Azure MAPPINGS

Azure is a widely used cloud computing platform. This project maps the security controls native to the Azure platform to MITRE ATT&CK®, providing resources to assess how to protect, detect, and respond to real-world threats as described in the ATT&CK knowledge base.

ATT&CK Versions: 8.2
ATT&CK Domain: Enterprise

Security Stack Mapping Methodology

Capability Groups

ID Capability Group Name Number of Mappings Number of Capabilities
azure_ad_identity_protection Azure AD Identity Protection 14 1
alerts_for_windows_machines Alerts for Windows Machines 70 1
azure_security_center_recommendations Azure Security Center Recommendations 45 1
azure_defender_for_storage Azure Defender for Storage 9 1
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration 32 1
azure_defender_for_resource_manager Azure Defender for Resource Manager 11 1
network_security_groups Network Security Groups 38 1
azure_sentinel Azure Sentinel 170 1
azure_ad_password_policy Azure AD Password Policy 4 1
microsoft_defender_for_identity Microsoft Defender for Identity 42 1
azure_defender_for_key_vault Azure Defender for Key Vault 2 1
azure_defender_for_kubernetes Azure Defender for Kubernetes 4 1
adaptive_application_controls Adaptive Application Controls 9 1
azure_ad_multi-factor_authentication Azure AD Multi-Factor Authentication 6 1
azure_private_link Azure Private Link 14 1
azure_dedicated_hsm Azure Dedicated HSM 8 1
azure_automation_update_management Azure Automation Update Management 14 1
azure_dns_alias_records Azure DNS Alias Records 2 1
role_based_access_control Role Based Access Control 18 1
alerts_for_azure_cosmos_db Alerts for Azure Cosmos DB 3 1
file_integrity_monitoring File Integrity Monitoring 59 1
azure_backup Azure Backup 8 1
managed_identities_for_azure_resources Managed identities for Azure resources 2 1
azure_policy Azure Policy 37 1
azure_alerts_for_network_layer Azure Alerts for Network Layer 10 1
azure_ad_privileged_identity_management Azure AD Privileged Identity Management 9 1
azure_vpn_gateway Azure VPN Gateway 6 1
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database 8 1
azure_ddos_protection_standard Azure DDOS Protection Standard 7 1
azure_defender_for_app_service Azure Defender for App Service 73 1
conditional_access Conditional Access 13 1
cloud_app_security_policies Cloud App Security Policies 55 1
azure_defender_for_container_registries Azure Defender for Container Registries 4 1
azure_ad_identity_secure_score Azure AD Identity Secure Score 28 1
azure_active_directory_password_protection Azure Active Directory Password Protection 5 1
microsoft_antimalware_for_azure Microsoft Antimalware for Azure 13 1
azure_web_application_firewall Azure Web Application Firewall 11 1
azure_dns_analytics Azure DNS Analytics 10 1
just-in-time_vm_access Just-in-Time VM Access 6 1
sql_vulnerability_assessment SQL Vulnerability Assessment 7 1
passwordless_authentication Passwordless Authentication 5 1
azure_firewall Azure Firewall 20 1
alerts_for_dns Alerts for DNS 8 1
continuous_access_evaluation Continuous Access Evaluation 2 1
integrated_vulnerability_scanner_powered_by_qualys Integrated Vulnerability Scanner Powered by Qualys 7 1
azure_key_vault Azure Key Vault 4 1
azure_network_traffic_analytics Azure Network Traffic Analytics 37 1
docker_host_hardening Docker Host Hardening 9 1

All Mappings

Capability ID Capability Description Category Value ATT&CK ID ATT&CK Name
azure_ad_identity_protection Azure AD Identity Protection detect partial T1078 Valid Accounts
azure_ad_identity_protection Azure AD Identity Protection respond partial T1078 Valid Accounts
azure_ad_identity_protection Azure AD Identity Protection detect partial T1078.004 Cloud Accounts
azure_ad_identity_protection Azure AD Identity Protection respond significant T1078.004 Cloud Accounts
azure_ad_identity_protection Azure AD Identity Protection detect partial T1078.002 Domain Accounts
azure_ad_identity_protection Azure AD Identity Protection respond partial T1078.002 Domain Accounts
azure_ad_identity_protection Azure AD Identity Protection detect partial T1606 Forge Web Credentials
azure_ad_identity_protection Azure AD Identity Protection respond partial T1606 Forge Web Credentials
azure_ad_identity_protection Azure AD Identity Protection detect partial T1606.002 SAML Tokens
azure_ad_identity_protection Azure AD Identity Protection respond significant T1606.002 SAML Tokens
azure_ad_identity_protection Azure AD Identity Protection detect minimal T1110 Brute Force
azure_ad_identity_protection Azure AD Identity Protection respond minimal T1110 Brute Force
azure_ad_identity_protection Azure AD Identity Protection detect partial T1110.003 Password Spraying
azure_ad_identity_protection Azure AD Identity Protection respond significant T1110.003 Password Spraying
alerts_for_windows_machines Alerts for Windows Machines detect partial T1078 Valid Accounts
alerts_for_windows_machines Alerts for Windows Machines detect partial T1078.003 Local Accounts
alerts_for_windows_machines Alerts for Windows Machines detect partial T1078.001 Default Accounts
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1059 Command and Scripting Interpreter
alerts_for_windows_machines Alerts for Windows Machines detect significant T1059.001 PowerShell
alerts_for_windows_machines Alerts for Windows Machines detect significant T1059.003 Windows Command Shell
alerts_for_windows_machines Alerts for Windows Machines detect partial T1204 User Execution
alerts_for_windows_machines Alerts for Windows Machines detect partial T1204.002 Malicious File
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1547 Boot or Logon Autostart Execution
alerts_for_windows_machines Alerts for Windows Machines detect partial T1547.001 Registry Run Keys / Startup Folder
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1136 Create Account
alerts_for_windows_machines Alerts for Windows Machines detect partial T1136.001 Local Account
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1543 Create or Modify System Process
alerts_for_windows_machines Alerts for Windows Machines detect partial T1543.003 Windows Service
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1546 Event Triggered Execution
alerts_for_windows_machines Alerts for Windows Machines detect partial T1546.002 Screensaver
alerts_for_windows_machines Alerts for Windows Machines detect partial T1546.008 Accessibility Features
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1548 Abuse Elevation Control Mechanism
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1548.002 Bypass User Account Control
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055 Process Injection
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.001 Dynamic-link Library Injection
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.002 Portable Executable Injection
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.003 Thread Execution Hijacking
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.005 Thread Local Storage
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.004 Asynchronous Procedure Call
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.011 Extra Window Memory Injection
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.012 Process Hollowing
alerts_for_windows_machines Alerts for Windows Machines detect partial T1055.013 Process Doppelgänging
alerts_for_windows_machines Alerts for Windows Machines detect partial T1203 Exploitation for Client Execution
alerts_for_windows_machines Alerts for Windows Machines detect partial T1212 Exploitation for Credential Access
alerts_for_windows_machines Alerts for Windows Machines detect partial T1211 Exploitation for Defense Evasion
alerts_for_windows_machines Alerts for Windows Machines detect partial T1068 Exploitation for Privilege Escalation
alerts_for_windows_machines Alerts for Windows Machines detect partial T1210 Exploitation of Remote Services
alerts_for_windows_machines Alerts for Windows Machines detect partial T1190 Exploit Public-Facing Application
alerts_for_windows_machines Alerts for Windows Machines detect partial T1189 Drive-by Compromise
alerts_for_windows_machines Alerts for Windows Machines detect partial T1140 Deobfuscate/Decode Files or Information
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1222 File and Directory Permissions Modification
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1222.001 Windows File and Directory Permissions Modification
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1564 Hide Artifacts
alerts_for_windows_machines Alerts for Windows Machines detect partial T1564.003 Hidden Window
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1562 Impair Defenses
alerts_for_windows_machines Alerts for Windows Machines detect partial T1562.004 Disable or Modify System Firewall
alerts_for_windows_machines Alerts for Windows Machines detect partial T1562.001 Disable or Modify Tools
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1070 Indicator Removal on Host
alerts_for_windows_machines Alerts for Windows Machines detect partial T1070.004 File Deletion
alerts_for_windows_machines Alerts for Windows Machines detect partial T1070.001 Clear Windows Event Logs
alerts_for_windows_machines Alerts for Windows Machines detect partial T1112 Modify Registry
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1027 Obfuscated Files or Information
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1218 Signed Binary Proxy Execution
alerts_for_windows_machines Alerts for Windows Machines detect partial T1218.005 Mshta
alerts_for_windows_machines Alerts for Windows Machines detect partial T1218.011 Rundll32
alerts_for_windows_machines Alerts for Windows Machines detect partial T1110 Brute Force
alerts_for_windows_machines Alerts for Windows Machines detect significant T1110.003 Password Spraying
alerts_for_windows_machines Alerts for Windows Machines detect significant T1110.001 Password Guessing
alerts_for_windows_machines Alerts for Windows Machines detect significant T1110.004 Credential Stuffing
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1003 OS Credential Dumping
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1003.004 LSA Secrets
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1558 Steal or Forge Kerberos Tickets
alerts_for_windows_machines Alerts for Windows Machines detect partial T1558.001 Golden Ticket
alerts_for_windows_machines Alerts for Windows Machines detect partial T1087 Account Discovery
alerts_for_windows_machines Alerts for Windows Machines detect partial T1087.001 Local Account
alerts_for_windows_machines Alerts for Windows Machines detect partial T1087.002 Domain Account
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1082 System Information Discovery
alerts_for_windows_machines Alerts for Windows Machines detect partial T1563 Remote Service Session Hijacking
alerts_for_windows_machines Alerts for Windows Machines detect partial T1563.002 RDP Hijacking
alerts_for_windows_machines Alerts for Windows Machines detect partial T1105 Ingress Tool Transfer
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1048 Exfiltration Over Alternative Protocol
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1489 Service Stop
alerts_for_windows_machines Alerts for Windows Machines detect minimal T1202 Indirect Command Execution
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1040 Network Sniffing
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1190 Exploit Public-Facing Application
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1110 Brute Force
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1110.001 Password Guessing
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1110.003 Password Spraying
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1110.004 Credential Stuffing
azure_security_center_recommendations Azure Security Center Recommendations protect partial T1542 Pre-OS Boot
azure_security_center_recommendations Azure Security Center Recommendations protect partial T1542.001 System Firmware
azure_security_center_recommendations Azure Security Center Recommendations protect partial T1542.003 Bootkit
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1499 Endpoint Denial of Service
azure_security_center_recommendations Azure Security Center Recommendations protect partial T1499.001 OS Exhaustion Flood
azure_security_center_recommendations Azure Security Center Recommendations protect partial T1525 Implant Container Image
azure_security_center_recommendations Azure Security Center Recommendations protect partial T1068 Exploitation for Privilege Escalation
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1098 Account Manipulation
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1098.004 SSH Authorized Keys
azure_security_center_recommendations Azure Security Center Recommendations protect partial T1554 Compromise Client Software Binary
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1136 Create Account
azure_security_center_recommendations Azure Security Center Recommendations protect partial T1136.001 Local Account
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1543 Create or Modify System Process
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1543.002 Systemd Service
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1546 Event Triggered Execution
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1546.004 .bash_profile and .bashrc
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1505 Server Software Component
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1505.003 Web Shell
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1222 File and Directory Permissions Modification
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1222.002 Linux and Mac File and Directory Permissions Modification
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1564 Hide Artifacts
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1564.001 Hidden Files and Directories
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1564.005 Hidden File System
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1564.006 Run Virtual Instance
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1053 Scheduled Task/Job
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1053.003 Cron
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1053.006 Systemd Timers
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1556 Modify Authentication Process
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1556.003 Pluggable Authentication Modules
azure_security_center_recommendations Azure Security Center Recommendations protect partial T1080 Taint Shared Content
azure_security_center_recommendations Azure Security Center Recommendations protect partial T1074 Data Staged
azure_security_center_recommendations Azure Security Center Recommendations protect partial T1074.001 Local Data Staging
azure_security_center_recommendations Azure Security Center Recommendations protect partial T1485 Data Destruction
azure_security_center_recommendations Azure Security Center Recommendations protect partial T1486 Data Encrypted for Impact
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1565 Data Manipulation
azure_security_center_recommendations Azure Security Center Recommendations protect partial T1565.001 Stored Data Manipulation
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1078 Valid Accounts
azure_security_center_recommendations Azure Security Center Recommendations protect minimal T1078.004 Cloud Accounts
azure_security_center_recommendations Azure Security Center Recommendations protect partial T1133 External Remote Services
azure_defender_for_storage Azure Defender for Storage detect significant T1530 Data from Cloud Storage Object
azure_defender_for_storage Azure Defender for Storage detect minimal T1078 Valid Accounts
azure_defender_for_storage Azure Defender for Storage detect significant T1078.004 Cloud Accounts
azure_defender_for_storage Azure Defender for Storage detect partial T1105 Ingress Tool Transfer
azure_defender_for_storage Azure Defender for Storage respond partial T1105 Ingress Tool Transfer
azure_defender_for_storage Azure Defender for Storage detect partial T1080 Taint Shared Content
azure_defender_for_storage Azure Defender for Storage respond partial T1080 Taint Shared Content
azure_defender_for_storage Azure Defender for Storage detect partial T1537 Transfer Data to Cloud Account
azure_defender_for_storage Azure Defender for Storage detect minimal T1485 Data Destruction
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect minimal T1059 Command and Scripting Interpreter
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1059.004 Unix Shell
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect minimal T1068 Exploitation for Privilege Escalation
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect minimal T1098 Account Manipulation
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1098.004 SSH Authorized Keys
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect minimal T1547 Boot or Logon Autostart Execution
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1547.006 Kernel Modules and Extensions
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect minimal T1136 Create Account
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1136.001 Local Account
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect minimal T1505 Server Software Component
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect minimal T1505.003 Web Shell
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect minimal T1564 Hide Artifacts
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect minimal T1564.001 Hidden Files and Directories
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1564.006 Run Virtual Instance
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect minimal T1562 Impair Defenses
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1562.004 Disable or Modify System Firewall
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect minimal T1562.006 Indicator Blocking
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1070 Indicator Removal on Host
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1070.002 Clear Linux or Mac System Logs
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1070.003 Clear Command History
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect minimal T1027 Obfuscated Files or Information
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect minimal T1027.004 Compile After Delivery
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1110 Brute Force
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1110.001 Password Guessing
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1110.003 Password Spraying
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1110.004 Credential Stuffing
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1003 OS Credential Dumping
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1003.008 /etc/passwd and /etc/shadow
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect minimal T1021 Remote Services
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1021.004 SSH
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1525 Implant Container Image
linux_auditd_alerts_and_log_analytics_agent_integration Linux auditd alerts and Log Analytics agent integration detect partial T1113 Screen Capture
azure_defender_for_resource_manager Azure Defender for Resource Manager detect minimal T1562 Impair Defenses
azure_defender_for_resource_manager Azure Defender for Resource Manager detect partial T1562.001 Disable or Modify Tools
azure_defender_for_resource_manager Azure Defender for Resource Manager detect partial T1580 Cloud Infrastructure Discovery
azure_defender_for_resource_manager Azure Defender for Resource Manager detect partial T1538 Cloud Service Dashboard
azure_defender_for_resource_manager Azure Defender for Resource Manager detect partial T1526 Cloud Service Discovery
azure_defender_for_resource_manager Azure Defender for Resource Manager detect minimal T1069 Permission Groups Discovery
azure_defender_for_resource_manager Azure Defender for Resource Manager detect partial T1069.003 Cloud Groups
azure_defender_for_resource_manager Azure Defender for Resource Manager detect minimal T1087 Account Discovery
azure_defender_for_resource_manager Azure Defender for Resource Manager detect partial T1087.004 Cloud Account
azure_defender_for_resource_manager Azure Defender for Resource Manager detect minimal T1555 Credentials from Password Stores
azure_defender_for_resource_manager Azure Defender for Resource Manager detect minimal T1068 Exploitation for Privilege Escalation
network_security_groups Network Security Groups protect partial T1199 Trusted Relationship
network_security_groups Network Security Groups protect partial T1557 Man-in-the-Middle
network_security_groups Network Security Groups protect partial T1602 Data from Configuration Repository
network_security_groups Network Security Groups protect partial T1602.002 Network Device Configuration Dump
network_security_groups Network Security Groups protect partial T1602.001 SNMP (MIB Dump)
network_security_groups Network Security Groups protect minimal T1542 Pre-OS Boot
network_security_groups Network Security Groups protect partial T1542.005 TFTP Boot
network_security_groups Network Security Groups protect significant T1048 Exfiltration Over Alternative Protocol
network_security_groups Network Security Groups protect significant T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
network_security_groups Network Security Groups protect significant T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
network_security_groups Network Security Groups protect significant T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
network_security_groups Network Security Groups protect partial T1210 Exploitation of Remote Services
network_security_groups Network Security Groups protect partial T1021 Remote Services
network_security_groups Network Security Groups protect partial T1021.006 Windows Remote Management
network_security_groups Network Security Groups protect partial T1021.005 VNC
network_security_groups Network Security Groups protect partial T1021.004 SSH
network_security_groups Network Security Groups protect partial T1021.003 Distributed Component Object Model
network_security_groups Network Security Groups protect partial T1021.002 SMB/Windows Admin Shares
network_security_groups Network Security Groups protect partial T1021.001 Remote Desktop Protocol
network_security_groups Network Security Groups protect partial T1072 Software Deployment Tools
network_security_groups Network Security Groups protect partial T1133 External Remote Services
network_security_groups Network Security Groups protect partial T1482 Domain Trust Discovery
network_security_groups Network Security Groups protect partial T1046 Network Service Scanning
network_security_groups Network Security Groups protect partial T1095 Non-Application Layer Protocol
network_security_groups Network Security Groups protect significant T1571 Non-Standard Port
network_security_groups Network Security Groups protect partial T1499 Endpoint Denial of Service
network_security_groups Network Security Groups protect partial T1499.003 Application Exhaustion Flood
network_security_groups Network Security Groups protect partial T1499.002 Service Exhaustion Flood
network_security_groups Network Security Groups protect partial T1499.001 OS Exhaustion Flood
network_security_groups Network Security Groups protect partial T1570 Lateral Tool Transfer
network_security_groups Network Security Groups protect partial T1498 Network Denial of Service
network_security_groups Network Security Groups protect partial T1090 Proxy
network_security_groups Network Security Groups protect partial T1090.003 Multi-hop Proxy
network_security_groups Network Security Groups protect partial T1090.002 External Proxy
network_security_groups Network Security Groups protect partial T1090.001 Internal Proxy
network_security_groups Network Security Groups protect partial T1219 Remote Access Software
network_security_groups Network Security Groups protect partial T1205 Traffic Signaling
network_security_groups Network Security Groups protect significant T1205.001 Port Knocking
azure_sentinel Azure Sentinel detect partial T1078 Valid Accounts
azure_sentinel Azure Sentinel detect minimal T1078.001 Default Accounts
azure_sentinel Azure Sentinel detect partial T1078.002 Domain Accounts
azure_sentinel Azure Sentinel detect partial T1078.003 Local Accounts
azure_sentinel Azure Sentinel detect partial T1078.004 Cloud Accounts
azure_sentinel Azure Sentinel detect minimal T1195 Supply Chain Compromise
azure_sentinel Azure Sentinel detect partial T1195.001 Compromise Software Dependencies and Development Tools
azure_sentinel Azure Sentinel detect partial T1110 Brute Force
azure_sentinel Azure Sentinel detect partial T1110.001 Password Guessing
azure_sentinel Azure Sentinel detect partial T1110.003 Password Spraying
azure_sentinel Azure Sentinel detect partial T1110.004 Credential Stuffing
azure_sentinel Azure Sentinel detect minimal T1098 Account Manipulation
azure_sentinel Azure Sentinel detect minimal T1098.001 Additional Cloud Credentials
azure_sentinel Azure Sentinel detect minimal T1071 Application Layer Protocol
azure_sentinel Azure Sentinel detect minimal T1071.001 Web Protocols
azure_sentinel Azure Sentinel detect partial T1071.004 DNS
azure_sentinel Azure Sentinel detect minimal T1567 Exfiltration Over Web Service
azure_sentinel Azure Sentinel detect minimal T1567.002 Exfiltration to Cloud Storage
azure_sentinel Azure Sentinel detect minimal T1567.001 Exfiltration to Code Repository
azure_sentinel Azure Sentinel detect minimal T1595 Active Scanning
azure_sentinel Azure Sentinel detect partial T1595.002 Vulnerability Scanning
azure_sentinel Azure Sentinel detect partial T1105 Ingress Tool Transfer
azure_sentinel Azure Sentinel detect minimal T1048 Exfiltration Over Alternative Protocol
azure_sentinel Azure Sentinel detect minimal T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
azure_sentinel Azure Sentinel detect partial T1496 Resource Hijacking
azure_sentinel Azure Sentinel detect minimal T1070 Indicator Removal on Host
azure_sentinel Azure Sentinel detect minimal T1070.001 Clear Windows Event Logs
azure_sentinel Azure Sentinel detect minimal T1070.006 Timestomp
azure_sentinel Azure Sentinel detect minimal T1059 Command and Scripting Interpreter
azure_sentinel Azure Sentinel detect minimal T1059.001 PowerShell
azure_sentinel Azure Sentinel detect minimal T1059.003 Windows Command Shell
azure_sentinel Azure Sentinel detect minimal T1059.004 Unix Shell
azure_sentinel Azure Sentinel detect minimal T1059.007 JavaScript/JScript
azure_sentinel Azure Sentinel detect minimal T1059.005 Visual Basic
azure_sentinel Azure Sentinel detect minimal T1059.006 Python
azure_sentinel Azure Sentinel detect minimal T1213 Data from Information Repositories
azure_sentinel Azure Sentinel detect partial T1213.002 Sharepoint
azure_sentinel Azure Sentinel detect minimal T1531 Account Access Removal
azure_sentinel Azure Sentinel detect minimal T1018 Remote System Discovery
azure_sentinel Azure Sentinel detect partial T1136 Create Account
azure_sentinel Azure Sentinel detect partial T1136.001 Local Account
azure_sentinel Azure Sentinel detect partial T1136.002 Domain Account
azure_sentinel Azure Sentinel detect partial T1136.003 Cloud Account
azure_sentinel Azure Sentinel detect minimal T1114 Email Collection
azure_sentinel Azure Sentinel detect minimal T1114.001 Local Email Collection
azure_sentinel Azure Sentinel detect minimal T1114.002 Remote Email Collection
azure_sentinel Azure Sentinel detect minimal T1114.003 Email Forwarding Rule
azure_sentinel Azure Sentinel detect minimal T1505 Server Software Component
azure_sentinel Azure Sentinel detect partial T1505.003 Web Shell
azure_sentinel Azure Sentinel detect minimal T1573 Encrypted Channel
azure_sentinel Azure Sentinel detect minimal T1573.002 Asymmetric Cryptography
azure_sentinel Azure Sentinel detect minimal T1090 Proxy
azure_sentinel Azure Sentinel detect minimal T1090.003 Multi-hop Proxy
azure_sentinel Azure Sentinel detect minimal T1562 Impair Defenses
azure_sentinel Azure Sentinel detect minimal T1562.001 Disable or Modify Tools
azure_sentinel Azure Sentinel detect minimal T1562.002 Disable Windows Event Logging
azure_sentinel Azure Sentinel detect minimal T1562.006 Indicator Blocking
azure_sentinel Azure Sentinel detect partial T1562.007 Disable or Modify Cloud Firewall
azure_sentinel Azure Sentinel detect minimal T1562.008 Disable Cloud Logs
azure_sentinel Azure Sentinel detect minimal T1119 Automated Collection
azure_sentinel Azure Sentinel detect minimal T1485 Data Destruction
azure_sentinel Azure Sentinel detect minimal T1568 Dynamic Resolution
azure_sentinel Azure Sentinel detect partial T1568.002 Domain Generation Algorithms
azure_sentinel Azure Sentinel detect minimal T1190 Exploit Public-Facing Application
azure_sentinel Azure Sentinel detect minimal T1137 Office Application Startup
azure_sentinel Azure Sentinel detect partial T1137.005 Outlook Rules
azure_sentinel Azure Sentinel detect minimal T1137.006 Add-ins
azure_sentinel Azure Sentinel detect minimal T1140 Deobfuscate/Decode Files or Information
azure_sentinel Azure Sentinel detect minimal T1558 Steal or Forge Kerberos Tickets
azure_sentinel Azure Sentinel detect partial T1558.003 Kerberoasting
azure_sentinel Azure Sentinel detect minimal T1558.001 Golden Ticket
azure_sentinel Azure Sentinel detect minimal T1558.002 Silver Ticket
azure_sentinel Azure Sentinel detect minimal T1047 Windows Management Instrumentation
azure_sentinel Azure Sentinel detect partial T1046 Network Service Scanning
azure_sentinel Azure Sentinel detect minimal T1021 Remote Services
azure_sentinel Azure Sentinel detect partial T1021.001 Remote Desktop Protocol
azure_sentinel Azure Sentinel detect minimal T1021.002 SMB/Windows Admin Shares
azure_sentinel Azure Sentinel detect minimal T1021.003 Distributed Component Object Model
azure_sentinel Azure Sentinel detect minimal T1021.004 SSH
azure_sentinel Azure Sentinel protect minimal T1552 Unsecured Credentials
azure_sentinel Azure Sentinel detect minimal T1552 Unsecured Credentials
azure_sentinel Azure Sentinel protect minimal T1552.001 Credentials In Files
azure_sentinel Azure Sentinel detect minimal T1552.001 Credentials In Files
azure_sentinel Azure Sentinel detect minimal T1552.004 Private Keys
azure_sentinel Azure Sentinel detect minimal T1590 Gather Victim Network Information
azure_sentinel Azure Sentinel detect minimal T1590.002 DNS
azure_sentinel Azure Sentinel detect minimal T1548 Abuse Elevation Control Mechanism
azure_sentinel Azure Sentinel detect minimal T1548.002 Bypass User Account Control
azure_sentinel Azure Sentinel detect minimal T1134 Access Token Manipulation
azure_sentinel Azure Sentinel detect minimal T1134.002 Create Process with Token
azure_sentinel Azure Sentinel detect minimal T1134.005 SID-History Injection
azure_sentinel Azure Sentinel detect minimal T1087 Account Discovery
azure_sentinel Azure Sentinel detect minimal T1087.002 Domain Account
azure_sentinel Azure Sentinel detect minimal T1087.001 Local Account
azure_sentinel Azure Sentinel detect minimal T1087.003 Email Account
azure_sentinel Azure Sentinel detect minimal T1560 Archive Collected Data
azure_sentinel Azure Sentinel detect minimal T1547 Boot or Logon Autostart Execution
azure_sentinel Azure Sentinel detect minimal T1547.005 Security Support Provider
azure_sentinel Azure Sentinel detect minimal T1547.009 Shortcut Modification
azure_sentinel Azure Sentinel detect minimal T1547.001 Registry Run Keys / Startup Folder
azure_sentinel Azure Sentinel detect minimal T1217 Browser Bookmark Discovery
azure_sentinel Azure Sentinel detect minimal T1115 Clipboard Data
azure_sentinel Azure Sentinel detect minimal T1543 Create or Modify System Process
azure_sentinel Azure Sentinel detect minimal T1543.003 Windows Service
azure_sentinel Azure Sentinel detect minimal T1555 Credentials from Password Stores
azure_sentinel Azure Sentinel detect minimal T1555.003 Credentials from Web Browsers
azure_sentinel Azure Sentinel detect partial T1484 Domain Policy Modification
azure_sentinel Azure Sentinel detect minimal T1484.001 Group Policy Modification
azure_sentinel Azure Sentinel detect partial T1484.002 Domain Trust Modification
azure_sentinel Azure Sentinel detect minimal T1482 Domain Trust Discovery
azure_sentinel Azure Sentinel detect minimal T1546 Event Triggered Execution
azure_sentinel Azure Sentinel detect minimal T1546.008 Accessibility Features
azure_sentinel Azure Sentinel detect minimal T1041 Exfiltration Over C2 Channel
azure_sentinel Azure Sentinel detect minimal T1068 Exploitation for Privilege Escalation
azure_sentinel Azure Sentinel detect minimal T1210 Exploitation of Remote Services
azure_sentinel Azure Sentinel detect minimal T1083 File and Directory Discovery
azure_sentinel Azure Sentinel detect minimal T1574 Hijack Execution Flow
azure_sentinel Azure Sentinel detect minimal T1574.001 DLL Search Order Hijacking
azure_sentinel Azure Sentinel detect minimal T1574.007 Path Interception by PATH Environment Variable
azure_sentinel Azure Sentinel detect minimal T1574.008 Path Interception by Search Order Hijacking
azure_sentinel Azure Sentinel detect minimal T1574.009 Path Interception by Unquoted Path
azure_sentinel Azure Sentinel detect minimal T1056 Input Capture
azure_sentinel Azure Sentinel detect minimal T1056.001 Keylogging
azure_sentinel Azure Sentinel detect minimal T1056.004 Credential API Hooking
azure_sentinel Azure Sentinel detect minimal T1557 Man-in-the-Middle
azure_sentinel Azure Sentinel detect minimal T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
azure_sentinel Azure Sentinel detect minimal T1106 Native API
azure_sentinel Azure Sentinel detect minimal T1135 Network Share Discovery
azure_sentinel Azure Sentinel detect minimal T1040 Network Sniffing
azure_sentinel Azure Sentinel detect minimal T1027 Obfuscated Files or Information
azure_sentinel Azure Sentinel detect minimal T1003 OS Credential Dumping
azure_sentinel Azure Sentinel detect minimal T1003.001 LSASS Memory
azure_sentinel Azure Sentinel detect minimal T1057 Process Discovery
azure_sentinel Azure Sentinel detect minimal T1055 Process Injection
azure_sentinel Azure Sentinel detect minimal T1053 Scheduled Task/Job
azure_sentinel Azure Sentinel detect partial T1053.003 Cron
azure_sentinel Azure Sentinel detect minimal T1053.005 Scheduled Task
azure_sentinel Azure Sentinel detect minimal T1113 Screen Capture
azure_sentinel Azure Sentinel detect minimal T1518 Software Discovery
azure_sentinel Azure Sentinel detect minimal T1518.001 Security Software Discovery
azure_sentinel Azure Sentinel detect minimal T1082 System Information Discovery
azure_sentinel Azure Sentinel detect minimal T1016 System Network Configuration Discovery
azure_sentinel Azure Sentinel detect minimal T1049 System Network Connections Discovery
azure_sentinel Azure Sentinel detect minimal T1569 System Services
azure_sentinel Azure Sentinel detect minimal T1569.002 Service Execution
azure_sentinel Azure Sentinel detect minimal T1127 Trusted Developer Utilities Proxy Execution
azure_sentinel Azure Sentinel detect minimal T1127.001 MSBuild
azure_sentinel Azure Sentinel detect minimal T1550 Use Alternate Authentication Material
azure_sentinel Azure Sentinel detect minimal T1550.001 Application Access Token
azure_sentinel Azure Sentinel detect minimal T1550.002 Pass the Hash
azure_sentinel Azure Sentinel detect minimal T1125 Video Capture
azure_sentinel Azure Sentinel detect minimal T1102 Web Service
azure_sentinel Azure Sentinel detect minimal T1102.002 Bidirectional Communication
azure_sentinel Azure Sentinel detect minimal T1556 Modify Authentication Process
azure_sentinel Azure Sentinel detect minimal T1080 Taint Shared Content
azure_sentinel Azure Sentinel detect minimal T1074 Data Staged
azure_sentinel Azure Sentinel detect minimal T1074.001 Local Data Staging
azure_sentinel Azure Sentinel detect minimal T1490 Inhibit System Recovery
azure_sentinel Azure Sentinel detect minimal T1486 Data Encrypted for Impact
azure_sentinel Azure Sentinel detect minimal T1535 Unused/Unsupported Cloud Regions
azure_sentinel Azure Sentinel detect minimal T1530 Data from Cloud Storage Object
azure_sentinel Azure Sentinel detect minimal T1036 Masquerading
azure_sentinel Azure Sentinel detect minimal T1036.004 Masquerade Task or Service
azure_sentinel Azure Sentinel detect partial T1036.005 Match Legitimate Name or Location
azure_sentinel Azure Sentinel detect minimal T1578 Modify Cloud Compute Infrastructure
azure_sentinel Azure Sentinel detect minimal T1580 Cloud Infrastructure Discovery
azure_sentinel Azure Sentinel detect minimal T1528 Steal Application Access Token
azure_sentinel Azure Sentinel detect minimal T1069 Permission Groups Discovery
azure_sentinel Azure Sentinel detect minimal T1069.002 Domain Groups
azure_sentinel Azure Sentinel detect minimal T1069.001 Local Groups
azure_ad_password_policy Azure AD Password Policy protect partial T1110 Brute Force
azure_ad_password_policy Azure AD Password Policy protect significant T1110.001 Password Guessing
azure_ad_password_policy Azure AD Password Policy protect partial T1110.002 Password Cracking
azure_ad_password_policy Azure AD Password Policy protect partial T1110.004 Credential Stuffing
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1087 Account Discovery
microsoft_defender_for_identity Microsoft Defender for Identity detect significant T1087.002 Domain Account
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1482 Domain Trust Discovery
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1201 Password Policy Discovery
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1069 Permission Groups Discovery
microsoft_defender_for_identity Microsoft Defender for Identity detect significant T1069.002 Domain Groups
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1210 Exploitation of Remote Services
microsoft_defender_for_identity Microsoft Defender for Identity detect partial T1550 Use Alternate Authentication Material
microsoft_defender_for_identity Microsoft Defender for Identity detect partial T1550.002 Pass the Hash
microsoft_defender_for_identity Microsoft Defender for Identity detect partial T1550.003 Pass the Ticket
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1557 Man-in-the-Middle
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
microsoft_defender_for_identity Microsoft Defender for Identity detect partial T1110 Brute Force
microsoft_defender_for_identity Microsoft Defender for Identity detect significant T1110.003 Password Spraying
microsoft_defender_for_identity Microsoft Defender for Identity detect significant T1110.001 Password Guessing
microsoft_defender_for_identity Microsoft Defender for Identity detect partial T1558 Steal or Forge Kerberos Tickets
microsoft_defender_for_identity Microsoft Defender for Identity detect partial T1558.003 Kerberoasting
microsoft_defender_for_identity Microsoft Defender for Identity detect partial T1558.004 AS-REP Roasting
microsoft_defender_for_identity Microsoft Defender for Identity detect partial T1558.001 Golden Ticket
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1133 External Remote Services
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1555 Credentials from Password Stores
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1555.003 Credentials from Web Browsers
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1047 Windows Management Instrumentation
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1059 Command and Scripting Interpreter
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1059.001 PowerShell
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1021 Remote Services
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1021.002 SMB/Windows Admin Shares
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1569 System Services
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1569.002 Service Execution
microsoft_defender_for_identity Microsoft Defender for Identity detect significant T1207 Rogue Domain Controller
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1003 OS Credential Dumping
microsoft_defender_for_identity Microsoft Defender for Identity detect significant T1003.006 DCSync
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1003.003 NTDS
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1556 Modify Authentication Process
microsoft_defender_for_identity Microsoft Defender for Identity detect partial T1556.001 Domain Controller Authentication
microsoft_defender_for_identity Microsoft Defender for Identity detect partial T1098 Account Manipulation
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1543 Create or Modify System Process
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1543.003 Windows Service
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1071 Application Layer Protocol
microsoft_defender_for_identity Microsoft Defender for Identity detect partial T1071.004 DNS
microsoft_defender_for_identity Microsoft Defender for Identity detect minimal T1048 Exfiltration Over Alternative Protocol
microsoft_defender_for_identity Microsoft Defender for Identity detect partial T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
azure_defender_for_key_vault Azure Defender for Key Vault detect minimal T1580 Cloud Infrastructure Discovery
azure_defender_for_key_vault Azure Defender for Key Vault detect partial T1555 Credentials from Password Stores
azure_defender_for_kubernetes Azure Defender for Kubernetes detect partial T1525 Implant Container Image
azure_defender_for_kubernetes Azure Defender for Kubernetes protect partial T1190 Exploit Public-Facing Application
azure_defender_for_kubernetes Azure Defender for Kubernetes detect partial T1068 Exploitation for Privilege Escalation
azure_defender_for_kubernetes Azure Defender for Kubernetes detect partial T1070 Indicator Removal on Host
adaptive_application_controls Adaptive Application Controls detect partial T1204 User Execution
adaptive_application_controls Adaptive Application Controls detect partial T1204.002 Malicious File
adaptive_application_controls Adaptive Application Controls detect partial T1036 Masquerading
adaptive_application_controls Adaptive Application Controls detect partial T1036.005 Match Legitimate Name or Location
adaptive_application_controls Adaptive Application Controls detect partial T1036.006 Space after Filename
adaptive_application_controls Adaptive Application Controls detect partial T1036.001 Invalid Code Signature
adaptive_application_controls Adaptive Application Controls detect minimal T1553 Subvert Trust Controls
adaptive_application_controls Adaptive Application Controls detect partial T1553.002 Code Signing
adaptive_application_controls Adaptive Application Controls detect partial T1554 Compromise Client Software Binary
azure_ad_multi-factor_authentication Azure AD Multi-Factor Authentication protect significant T1110 Brute Force
azure_ad_multi-factor_authentication Azure AD Multi-Factor Authentication protect significant T1110.001 Password Guessing
azure_ad_multi-factor_authentication Azure AD Multi-Factor Authentication protect significant T1110.003 Password Spraying
azure_ad_multi-factor_authentication Azure AD Multi-Factor Authentication protect significant T1110.004 Credential Stuffing
azure_ad_multi-factor_authentication Azure AD Multi-Factor Authentication protect minimal T1078 Valid Accounts
azure_ad_multi-factor_authentication Azure AD Multi-Factor Authentication protect partial T1078.004 Cloud Accounts
azure_private_link Azure Private Link protect partial T1557 Man-in-the-Middle
azure_private_link Azure Private Link protect partial T1557.002 ARP Cache Poisoning
azure_private_link Azure Private Link protect partial T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
azure_private_link Azure Private Link protect minimal T1565 Data Manipulation
azure_private_link Azure Private Link protect partial T1565.002 Transmitted Data Manipulation
azure_private_link Azure Private Link protect partial T1499 Endpoint Denial of Service
azure_private_link Azure Private Link protect partial T1499.004 Application or System Exploitation
azure_private_link Azure Private Link protect partial T1499.003 Application Exhaustion Flood
azure_private_link Azure Private Link protect partial T1499.002 Service Exhaustion Flood
azure_private_link Azure Private Link protect partial T1499.001 OS Exhaustion Flood
azure_private_link Azure Private Link protect partial T1498 Network Denial of Service
azure_private_link Azure Private Link protect partial T1498.002 Reflection Amplification
azure_private_link Azure Private Link protect partial T1498.001 Direct Network Flood
azure_private_link Azure Private Link protect partial T1040 Network Sniffing
azure_dedicated_hsm Azure Dedicated HSM protect minimal T1552 Unsecured Credentials
azure_dedicated_hsm Azure Dedicated HSM protect significant T1552.004 Private Keys
azure_dedicated_hsm Azure Dedicated HSM protect partial T1588 Obtain Capabilities
azure_dedicated_hsm Azure Dedicated HSM protect partial T1588.004 Digital Certificates
azure_dedicated_hsm Azure Dedicated HSM protect partial T1588.003 Code Signing Certificates
azure_dedicated_hsm Azure Dedicated HSM protect partial T1553 Subvert Trust Controls
azure_dedicated_hsm Azure Dedicated HSM protect partial T1553.004 Install Root Certificate
azure_dedicated_hsm Azure Dedicated HSM protect partial T1553.002 Code Signing
azure_automation_update_management Azure Automation Update Management protect partial T1195 Supply Chain Compromise
azure_automation_update_management Azure Automation Update Management protect partial T1195.002 Compromise Software Supply Chain
azure_automation_update_management Azure Automation Update Management protect partial T1195.001 Compromise Software Dependencies and Development Tools
azure_automation_update_management Azure Automation Update Management protect partial T1072 Software Deployment Tools
azure_automation_update_management Azure Automation Update Management protect significant T1210 Exploitation of Remote Services
azure_automation_update_management Azure Automation Update Management protect significant T1211 Exploitation for Defense Evasion
azure_automation_update_management Azure Automation Update Management protect significant T1068 Exploitation for Privilege Escalation
azure_automation_update_management Azure Automation Update Management protect partial T1190 Exploit Public-Facing Application
azure_automation_update_management Azure Automation Update Management protect significant T1212 Exploitation for Credential Access
azure_automation_update_management Azure Automation Update Management protect significant T1203 Exploitation for Client Execution
azure_automation_update_management Azure Automation Update Management protect partial T1499 Endpoint Denial of Service
azure_automation_update_management Azure Automation Update Management protect significant T1499.004 Application or System Exploitation
azure_automation_update_management Azure Automation Update Management protect partial T1554 Compromise Client Software Binary
azure_automation_update_management Azure Automation Update Management protect partial T1189 Drive-by Compromise
azure_dns_alias_records Azure DNS Alias Records protect minimal T1584 Compromise Infrastructure
azure_dns_alias_records Azure DNS Alias Records protect partial T1584.001 Domains
role_based_access_control Role Based Access Control protect minimal T1087 Account Discovery
role_based_access_control Role Based Access Control protect partial T1087.004 Cloud Account
role_based_access_control Role Based Access Control protect minimal T1078 Valid Accounts
role_based_access_control Role Based Access Control protect partial T1078.004 Cloud Accounts
role_based_access_control Role Based Access Control protect minimal T1136 Create Account
role_based_access_control Role Based Access Control protect partial T1136.003 Cloud Account
role_based_access_control Role Based Access Control protect partial T1098 Account Manipulation
role_based_access_control Role Based Access Control protect partial T1098.001 Additional Cloud Credentials
role_based_access_control Role Based Access Control protect partial T1098.003 Add Office 365 Global Administrator Role
role_based_access_control Role Based Access Control protect partial T1578 Modify Cloud Compute Infrastructure
role_based_access_control Role Based Access Control protect partial T1578.001 Create Snapshot
role_based_access_control Role Based Access Control protect partial T1578.002 Create Cloud Instance
role_based_access_control Role Based Access Control protect partial T1578.003 Delete Cloud Instance
role_based_access_control Role Based Access Control protect partial T1578.004 Revert Cloud Instance
role_based_access_control Role Based Access Control protect partial T1580 Cloud Infrastructure Discovery
role_based_access_control Role Based Access Control protect partial T1538 Cloud Service Dashboard
role_based_access_control Role Based Access Control protect partial T1530 Data from Cloud Storage Object
role_based_access_control Role Based Access Control protect partial T1528 Steal Application Access Token
alerts_for_azure_cosmos_db Alerts for Azure Cosmos DB detect minimal T1078 Valid Accounts
alerts_for_azure_cosmos_db Alerts for Azure Cosmos DB detect minimal T1078.004 Cloud Accounts
alerts_for_azure_cosmos_db Alerts for Azure Cosmos DB detect minimal T1213 Data from Information Repositories
file_integrity_monitoring File Integrity Monitoring detect significant T1053 Scheduled Task/Job
file_integrity_monitoring File Integrity Monitoring detect partial T1053.001 At (Linux)
file_integrity_monitoring File Integrity Monitoring detect partial T1053.002 At (Windows)
file_integrity_monitoring File Integrity Monitoring detect partial T1053.003 Cron
file_integrity_monitoring File Integrity Monitoring detect partial T1053.005 Scheduled Task
file_integrity_monitoring File Integrity Monitoring detect partial T1053.006 Systemd Timers
file_integrity_monitoring File Integrity Monitoring detect minimal T1098 Account Manipulation
file_integrity_monitoring File Integrity Monitoring detect partial T1098.004 SSH Authorized Keys
file_integrity_monitoring File Integrity Monitoring detect partial T1547 Boot or Logon Autostart Execution
file_integrity_monitoring File Integrity Monitoring detect partial T1547.001 Registry Run Keys / Startup Folder
file_integrity_monitoring File Integrity Monitoring detect partial T1547.002 Authentication Package
file_integrity_monitoring File Integrity Monitoring detect partial T1547.003 Time Providers
file_integrity_monitoring File Integrity Monitoring detect partial T1547.004 Winlogon Helper DLL
file_integrity_monitoring File Integrity Monitoring detect partial T1547.005 Security Support Provider
file_integrity_monitoring File Integrity Monitoring detect partial T1547.006 Kernel Modules and Extensions
file_integrity_monitoring File Integrity Monitoring detect partial T1547.008 LSASS Driver
file_integrity_monitoring File Integrity Monitoring detect partial T1547.009 Shortcut Modification
file_integrity_monitoring File Integrity Monitoring detect partial T1547.010 Port Monitors
file_integrity_monitoring File Integrity Monitoring detect partial T1547.012 Print Processors
file_integrity_monitoring File Integrity Monitoring detect partial T1037 Boot or Logon Initialization Scripts
file_integrity_monitoring File Integrity Monitoring detect partial T1037.001 Logon Script (Windows)
file_integrity_monitoring File Integrity Monitoring detect partial T1037.003 Network Logon Script
file_integrity_monitoring File Integrity Monitoring detect partial T1543 Create or Modify System Process
file_integrity_monitoring File Integrity Monitoring detect partial T1543.002 Systemd Service
file_integrity_monitoring File Integrity Monitoring detect partial T1543.003 Windows Service
file_integrity_monitoring File Integrity Monitoring detect partial T1546 Event Triggered Execution
file_integrity_monitoring File Integrity Monitoring detect partial T1546.001 Change Default File Association
file_integrity_monitoring File Integrity Monitoring detect partial T1546.002 Screensaver
file_integrity_monitoring File Integrity Monitoring detect partial T1546.004 .bash_profile and .bashrc
file_integrity_monitoring File Integrity Monitoring detect partial T1546.007 Netsh Helper DLL
file_integrity_monitoring File Integrity Monitoring detect partial T1546.008 Accessibility Features
file_integrity_monitoring File Integrity Monitoring detect partial T1546.009 AppCert DLLs
file_integrity_monitoring File Integrity Monitoring detect partial T1546.011 Application Shimming
file_integrity_monitoring File Integrity Monitoring detect partial T1546.012 Image File Execution Options Injection
file_integrity_monitoring File Integrity Monitoring detect partial T1546.013 PowerShell Profile
file_integrity_monitoring File Integrity Monitoring detect minimal T1546.010 AppInit DLLs
file_integrity_monitoring File Integrity Monitoring detect minimal T1546.015 Component Object Model Hijacking
file_integrity_monitoring File Integrity Monitoring detect minimal T1574 Hijack Execution Flow
file_integrity_monitoring File Integrity Monitoring detect partial T1574.006 LD_PRELOAD
file_integrity_monitoring File Integrity Monitoring detect minimal T1137 Office Application Startup
file_integrity_monitoring File Integrity Monitoring detect partial T1137.002 Office Test
file_integrity_monitoring File Integrity Monitoring detect minimal T1548 Abuse Elevation Control Mechanism
file_integrity_monitoring File Integrity Monitoring detect minimal T1548.002 Bypass User Account Control
file_integrity_monitoring File Integrity Monitoring detect partial T1548.003 Sudo and Sudo Caching
file_integrity_monitoring File Integrity Monitoring detect partial T1556 Modify Authentication Process
file_integrity_monitoring File Integrity Monitoring detect partial T1556.002 Password Filter DLL
file_integrity_monitoring File Integrity Monitoring detect partial T1556.003 Pluggable Authentication Modules
file_integrity_monitoring File Integrity Monitoring detect minimal T1003 OS Credential Dumping
file_integrity_monitoring File Integrity Monitoring detect partial T1003.001 LSASS Memory
file_integrity_monitoring File Integrity Monitoring detect partial T1222 File and Directory Permissions Modification
file_integrity_monitoring File Integrity Monitoring detect partial T1222.001 Windows File and Directory Permissions Modification
file_integrity_monitoring File Integrity Monitoring detect partial T1222.002 Linux and Mac File and Directory Permissions Modification
file_integrity_monitoring File Integrity Monitoring detect minimal T1562 Impair Defenses
file_integrity_monitoring File Integrity Monitoring detect minimal T1562.001 Disable or Modify Tools
file_integrity_monitoring File Integrity Monitoring detect minimal T1562.004 Disable or Modify System Firewall
file_integrity_monitoring File Integrity Monitoring detect minimal T1562.006 Indicator Blocking
file_integrity_monitoring File Integrity Monitoring detect partial T1553 Subvert Trust Controls
file_integrity_monitoring File Integrity Monitoring detect partial T1553.003 SIP and Trust Provider Hijacking
file_integrity_monitoring File Integrity Monitoring detect partial T1553.004 Install Root Certificate
azure_backup Azure Backup respond significant T1485 Data Destruction
azure_backup Azure Backup respond significant T1486 Data Encrypted for Impact
azure_backup Azure Backup respond significant T1491 Defacement
azure_backup Azure Backup respond significant T1491.002 External Defacement
azure_backup Azure Backup respond significant T1491.001 Internal Defacement
azure_backup Azure Backup respond significant T1561 Disk Wipe
azure_backup Azure Backup respond significant T1561.001 Disk Content Wipe
azure_backup Azure Backup respond partial T1561.002 Disk Structure Wipe
managed_identities_for_azure_resources Managed identities for Azure resources protect minimal T1552 Unsecured Credentials
managed_identities_for_azure_resources Managed identities for Azure resources protect partial T1552.001 Credentials In Files
azure_policy Azure Policy protect partial T1190 Exploit Public-Facing Application
azure_policy Azure Policy protect partial T1133 External Remote Services
azure_policy Azure Policy protect partial T1590 Gather Victim Network Information
azure_policy Azure Policy protect partial T1590.002 DNS
azure_policy Azure Policy protect partial T1590.004 Network Topology
azure_policy Azure Policy protect partial T1590.005 IP Addresses
azure_policy Azure Policy protect partial T1590.006 Network Security Appliances
azure_policy Azure Policy protect minimal T1078 Valid Accounts
azure_policy Azure Policy protect minimal T1078.004 Cloud Accounts
azure_policy Azure Policy protect minimal T1098 Account Manipulation
azure_policy Azure Policy protect minimal T1098.001 Additional Cloud Credentials
azure_policy Azure Policy detect minimal T1525 Implant Container Image
azure_policy Azure Policy protect partial T1535 Unused/Unsupported Cloud Regions
azure_policy Azure Policy protect minimal T1505 Server Software Component
azure_policy Azure Policy protect minimal T1505.001 SQL Stored Procedures
azure_policy Azure Policy protect minimal T1068 Exploitation for Privilege Escalation
azure_policy Azure Policy protect minimal T1211 Exploitation for Defense Evasion
azure_policy Azure Policy protect minimal T1212 Exploitation for Credential Access
azure_policy Azure Policy protect minimal T1203 Exploitation for Client Execution
azure_policy Azure Policy protect partial T1110 Brute Force
azure_policy Azure Policy protect partial T1110.003 Password Spraying
azure_policy Azure Policy protect partial T1110.001 Password Guessing
azure_policy Azure Policy protect partial T1110.004 Credential Stuffing
azure_policy Azure Policy protect partial T1555 Credentials from Password Stores
azure_policy Azure Policy protect partial T1040 Network Sniffing
azure_policy Azure Policy protect partial T1580 Cloud Infrastructure Discovery
azure_policy Azure Policy protect partial T1538 Cloud Service Dashboard
azure_policy Azure Policy protect partial T1526 Cloud Service Discovery
azure_policy Azure Policy protect minimal T1210 Exploitation of Remote Services
azure_policy Azure Policy protect minimal T1021 Remote Services
azure_policy Azure Policy protect minimal T1021.001 Remote Desktop Protocol
azure_policy Azure Policy protect minimal T1021.004 SSH
azure_policy Azure Policy protect partial T1530 Data from Cloud Storage Object
azure_policy Azure Policy protect minimal T1071 Application Layer Protocol
azure_policy Azure Policy protect minimal T1071.004 DNS
azure_policy Azure Policy protect minimal T1537 Transfer Data to Cloud Account
azure_policy Azure Policy protect minimal T1485 Data Destruction
azure_alerts_for_network_layer Azure Alerts for Network Layer detect significant T1110 Brute Force
azure_alerts_for_network_layer Azure Alerts for Network Layer detect significant T1110.003 Password Spraying
azure_alerts_for_network_layer Azure Alerts for Network Layer detect significant T1110.001 Password Guessing
azure_alerts_for_network_layer Azure Alerts for Network Layer detect significant T1110.004 Credential Stuffing
azure_alerts_for_network_layer Azure Alerts for Network Layer detect minimal T1071 Application Layer Protocol
azure_alerts_for_network_layer Azure Alerts for Network Layer detect minimal T1071.004 DNS
azure_alerts_for_network_layer Azure Alerts for Network Layer detect minimal T1071.003 Mail Protocols
azure_alerts_for_network_layer Azure Alerts for Network Layer detect minimal T1071.002 File Transfer Protocols
azure_alerts_for_network_layer Azure Alerts for Network Layer detect minimal T1071.001 Web Protocols
azure_alerts_for_network_layer Azure Alerts for Network Layer detect partial T1133 External Remote Services
azure_ad_privileged_identity_management Azure AD Privileged Identity Management protect minimal T1078 Valid Accounts
azure_ad_privileged_identity_management Azure AD Privileged Identity Management protect partial T1078.004 Cloud Accounts
azure_ad_privileged_identity_management Azure AD Privileged Identity Management protect partial T1098 Account Manipulation
azure_ad_privileged_identity_management Azure AD Privileged Identity Management detect minimal T1098 Account Manipulation
azure_ad_privileged_identity_management Azure AD Privileged Identity Management protect significant T1098.003 Add Office 365 Global Administrator Role
azure_ad_privileged_identity_management Azure AD Privileged Identity Management detect significant T1098.003 Add Office 365 Global Administrator Role
azure_ad_privileged_identity_management Azure AD Privileged Identity Management protect significant T1098.001 Additional Cloud Credentials
azure_ad_privileged_identity_management Azure AD Privileged Identity Management protect minimal T1136 Create Account
azure_ad_privileged_identity_management Azure AD Privileged Identity Management protect significant T1136.003 Cloud Account
azure_vpn_gateway Azure VPN Gateway protect significant T1040 Network Sniffing
azure_vpn_gateway Azure VPN Gateway protect significant T1557 Man-in-the-Middle
azure_vpn_gateway Azure VPN Gateway protect significant T1557.002 ARP Cache Poisoning
azure_vpn_gateway Azure VPN Gateway protect significant T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay
azure_vpn_gateway Azure VPN Gateway protect partial T1565 Data Manipulation
azure_vpn_gateway Azure VPN Gateway protect significant T1565.002 Transmitted Data Manipulation
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1078 Valid Accounts
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect partial T1078.004 Cloud Accounts
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1213 Data from Information Repositories
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1110 Brute Force
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1110.001 Password Guessing
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1110.003 Password Spraying
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1110.004 Credential Stuffing
advanced_threat_protection_for_azure_sql_database Advanced Threat Protection for Azure SQL Database detect minimal T1190 Exploit Public-Facing Application
azure_ddos_protection_standard Azure DDOS Protection Standard protect significant T1498 Network Denial of Service
azure_ddos_protection_standard Azure DDOS Protection Standard protect significant T1498.002 Reflection Amplification
azure_ddos_protection_standard Azure DDOS Protection Standard protect significant T1498.001 Direct Network Flood
azure_ddos_protection_standard Azure DDOS Protection Standard protect significant T1499 Endpoint Denial of Service
azure_ddos_protection_standard Azure DDOS Protection Standard protect significant T1499.003 Application Exhaustion Flood
azure_ddos_protection_standard Azure DDOS Protection Standard protect significant T1499.002 Service Exhaustion Flood
azure_ddos_protection_standard Azure DDOS Protection Standard protect significant T1499.001 OS Exhaustion Flood
azure_defender_for_app_service Azure Defender for App Service protect minimal T1584 Compromise Infrastructure
azure_defender_for_app_service Azure Defender for App Service protect significant T1584.001 Domains
azure_defender_for_app_service Azure Defender for App Service detect partial T1496 Resource Hijacking
azure_defender_for_app_service Azure Defender for App Service detect minimal T1204 User Execution
azure_defender_for_app_service Azure Defender for App Service detect minimal T1204.001 Malicious Link
azure_defender_for_app_service Azure Defender for App Service detect partial T1140 Deobfuscate/Decode Files or Information
azure_defender_for_app_service Azure Defender for App Service protect minimal T1566 Phishing
azure_defender_for_app_service Azure Defender for App Service protect minimal T1566.002 Spearphishing Link
azure_defender_for_app_service Azure Defender for App Service detect minimal T1059 Command and Scripting Interpreter
azure_defender_for_app_service Azure Defender for App Service detect minimal T1059.004 Unix Shell
azure_defender_for_app_service Azure Defender for App Service detect minimal T1059.001 PowerShell
azure_defender_for_app_service Azure Defender for App Service detect partial T1105 Ingress Tool Transfer
azure_defender_for_app_service Azure Defender for App Service detect minimal T1595 Active Scanning
azure_defender_for_app_service Azure Defender for App Service detect partial T1595.002 Vulnerability Scanning
azure_defender_for_app_service Azure Defender for App Service detect partial T1594 Search Victim-Owned Websites
azure_defender_for_app_service Azure Defender for App Service detect partial T1055 Process Injection
azure_defender_for_app_service Azure Defender for App Service detect partial T1055.001 Dynamic-link Library Injection
azure_defender_for_app_service Azure Defender for App Service detect partial T1055.002 Portable Executable Injection
azure_defender_for_app_service Azure Defender for App Service detect partial T1055.003 Thread Execution Hijacking
azure_defender_for_app_service Azure Defender for App Service detect partial T1055.004 Asynchronous Procedure Call
azure_defender_for_app_service Azure Defender for App Service detect partial T1055.005 Thread Local Storage
azure_defender_for_app_service Azure Defender for App Service detect partial T1055.011 Extra Window Memory Injection
azure_defender_for_app_service Azure Defender for App Service detect partial T1055.012 Process Hollowing
azure_defender_for_app_service Azure Defender for App Service detect partial T1055.013 Process Doppelgänging
azure_defender_for_app_service Azure Defender for App Service detect partial T1055.008 Ptrace System Calls
azure_defender_for_app_service Azure Defender for App Service detect partial T1055.009 Proc Memory
azure_defender_for_app_service Azure Defender for App Service detect partial T1055.014 VDSO Hijacking
azure_defender_for_app_service Azure Defender for App Service detect partial T1203 Exploitation for Client Execution
azure_defender_for_app_service Azure Defender for App Service detect partial T1211 Exploitation for Defense Evasion
azure_defender_for_app_service Azure Defender for App Service detect partial T1068 Exploitation for Privilege Escalation
azure_defender_for_app_service Azure Defender for App Service detect partial T1212 Exploitation for Credential Access
azure_defender_for_app_service Azure Defender for App Service detect partial T1189 Drive-by Compromise
azure_defender_for_app_service Azure Defender for App Service detect partial T1190 Exploit Public-Facing Application
azure_defender_for_app_service Azure Defender for App Service detect partial T1210 Exploitation of Remote Services
azure_defender_for_app_service Azure Defender for App Service detect partial T1559 Inter-Process Communication
azure_defender_for_app_service Azure Defender for App Service detect partial T1559.001 Component Object Model
azure_defender_for_app_service Azure Defender for App Service detect partial T1559.002 Dynamic Data Exchange
azure_defender_for_app_service Azure Defender for App Service detect minimal T1036 Masquerading
azure_defender_for_app_service Azure Defender for App Service detect partial T1036.005 Match Legitimate Name or Location
azure_defender_for_app_service Azure Defender for App Service detect minimal T1134 Access Token Manipulation
azure_defender_for_app_service Azure Defender for App Service detect minimal T1087 Account Discovery
azure_defender_for_app_service Azure Defender for App Service detect minimal T1087.001 Local Account
azure_defender_for_app_service Azure Defender for App Service detect minimal T1123 Audio Capture
azure_defender_for_app_service Azure Defender for App Service detect minimal T1547 Boot or Logon Autostart Execution
azure_defender_for_app_service Azure Defender for App Service detect minimal T1547.005 Security Support Provider
azure_defender_for_app_service Azure Defender for App Service detect minimal T1547.001 Registry Run Keys / Startup Folder
azure_defender_for_app_service Azure Defender for App Service detect minimal T1543 Create or Modify System Process
azure_defender_for_app_service Azure Defender for App Service detect minimal T1543.003 Windows Service
azure_defender_for_app_service Azure Defender for App Service detect minimal T1555 Credentials from Password Stores
azure_defender_for_app_service Azure Defender for App Service detect minimal T1005 Data from Local System
azure_defender_for_app_service Azure Defender for App Service detect minimal T1482 Domain Trust Discovery
azure_defender_for_app_service Azure Defender for App Service detect minimal T1574 Hijack Execution Flow
azure_defender_for_app_service Azure Defender for App Service detect minimal T1574.001 DLL Search Order Hijacking
azure_defender_for_app_service Azure Defender for App Service detect minimal T1574.007 Path Interception by PATH Environment Variable
azure_defender_for_app_service Azure Defender for App Service detect minimal T1574.008 Path Interception by Search Order Hijacking
azure_defender_for_app_service Azure Defender for App Service detect minimal T1574.009 Path Interception by Unquoted Path
azure_defender_for_app_service Azure Defender for App Service detect minimal T1056 Input Capture
azure_defender_for_app_service Azure Defender for App Service detect minimal T1056.001 Keylogging
azure_defender_for_app_service Azure Defender for App Service detect minimal T1027 Obfuscated Files or Information
azure_defender_for_app_service Azure Defender for App Service detect minimal T1027.005 Indicator Removal from Tools
azure_defender_for_app_service Azure Defender for App Service detect minimal T1003 OS Credential Dumping
azure_defender_for_app_service Azure Defender for App Service detect minimal T1003.001 LSASS Memory
azure_defender_for_app_service Azure Defender for App Service detect minimal T1057 Process Discovery
azure_defender_for_app_service Azure Defender for App Service detect minimal T1012 Query Registry
azure_defender_for_app_service Azure Defender for App Service detect minimal T1053 Scheduled Task/Job
azure_defender_for_app_service Azure Defender for App Service detect minimal T1053.005 Scheduled Task
azure_defender_for_app_service Azure Defender for App Service detect minimal T1113 Screen Capture
azure_defender_for_app_service Azure Defender for App Service detect minimal T1558 Steal or Forge Kerberos Tickets
azure_defender_for_app_service Azure Defender for App Service detect minimal T1558.003 Kerberoasting
azure_defender_for_app_service Azure Defender for App Service detect minimal T1552 Unsecured Credentials
azure_defender_for_app_service Azure Defender for App Service detect minimal T1552.002 Credentials in Registry
azure_defender_for_app_service Azure Defender for App Service detect minimal T1552.006 Group Policy Preferences
azure_defender_for_app_service Azure Defender for App Service detect minimal T1047 Windows Management Instrumentation
conditional_access Conditional Access protect significant T1110 Brute Force
conditional_access Conditional Access protect significant T1110.001 Password Guessing
conditional_access Conditional Access protect significant T1110.002 Password Cracking
conditional_access Conditional Access protect significant T1110.003 Password Spraying
conditional_access Conditional Access protect significant T1110.004 Credential Stuffing
conditional_access Conditional Access protect minimal T1078 Valid Accounts
conditional_access Conditional Access protect significant T1078.004 Cloud Accounts
conditional_access Conditional Access protect minimal T1074 Data Staged
conditional_access Conditional Access protect minimal T1074.002 Remote Data Staging
conditional_access Conditional Access protect minimal T1074.001 Local Data Staging
conditional_access Conditional Access protect minimal T1530 Data from Cloud Storage Object
conditional_access Conditional Access protect minimal T1213 Data from Information Repositories
conditional_access Conditional Access protect partial T1213.002 Sharepoint
cloud_app_security_policies Cloud App Security Policies detect partial T1078 Valid Accounts
cloud_app_security_policies Cloud App Security Policies detect partial T1078.004 Cloud Accounts
cloud_app_security_policies Cloud App Security Policies detect partial T1078.002 Domain Accounts
cloud_app_security_policies Cloud App Security Policies detect partial T1078.001 Default Accounts
cloud_app_security_policies Cloud App Security Policies protect partial T1567 Exfiltration Over Web Service
cloud_app_security_policies Cloud App Security Policies detect partial T1567 Exfiltration Over Web Service
cloud_app_security_policies Cloud App Security Policies protect partial T1567.002 Exfiltration to Cloud Storage
cloud_app_security_policies Cloud App Security Policies detect partial T1567.002 Exfiltration to Cloud Storage
cloud_app_security_policies Cloud App Security Policies protect partial T1567.001 Exfiltration to Code Repository
cloud_app_security_policies Cloud App Security Policies detect partial T1567.001 Exfiltration to Code Repository
cloud_app_security_policies Cloud App Security Policies detect partial T1189 Drive-by Compromise
cloud_app_security_policies Cloud App Security Policies detect partial T1535 Unused/Unsupported Cloud Regions
cloud_app_security_policies Cloud App Security Policies protect significant T1187 Forced Authentication
cloud_app_security_policies Cloud App Security Policies detect significant T1187 Forced Authentication
cloud_app_security_policies Cloud App Security Policies detect partial T1530 Data from Cloud Storage Object
cloud_app_security_policies Cloud App Security Policies protect partial T1528 Steal Application Access Token
cloud_app_security_policies Cloud App Security Policies detect partial T1528 Steal Application Access Token
cloud_app_security_policies Cloud App Security Policies detect partial T1526 Cloud Service Discovery
cloud_app_security_policies Cloud App Security Policies protect minimal T1213 Data from Information Repositories
cloud_app_security_policies Cloud App Security Policies detect minimal T1213 Data from Information Repositories
cloud_app_security_policies Cloud App Security Policies protect partial T1213.002 Sharepoint
cloud_app_security_policies Cloud App Security Policies detect partial T1213.002 Sharepoint
cloud_app_security_policies Cloud App Security Policies protect partial T1213.001 Confluence
cloud_app_security_policies Cloud App Security Policies detect partial T1213.001 Confluence
cloud_app_security_policies Cloud App Security Policies protect partial T1119 Automated Collection
cloud_app_security_policies Cloud App Security Policies detect partial T1119 Automated Collection
cloud_app_security_policies Cloud App Security Policies protect partial T1565 Data Manipulation
cloud_app_security_policies Cloud App Security Policies protect partial T1565.001 Stored Data Manipulation
cloud_app_security_policies Cloud App Security Policies protect partial T1133 External Remote Services
cloud_app_security_policies Cloud App Security Policies detect partial T1133 External Remote Services
cloud_app_security_policies Cloud App Security Policies protect significant T1219 Remote Access Software
cloud_app_security_policies Cloud App Security Policies detect partial T1219 Remote Access Software
cloud_app_security_policies Cloud App Security Policies detect minimal T1484 Domain Policy Modification
cloud_app_security_policies Cloud App Security Policies detect minimal T1484.002 Domain Trust Modification
cloud_app_security_policies Cloud App Security Policies detect minimal T1484.001 Group Policy Modification
cloud_app_security_policies Cloud App Security Policies detect minimal T1098 Account Manipulation
cloud_app_security_policies Cloud App Security Policies detect minimal T1098.003 Add Office 365 Global Administrator Role
cloud_app_security_policies Cloud App Security Policies detect minimal T1098.001 Additional Cloud Credentials
cloud_app_security_policies Cloud App Security Policies detect minimal T1098.002 Exchange Email Delegate Permissions
cloud_app_security_policies Cloud App Security Policies detect minimal T1578 Modify Cloud Compute Infrastructure
cloud_app_security_policies Cloud App Security Policies detect minimal T1578.004 Revert Cloud Instance
cloud_app_security_policies Cloud App Security Policies detect minimal T1578.003 Delete Cloud Instance
cloud_app_security_policies Cloud App Security Policies detect minimal T1578.001 Create Snapshot
cloud_app_security_policies Cloud App Security Policies detect minimal T1578.002 Create Cloud Instance
cloud_app_security_policies Cloud App Security Policies detect minimal T1531 Account Access Removal
cloud_app_security_policies Cloud App Security Policies detect partial T1496 Resource Hijacking
cloud_app_security_policies Cloud App Security Policies detect partial T1485 Data Destruction
cloud_app_security_policies Cloud App Security Policies detect partial T1486 Data Encrypted for Impact
cloud_app_security_policies Cloud App Security Policies detect minimal T1071 Application Layer Protocol
cloud_app_security_policies Cloud App Security Policies detect partial T1071.003 Mail Protocols
cloud_app_security_policies Cloud App Security Policies detect partial T1110 Brute Force
cloud_app_security_policies Cloud App Security Policies detect partial T1110.004 Credential Stuffing
cloud_app_security_policies Cloud App Security Policies detect partial T1110.003 Password Spraying
cloud_app_security_policies Cloud App Security Policies detect partial T1110.001 Password Guessing
cloud_app_security_policies Cloud App Security Policies detect minimal T1534 Internal Spearphishing
azure_defender_for_container_registries Azure Defender for Container Registries protect minimal T1190 Exploit Public-Facing Application
azure_defender_for_container_registries Azure Defender for Container Registries protect minimal T1068 Exploitation for Privilege Escalation
azure_defender_for_container_registries Azure Defender for Container Registries protect partial T1525 Implant Container Image
azure_defender_for_container_registries Azure Defender for Container Registries detect partial T1525 Implant Container Image
azure_ad_identity_secure_score Azure AD Identity Secure Score protect partial T1110 Brute Force
azure_ad_identity_secure_score Azure AD Identity Secure Score protect partial T1110.001 Password Guessing
azure_ad_identity_secure_score Azure AD Identity Secure Score protect partial T1110.002 Password Cracking
azure_ad_identity_secure_score Azure AD Identity Secure Score protect partial T1110.003 Password Spraying
azure_ad_identity_secure_score Azure AD Identity Secure Score protect partial T1110.004 Credential Stuffing
azure_ad_identity_secure_score Azure AD Identity Secure Score protect minimal T1078 Valid Accounts
azure_ad_identity_secure_score Azure AD Identity Secure Score detect minimal T1078 Valid Accounts
azure_ad_identity_secure_score Azure AD Identity Secure Score protect partial T1078.004 Cloud Accounts
azure_ad_identity_secure_score Azure AD Identity Secure Score detect partial T1078.004 Cloud Accounts
azure_ad_identity_secure_score Azure AD Identity Secure Score protect minimal T1078.002 Domain Accounts
azure_ad_identity_secure_score Azure AD Identity Secure Score protect minimal T1078.003 Local Accounts
azure_ad_identity_secure_score Azure AD Identity Secure Score protect minimal T1078.001 Default Accounts
azure_ad_identity_secure_score Azure AD Identity Secure Score protect partial T1531 Account Access Removal
azure_ad_identity_secure_score Azure AD Identity Secure Score protect partial T1528 Steal Application Access Token
azure_ad_identity_secure_score Azure AD Identity Secure Score detect partial T1606 Forge Web Credentials
azure_ad_identity_secure_score Azure AD Identity Secure Score detect partial T1606.002 SAML Tokens
azure_ad_identity_secure_score Azure AD Identity Secure Score protect partial T1558 Steal or Forge Kerberos Tickets
azure_ad_identity_secure_score Azure AD Identity Secure Score protect partial T1558.004 AS-REP Roasting
azure_ad_identity_secure_score Azure AD Identity Secure Score protect partial T1558.001 Golden Ticket
azure_ad_identity_secure_score Azure AD Identity Secure Score protect partial T1558.003 Kerberoasting
azure_ad_identity_secure_score Azure AD Identity Secure Score protect minimal T1552 Unsecured Credentials
azure_ad_identity_secure_score Azure AD Identity Secure Score protect partial T1550 Use Alternate Authentication Material
azure_ad_identity_secure_score Azure AD Identity Secure Score protect partial T1550.003 Pass the Ticket
azure_ad_identity_secure_score Azure AD Identity Secure Score protect partial T1550.002 Pass the Hash
azure_ad_identity_secure_score Azure AD Identity Secure Score protect minimal T1040 Network Sniffing
azure_ad_identity_secure_score Azure AD Identity Secure Score detect partial T1133 External Remote Services
azure_ad_identity_secure_score Azure AD Identity Secure Score detect minimal T1134 Access Token Manipulation
azure_ad_identity_secure_score Azure AD Identity Secure Score detect partial T1134.005 SID-History Injection
azure_active_directory_password_protection Azure Active Directory Password Protection protect partial T1110 Brute Force
azure_active_directory_password_protection Azure Active Directory Password Protection protect partial T1110.001 Password Guessing
azure_active_directory_password_protection Azure Active Directory Password Protection protect partial T1110.002 Password Cracking
azure_active_directory_password_protection Azure Active Directory Password Protection protect partial T1110.003 Password Spraying
azure_active_directory_password_protection Azure Active Directory Password Protection protect partial T1110.004 Credential Stuffing
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect minimal T1566 Phishing
microsoft_antimalware_for_azure Microsoft Antimalware for Azure detect minimal T1566 Phishing
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect minimal T1566.001 Spearphishing Attachment
microsoft_antimalware_for_azure Microsoft Antimalware for Azure detect partial T1566.001 Spearphishing Attachment
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect minimal T1204 User Execution
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect minimal T1204.002 Malicious File
microsoft_antimalware_for_azure Microsoft Antimalware for Azure detect minimal T1204.002 Malicious File
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect minimal T1105 Ingress Tool Transfer
microsoft_antimalware_for_azure Microsoft Antimalware for Azure detect minimal T1105 Ingress Tool Transfer
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect minimal T1027 Obfuscated Files or Information
microsoft_antimalware_for_azure Microsoft Antimalware for Azure detect minimal T1027 Obfuscated Files or Information
microsoft_antimalware_for_azure Microsoft Antimalware for Azure protect minimal T1027.002 Software Packing
microsoft_antimalware_for_azure Microsoft Antimalware for Azure detect minimal T1027.002 Software Packing
azure_web_application_firewall Azure Web Application Firewall protect partial T1595 Active Scanning
azure_web_application_firewall Azure Web Application Firewall protect partial T1595.002 Vulnerability Scanning
azure_web_application_firewall Azure Web Application Firewall detect partial T1595.002 Vulnerability Scanning
azure_web_application_firewall Azure Web Application Firewall protect significant T1190 Exploit Public-Facing Application
azure_web_application_firewall Azure Web Application Firewall detect significant T1190 Exploit Public-Facing Application
azure_web_application_firewall Azure Web Application Firewall protect partial T1046 Network Service Scanning
azure_web_application_firewall Azure Web Application Firewall detect partial T1046 Network Service Scanning
azure_web_application_firewall Azure Web Application Firewall protect minimal T1071 Application Layer Protocol
azure_web_application_firewall Azure Web Application Firewall detect minimal T1071 Application Layer Protocol
azure_web_application_firewall Azure Web Application Firewall protect partial T1071.001 Web Protocols
azure_web_application_firewall Azure Web Application Firewall detect partial T1071.001 Web Protocols
azure_dns_analytics Azure DNS Analytics detect minimal T1071 Application Layer Protocol
azure_dns_analytics Azure DNS Analytics detect minimal T1071.004 DNS
azure_dns_analytics Azure DNS Analytics detect minimal T1568 Dynamic Resolution
azure_dns_analytics Azure DNS Analytics detect minimal T1568.001 Fast Flux DNS
azure_dns_analytics Azure DNS Analytics detect minimal T1568.002 Domain Generation Algorithms
azure_dns_analytics Azure DNS Analytics detect minimal T1048 Exfiltration Over Alternative Protocol
azure_dns_analytics Azure DNS Analytics detect minimal T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
azure_dns_analytics Azure DNS Analytics detect minimal T1041 Exfiltration Over C2 Channel
azure_dns_analytics Azure DNS Analytics detect minimal T1566 Phishing
azure_dns_analytics Azure DNS Analytics detect minimal T1566.002 Spearphishing Link
just-in-time_vm_access Just-in-Time VM Access protect minimal T1190 Exploit Public-Facing Application
just-in-time_vm_access Just-in-Time VM Access protect significant T1133 External Remote Services
just-in-time_vm_access Just-in-Time VM Access protect significant T1110 Brute Force
just-in-time_vm_access Just-in-Time VM Access protect significant T1110.003 Password Spraying
just-in-time_vm_access Just-in-Time VM Access protect significant T1110.001 Password Guessing
just-in-time_vm_access Just-in-Time VM Access protect significant T1110.004 Credential Stuffing
sql_vulnerability_assessment SQL Vulnerability Assessment protect minimal T1190 Exploit Public-Facing Application
sql_vulnerability_assessment SQL Vulnerability Assessment protect minimal T1078 Valid Accounts
sql_vulnerability_assessment SQL Vulnerability Assessment protect partial T1078.001 Default Accounts
sql_vulnerability_assessment SQL Vulnerability Assessment protect minimal T1505 Server Software Component
sql_vulnerability_assessment SQL Vulnerability Assessment protect partial T1505.001 SQL Stored Procedures
sql_vulnerability_assessment SQL Vulnerability Assessment protect partial T1068 Exploitation for Privilege Escalation
sql_vulnerability_assessment SQL Vulnerability Assessment protect minimal T1112 Modify Registry
passwordless_authentication Passwordless Authentication protect significant T1110 Brute Force
passwordless_authentication Passwordless Authentication protect significant T1110.004 Credential Stuffing
passwordless_authentication Passwordless Authentication protect significant T1110.001 Password Guessing
passwordless_authentication Passwordless Authentication protect significant T1110.003 Password Spraying
passwordless_authentication Passwordless Authentication protect significant T1110.002 Password Cracking
azure_firewall Azure Firewall protect partial T1590 Gather Victim Network Information
azure_firewall Azure Firewall protect partial T1590.004 Network Topology
azure_firewall Azure Firewall protect partial T1590.005 IP Addresses
azure_firewall Azure Firewall protect partial T1590.006 Network Security Appliances
azure_firewall Azure Firewall protect partial T1595 Active Scanning
azure_firewall Azure Firewall protect partial T1595.001 Scanning IP Blocks
azure_firewall Azure Firewall protect partial T1595.002 Vulnerability Scanning
azure_firewall Azure Firewall protect partial T1133 External Remote Services
azure_firewall Azure Firewall protect partial T1205 Traffic Signaling
azure_firewall Azure Firewall protect partial T1205.001 Port Knocking
azure_firewall Azure Firewall protect partial T1046 Network Service Scanning
azure_firewall Azure Firewall protect partial T1018 Remote System Discovery
azure_firewall Azure Firewall protect partial T1008 Fallback Channels
azure_firewall Azure Firewall protect partial T1095 Non-Application Layer Protocol
azure_firewall Azure Firewall protect significant T1571 Non-Standard Port
azure_firewall Azure Firewall protect partial T1219 Remote Access Software
azure_firewall Azure Firewall protect partial T1048 Exfiltration Over Alternative Protocol
azure_firewall Azure Firewall protect partial T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
azure_firewall Azure Firewall protect partial T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
azure_firewall Azure Firewall protect partial T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
alerts_for_dns Alerts for DNS detect partial T1568 Dynamic Resolution
alerts_for_dns Alerts for DNS detect partial T1568.001 Fast Flux DNS
alerts_for_dns Alerts for DNS detect partial T1568.002 Domain Generation Algorithms
alerts_for_dns Alerts for DNS detect minimal T1071 Application Layer Protocol
alerts_for_dns Alerts for DNS detect significant T1071.004 DNS
alerts_for_dns Alerts for DNS detect minimal T1572 Protocol Tunneling
alerts_for_dns Alerts for DNS detect minimal T1090 Proxy
alerts_for_dns Alerts for DNS detect minimal T1048 Exfiltration Over Alternative Protocol
continuous_access_evaluation Continuous Access Evaluation respond minimal T1078 Valid Accounts
continuous_access_evaluation Continuous Access Evaluation respond partial T1078.004 Cloud Accounts
integrated_vulnerability_scanner_powered_by_qualys Integrated Vulnerability Scanner Powered by Qualys protect partial T1189 Drive-by Compromise
integrated_vulnerability_scanner_powered_by_qualys Integrated Vulnerability Scanner Powered by Qualys protect partial T1190 Exploit Public-Facing Application
integrated_vulnerability_scanner_powered_by_qualys Integrated Vulnerability Scanner Powered by Qualys protect partial T1203 Exploitation for Client Execution
integrated_vulnerability_scanner_powered_by_qualys Integrated Vulnerability Scanner Powered by Qualys protect partial T1068 Exploitation for Privilege Escalation
integrated_vulnerability_scanner_powered_by_qualys Integrated Vulnerability Scanner Powered by Qualys protect partial T1211 Exploitation for Defense Evasion
integrated_vulnerability_scanner_powered_by_qualys Integrated Vulnerability Scanner Powered by Qualys protect partial T1212 Exploitation for Credential Access
integrated_vulnerability_scanner_powered_by_qualys Integrated Vulnerability Scanner Powered by Qualys protect partial T1210 Exploitation of Remote Services
azure_key_vault Azure Key Vault protect partial T1528 Steal Application Access Token
azure_key_vault Azure Key Vault protect partial T1555 Credentials from Password Stores
azure_key_vault Azure Key Vault protect partial T1552 Unsecured Credentials
azure_key_vault Azure Key Vault protect minimal T1040 Network Sniffing
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1199 Trusted Relationship
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1602 Data from Configuration Repository
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1602.001 SNMP (MIB Dump)
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1602.002 Network Device Configuration Dump
azure_network_traffic_analytics Azure Network Traffic Analytics detect minimal T1542 Pre-OS Boot
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1542.005 TFTP Boot
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1563 Remote Service Session Hijacking
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1563.002 RDP Hijacking
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1563.001 SSH Hijacking
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1048 Exfiltration Over Alternative Protocol
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1190 Exploit Public-Facing Application
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1021 Remote Services
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1021.006 Windows Remote Management
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1021.005 VNC
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1021.004 SSH
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1021.002 SMB/Windows Admin Shares
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1021.001 Remote Desktop Protocol
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1021.003 Distributed Component Object Model
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1072 Software Deployment Tools
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1133 External Remote Services
azure_network_traffic_analytics Azure Network Traffic Analytics detect significant T1046 Network Service Scanning
azure_network_traffic_analytics Azure Network Traffic Analytics detect significant T1571 Non-Standard Port
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1071 Application Layer Protocol
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1071.004 DNS
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1071.003 Mail Protocols
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1071.002 File Transfer Protocols
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1499 Endpoint Denial of Service
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1499.003 Application Exhaustion Flood
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1499.002 Service Exhaustion Flood
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1499.001 OS Exhaustion Flood
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1090 Proxy
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1090.003 Multi-hop Proxy
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1090.002 External Proxy
azure_network_traffic_analytics Azure Network Traffic Analytics detect partial T1090.001 Internal Proxy
docker_host_hardening Docker Host Hardening detect minimal T1525 Implant Container Image
docker_host_hardening Docker Host Hardening protect minimal T1548 Abuse Elevation Control Mechanism
docker_host_hardening Docker Host Hardening protect minimal T1548.001 Setuid and Setgid
docker_host_hardening Docker Host Hardening protect minimal T1068 Exploitation for Privilege Escalation
docker_host_hardening Docker Host Hardening protect minimal T1040 Network Sniffing
docker_host_hardening Docker Host Hardening protect minimal T1083 File and Directory Discovery
docker_host_hardening Docker Host Hardening protect minimal T1021 Remote Services
docker_host_hardening Docker Host Hardening protect minimal T1021.004 SSH
docker_host_hardening Docker Host Hardening protect minimal T1005 Data from Local System