additional protection against the execution of this technique.  In addition, these privileged roles can be assigned as eligible rather than permanently active roles to further reduce the attack surface."}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The PIM control can enforce on-activation requirements for privileged roles, such as the User Administrator. Configuration can include an MFA requirement, which can provide additional protection against Cloud Account creation. PIM can also be used to assigned privileged roles as \"eligible\" rather than \"active\" to further, requiring activation of the assigned role before use. Due to these features, a score of Significant is assigned. \n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance"}]}, {"techniqueID": "T1137", "score": 2, "comment": " Related to: \n \u2022DEF-AIR-E5\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}]}, {"techniqueID": "T1204", "score": 9, "comment": " Related to: \n \u2022DEF-AACI-E3\n\u2022DEF-SIMT-E5\n\u2022EOP-AMW-E3\n\u2022DEF-QUAR-E3\n\u2022DEF-ZHAP-E3\n\u2022DEF-SLNK-E3\n\u2022DEF-PSP-E3\n\u2022DEF-SSCO-E3\n\u2022DEF-SATT-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EOP-AMW-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. "}, {"divider": true}, {"name": "control", "value": "DEF-QUAR-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. \n\nLicense requirements: M365 E3 (or Defender for Office plan 1)"}, {"divider": true}, {"name": "control", "value": "DEF-ZHAP-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security."}, {"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control only provides detection for one of this technique's sub-techniques while not providing any detection capability for its other sub-technique, and therefore its coverage score is Partial, resulting in a Partial score."}, {"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control only provides detection for one of this technique's sub-techniques while not providing any detection capability for its other sub-technique, and therefore its coverage score is Partial, resulting in a Partial score."}, {"divider": true}, {"name": "control", "value": "DEF-SATT-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm. \n\nLicense requirements:\nMirosoft 365 E5, Defender for Office Plan 1,  Microsoft 365 E3 with ATP add-on"}, {"divider": true}, {"name": "control", "value": "DEF-SATT-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm. \n\nLicense requirements:\nMirosoft 365 E5, Defender for Office Plan 1,  Microsoft 365 E3 with ATP add-on"}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-PSP-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions. \n\nPreset Security Policies Detects User Execution attacks due to all recipients in the organization receiving Safe Links and Safe Attachments with the Built-in protection profile by default. Safe Links immediately checking the URL's before opening the websites. You can add entries to the existing policies or configure different lists in different Safe Links policies to determine if certain websites are necessary for business operations. If the URL points to a website that has been identified as a phishing attack, a Phishing attempt warning page will open. \n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-SLNK-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for O365 Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps. \n\nSafe Links Detects User Execution attacks due to Safe Links immediately checking the URL's before opening the websites. If the URL points to a website that has been determined to be malicious, a malicious website warning page opens.\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR\n"}]}, {"techniqueID": "T1204.001", "score": 7, "comment": " Related to: \n \u2022DEF-SIMT-E5\n\u2022DEF-AIR-E5\n\u2022DEF-QUAR-E3\n\u2022DEF-ZHAP-E3\n\u2022DEF-SLNK-E3\n\u2022DEF-PSP-E3\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-QUAR-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. \n\nLicense requirements: M365 E3 (or Defender for Office plan 1)"}, {"divider": true}, {"name": "control", "value": "DEF-ZHAP-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security."}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-PSP-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions. \n\nPreset Security Policies Detects Malicious Link attacks due to all recipients in the organization receiving Safe Links and Safe Attachments with the Built-in protection profile by default. Safe Links immediately checks the URL's before opening the websites. If the URL points to a website that has been identified as a phishing attack, a Phishing attempt warning page will open. \n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-SLNK-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for O365 Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Teams, and supported Office 365 apps. \n\nSafe Links Detects Malicious Links attacks due to Safe Links immediately checking the URL's before opening the websites. If the URL points to a website that has been determined to be malicious, a malicious website warning page opens.\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}]}, {"techniqueID": "T1204.002", "score": 8, "comment": " Related to: \n \u2022DEF-AACI-E3\n\u2022DEF-SIMT-E5\n\u2022DEF-AIR-E5\n\u2022EOP-AMW-E3\n\u2022DEF-QUAR-E3\n\u2022DEF-ZHAP-E3\n\u2022DEF-SSCO-E3\n\u2022DEF-SATT-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EOP-AMW-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. "}, {"divider": true}, {"name": "control", "value": "DEF-QUAR-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. \n\nLicense requirements: M365 E3 (or Defender for Office plan 1)"}, {"divider": true}, {"name": "control", "value": "DEF-ZHAP-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security."}, {"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Once this control is activated, it generates alerts for any executable that has been run and is not included in an allow list. There is a significant potential for false positives from new non-malicious executables, and events are calculated once every twelve hours, so its temporal score is Partial."}, {"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Once this control is activated, it generates alerts for any executable that has been run and is not included in an allow list. There is a significant potential for false positives from new non-malicious executables, and events are calculated once every twelve hours, so its temporal score is Partial."}, {"divider": true}, {"name": "control", "value": "DEF-SATT-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm. \n\nLicense requirements:\nMirosoft 365 E5, Defender for Office Plan 1,  Microsoft 365 E3 with ATP add-on"}, {"divider": true}, {"name": "control", "value": "DEF-SATT-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm. \n\nLicense requirements:\nMirosoft 365 E5, Defender for Office Plan 1,  Microsoft 365 E3 with ATP add-on"}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}]}, {"techniqueID": "T1211", "score": 1, "comment": " Related to: \n \u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}]}, {"techniqueID": "T1550.001", "score": 2, "comment": " Related to: \n \u2022DEF-IR-E5\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to application access token attacks due to Incident Response monitoring for the use of application access tokens to interact with resources or services that do not fit the organization baseline.\n\nLicense Requirements:\nMicrosoft Defender XDR"}]}, {"techniqueID": "T1566.001", "score": 15, "comment": " Related to: \n \u2022DEF-SIMT-E5\n\u2022DEF-AIR-E5\n\u2022EOP-AMW-E3\n\u2022DEF-THEX-E5\n\u2022DEF-QUAR-E3\n\u2022DEF-ZHAP-E3\n\u2022EOP-APH-E3\n\u2022EOP-ASP-E3\n\u2022DEF-PSP-E3\n\u2022DEF-AAPH-E5\n\u2022EID-MFA-E3\n\u2022DEF-SSCO-E3\n\u2022DEF-TPSR-E3\n\u2022DEF-THTR-E5\n\u2022DEF-SATT-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "EOP-AMW-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. "}, {"divider": true}, {"name": "control", "value": "DEF-QUAR-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. \n\nLicense requirements: M365 E3 (or Defender for Office plan 1)"}, {"divider": true}, {"name": "control", "value": "DEF-ZHAP-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security."}, {"divider": true}, {"name": "control", "value": "EOP-APH-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Policies to configure anti-phishing protection settings are available in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, and Microsoft Defender for Office 365 organizations. The features provided with Anti-phishing policies in Defender for Office 365 are: Automatically creating default policies, creating custom policies, common policy settings, spoof settings, first contact safety tips, impersonation settings, and advanced phishing thresholds.\n\nMicrosoft 365's Anti-Phishing protection protects from Phishing attacks due to it's custom policy feature where users can create policies to determine if certain websites used for phishing are necessary for business operations and can block access if activity cannot be monitored well or if it poses a significant risk.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR"}, {"divider": true}, {"name": "control", "value": "DEF-SATT-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm. \n\nLicense requirements:\nMirosoft 365 E5, Defender for Office Plan 1,  Microsoft 365 E3 with ATP add-on"}, {"divider": true}, {"name": "control", "value": "DEF-SATT-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm. \n\nLicense requirements:\nMirosoft 365 E5, Defender for Office Plan 1,  Microsoft 365 E3 with ATP add-on"}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}, {"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": " Entra MFA can provide partial security protection against phishing tactics. It is a security measure that adds an extra layer of protection against phishing attacks by requiring users to verify their identity through more than one method. "}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-PSP-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions. \n\nPreset Security Policies Detects Spearphishing Attachment attacks due to the Built-in protection preset security policy providing Safe Attachments protection to all recipients. Safe Attachments uses a virtual environment to check attachments in email messages before they're delivered to recipients (a process known as detonation).\n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-THEX-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Threat Explorer helps your security operations team investigate and respond to threats efficiently. With these tools, you can: See malware detected by Microsoft 365 security features, View phishing URL and click verdict data, Start an automated investigation and response process from a view in Explorer, Investigate malicious email, and more. \n\nThreat Explorer Detects Spearphishing Attachment attacks by using Threat Explorer's System Override feature. The File extension blocked by org policy value, enables An organization's security team to block a file name extension through the anti-malware policy settings. These values will now be displayed in email details to help with investigations. Secops teams can also use the rich-filtering capability to filter on blocked file extensions.\n\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-TPSR-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. The report provides the count of email messages with malicious content. For example: Files or website addresses (URLs) that were blocked by the anti-malware engine, Files or messages affected by zero-hour auto purge (ZAP), Files or messages that were blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.\n\nThreat Protection Status Report Detects Spearphishing Attachment attacks by the report capturing and displaying files or messages that were blocked by Safe Links, Safe Attachments, and impersonation protection features in phishing policies.\n\nLicense Requirements: \nExchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-AAPH-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Advanced Anti-phishing control includes several mechanisms that can be used to respond to malicious emails targeting users with Spearphishing Attachments. Responses include the ability to automatically move suspicious messages to the Junk Email, but additional settings also exist that allow a message to be quarantined or rejected.  Spoof settings also allow for different quarantine policies, which define how users can interact with these messages. This scores Partial for the Respond category for its ability to contain, possibly quarantine and limit user interaction with flagged emails. Note the response will be insufficient in the event a user interacts with and executes the malicious Spearphishing attachment.\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"}, {"divider": true}, {"name": "control", "value": "DEF-AAPH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The Advanced Anti-phishing control includes several mechanisms that can detect and warn a user against suspicious emails and reduce the likelihood of the user falling victim to malicious emails with Spearphishing Attachments. Detections include implicit email authentication, which include unauthenticated sender indicators that warn the user of potential email spoofing based on SPF or DMARC checks, and first contact safety tip, which will report the first time a user gets a message from a sender, or if they often don\u2019t get messages from that sender. This scores Significant for the Detect category, for its high coverage against email coming emails, near real-time processing of new emails, and fairly accurate detection rates. Note that AAP is focused on detecting malicious emails, not the processing and analysis of attachments.  \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"}, {"divider": true}, {"name": "control", "value": "DEF-AAPH-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Advanced Anti-phishing control includes configurable policies that control anti-phishing protection settings that can help protect users by filtering out and even blocking suspicious emails, and reduce the likelihood of the user falling victim to malicious emails with Spearphishing Attachments. These protection policies are configurable across different user groups, and can be tied to Actions designed to help organizations Respond to the suspicious messages. This scores Partial in the Protect category for its ability to minimize, filter, and flag potentially malicious emails end users receive. However, it should be noted that the AAP control on its own may not further protect against a user proceeding to interact with malicious attachments in a flagged email, depending on how an organization configures follow up Actions and how a user may interact with the message. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"}, {"divider": true}, {"name": "control", "value": "EOP-ASP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.\n\nTo help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering (also known as content filtering) technologies to identify and separate junk email from legitimate email. EOP spam filtering learns from known spam and phishing threats and user feedback from our consumer platform.\n\nLicense requirements: M365 E3"}, {"divider": true}, {"name": "control", "value": "DEF-THTR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The Threat Tracker control includes noteworthy trackers, which highlights newly detected malicious files found with Safe Attachments, that may alert on malicious Spearphishing Attachments. Specifically, noteworthy trackers will highlight malicious files that were not previously found by Microsoft in your email flow or in other customers\u2019 emails. This scores Partial for Detection,  for the ability to highlight potential new threats , although it is the Safe Attachments control that denotes and analyzes email attachments to begin with. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"}]}, {"techniqueID": "T1567.004", "score": 3, "comment": " Related to: \n \u2022PUR-INPR-E5\n\u2022DEF-ATH-E5\n\u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Exfiltration Over Webhook attacks due to the DeviceNetworkEvents table in the advanced hunting schema which contains information about network connections and related events which monitor network data for uncommon data flows.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "PUR-INPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Protects from Exfiltration Over Webhook attacks due to it preventing users from uploading unprotected data to the cloud, by using the Defender for Cloud Apps session controls.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"}]}, {"techniqueID": "T1656", "score": 11, "comment": " Related to: \n \u2022DEF-AIR-E5\n\u2022DEF-THEX-E5\n\u2022DEF-QUAR-E3\n\u2022DEF-ZHAP-E3\n\u2022EOP-APH-E3\n\u2022EOP-ASP-E3\n\u2022DEF-PSP-E3\n\u2022DEF-AAPH-E5\n\u2022DEF-SSCO-E3\n\u2022DEF-TPSR-E3\n\u2022DEF-ASP-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}, {"divider": true}, {"name": "control", "value": "DEF-QUAR-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. \n\nLicense requirements: M365 E3 (or Defender for Office plan 1)"}, {"divider": true}, {"name": "control", "value": "DEF-ZHAP-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security."}, {"divider": true}, {"name": "control", "value": "EOP-APH-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Policies to configure anti-phishing protection settings are available in Microsoft 365 organizations with Exchange Online mailboxes, standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, and Microsoft Defender for Office 365 organizations. The features provided with Anti-phishing policies in Defender for Office 365 are: Automatically creating default policies, creating custom policies, common policy settings, spoof settings, first contact safety tips, impersonation settings, and advanced phishing thresholds.\n\nMicrosoft 365's Anti-Phishing protection protects from Phishing attacks due to it's custom policy feature where users can create policies to determine if certain websites used for phishing are necessary for business operations and can block access if activity cannot be monitored well or if it poses a significant risk.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR"}, {"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Microsoft Defender for Office 365 includes powerful automated investigation and response (AIR) capabilities that can save your security operations team time and effort. As alerts are triggered, it's up to your security operations team to review, prioritize, and respond to those alerts. Keeping up with the volume of incoming alerts can be overwhelming. Automating some of those tasks can help.\nAIR enables your security operations team to operate more efficiently and effectively. AIR capabilities include automated investigation processes in response to well-known threats that exist today. Appropriate remediation actions await approval, enabling your security operations team to respond effectively to detected threats. With AIR, your security operations team can focus on higher-priority tasks without losing sight of important alerts that are triggered. Examples include: Soft delete email messages or clusters, Block URL (time-of-click), Turn off external mail forwarding, Turn off delegation, etc.\n\nRequired licenses\nE5 or Microsoft Defender for Office 365 Plan 2 licenses. "}, {"divider": true}, {"name": "control", "value": "DEF-PSP-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365 Preset security policies allow you to apply protection features to users based on Microsoft's recommended settings. Unlike custom policies that are infinitely configurable, virtually all of the settings in preset security policies aren't configurable, and are based on observations in Microsoft's datacenters. The settings in preset security policies provide a balance between keeping harmful content away from users while avoiding unnecessary disruptions. \n\nPreset Security Policies Detects Impersonation attacks due to all recipients in the organization receiving Safe Links and Safe Attachments with the Built-in protection profile by default. Safe Links immediately checks the URL's before opening the websites. If the URL points to a website that has been identified as a phishing attack, a Phishing attempt warning page will open. \n\nLicense Requirements:\nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-THEX-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Threat Explorer helps your security operations team investigate and respond to threats efficiently. With these tools, you can: See malware detected by Microsoft 365 security features, View phishing URL and click verdict data, Start an automated investigation and response process from a view in Explorer, Investigate malicious email, and more. \n\nThreat Explorer Detects Impersonation attacks by their dashboard capturing and enabling the user to view phishing attempts, including a list of URLs that were allowed, blocked, and overridden. With an organization blocking URL's for users, it mitigates users visiting a website that is used to host the adversary controlled content.\n\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-TPSR-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Threat protection status report is a single view that brings together information about malicious content and malicious email detected and blocked by Exchange Online Protection (EOP) and Defender for Office 365. The report provides the count of email messages with malicious content. For example: Files or website addresses (URLs) that were blocked by the anti-malware engine, Files or messages affected by zero-hour auto purge (ZAP), Files or messages that were blocked by Defender for Office 365 features: Safe Links, Safe Attachments, and impersonation protection features in anti-phishing policies.\n\nThreat Protection Status Report Detects Impersonation attacks by the report capturing and displaying files or messages that were blocked by Safe Links, Safe Attachments, and impersonation protection features in phishing policies.\n\nLicense Requirements: \nExchange Online Protection, Microsoft Defender for Office 365 plan 1 and plan 2, Microsoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-AAPH-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Advanced Anti-phishing control includes several mechanisms that can be used to respond to malicious emails detected that may be part of Impersonation using email communications. Responses include the ability to automatically move suspicious messages to the Junk Email, but additional settings also exist that allow a message to be quarantined or rejected.  Spoof settings also allow for different quarantine policies, which define how users can interact with these messages. This scores Minimal for the Respond category, due to relatively low or no coverage against the scope of the Impersonation technique and its example procedures.\n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"}, {"divider": true}, {"name": "control", "value": "DEF-AAPH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Advanced Anti-phishing control includes several mechanisms that can detect and warn a user against suspicious emails and reduce the likelihood of the user falling victim to suspicious email communications resulting from Impersonation. Detections include implicit email authentication, which include unauthenticated sender indicators that warn the user of potential email spoofing based on SPF or DMARC checks, and first contact safety tip, which will report the first time a user gets a message from a sender, or if they often don\u2019t get messages from that sender. This scores Minimal for the Detect category, due to relatively low or no coverage against the scope of the Impersonation technique and its example procedures. However, against specific email-based implementations, coverage will be near real-time and high for the criteria covered. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"}, {"divider": true}, {"name": "control", "value": "DEF-AAPH-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "The Advanced Anti-phishing control includes configurable policies that control anti-phishing protection settings that can help protect in the event of business email compromise and email fraud campaigns, which may help protect against some methods of Impersonation. These protection policies are configurable across different user groups, and can be tied to Actions designed to help organizations Respond to the suspicious messages. This scores Minimal in the Protect category given the ability to flag potentially malicious emails provides relatively low or no coverage against the scope of the Impersonation technique and its example procedures. \n\nLicense Requirements:\nMicrosoft 365 Enterprise E5 (includes Defender for Office 365 Plan 2)"}, {"divider": true}, {"name": "control", "value": "EOP-ASP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against spam (junk email) by EOP.\n\nTo help reduce junk email, EOP includes junk email protection that uses proprietary spam filtering (also known as content filtering) technologies to identify and separate junk email from legitimate email. EOP spam filtering learns from known spam and phishing threats and user feedback from our consumer platform.\n\nLicense requirements: M365 E3"}, {"divider": true}, {"name": "control", "value": "DEF-ASP-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The anti-spoofing technology in Microsoft O365 specifically examines forgery of the From header in the message body, because that header value is the message sender that's shown in email clients. When EOP has high confidence that the From header is forged, the message is identified as spoofed. The following anti-spoofing technologies are available in Microsoft O365: email authentication, spoof intelligence insight, allow or block spoofed senders in the tenant allow/block List, anti-phishing policies, and spoof detections report\n\nMicrosoft O365's anti-spoofing technology protects from Impersonation attacks due to impersonation protection provided with anti-phishing policies.\n\nLicense Requirements: \nMicrosoft Exchange Online Protection, Defender for Office 365 plan 1 and plan 2, Microsoft XDR"}]}, {"techniqueID": "T1657", "score": 1, "comment": " Related to: \n \u2022DEF-SSCO-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SSCO-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more recommended actions taken. It can be found at Microsoft Secure Score in the Microsoft Defender portal.\n\nFollowing the Secure Score recommendations can protect your organization from threats. From a centralized dashboard in the Microsoft Defender portal, organizations can monitor and work on the security of their Microsoft 365 identities, apps, and devices. Your score is updated in real time to reflect the information presented in the visualizations and recommended action pages. Secure Score also syncs daily to receive system data about your achieved points for each action.\n\nTo help you find the information you need more quickly, Microsoft recommended actions are organized into groups:\n\nIdentity (Microsoft Entra accounts & roles)\nDevice (Microsoft Defender for Endpoint, known as Microsoft Secure Score for Devices)\nApps (email and cloud apps, including Office 365 and Microsoft Defender for Cloud Apps)\nData (through Microsoft Information Protection)"}]}, {"techniqueID": "T1021.008", "score": 1, "comment": " Related to: \n \u2022EID-IDPR-E5", "metadata": [{"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "As this technique involves the use of Valid Accounts, Defender's behavioral analytics and Conditional Access can also lead to the detection of Direct Cloud VM Connections."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "As this technique involves the use of Valid Accounts, Entra ID Protection's partial detection of the use of Valid Accounts for malicious purposes can also lead to the detection of Direct Cloud VM Connections."}]}, {"techniqueID": "T1606.002", "score": 4, "comment": " Related to: \n \u2022DEF-IR-E5\n\u2022DEF-APGV-E5\n\u2022EID-IDPR-E5\n\u2022EID-IDSS-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control supports detecting risky sign-ins and users that involve federated users and therefore can potentially alert on this activity.  Not all alert types for this control support federated accounts therefore the detection coverage for this technique is partial."}, {"divider": true}, {"name": "control", "value": "EID-IDPR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Response Type:  Eradication\nSupports blocking and resetting the user's credentials based on the detection of a risky user/sign-in manually and also supports automation via its user and sign-in risk policies."}, {"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control's \"Turn on sign-in risk policy\" and \"Turn on user risk policy\" recommendations recommend enabling Azure AD Identity Protection which can detect the malicious usage of SAML Tokens.  This is a recommendation and therefore the score is capped at Partial."}, {"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to SAML Token attacks due to Incident Response monitoring for credential access alert policies which monitors for anomalous authentication activity.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects SAML Token attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}]}, {"techniqueID": "T1027", "score": 3, "comment": " Related to: \n \u2022DEF-QUAR-E3\n\u2022DEF-ZHAP-E3\n\u2022EOP-AMW-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EOP-AMW-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. "}, {"divider": true}, {"name": "control", "value": "DEF-QUAR-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. \n\nLicense requirements: M365 E3 (or Defender for Office plan 1)"}, {"divider": true}, {"name": "control", "value": "DEF-ZHAP-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security."}]}, {"techniqueID": "T1036", "score": 4, "comment": " Related to: \n \u2022DEF-AACI-E3\n\u2022DEF-QUAR-E3\n\u2022DEF-ZHAP-E3\n\u2022EOP-AMW-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EOP-AMW-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. "}, {"divider": true}, {"name": "control", "value": "DEF-QUAR-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. \n\nLicense requirements: M365 E3 (or Defender for Office plan 1)"}, {"divider": true}, {"name": "control", "value": "DEF-ZHAP-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security."}, {"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control provides detection for some of this technique's sub-techniques and procedure examples and therefore its coverage score is Partial, resulting in a Partial score. Its detection occurs once every twelve hours, so its temporal score is also Partial."}, {"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control provides detection for some of this technique's sub-techniques and procedure examples and therefore its coverage score is Partial, resulting in a Partial score. Its detection occurs once every twelve hours, so its temporal score is also Partial."}]}, {"techniqueID": "T1036.007", "score": 1, "comment": " Related to: \n \u2022EOP-AMW-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EOP-AMW-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "M365's Antimalware capability can be used to block specified file types from executing. This can be configured to only block nonessential file types (such as .exe files), which could prevent files with double extensions from being opened. However, this does not combat the technique as a whole."}]}, {"techniqueID": "T1036.010", "score": 2, "comment": " Related to: \n \u2022DEF-AAPH-E5\n\u2022EOP-AMW-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EOP-AMW-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. "}, {"divider": true}, {"name": "control", "value": "DEF-AAPH-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Anti-Phishing measures in Microsoft 365 Defender include settings explicitly designed to protect against fake accounts masquerading as legitimate accounts, such as if the names or email addresses are too close to the real one."}]}, {"techniqueID": "T1059.006", "score": 2, "comment": " Related to: \n \u2022DEF-ZHAP-E3\n\u2022EOP-AMW-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EOP-AMW-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Microsoft 365 organizations with mailboxes in Exchange Online or standalone Exchange Online Protection (EOP) organizations without Exchange Online mailboxes, email messages are automatically protected against malware by EOP. Some of the major categories of malware are:\n\nViruses that infect other programs and data, and spread through your computer or network looking for programs to infect.\nSpyware that gathers your personal information, such as sign-in information and personal data, and sends it back to its author.\nRansomware that encrypts your data and demands payment to decrypt it. Anti-malware software doesn't help you decrypt encrypted files, but it can detect the malware payload that's associated with the ransomware.\nEOP offers multi-layered malware protection that's designed to catch all known malware in Windows, Linux, and Mac that travels into or out of your organization. The following options help provide anti-malware protection:\n\nLayered defenses against malware: Multiple anti-malware scan engines help protect against both known and unknown threats. These engines include powerful heuristic detection to provide protection even during the early stages of a malware outbreak. This multi-engine approach has been shown to provide significantly more protection than using just one anti-malware engine.\nReal-time threat response: During some outbreaks, the anti-malware team might have enough information about a virus or other form of malware to write sophisticated policy rules that detect the threat, even before a definition is available from any of the scan engines used by the service. These rules are published to the global network every 2 hours to provide your organization with an extra layer of protection against attacks.\nFast anti-malware definition deployment: The anti-malware team maintains close relationships with partners who develop anti-malware engines. As a result, the service can receive and integrate malware definitions and patches before they're publicly released. Our connection with these partners often allows us to develop our own remedies as well. The service checks for updated definitions for all anti-malware engines every hour.\n\nLicense Requirements: M365 E3 or Microsoft Defender for Office plan 1. "}, {"divider": true}, {"name": "control", "value": "DEF-ZHAP-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Zero-hour auto purge (ZAP) is a protection feature in Exchange Online Protection (EOP) that retroactively detects and neutralizes malicious phishing, spam, or malware messages that have already been delivered to Exchange Online mailboxes. With the E5 licensing or Office Plan 2, ZAP is also able to retroactively detect existing malicious chat messages in Microsoft Teams that are identified as malware or high confidence phishing.\n\nLicense Requirements: ZAP for Defender O365 is included with M365's E3 and requires E5 when leveraging ZAP for Teams security."}]}, {"techniqueID": "T1204.003", "score": 2, "comment": " Related to: \n \u2022DEF-QUAR-E3\n\u2022DEF-SLNK-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-QUAR-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm. \n\nLicense requirements:\nMirosoft 365 E5, Defender for Office Plan 1,  Microsoft 365 E3 with ATP add-on"}, {"divider": true}, {"name": "control", "value": "DEF-SLNK-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm. \n\nLicense requirements:\nMirosoft 365 E5, Defender for Office Plan 1,  Microsoft 365 E3 with ATP add-on"}]}, {"techniqueID": "T1213.005", "score": 1, "comment": " Related to: \n \u2022DEF-QUAR-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-QUAR-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "In Exchange Online Protection (EOP) and Microsoft Defender for Office 365, quarantine policies allow admins to define the user experience for quarantined messages.\n   \nTraditionally, users have been allowed or denied levels of interactivity with quarantine messages based on why the message was quarantined. For example, users can view and release messages that were quarantined as spam or bulk, but they can't view or release messages that were quarantined as high confidence phishing or malware.\n\nThe following M365 features are supported by quarantine policies, \u201cResponse\u201d to Anti-malware and Anti-Phishing tagged items. Files that are quarantined as malware by Safe Attachments for SharePoint, OneDrive, and Microsoft Teams. \n\nLicense requirements: M365 E3 (or Defender for Office plan 1)"}]}, {"techniqueID": "T1027.011", "score": 1, "comment": " Related to: \n \u2022EOP-AMW-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EOP-AMW-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "This control can protect against fileless storage attacks."}]}, {"techniqueID": "T1027.012", "score": 1, "comment": " Related to: \n \u2022EOP-AMW-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EOP-AMW-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "This control can protect against LNK icon smuggling."}]}, {"techniqueID": "T1027.013", "score": 1, "comment": " Related to: \n \u2022EOP-APH-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EOP-APH-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Exchange Online Protection's anti-phishing methods can protect against encrypted malicious files by scanning attachments and potentially quarantining them. Due to this being only one avenue, the rating is judged to be partial."}]}, {"techniqueID": "T1036.001", "score": 1, "comment": " Related to: \n \u2022DEF-AACI-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Because signatures generated via this technique are not valid, these malicious executables would be detected via any form of allow list, including publisher-based. Events are calculated once every twelve hours, so its temporal score is Partial."}, {"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Because signatures generated via this technique are not valid, these malicious executables would be detected via any form of allow list, including publisher-based. Events are calculated once every twelve hours, so its temporal score is Partial."}]}, {"techniqueID": "T1036.005", "score": 1, "comment": " Related to: \n \u2022DEF-AACI-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Path-based masquerading may subvert path-based rules within this control, resulting in false negatives, but hash and publisher-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial."}, {"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Path-based masquerading may subvert path-based rules within this control, resulting in false negatives, but hash and publisher-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial."}]}, {"techniqueID": "T1036.006", "score": 1, "comment": " Related to: \n \u2022DEF-AACI-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Malicious files of this type would be unlikely to evade detection from any form of allow list. Events are calculated once every twelve hours, so its temporal score is Partial."}, {"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Malicious files of this type would be unlikely to evade detection from any form of allow list. Events are calculated once every twelve hours, so its temporal score is Partial."}]}, {"techniqueID": "T1553", "score": 1, "comment": " Related to: \n \u2022DEF-AACI-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control only provides detection for some of this technique's sub-techniques while not providing any detection capability for the remaining sub-techniques, and therefore its coverage score is Minimal, resulting in a Minimal score."}, {"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control only provides detection for some of this technique's sub-techniques while not providing any detection capability for the remaining sub-techniques, and therefore its coverage score is Minimal, resulting in a Minimal score."}]}, {"techniqueID": "T1553.002", "score": 1, "comment": " Related to: \n \u2022DEF-AACI-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. While publisher-based allow lists may fail to detect malicious executables with valid signatures, hash and path-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial."}, {"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. While publisher-based allow lists may fail to detect malicious executables with valid signatures, hash and path-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial."}]}, {"techniqueID": "T1553.005", "score": 1, "comment": " Related to: \n \u2022DEF-AACI-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Events are calculated once every twelve hours, so its temporal score is Partial."}]}, {"techniqueID": "T1554", "score": 1, "comment": " Related to: \n \u2022DEF-AACI-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-AACI-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. While name and publisher-based allow lists may fail to detect malicious modifications to executable client binaries, hash-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial."}]}, {"techniqueID": "T1036.008", "score": 1, "comment": " Related to: \n \u2022DEF-SATT-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SATT-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Safe Attachment scanning can detect if an email attachment is potentially malicious, including if its filetype is being obfuscated."}]}, {"techniqueID": "T1598", "score": 2, "comment": " Related to: \n \u2022DEF-SIMT-E5\n\u2022DEF-SATT-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SATT-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm. \n\nLicense requirements:\nMirosoft 365 E5, Defender for Office Plan 1,  Microsoft 365 E3 with ATP add-on"}, {"divider": true}, {"name": "control", "value": "DEF-SATT-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm. \n\nLicense requirements:\nMirosoft 365 E5, Defender for Office Plan 1,  Microsoft 365 E3 with ATP add-on"}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}]}, {"techniqueID": "T1598.002", "score": 2, "comment": " Related to: \n \u2022DEF-SIMT-E5\n\u2022DEF-SATT-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-SATT-E3"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm. \n\nLicense requirements:\nMirosoft 365 E5, Defender for Office Plan 1,  Microsoft 365 E3 with ATP add-on"}, {"divider": true}, {"name": "control", "value": "DEF-SATT-E3"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "M365's Safe Attachments is a feature that provides advanced email security by scanning attachments for malicious content and using a virtual environment to check for malicious actions in a process known as detonation. Safe Attachments for SharePoint, OneDrive, and Microsoft Teams operates in real-time to detect against emerging threats. If a suspicious file is identified, this file can be quarantined or blocked access to prevent potential harm. \n\nLicense requirements:\nMirosoft 365 E5, Defender for Office Plan 1,  Microsoft 365 E3 with ATP add-on"}, {"divider": true}, {"name": "control", "value": "DEF-SIMT-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "M365's Defender Attack Simulation Training allows organizations to automate the simulation of benign real-world cyberattacks. These simulation automations feature social engineering techniques, payloads, and can start on an automated schedule.  This detection focused security control partially improves organizations security posture by continuously conduct attack simulations that fine tune analytics, and provide hands-on training for users and cyber professionals to improve response capabilities. \n\nThe following social engineering techniques are available:\n\nCredential Harvest: Attempts to collect credentials by taking users to a well-known looking website with input boxes to submit a username and password.\nMalware Attachment: Adds a malicious attachment to a message. When the user opens the attachment, arbitrary code is run that helps the attacker compromise the target's device.\nLink in Attachment: A type of credential harvest hybrid. An attacker inserts a URL into an email attachment. The URL within the attachment follows the same technique as credential harvest.\nLink to Malware: Runs some arbitrary code from a file hosted on a well-known file sharing service. The message sent to the user contains a link to this malicious file, opening the file and helping the attacker compromise the target's device.\nDrive-by URL: The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user's device.\nOAuth Consent Grant: The malicious URL asks users to grant permissions to data for a malicious Azure Application.\n\nLicense Requirements: \nMicrosoft 365 E5 or Microsoft Defender for Office 365 Plan 2."}]}, {"techniqueID": "T1040", "score": 1, "comment": " Related to: \n \u2022EID-IDSS-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Stop clear text credentials exposure\" provides a recommendation to run the \"Entities exposing credentials in clear text\" assessment that monitors your traffic for any entities exposing credentials in clear text (via LDAP simple-bind).  This assessment seems specific to LDAP simple-binds and coupled with the fact that it is a recommendation and is not enforced, results in a Minimal score.\n"}]}, {"techniqueID": "T1078.003", "score": 1, "comment": " Related to: \n \u2022EID-IDSS-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Protect and manage local admin passwords with Microsoft LAPS\"  recommendation recommends periodically running and reviewing the Microsoft LAPS usage report that identifies all Windows based devices not protected by Microsoft LAPS.  This can help reduce the compromise of local administrator accounts.\nBecause this is a recommendations and not actually enforced coupled with being limited to sensitive accounts, the assessed score is Minimal. "}]}, {"techniqueID": "T1552.007", "score": 1, "comment": " Related to: \n \u2022EID-IDSS-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-IDSS-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "This control's \"Resolve unsecure account attributes\" provides recommendations that can lead to strengthening how accounts are stored."}]}, {"techniqueID": "T1055.015", "score": 1, "comment": " Related to: \n \u2022DEF-AIR-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-AIR-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender's automated investigation and response can potentially detect a ListPlanting attack using endpoint scanning capabilities."}]}, {"techniqueID": "T1538", "score": 4, "comment": " Related to: \n \u2022DEF-IR-E5\n\u2022DEF-APGV-E5\n\u2022DEF-ATH-E5\n\u2022EID-RBAC-E3", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to Cloud Service Dashboard attacks due to Incident Response monitoring for newly constructed logon behavior across cloud service management consoles and the aggregated alerts allowing admins to correlate security systems with login information, such as user accounts, IP addresses, and login names.\n\nLicense Requirements:\nMicrosoft Defender XDR"}, {"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege, limiting dashboard visibility to necessary accounts. This receives a score of Partial for its ability to minimize the discovery value a dashboard may have in the event of a compromised account. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Cloud Service Dashboard attacks due to the IdentityInfo and IdentityLogonEvents tables in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps and information about user accounts obtained from various services, including Microsoft Entra ID.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Cloud Service Dashboard attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}]}, {"techniqueID": "T1550.004", "score": 1, "comment": " Related to: \n \u2022DEF-IR-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to web session cookie attacks due to Incident Response monitoring for third-party application logging, messaging, other service artifacts that provide context of user authentication to web applications, and/or anomalous access of websites/cloud-based applications.\n\nLicense Requirements:\nMicrosoft Defender XDR"}]}, {"techniqueID": "T1598.003", "score": 1, "comment": " Related to: \n \u2022DEF-IR-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack.  Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to spearphishing link attacks due to its phishing Incident Response playbook which monitors for messaging, and/or other artifacts that may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.\n\nLicense Requirements:\nMicrosoft Defender XDR"}]}, {"techniqueID": "T1598.004", "score": 1, "comment": " Related to: \n \u2022DEF-IR-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-IR-E5"}, {"name": "category", "value": "respond"}, {"name": "value", "value": "minimal"}, {"name": "comment", "value": "An incident in Microsoft Defender XDR is a collection of correlated alerts and associated data that make up the story of an attack. Microsoft 365 services and apps create alerts when they detect a suspicious or malicious event or activity. Individual alerts provide valuable clues about a completed or ongoing attack. Attacks typically employ various techniques against different types of entities, such as devices, users, and mailboxes. The result of this is multiple alerts for multiple entities in your tenant. Piecing the individual alerts together to gain insight into an attack can be challenging and time-consuming, Microsoft Defender XDR automatically aggregates the alerts and their associated information into an incident. A typical Incident Response workflow in Microsoft Defender XDR begins with a triage action, next is the investigate action, and finally is the response action.\n\nMicrosoft 365 Defender Incident Response responds to spearphishing voice attacks due to its phishing Incident Response playbook which monitors call logs from corporate devices to identify patterns of potential voice phishing.\n\nLicense Requirements:\nMicrosoft Defender XDR"}]}, {"techniqueID": "T1127.002", "score": 1, "comment": " Related to: \n \u2022EID-RBAC-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Incorporating Role-Based Access Control can help to ensure that only those who need to use ClickOnce applications may do so, protecting against the threat of misuse."}]}, {"techniqueID": "T1199", "score": 3, "comment": " Related to: \n \u2022DEF-ATH-E5\n\u2022DEF-APGV-E5\n\u2022EID-RBAC-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege to properly manage accounts and permissions of parties in trusted relationships. This scores Partial for its ability to minimize the the potential abuse by the party and if it is comprised by an adversary. \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. Advanced hunting in Microsoft Defender XDR allows you to proactively hunt for threats across: Devices managed by Microsoft Defender for Endpoint, Emails processed by Microsoft 365, Cloud app activities, authentication events, and domain controller activities. With this level of visibility, you can quickly hunt for threats that traverse sections of your network, including sophisticated intrusions that arrive on email or the web, elevate local privileges, acquire privileged domain credentials, and move laterally to across your devices. Advanced hunting supports two modes, guided and advanced. Users use advanced mode if they are comfortable using Kusto Query Language (KQL) to create queries from scratch.\n\nAdvanced Threat Hunting Detects Trusted Relationship attacks due to the IdentityLogonEvents table in the advanced hunting schema which contains information about all authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps which monitors for newly constructed logon behavior.\n\nLicense Requirements: \nMicrosoft Defender XDR, Microsoft Defender for Cloud Apps,  Microsoft Defender for Office 365 plan 2"}, {"divider": true}, {"name": "control", "value": "DEF-APGV-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "App governance in Defender for Cloud Apps is a set of security and policy management capabilities designed for OAuth-enabled apps registered on Microsoft Entra ID, Google, and Salesforce. App governance delivers visibility, remediation, and governance into how these apps and their users access, use, and share sensitive data in Microsoft 365 and other cloud platforms through actionable insights and automated policy alerts and actions. App governance also enables you to see which user-installed OAuth applications have access to data on Microsoft 365, Google Workspace, and Salesforce. It tells you what permissions the apps have and which users have granted access to their accounts. App governance insights enable you to make informed decisions around blocking or restricting apps that present significant risk to your organization\n\nApp Governance Detects Trusted Relationship attacks due to App Governance monitoring aggregated sign-in activity for each app and tracking all risky sign-in's.\n\nLicense Requirements: \nMicrosoft Defender for Cloud Apps"}]}, {"techniqueID": "T1213.003", "score": 1, "comment": " Related to: \n \u2022EID-RBAC-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege for access to SharePoint repositories to only those required for an account. This scores Partial for its ability to minimize the attack surface of accounts with access to potentially valuable information.   \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}]}, {"techniqueID": "T1216.002", "score": 1, "comment": " Related to: \n \u2022EID-RBAC-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege for access to SharePoint repositories to only those required for an account. This scores Partial for its ability to minimize the attack surface of accounts with access to potentially valuable information.   \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}]}, {"techniqueID": "T1556.007", "score": 2, "comment": " Related to: \n \u2022EID-PIM-E5\n\u2022EID-RBAC-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege to limit Global Administrator accounts, and ensure these accounts are cloud-only. This scores Partial for its ability to minimize hybrid accounts with administrative privileges.  \n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "The PIM control can enforce on-activation requirements for privileged roles, such as the Global Administrator, which may be used for modifying the hybrid identity authentication process from the cloud. Ideally, ensure these accounts are dedicated cloud-only rather than hybrid accounts. MFA can be required both when assigning Global Administrator, and/or when a user activates the role. PIM can also be used to assigned privileged roles as \"eligible\" rather than \"active\" to further, requiring activation of the assigned role before use. This scores Significant for its limitation of the overall accounts with these privileges, and the conditions for use. \n\n\nLicense Requirements:\nMicrosoft Entra ID P2 or Microsoft Entra ID Governance"}]}, {"techniqueID": "T1648", "score": 1, "comment": " Related to: \n \u2022EID-RBAC-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege to limit accounts with permissions for serverless services to those required. This scores Partial for its ability to minimize the overall accounts with this ability. \n\n\nLicense Requirements: \nME-ID Built-in Roles (Free) "}]}, {"techniqueID": "T1480.002", "score": 1, "comment": " Related to: \n \u2022EID-RBAC-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Implementing Role-Based Access Control will help prevent access to sensitive resources, ensuring only those with the proper authorization can use them."}]}, {"techniqueID": "T1546.016", "score": 1, "comment": " Related to: \n \u2022EID-RBAC-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-RBAC-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "The RBAC control can be used to implement the principle of least privilege to limit the ability of accounts to utilize installer packages, reserving the ability to install software to those with higher privileges."}]}, {"techniqueID": "T1059.010", "score": 1, "comment": " Related to: \n \u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender's Advanced Threat Hunting can potentially detect if AutoHotKey and AutoIT are being misused or behaving in a way that is unexpected, alerting administrators to an issue and allowing for remediation/preventing extensive damage."}]}, {"techniqueID": "T1059.011", "score": 1, "comment": " Related to: \n \u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender's Advanced Threat Hunting can protect against various types of malware, including those that exploit Lua scripts, by analyzing the behavioral characteristics of the program."}]}, {"techniqueID": "T1027.014", "score": 1, "comment": " Related to: \n \u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender's advanced threat hunting capabilities can potentially detect suspicious or changing behaviors in programs, which can be indicative of polymorphic code."}, {"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Defender's Advanced Threat Hunting can use Machine Learning models to identify malicious behavior, even if the code is polymorphic and attempts to disguise itself."}]}, {"techniqueID": "T1036.009", "score": 1, "comment": " Related to: \n \u2022DEF-ATH-E5", "metadata": [{"divider": true}, {"name": "control", "value": "DEF-ATH-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Behavior-based machine learning techniques may be able to detect the presence of malware, even if the parent-child process tree is broken, by analyzing the program's behavior."}]}, {"techniqueID": "T1098.005", "score": 1, "comment": " Related to: \n \u2022EID-MFA-E3", "metadata": [{"divider": true}, {"name": "control", "value": "EID-MFA-E3"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Requiring the use of MFA to register devices in Entra ID along with conditional access policies can reduce the likelihood of successfu use of this technique."}]}, {"techniqueID": "T1098.007", "score": 1, "comment": " Related to: \n \u2022EID-PIM-E5", "metadata": [{"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "detect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}, {"divider": true}, {"name": "control", "value": "EID-PIM-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Entra ID's continuous access evaluation is a security control implemented by enabling services to subscribe to critical Microsoft Entra events. Those events can then be evaluated and enforced near real time. This process enables tenant users lose access to organizational SharePoint Online files, email, calendar, or tasks, and Teams from Microsoft 365 client apps within minutes after a critical event is detected. The following events are currently evaluated:\n\nUser Account is deleted or disabled\nPassword for a user is changed or reset\nMultifactor authentication is enabled for the user\nAdministrator explicitly revokes all refresh tokens for a user\nHigh user risk detected by Microsoft Entra ID Protection\n\nLicense Requirements:\nContinuous access evaluation will be included in all versions of Microsoft 365. \n"}]}, {"techniqueID": "T1564.012", "score": 1, "comment": " Related to: \n \u2022PUR-INPR-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-INPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "partial"}, {"name": "comment", "value": "Purview's Information Protection capabilities allow for several restrictions to be placed on files. External users or users with insufficient privileges can have read-only mode enforced, ensuring that nothing gets written to excluded locations in the file system."}]}, {"techniqueID": "T1020", "score": 1, "comment": " Related to: \n \u2022PUR-INPR-E5", "metadata": [{"divider": true}, {"name": "control", "value": "PUR-INPR-E5"}, {"name": "category", "value": "protect"}, {"name": "value", "value": "significant"}, {"name": "comment", "value": "Defender for Cloud Apps file policies allow you to enforce a wide range of automated processes. Policies can be set to provide Information Protection, including continuous compliance scans, legal eDiscovery tasks, and DLP for sensitive content shared publicly. \n\nInformation Protection Protects from Automated Exfiltration attacks due to Information Protection preventing company data from being exfiltrated by external users, by blocking file downloads in real time, using the Defender for Cloud Apps session controls.\n\nLicense Requirements: \nMicrosoft Defender for Office 365 plan 1 and plan 2"}]}], "gradient": {"colors": ["#ffe766", "#ffaf66"], "minValue": 1, "maxValue": 21}}