| azure_ad_identity_protection |
Azure AD Identity Protection |
detect |
partial |
T1078 |
Valid Accounts |
| azure_ad_identity_protection |
Azure AD Identity Protection |
respond |
partial |
T1078 |
Valid Accounts |
| azure_ad_identity_protection |
Azure AD Identity Protection |
detect |
partial |
T1078.004 |
Cloud Accounts |
| azure_ad_identity_protection |
Azure AD Identity Protection |
respond |
significant |
T1078.004 |
Cloud Accounts |
| azure_ad_identity_protection |
Azure AD Identity Protection |
detect |
partial |
T1078.002 |
Domain Accounts |
| azure_ad_identity_protection |
Azure AD Identity Protection |
respond |
partial |
T1078.002 |
Domain Accounts |
| azure_ad_identity_protection |
Azure AD Identity Protection |
detect |
partial |
T1606 |
Forge Web Credentials |
| azure_ad_identity_protection |
Azure AD Identity Protection |
respond |
partial |
T1606 |
Forge Web Credentials |
| azure_ad_identity_protection |
Azure AD Identity Protection |
detect |
partial |
T1606.002 |
SAML Tokens |
| azure_ad_identity_protection |
Azure AD Identity Protection |
respond |
significant |
T1606.002 |
SAML Tokens |
| azure_ad_identity_protection |
Azure AD Identity Protection |
detect |
minimal |
T1110 |
Brute Force |
| azure_ad_identity_protection |
Azure AD Identity Protection |
respond |
minimal |
T1110 |
Brute Force |
| azure_ad_identity_protection |
Azure AD Identity Protection |
detect |
partial |
T1110.003 |
Password Spraying |
| azure_ad_identity_protection |
Azure AD Identity Protection |
respond |
significant |
T1110.003 |
Password Spraying |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1078 |
Valid Accounts |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1078.003 |
Local Accounts |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1078.001 |
Default Accounts |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1059 |
Command and Scripting Interpreter |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
significant |
T1059.001 |
PowerShell |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
significant |
T1059.003 |
Windows Command Shell |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1204 |
User Execution |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1204.002 |
Malicious File |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1547 |
Boot or Logon Autostart Execution |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1547.001 |
Registry Run Keys / Startup Folder |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1136 |
Create Account |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1136.001 |
Local Account |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1543 |
Create or Modify System Process |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1543.003 |
Windows Service |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1546 |
Event Triggered Execution |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1546.002 |
Screensaver |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1546.008 |
Accessibility Features |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1548 |
Abuse Elevation Control Mechanism |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1548.002 |
Bypass User Account Control |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1055 |
Process Injection |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1055.001 |
Dynamic-link Library Injection |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1055.002 |
Portable Executable Injection |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1055.003 |
Thread Execution Hijacking |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1055.005 |
Thread Local Storage |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1055.004 |
Asynchronous Procedure Call |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1055.011 |
Extra Window Memory Injection |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1055.012 |
Process Hollowing |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1055.013 |
Process Doppelgänging |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1203 |
Exploitation for Client Execution |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1212 |
Exploitation for Credential Access |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1211 |
Exploitation for Defense Evasion |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1068 |
Exploitation for Privilege Escalation |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1210 |
Exploitation of Remote Services |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1190 |
Exploit Public-Facing Application |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1189 |
Drive-by Compromise |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1140 |
Deobfuscate/Decode Files or Information |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1222 |
File and Directory Permissions Modification |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1222.001 |
Windows File and Directory Permissions Modification |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1564 |
Hide Artifacts |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1564.003 |
Hidden Window |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1562 |
Impair Defenses |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1562.004 |
Disable or Modify System Firewall |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1562.001 |
Disable or Modify Tools |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1070 |
Indicator Removal on Host |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1070.004 |
File Deletion |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1070.001 |
Clear Windows Event Logs |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1112 |
Modify Registry |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1027 |
Obfuscated Files or Information |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1218 |
Signed Binary Proxy Execution |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1218.005 |
Mshta |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1218.011 |
Rundll32 |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1110 |
Brute Force |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
significant |
T1110.003 |
Password Spraying |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
significant |
T1110.001 |
Password Guessing |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
significant |
T1110.004 |
Credential Stuffing |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1003 |
OS Credential Dumping |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1003.004 |
LSA Secrets |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1558 |
Steal or Forge Kerberos Tickets |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1558.001 |
Golden Ticket |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1087 |
Account Discovery |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1087.001 |
Local Account |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1087.002 |
Domain Account |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1082 |
System Information Discovery |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1563 |
Remote Service Session Hijacking |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1563.002 |
RDP Hijacking |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
partial |
T1105 |
Ingress Tool Transfer |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1048 |
Exfiltration Over Alternative Protocol |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1489 |
Service Stop |
| alerts_for_windows_machines |
Alerts for Windows Machines |
detect |
minimal |
T1202 |
Indirect Command Execution |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1040 |
Network Sniffing |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1190 |
Exploit Public-Facing Application |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1110 |
Brute Force |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1110.001 |
Password Guessing |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1110.003 |
Password Spraying |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1110.004 |
Credential Stuffing |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
partial |
T1542 |
Pre-OS Boot |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
partial |
T1542.001 |
System Firmware |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
partial |
T1542.003 |
Bootkit |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1499 |
Endpoint Denial of Service |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
partial |
T1499.001 |
OS Exhaustion Flood |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
partial |
T1525 |
Implant Container Image |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
partial |
T1068 |
Exploitation for Privilege Escalation |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1098 |
Account Manipulation |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1098.004 |
SSH Authorized Keys |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
partial |
T1554 |
Compromise Client Software Binary |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1136 |
Create Account |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
partial |
T1136.001 |
Local Account |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1543 |
Create or Modify System Process |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1543.002 |
Systemd Service |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1546 |
Event Triggered Execution |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1546.004 |
.bash_profile and .bashrc |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1505 |
Server Software Component |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1505.003 |
Web Shell |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1222 |
File and Directory Permissions Modification |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1222.002 |
Linux and Mac File and Directory Permissions Modification |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1564 |
Hide Artifacts |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1564.001 |
Hidden Files and Directories |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1564.005 |
Hidden File System |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1564.006 |
Run Virtual Instance |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1053 |
Scheduled Task/Job |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1053.003 |
Cron |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1053.006 |
Systemd Timers |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1556 |
Modify Authentication Process |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1556.003 |
Pluggable Authentication Modules |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
partial |
T1080 |
Taint Shared Content |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
partial |
T1074 |
Data Staged |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
partial |
T1074.001 |
Local Data Staging |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
partial |
T1485 |
Data Destruction |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
partial |
T1486 |
Data Encrypted for Impact |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1565 |
Data Manipulation |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
partial |
T1565.001 |
Stored Data Manipulation |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1078 |
Valid Accounts |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
minimal |
T1078.004 |
Cloud Accounts |
| azure_security_center_recommendations |
Azure Security Center Recommendations |
protect |
partial |
T1133 |
External Remote Services |
| azure_defender_for_storage |
Azure Defender for Storage |
detect |
significant |
T1530 |
Data from Cloud Storage Object |
| azure_defender_for_storage |
Azure Defender for Storage |
detect |
minimal |
T1078 |
Valid Accounts |
| azure_defender_for_storage |
Azure Defender for Storage |
detect |
significant |
T1078.004 |
Cloud Accounts |
| azure_defender_for_storage |
Azure Defender for Storage |
detect |
partial |
T1105 |
Ingress Tool Transfer |
| azure_defender_for_storage |
Azure Defender for Storage |
respond |
partial |
T1105 |
Ingress Tool Transfer |
| azure_defender_for_storage |
Azure Defender for Storage |
detect |
partial |
T1080 |
Taint Shared Content |
| azure_defender_for_storage |
Azure Defender for Storage |
respond |
partial |
T1080 |
Taint Shared Content |
| azure_defender_for_storage |
Azure Defender for Storage |
detect |
partial |
T1537 |
Transfer Data to Cloud Account |
| azure_defender_for_storage |
Azure Defender for Storage |
detect |
minimal |
T1485 |
Data Destruction |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
minimal |
T1059 |
Command and Scripting Interpreter |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1059.004 |
Unix Shell |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
minimal |
T1068 |
Exploitation for Privilege Escalation |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
minimal |
T1098 |
Account Manipulation |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1098.004 |
SSH Authorized Keys |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
minimal |
T1547 |
Boot or Logon Autostart Execution |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1547.006 |
Kernel Modules and Extensions |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
minimal |
T1136 |
Create Account |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1136.001 |
Local Account |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
minimal |
T1505 |
Server Software Component |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
minimal |
T1505.003 |
Web Shell |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
minimal |
T1564 |
Hide Artifacts |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
minimal |
T1564.001 |
Hidden Files and Directories |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1564.006 |
Run Virtual Instance |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
minimal |
T1562 |
Impair Defenses |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1562.004 |
Disable or Modify System Firewall |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
minimal |
T1562.006 |
Indicator Blocking |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1070 |
Indicator Removal on Host |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1070.002 |
Clear Linux or Mac System Logs |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1070.003 |
Clear Command History |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
minimal |
T1027 |
Obfuscated Files or Information |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
minimal |
T1027.004 |
Compile After Delivery |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1110 |
Brute Force |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1110.001 |
Password Guessing |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1110.003 |
Password Spraying |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1110.004 |
Credential Stuffing |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1003 |
OS Credential Dumping |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1003.008 |
/etc/passwd and /etc/shadow |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
minimal |
T1021 |
Remote Services |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1021.004 |
SSH |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1525 |
Implant Container Image |
| linux_auditd_alerts_and_log_analytics_agent_integration |
Linux auditd alerts and Log Analytics agent integration |
detect |
partial |
T1113 |
Screen Capture |
| azure_defender_for_resource_manager |
Azure Defender for Resource Manager |
detect |
minimal |
T1562 |
Impair Defenses |
| azure_defender_for_resource_manager |
Azure Defender for Resource Manager |
detect |
partial |
T1562.001 |
Disable or Modify Tools |
| azure_defender_for_resource_manager |
Azure Defender for Resource Manager |
detect |
partial |
T1580 |
Cloud Infrastructure Discovery |
| azure_defender_for_resource_manager |
Azure Defender for Resource Manager |
detect |
partial |
T1538 |
Cloud Service Dashboard |
| azure_defender_for_resource_manager |
Azure Defender for Resource Manager |
detect |
partial |
T1526 |
Cloud Service Discovery |
| azure_defender_for_resource_manager |
Azure Defender for Resource Manager |
detect |
minimal |
T1069 |
Permission Groups Discovery |
| azure_defender_for_resource_manager |
Azure Defender for Resource Manager |
detect |
partial |
T1069.003 |
Cloud Groups |
| azure_defender_for_resource_manager |
Azure Defender for Resource Manager |
detect |
minimal |
T1087 |
Account Discovery |
| azure_defender_for_resource_manager |
Azure Defender for Resource Manager |
detect |
partial |
T1087.004 |
Cloud Account |
| azure_defender_for_resource_manager |
Azure Defender for Resource Manager |
detect |
minimal |
T1555 |
Credentials from Password Stores |
| azure_defender_for_resource_manager |
Azure Defender for Resource Manager |
detect |
minimal |
T1068 |
Exploitation for Privilege Escalation |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1199 |
Trusted Relationship |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1557 |
Man-in-the-Middle |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1602 |
Data from Configuration Repository |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1602.002 |
Network Device Configuration Dump |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1602.001 |
SNMP (MIB Dump) |
| network_security_groups |
Network Security Groups |
protect |
minimal |
T1542 |
Pre-OS Boot |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1542.005 |
TFTP Boot |
| network_security_groups |
Network Security Groups |
protect |
significant |
T1048 |
Exfiltration Over Alternative Protocol |
| network_security_groups |
Network Security Groups |
protect |
significant |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| network_security_groups |
Network Security Groups |
protect |
significant |
T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| network_security_groups |
Network Security Groups |
protect |
significant |
T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1210 |
Exploitation of Remote Services |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1021 |
Remote Services |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1021.006 |
Windows Remote Management |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1021.005 |
VNC |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1021.004 |
SSH |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1021.003 |
Distributed Component Object Model |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1021.002 |
SMB/Windows Admin Shares |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1021.001 |
Remote Desktop Protocol |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1072 |
Software Deployment Tools |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1133 |
External Remote Services |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1482 |
Domain Trust Discovery |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1046 |
Network Service Scanning |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1095 |
Non-Application Layer Protocol |
| network_security_groups |
Network Security Groups |
protect |
significant |
T1571 |
Non-Standard Port |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1499 |
Endpoint Denial of Service |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1499.003 |
Application Exhaustion Flood |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1499.002 |
Service Exhaustion Flood |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1499.001 |
OS Exhaustion Flood |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1570 |
Lateral Tool Transfer |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1498 |
Network Denial of Service |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1090 |
Proxy |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1090.003 |
Multi-hop Proxy |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1090.002 |
External Proxy |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1090.001 |
Internal Proxy |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1219 |
Remote Access Software |
| network_security_groups |
Network Security Groups |
protect |
partial |
T1205 |
Traffic Signaling |
| network_security_groups |
Network Security Groups |
protect |
significant |
T1205.001 |
Port Knocking |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1078 |
Valid Accounts |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1078.001 |
Default Accounts |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1078.002 |
Domain Accounts |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1078.003 |
Local Accounts |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1078.004 |
Cloud Accounts |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1195 |
Supply Chain Compromise |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1195.001 |
Compromise Software Dependencies and Development Tools |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1110 |
Brute Force |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1110.001 |
Password Guessing |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1110.003 |
Password Spraying |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1110.004 |
Credential Stuffing |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1098 |
Account Manipulation |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1098.001 |
Additional Cloud Credentials |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1071 |
Application Layer Protocol |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1071.001 |
Web Protocols |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1071.004 |
DNS |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1567 |
Exfiltration Over Web Service |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1567.002 |
Exfiltration to Cloud Storage |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1567.001 |
Exfiltration to Code Repository |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1595 |
Active Scanning |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1595.002 |
Vulnerability Scanning |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1105 |
Ingress Tool Transfer |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1048 |
Exfiltration Over Alternative Protocol |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1496 |
Resource Hijacking |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1070 |
Indicator Removal on Host |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1070.001 |
Clear Windows Event Logs |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1070.006 |
Timestomp |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1059 |
Command and Scripting Interpreter |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1059.001 |
PowerShell |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1059.003 |
Windows Command Shell |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1059.004 |
Unix Shell |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1059.007 |
JavaScript/JScript |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1059.005 |
Visual Basic |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1059.006 |
Python |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1213 |
Data from Information Repositories |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1213.002 |
Sharepoint |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1531 |
Account Access Removal |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1018 |
Remote System Discovery |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1136 |
Create Account |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1136.001 |
Local Account |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1136.002 |
Domain Account |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1136.003 |
Cloud Account |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1114 |
Email Collection |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1114.001 |
Local Email Collection |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1114.002 |
Remote Email Collection |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1114.003 |
Email Forwarding Rule |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1505 |
Server Software Component |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1505.003 |
Web Shell |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1573 |
Encrypted Channel |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1573.002 |
Asymmetric Cryptography |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1090 |
Proxy |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1090.003 |
Multi-hop Proxy |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1562 |
Impair Defenses |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1562.001 |
Disable or Modify Tools |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1562.002 |
Disable Windows Event Logging |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1562.006 |
Indicator Blocking |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1562.007 |
Disable or Modify Cloud Firewall |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1562.008 |
Disable Cloud Logs |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1119 |
Automated Collection |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1485 |
Data Destruction |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1568 |
Dynamic Resolution |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1568.002 |
Domain Generation Algorithms |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1190 |
Exploit Public-Facing Application |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1137 |
Office Application Startup |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1137.005 |
Outlook Rules |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1137.006 |
Add-ins |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1140 |
Deobfuscate/Decode Files or Information |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1558 |
Steal or Forge Kerberos Tickets |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1558.003 |
Kerberoasting |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1558.001 |
Golden Ticket |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1558.002 |
Silver Ticket |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1047 |
Windows Management Instrumentation |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1046 |
Network Service Scanning |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1021 |
Remote Services |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1021.001 |
Remote Desktop Protocol |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1021.002 |
SMB/Windows Admin Shares |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1021.003 |
Distributed Component Object Model |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1021.004 |
SSH |
| azure_sentinel |
Azure Sentinel |
protect |
minimal |
T1552 |
Unsecured Credentials |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1552 |
Unsecured Credentials |
| azure_sentinel |
Azure Sentinel |
protect |
minimal |
T1552.001 |
Credentials In Files |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1552.001 |
Credentials In Files |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1552.004 |
Private Keys |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1590 |
Gather Victim Network Information |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1590.002 |
DNS |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1548 |
Abuse Elevation Control Mechanism |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1548.002 |
Bypass User Account Control |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1134 |
Access Token Manipulation |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1134.002 |
Create Process with Token |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1134.005 |
SID-History Injection |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1087 |
Account Discovery |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1087.002 |
Domain Account |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1087.001 |
Local Account |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1087.003 |
Email Account |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1560 |
Archive Collected Data |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1547 |
Boot or Logon Autostart Execution |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1547.005 |
Security Support Provider |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1547.009 |
Shortcut Modification |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1547.001 |
Registry Run Keys / Startup Folder |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1217 |
Browser Bookmark Discovery |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1115 |
Clipboard Data |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1543 |
Create or Modify System Process |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1543.003 |
Windows Service |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1555 |
Credentials from Password Stores |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1555.003 |
Credentials from Web Browsers |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1484 |
Domain Policy Modification |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1484.001 |
Group Policy Modification |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1484.002 |
Domain Trust Modification |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1482 |
Domain Trust Discovery |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1546 |
Event Triggered Execution |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1546.008 |
Accessibility Features |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1041 |
Exfiltration Over C2 Channel |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1068 |
Exploitation for Privilege Escalation |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1210 |
Exploitation of Remote Services |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1083 |
File and Directory Discovery |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1574 |
Hijack Execution Flow |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1574.001 |
DLL Search Order Hijacking |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1574.007 |
Path Interception by PATH Environment Variable |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1574.008 |
Path Interception by Search Order Hijacking |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1574.009 |
Path Interception by Unquoted Path |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1056 |
Input Capture |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1056.001 |
Keylogging |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1056.004 |
Credential API Hooking |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1557 |
Man-in-the-Middle |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1106 |
Native API |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1135 |
Network Share Discovery |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1040 |
Network Sniffing |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1027 |
Obfuscated Files or Information |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1003 |
OS Credential Dumping |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1003.001 |
LSASS Memory |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1057 |
Process Discovery |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1055 |
Process Injection |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1053 |
Scheduled Task/Job |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1053.003 |
Cron |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1053.005 |
Scheduled Task |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1113 |
Screen Capture |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1518 |
Software Discovery |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1518.001 |
Security Software Discovery |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1082 |
System Information Discovery |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1016 |
System Network Configuration Discovery |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1049 |
System Network Connections Discovery |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1569 |
System Services |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1569.002 |
Service Execution |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1127 |
Trusted Developer Utilities Proxy Execution |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1127.001 |
MSBuild |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1550 |
Use Alternate Authentication Material |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1550.001 |
Application Access Token |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1550.002 |
Pass the Hash |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1125 |
Video Capture |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1102 |
Web Service |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1102.002 |
Bidirectional Communication |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1556 |
Modify Authentication Process |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1080 |
Taint Shared Content |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1074 |
Data Staged |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1074.001 |
Local Data Staging |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1490 |
Inhibit System Recovery |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1486 |
Data Encrypted for Impact |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1535 |
Unused/Unsupported Cloud Regions |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1530 |
Data from Cloud Storage Object |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1036 |
Masquerading |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1036.004 |
Masquerade Task or Service |
| azure_sentinel |
Azure Sentinel |
detect |
partial |
T1036.005 |
Match Legitimate Name or Location |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1578 |
Modify Cloud Compute Infrastructure |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1580 |
Cloud Infrastructure Discovery |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1528 |
Steal Application Access Token |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1069 |
Permission Groups Discovery |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1069.002 |
Domain Groups |
| azure_sentinel |
Azure Sentinel |
detect |
minimal |
T1069.001 |
Local Groups |
| azure_ad_password_policy |
Azure AD Password Policy |
protect |
partial |
T1110 |
Brute Force |
| azure_ad_password_policy |
Azure AD Password Policy |
protect |
significant |
T1110.001 |
Password Guessing |
| azure_ad_password_policy |
Azure AD Password Policy |
protect |
partial |
T1110.002 |
Password Cracking |
| azure_ad_password_policy |
Azure AD Password Policy |
protect |
partial |
T1110.004 |
Credential Stuffing |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1087 |
Account Discovery |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
significant |
T1087.002 |
Domain Account |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1482 |
Domain Trust Discovery |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1201 |
Password Policy Discovery |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1069 |
Permission Groups Discovery |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
significant |
T1069.002 |
Domain Groups |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1210 |
Exploitation of Remote Services |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
partial |
T1550 |
Use Alternate Authentication Material |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
partial |
T1550.002 |
Pass the Hash |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
partial |
T1550.003 |
Pass the Ticket |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1557 |
Man-in-the-Middle |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
partial |
T1110 |
Brute Force |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
significant |
T1110.003 |
Password Spraying |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
significant |
T1110.001 |
Password Guessing |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
partial |
T1558 |
Steal or Forge Kerberos Tickets |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
partial |
T1558.003 |
Kerberoasting |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
partial |
T1558.004 |
AS-REP Roasting |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
partial |
T1558.001 |
Golden Ticket |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1133 |
External Remote Services |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1555 |
Credentials from Password Stores |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1555.003 |
Credentials from Web Browsers |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1047 |
Windows Management Instrumentation |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1059 |
Command and Scripting Interpreter |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1059.001 |
PowerShell |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1021 |
Remote Services |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1021.002 |
SMB/Windows Admin Shares |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1569 |
System Services |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1569.002 |
Service Execution |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
significant |
T1207 |
Rogue Domain Controller |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1003 |
OS Credential Dumping |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
significant |
T1003.006 |
DCSync |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1003.003 |
NTDS |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1556 |
Modify Authentication Process |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
partial |
T1556.001 |
Domain Controller Authentication |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
partial |
T1098 |
Account Manipulation |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1543 |
Create or Modify System Process |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1543.003 |
Windows Service |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1071 |
Application Layer Protocol |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
partial |
T1071.004 |
DNS |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
minimal |
T1048 |
Exfiltration Over Alternative Protocol |
| microsoft_defender_for_identity |
Microsoft Defender for Identity |
detect |
partial |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| azure_defender_for_key_vault |
Azure Defender for Key Vault |
detect |
minimal |
T1580 |
Cloud Infrastructure Discovery |
| azure_defender_for_key_vault |
Azure Defender for Key Vault |
detect |
partial |
T1555 |
Credentials from Password Stores |
| azure_defender_for_kubernetes |
Azure Defender for Kubernetes |
detect |
partial |
T1525 |
Implant Container Image |
| azure_defender_for_kubernetes |
Azure Defender for Kubernetes |
protect |
partial |
T1190 |
Exploit Public-Facing Application |
| azure_defender_for_kubernetes |
Azure Defender for Kubernetes |
detect |
partial |
T1068 |
Exploitation for Privilege Escalation |
| azure_defender_for_kubernetes |
Azure Defender for Kubernetes |
detect |
partial |
T1070 |
Indicator Removal on Host |
| adaptive_application_controls |
Adaptive Application Controls |
detect |
partial |
T1204 |
User Execution |
| adaptive_application_controls |
Adaptive Application Controls |
detect |
partial |
T1204.002 |
Malicious File |
| adaptive_application_controls |
Adaptive Application Controls |
detect |
partial |
T1036 |
Masquerading |
| adaptive_application_controls |
Adaptive Application Controls |
detect |
partial |
T1036.005 |
Match Legitimate Name or Location |
| adaptive_application_controls |
Adaptive Application Controls |
detect |
partial |
T1036.006 |
Space after Filename |
| adaptive_application_controls |
Adaptive Application Controls |
detect |
partial |
T1036.001 |
Invalid Code Signature |
| adaptive_application_controls |
Adaptive Application Controls |
detect |
minimal |
T1553 |
Subvert Trust Controls |
| adaptive_application_controls |
Adaptive Application Controls |
detect |
partial |
T1553.002 |
Code Signing |
| adaptive_application_controls |
Adaptive Application Controls |
detect |
partial |
T1554 |
Compromise Client Software Binary |
| azure_ad_multi-factor_authentication |
Azure AD Multi-Factor Authentication |
protect |
significant |
T1110 |
Brute Force |
| azure_ad_multi-factor_authentication |
Azure AD Multi-Factor Authentication |
protect |
significant |
T1110.001 |
Password Guessing |
| azure_ad_multi-factor_authentication |
Azure AD Multi-Factor Authentication |
protect |
significant |
T1110.003 |
Password Spraying |
| azure_ad_multi-factor_authentication |
Azure AD Multi-Factor Authentication |
protect |
significant |
T1110.004 |
Credential Stuffing |
| azure_ad_multi-factor_authentication |
Azure AD Multi-Factor Authentication |
protect |
minimal |
T1078 |
Valid Accounts |
| azure_ad_multi-factor_authentication |
Azure AD Multi-Factor Authentication |
protect |
partial |
T1078.004 |
Cloud Accounts |
| azure_private_link |
Azure Private Link |
protect |
partial |
T1557 |
Man-in-the-Middle |
| azure_private_link |
Azure Private Link |
protect |
partial |
T1557.002 |
ARP Cache Poisoning |
| azure_private_link |
Azure Private Link |
protect |
partial |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| azure_private_link |
Azure Private Link |
protect |
minimal |
T1565 |
Data Manipulation |
| azure_private_link |
Azure Private Link |
protect |
partial |
T1565.002 |
Transmitted Data Manipulation |
| azure_private_link |
Azure Private Link |
protect |
partial |
T1499 |
Endpoint Denial of Service |
| azure_private_link |
Azure Private Link |
protect |
partial |
T1499.004 |
Application or System Exploitation |
| azure_private_link |
Azure Private Link |
protect |
partial |
T1499.003 |
Application Exhaustion Flood |
| azure_private_link |
Azure Private Link |
protect |
partial |
T1499.002 |
Service Exhaustion Flood |
| azure_private_link |
Azure Private Link |
protect |
partial |
T1499.001 |
OS Exhaustion Flood |
| azure_private_link |
Azure Private Link |
protect |
partial |
T1498 |
Network Denial of Service |
| azure_private_link |
Azure Private Link |
protect |
partial |
T1498.002 |
Reflection Amplification |
| azure_private_link |
Azure Private Link |
protect |
partial |
T1498.001 |
Direct Network Flood |
| azure_private_link |
Azure Private Link |
protect |
partial |
T1040 |
Network Sniffing |
| azure_dedicated_hsm |
Azure Dedicated HSM |
protect |
minimal |
T1552 |
Unsecured Credentials |
| azure_dedicated_hsm |
Azure Dedicated HSM |
protect |
significant |
T1552.004 |
Private Keys |
| azure_dedicated_hsm |
Azure Dedicated HSM |
protect |
partial |
T1588 |
Obtain Capabilities |
| azure_dedicated_hsm |
Azure Dedicated HSM |
protect |
partial |
T1588.004 |
Digital Certificates |
| azure_dedicated_hsm |
Azure Dedicated HSM |
protect |
partial |
T1588.003 |
Code Signing Certificates |
| azure_dedicated_hsm |
Azure Dedicated HSM |
protect |
partial |
T1553 |
Subvert Trust Controls |
| azure_dedicated_hsm |
Azure Dedicated HSM |
protect |
partial |
T1553.004 |
Install Root Certificate |
| azure_dedicated_hsm |
Azure Dedicated HSM |
protect |
partial |
T1553.002 |
Code Signing |
| azure_automation_update_management |
Azure Automation Update Management |
protect |
partial |
T1195 |
Supply Chain Compromise |
| azure_automation_update_management |
Azure Automation Update Management |
protect |
partial |
T1195.002 |
Compromise Software Supply Chain |
| azure_automation_update_management |
Azure Automation Update Management |
protect |
partial |
T1195.001 |
Compromise Software Dependencies and Development Tools |
| azure_automation_update_management |
Azure Automation Update Management |
protect |
partial |
T1072 |
Software Deployment Tools |
| azure_automation_update_management |
Azure Automation Update Management |
protect |
significant |
T1210 |
Exploitation of Remote Services |
| azure_automation_update_management |
Azure Automation Update Management |
protect |
significant |
T1211 |
Exploitation for Defense Evasion |
| azure_automation_update_management |
Azure Automation Update Management |
protect |
significant |
T1068 |
Exploitation for Privilege Escalation |
| azure_automation_update_management |
Azure Automation Update Management |
protect |
partial |
T1190 |
Exploit Public-Facing Application |
| azure_automation_update_management |
Azure Automation Update Management |
protect |
significant |
T1212 |
Exploitation for Credential Access |
| azure_automation_update_management |
Azure Automation Update Management |
protect |
significant |
T1203 |
Exploitation for Client Execution |
| azure_automation_update_management |
Azure Automation Update Management |
protect |
partial |
T1499 |
Endpoint Denial of Service |
| azure_automation_update_management |
Azure Automation Update Management |
protect |
significant |
T1499.004 |
Application or System Exploitation |
| azure_automation_update_management |
Azure Automation Update Management |
protect |
partial |
T1554 |
Compromise Client Software Binary |
| azure_automation_update_management |
Azure Automation Update Management |
protect |
partial |
T1189 |
Drive-by Compromise |
| azure_dns_alias_records |
Azure DNS Alias Records |
protect |
minimal |
T1584 |
Compromise Infrastructure |
| azure_dns_alias_records |
Azure DNS Alias Records |
protect |
partial |
T1584.001 |
Domains |
| role_based_access_control |
Role Based Access Control |
protect |
minimal |
T1087 |
Account Discovery |
| role_based_access_control |
Role Based Access Control |
protect |
partial |
T1087.004 |
Cloud Account |
| role_based_access_control |
Role Based Access Control |
protect |
minimal |
T1078 |
Valid Accounts |
| role_based_access_control |
Role Based Access Control |
protect |
partial |
T1078.004 |
Cloud Accounts |
| role_based_access_control |
Role Based Access Control |
protect |
minimal |
T1136 |
Create Account |
| role_based_access_control |
Role Based Access Control |
protect |
partial |
T1136.003 |
Cloud Account |
| role_based_access_control |
Role Based Access Control |
protect |
partial |
T1098 |
Account Manipulation |
| role_based_access_control |
Role Based Access Control |
protect |
partial |
T1098.001 |
Additional Cloud Credentials |
| role_based_access_control |
Role Based Access Control |
protect |
partial |
T1098.003 |
Add Office 365 Global Administrator Role |
| role_based_access_control |
Role Based Access Control |
protect |
partial |
T1578 |
Modify Cloud Compute Infrastructure |
| role_based_access_control |
Role Based Access Control |
protect |
partial |
T1578.001 |
Create Snapshot |
| role_based_access_control |
Role Based Access Control |
protect |
partial |
T1578.002 |
Create Cloud Instance |
| role_based_access_control |
Role Based Access Control |
protect |
partial |
T1578.003 |
Delete Cloud Instance |
| role_based_access_control |
Role Based Access Control |
protect |
partial |
T1578.004 |
Revert Cloud Instance |
| role_based_access_control |
Role Based Access Control |
protect |
partial |
T1580 |
Cloud Infrastructure Discovery |
| role_based_access_control |
Role Based Access Control |
protect |
partial |
T1538 |
Cloud Service Dashboard |
| role_based_access_control |
Role Based Access Control |
protect |
partial |
T1530 |
Data from Cloud Storage Object |
| role_based_access_control |
Role Based Access Control |
protect |
partial |
T1528 |
Steal Application Access Token |
| alerts_for_azure_cosmos_db |
Alerts for Azure Cosmos DB |
detect |
minimal |
T1078 |
Valid Accounts |
| alerts_for_azure_cosmos_db |
Alerts for Azure Cosmos DB |
detect |
minimal |
T1078.004 |
Cloud Accounts |
| alerts_for_azure_cosmos_db |
Alerts for Azure Cosmos DB |
detect |
minimal |
T1213 |
Data from Information Repositories |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
significant |
T1053 |
Scheduled Task/Job |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1053.001 |
At (Linux) |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1053.002 |
At (Windows) |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1053.003 |
Cron |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1053.005 |
Scheduled Task |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1053.006 |
Systemd Timers |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
minimal |
T1098 |
Account Manipulation |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1098.004 |
SSH Authorized Keys |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1547 |
Boot or Logon Autostart Execution |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1547.001 |
Registry Run Keys / Startup Folder |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1547.002 |
Authentication Package |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1547.003 |
Time Providers |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1547.004 |
Winlogon Helper DLL |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1547.005 |
Security Support Provider |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1547.006 |
Kernel Modules and Extensions |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1547.008 |
LSASS Driver |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1547.009 |
Shortcut Modification |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1547.010 |
Port Monitors |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1547.012 |
Print Processors |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1037 |
Boot or Logon Initialization Scripts |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1037.001 |
Logon Script (Windows) |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1037.003 |
Network Logon Script |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1543 |
Create or Modify System Process |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1543.002 |
Systemd Service |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1543.003 |
Windows Service |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1546 |
Event Triggered Execution |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1546.001 |
Change Default File Association |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1546.002 |
Screensaver |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1546.004 |
.bash_profile and .bashrc |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1546.007 |
Netsh Helper DLL |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1546.008 |
Accessibility Features |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1546.009 |
AppCert DLLs |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1546.011 |
Application Shimming |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1546.012 |
Image File Execution Options Injection |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1546.013 |
PowerShell Profile |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
minimal |
T1546.010 |
AppInit DLLs |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
minimal |
T1546.015 |
Component Object Model Hijacking |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
minimal |
T1574 |
Hijack Execution Flow |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1574.006 |
LD_PRELOAD |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
minimal |
T1137 |
Office Application Startup |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1137.002 |
Office Test |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
minimal |
T1548 |
Abuse Elevation Control Mechanism |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
minimal |
T1548.002 |
Bypass User Account Control |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1548.003 |
Sudo and Sudo Caching |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1556 |
Modify Authentication Process |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1556.002 |
Password Filter DLL |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1556.003 |
Pluggable Authentication Modules |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
minimal |
T1003 |
OS Credential Dumping |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1003.001 |
LSASS Memory |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1222 |
File and Directory Permissions Modification |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1222.001 |
Windows File and Directory Permissions Modification |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1222.002 |
Linux and Mac File and Directory Permissions Modification |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
minimal |
T1562 |
Impair Defenses |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
minimal |
T1562.001 |
Disable or Modify Tools |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
minimal |
T1562.004 |
Disable or Modify System Firewall |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
minimal |
T1562.006 |
Indicator Blocking |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1553 |
Subvert Trust Controls |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1553.003 |
SIP and Trust Provider Hijacking |
| file_integrity_monitoring |
File Integrity Monitoring |
detect |
partial |
T1553.004 |
Install Root Certificate |
| azure_backup |
Azure Backup |
respond |
significant |
T1485 |
Data Destruction |
| azure_backup |
Azure Backup |
respond |
significant |
T1486 |
Data Encrypted for Impact |
| azure_backup |
Azure Backup |
respond |
significant |
T1491 |
Defacement |
| azure_backup |
Azure Backup |
respond |
significant |
T1491.002 |
External Defacement |
| azure_backup |
Azure Backup |
respond |
significant |
T1491.001 |
Internal Defacement |
| azure_backup |
Azure Backup |
respond |
significant |
T1561 |
Disk Wipe |
| azure_backup |
Azure Backup |
respond |
significant |
T1561.001 |
Disk Content Wipe |
| azure_backup |
Azure Backup |
respond |
partial |
T1561.002 |
Disk Structure Wipe |
| managed_identities_for_azure_resources |
Managed identities for Azure resources |
protect |
minimal |
T1552 |
Unsecured Credentials |
| managed_identities_for_azure_resources |
Managed identities for Azure resources |
protect |
partial |
T1552.001 |
Credentials In Files |
| azure_policy |
Azure Policy |
protect |
partial |
T1190 |
Exploit Public-Facing Application |
| azure_policy |
Azure Policy |
protect |
partial |
T1133 |
External Remote Services |
| azure_policy |
Azure Policy |
protect |
partial |
T1590 |
Gather Victim Network Information |
| azure_policy |
Azure Policy |
protect |
partial |
T1590.002 |
DNS |
| azure_policy |
Azure Policy |
protect |
partial |
T1590.004 |
Network Topology |
| azure_policy |
Azure Policy |
protect |
partial |
T1590.005 |
IP Addresses |
| azure_policy |
Azure Policy |
protect |
partial |
T1590.006 |
Network Security Appliances |
| azure_policy |
Azure Policy |
protect |
minimal |
T1078 |
Valid Accounts |
| azure_policy |
Azure Policy |
protect |
minimal |
T1078.004 |
Cloud Accounts |
| azure_policy |
Azure Policy |
protect |
minimal |
T1098 |
Account Manipulation |
| azure_policy |
Azure Policy |
protect |
minimal |
T1098.001 |
Additional Cloud Credentials |
| azure_policy |
Azure Policy |
detect |
minimal |
T1525 |
Implant Container Image |
| azure_policy |
Azure Policy |
protect |
partial |
T1535 |
Unused/Unsupported Cloud Regions |
| azure_policy |
Azure Policy |
protect |
minimal |
T1505 |
Server Software Component |
| azure_policy |
Azure Policy |
protect |
minimal |
T1505.001 |
SQL Stored Procedures |
| azure_policy |
Azure Policy |
protect |
minimal |
T1068 |
Exploitation for Privilege Escalation |
| azure_policy |
Azure Policy |
protect |
minimal |
T1211 |
Exploitation for Defense Evasion |
| azure_policy |
Azure Policy |
protect |
minimal |
T1212 |
Exploitation for Credential Access |
| azure_policy |
Azure Policy |
protect |
minimal |
T1203 |
Exploitation for Client Execution |
| azure_policy |
Azure Policy |
protect |
partial |
T1110 |
Brute Force |
| azure_policy |
Azure Policy |
protect |
partial |
T1110.003 |
Password Spraying |
| azure_policy |
Azure Policy |
protect |
partial |
T1110.001 |
Password Guessing |
| azure_policy |
Azure Policy |
protect |
partial |
T1110.004 |
Credential Stuffing |
| azure_policy |
Azure Policy |
protect |
partial |
T1555 |
Credentials from Password Stores |
| azure_policy |
Azure Policy |
protect |
partial |
T1040 |
Network Sniffing |
| azure_policy |
Azure Policy |
protect |
partial |
T1580 |
Cloud Infrastructure Discovery |
| azure_policy |
Azure Policy |
protect |
partial |
T1538 |
Cloud Service Dashboard |
| azure_policy |
Azure Policy |
protect |
partial |
T1526 |
Cloud Service Discovery |
| azure_policy |
Azure Policy |
protect |
minimal |
T1210 |
Exploitation of Remote Services |
| azure_policy |
Azure Policy |
protect |
minimal |
T1021 |
Remote Services |
| azure_policy |
Azure Policy |
protect |
minimal |
T1021.001 |
Remote Desktop Protocol |
| azure_policy |
Azure Policy |
protect |
minimal |
T1021.004 |
SSH |
| azure_policy |
Azure Policy |
protect |
partial |
T1530 |
Data from Cloud Storage Object |
| azure_policy |
Azure Policy |
protect |
minimal |
T1071 |
Application Layer Protocol |
| azure_policy |
Azure Policy |
protect |
minimal |
T1071.004 |
DNS |
| azure_policy |
Azure Policy |
protect |
minimal |
T1537 |
Transfer Data to Cloud Account |
| azure_policy |
Azure Policy |
protect |
minimal |
T1485 |
Data Destruction |
| azure_alerts_for_network_layer |
Azure Alerts for Network Layer |
detect |
significant |
T1110 |
Brute Force |
| azure_alerts_for_network_layer |
Azure Alerts for Network Layer |
detect |
significant |
T1110.003 |
Password Spraying |
| azure_alerts_for_network_layer |
Azure Alerts for Network Layer |
detect |
significant |
T1110.001 |
Password Guessing |
| azure_alerts_for_network_layer |
Azure Alerts for Network Layer |
detect |
significant |
T1110.004 |
Credential Stuffing |
| azure_alerts_for_network_layer |
Azure Alerts for Network Layer |
detect |
minimal |
T1071 |
Application Layer Protocol |
| azure_alerts_for_network_layer |
Azure Alerts for Network Layer |
detect |
minimal |
T1071.004 |
DNS |
| azure_alerts_for_network_layer |
Azure Alerts for Network Layer |
detect |
minimal |
T1071.003 |
Mail Protocols |
| azure_alerts_for_network_layer |
Azure Alerts for Network Layer |
detect |
minimal |
T1071.002 |
File Transfer Protocols |
| azure_alerts_for_network_layer |
Azure Alerts for Network Layer |
detect |
minimal |
T1071.001 |
Web Protocols |
| azure_alerts_for_network_layer |
Azure Alerts for Network Layer |
detect |
partial |
T1133 |
External Remote Services |
| azure_ad_privileged_identity_management |
Azure AD Privileged Identity Management |
protect |
minimal |
T1078 |
Valid Accounts |
| azure_ad_privileged_identity_management |
Azure AD Privileged Identity Management |
protect |
partial |
T1078.004 |
Cloud Accounts |
| azure_ad_privileged_identity_management |
Azure AD Privileged Identity Management |
protect |
partial |
T1098 |
Account Manipulation |
| azure_ad_privileged_identity_management |
Azure AD Privileged Identity Management |
detect |
minimal |
T1098 |
Account Manipulation |
| azure_ad_privileged_identity_management |
Azure AD Privileged Identity Management |
protect |
significant |
T1098.003 |
Add Office 365 Global Administrator Role |
| azure_ad_privileged_identity_management |
Azure AD Privileged Identity Management |
detect |
significant |
T1098.003 |
Add Office 365 Global Administrator Role |
| azure_ad_privileged_identity_management |
Azure AD Privileged Identity Management |
protect |
significant |
T1098.001 |
Additional Cloud Credentials |
| azure_ad_privileged_identity_management |
Azure AD Privileged Identity Management |
protect |
minimal |
T1136 |
Create Account |
| azure_ad_privileged_identity_management |
Azure AD Privileged Identity Management |
protect |
significant |
T1136.003 |
Cloud Account |
| azure_vpn_gateway |
Azure VPN Gateway |
protect |
significant |
T1040 |
Network Sniffing |
| azure_vpn_gateway |
Azure VPN Gateway |
protect |
significant |
T1557 |
Man-in-the-Middle |
| azure_vpn_gateway |
Azure VPN Gateway |
protect |
significant |
T1557.002 |
ARP Cache Poisoning |
| azure_vpn_gateway |
Azure VPN Gateway |
protect |
significant |
T1557.001 |
LLMNR/NBT-NS Poisoning and SMB Relay |
| azure_vpn_gateway |
Azure VPN Gateway |
protect |
partial |
T1565 |
Data Manipulation |
| azure_vpn_gateway |
Azure VPN Gateway |
protect |
significant |
T1565.002 |
Transmitted Data Manipulation |
| advanced_threat_protection_for_azure_sql_database |
Advanced Threat Protection for Azure SQL Database |
detect |
minimal |
T1078 |
Valid Accounts |
| advanced_threat_protection_for_azure_sql_database |
Advanced Threat Protection for Azure SQL Database |
detect |
partial |
T1078.004 |
Cloud Accounts |
| advanced_threat_protection_for_azure_sql_database |
Advanced Threat Protection for Azure SQL Database |
detect |
minimal |
T1213 |
Data from Information Repositories |
| advanced_threat_protection_for_azure_sql_database |
Advanced Threat Protection for Azure SQL Database |
detect |
minimal |
T1110 |
Brute Force |
| advanced_threat_protection_for_azure_sql_database |
Advanced Threat Protection for Azure SQL Database |
detect |
minimal |
T1110.001 |
Password Guessing |
| advanced_threat_protection_for_azure_sql_database |
Advanced Threat Protection for Azure SQL Database |
detect |
minimal |
T1110.003 |
Password Spraying |
| advanced_threat_protection_for_azure_sql_database |
Advanced Threat Protection for Azure SQL Database |
detect |
minimal |
T1110.004 |
Credential Stuffing |
| advanced_threat_protection_for_azure_sql_database |
Advanced Threat Protection for Azure SQL Database |
detect |
minimal |
T1190 |
Exploit Public-Facing Application |
| azure_ddos_protection_standard |
Azure DDOS Protection Standard |
protect |
significant |
T1498 |
Network Denial of Service |
| azure_ddos_protection_standard |
Azure DDOS Protection Standard |
protect |
significant |
T1498.002 |
Reflection Amplification |
| azure_ddos_protection_standard |
Azure DDOS Protection Standard |
protect |
significant |
T1498.001 |
Direct Network Flood |
| azure_ddos_protection_standard |
Azure DDOS Protection Standard |
protect |
significant |
T1499 |
Endpoint Denial of Service |
| azure_ddos_protection_standard |
Azure DDOS Protection Standard |
protect |
significant |
T1499.003 |
Application Exhaustion Flood |
| azure_ddos_protection_standard |
Azure DDOS Protection Standard |
protect |
significant |
T1499.002 |
Service Exhaustion Flood |
| azure_ddos_protection_standard |
Azure DDOS Protection Standard |
protect |
significant |
T1499.001 |
OS Exhaustion Flood |
| azure_defender_for_app_service |
Azure Defender for App Service |
protect |
minimal |
T1584 |
Compromise Infrastructure |
| azure_defender_for_app_service |
Azure Defender for App Service |
protect |
significant |
T1584.001 |
Domains |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1496 |
Resource Hijacking |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1204 |
User Execution |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1204.001 |
Malicious Link |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1140 |
Deobfuscate/Decode Files or Information |
| azure_defender_for_app_service |
Azure Defender for App Service |
protect |
minimal |
T1566 |
Phishing |
| azure_defender_for_app_service |
Azure Defender for App Service |
protect |
minimal |
T1566.002 |
Spearphishing Link |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1059 |
Command and Scripting Interpreter |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1059.004 |
Unix Shell |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1059.001 |
PowerShell |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1105 |
Ingress Tool Transfer |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1595 |
Active Scanning |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1595.002 |
Vulnerability Scanning |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1594 |
Search Victim-Owned Websites |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1055 |
Process Injection |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1055.001 |
Dynamic-link Library Injection |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1055.002 |
Portable Executable Injection |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1055.003 |
Thread Execution Hijacking |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1055.004 |
Asynchronous Procedure Call |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1055.005 |
Thread Local Storage |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1055.011 |
Extra Window Memory Injection |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1055.012 |
Process Hollowing |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1055.013 |
Process Doppelgänging |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1055.008 |
Ptrace System Calls |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1055.009 |
Proc Memory |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1055.014 |
VDSO Hijacking |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1203 |
Exploitation for Client Execution |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1211 |
Exploitation for Defense Evasion |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1068 |
Exploitation for Privilege Escalation |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1212 |
Exploitation for Credential Access |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1189 |
Drive-by Compromise |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1190 |
Exploit Public-Facing Application |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1210 |
Exploitation of Remote Services |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1559 |
Inter-Process Communication |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1559.001 |
Component Object Model |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1559.002 |
Dynamic Data Exchange |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1036 |
Masquerading |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
partial |
T1036.005 |
Match Legitimate Name or Location |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1134 |
Access Token Manipulation |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1087 |
Account Discovery |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1087.001 |
Local Account |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1123 |
Audio Capture |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1547 |
Boot or Logon Autostart Execution |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1547.005 |
Security Support Provider |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1547.001 |
Registry Run Keys / Startup Folder |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1543 |
Create or Modify System Process |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1543.003 |
Windows Service |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1555 |
Credentials from Password Stores |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1005 |
Data from Local System |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1482 |
Domain Trust Discovery |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1574 |
Hijack Execution Flow |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1574.001 |
DLL Search Order Hijacking |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1574.007 |
Path Interception by PATH Environment Variable |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1574.008 |
Path Interception by Search Order Hijacking |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1574.009 |
Path Interception by Unquoted Path |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1056 |
Input Capture |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1056.001 |
Keylogging |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1027 |
Obfuscated Files or Information |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1027.005 |
Indicator Removal from Tools |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1003 |
OS Credential Dumping |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1003.001 |
LSASS Memory |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1057 |
Process Discovery |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1012 |
Query Registry |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1053 |
Scheduled Task/Job |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1053.005 |
Scheduled Task |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1113 |
Screen Capture |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1558 |
Steal or Forge Kerberos Tickets |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1558.003 |
Kerberoasting |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1552 |
Unsecured Credentials |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1552.002 |
Credentials in Registry |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1552.006 |
Group Policy Preferences |
| azure_defender_for_app_service |
Azure Defender for App Service |
detect |
minimal |
T1047 |
Windows Management Instrumentation |
| conditional_access |
Conditional Access |
protect |
significant |
T1110 |
Brute Force |
| conditional_access |
Conditional Access |
protect |
significant |
T1110.001 |
Password Guessing |
| conditional_access |
Conditional Access |
protect |
significant |
T1110.002 |
Password Cracking |
| conditional_access |
Conditional Access |
protect |
significant |
T1110.003 |
Password Spraying |
| conditional_access |
Conditional Access |
protect |
significant |
T1110.004 |
Credential Stuffing |
| conditional_access |
Conditional Access |
protect |
minimal |
T1078 |
Valid Accounts |
| conditional_access |
Conditional Access |
protect |
significant |
T1078.004 |
Cloud Accounts |
| conditional_access |
Conditional Access |
protect |
minimal |
T1074 |
Data Staged |
| conditional_access |
Conditional Access |
protect |
minimal |
T1074.002 |
Remote Data Staging |
| conditional_access |
Conditional Access |
protect |
minimal |
T1074.001 |
Local Data Staging |
| conditional_access |
Conditional Access |
protect |
minimal |
T1530 |
Data from Cloud Storage Object |
| conditional_access |
Conditional Access |
protect |
minimal |
T1213 |
Data from Information Repositories |
| conditional_access |
Conditional Access |
protect |
partial |
T1213.002 |
Sharepoint |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1078 |
Valid Accounts |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1078.004 |
Cloud Accounts |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1078.002 |
Domain Accounts |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1078.001 |
Default Accounts |
| cloud_app_security_policies |
Cloud App Security Policies |
protect |
partial |
T1567 |
Exfiltration Over Web Service |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1567 |
Exfiltration Over Web Service |
| cloud_app_security_policies |
Cloud App Security Policies |
protect |
partial |
T1567.002 |
Exfiltration to Cloud Storage |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1567.002 |
Exfiltration to Cloud Storage |
| cloud_app_security_policies |
Cloud App Security Policies |
protect |
partial |
T1567.001 |
Exfiltration to Code Repository |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1567.001 |
Exfiltration to Code Repository |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1189 |
Drive-by Compromise |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1535 |
Unused/Unsupported Cloud Regions |
| cloud_app_security_policies |
Cloud App Security Policies |
protect |
significant |
T1187 |
Forced Authentication |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
significant |
T1187 |
Forced Authentication |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1530 |
Data from Cloud Storage Object |
| cloud_app_security_policies |
Cloud App Security Policies |
protect |
partial |
T1528 |
Steal Application Access Token |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1528 |
Steal Application Access Token |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1526 |
Cloud Service Discovery |
| cloud_app_security_policies |
Cloud App Security Policies |
protect |
minimal |
T1213 |
Data from Information Repositories |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
minimal |
T1213 |
Data from Information Repositories |
| cloud_app_security_policies |
Cloud App Security Policies |
protect |
partial |
T1213.002 |
Sharepoint |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1213.002 |
Sharepoint |
| cloud_app_security_policies |
Cloud App Security Policies |
protect |
partial |
T1213.001 |
Confluence |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1213.001 |
Confluence |
| cloud_app_security_policies |
Cloud App Security Policies |
protect |
partial |
T1119 |
Automated Collection |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1119 |
Automated Collection |
| cloud_app_security_policies |
Cloud App Security Policies |
protect |
partial |
T1565 |
Data Manipulation |
| cloud_app_security_policies |
Cloud App Security Policies |
protect |
partial |
T1565.001 |
Stored Data Manipulation |
| cloud_app_security_policies |
Cloud App Security Policies |
protect |
partial |
T1133 |
External Remote Services |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1133 |
External Remote Services |
| cloud_app_security_policies |
Cloud App Security Policies |
protect |
significant |
T1219 |
Remote Access Software |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1219 |
Remote Access Software |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
minimal |
T1484 |
Domain Policy Modification |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
minimal |
T1484.002 |
Domain Trust Modification |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
minimal |
T1484.001 |
Group Policy Modification |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
minimal |
T1098 |
Account Manipulation |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
minimal |
T1098.003 |
Add Office 365 Global Administrator Role |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
minimal |
T1098.001 |
Additional Cloud Credentials |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
minimal |
T1098.002 |
Exchange Email Delegate Permissions |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
minimal |
T1578 |
Modify Cloud Compute Infrastructure |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
minimal |
T1578.004 |
Revert Cloud Instance |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
minimal |
T1578.003 |
Delete Cloud Instance |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
minimal |
T1578.001 |
Create Snapshot |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
minimal |
T1578.002 |
Create Cloud Instance |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
minimal |
T1531 |
Account Access Removal |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1496 |
Resource Hijacking |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1485 |
Data Destruction |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1486 |
Data Encrypted for Impact |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
minimal |
T1071 |
Application Layer Protocol |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1071.003 |
Mail Protocols |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1110 |
Brute Force |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1110.004 |
Credential Stuffing |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1110.003 |
Password Spraying |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
partial |
T1110.001 |
Password Guessing |
| cloud_app_security_policies |
Cloud App Security Policies |
detect |
minimal |
T1534 |
Internal Spearphishing |
| azure_defender_for_container_registries |
Azure Defender for Container Registries |
protect |
minimal |
T1190 |
Exploit Public-Facing Application |
| azure_defender_for_container_registries |
Azure Defender for Container Registries |
protect |
minimal |
T1068 |
Exploitation for Privilege Escalation |
| azure_defender_for_container_registries |
Azure Defender for Container Registries |
protect |
partial |
T1525 |
Implant Container Image |
| azure_defender_for_container_registries |
Azure Defender for Container Registries |
detect |
partial |
T1525 |
Implant Container Image |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
partial |
T1110 |
Brute Force |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
partial |
T1110.001 |
Password Guessing |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
partial |
T1110.002 |
Password Cracking |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
partial |
T1110.003 |
Password Spraying |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
partial |
T1110.004 |
Credential Stuffing |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
minimal |
T1078 |
Valid Accounts |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
detect |
minimal |
T1078 |
Valid Accounts |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
partial |
T1078.004 |
Cloud Accounts |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
detect |
partial |
T1078.004 |
Cloud Accounts |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
minimal |
T1078.002 |
Domain Accounts |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
minimal |
T1078.003 |
Local Accounts |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
minimal |
T1078.001 |
Default Accounts |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
partial |
T1531 |
Account Access Removal |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
partial |
T1528 |
Steal Application Access Token |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
detect |
partial |
T1606 |
Forge Web Credentials |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
detect |
partial |
T1606.002 |
SAML Tokens |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
partial |
T1558 |
Steal or Forge Kerberos Tickets |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
partial |
T1558.004 |
AS-REP Roasting |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
partial |
T1558.001 |
Golden Ticket |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
partial |
T1558.003 |
Kerberoasting |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
minimal |
T1552 |
Unsecured Credentials |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
partial |
T1550 |
Use Alternate Authentication Material |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
partial |
T1550.003 |
Pass the Ticket |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
partial |
T1550.002 |
Pass the Hash |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
protect |
minimal |
T1040 |
Network Sniffing |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
detect |
partial |
T1133 |
External Remote Services |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
detect |
minimal |
T1134 |
Access Token Manipulation |
| azure_ad_identity_secure_score |
Azure AD Identity Secure Score |
detect |
partial |
T1134.005 |
SID-History Injection |
| azure_active_directory_password_protection |
Azure Active Directory Password Protection |
protect |
partial |
T1110 |
Brute Force |
| azure_active_directory_password_protection |
Azure Active Directory Password Protection |
protect |
partial |
T1110.001 |
Password Guessing |
| azure_active_directory_password_protection |
Azure Active Directory Password Protection |
protect |
partial |
T1110.002 |
Password Cracking |
| azure_active_directory_password_protection |
Azure Active Directory Password Protection |
protect |
partial |
T1110.003 |
Password Spraying |
| azure_active_directory_password_protection |
Azure Active Directory Password Protection |
protect |
partial |
T1110.004 |
Credential Stuffing |
| microsoft_antimalware_for_azure |
Microsoft Antimalware for Azure |
protect |
minimal |
T1566 |
Phishing |
| microsoft_antimalware_for_azure |
Microsoft Antimalware for Azure |
detect |
minimal |
T1566 |
Phishing |
| microsoft_antimalware_for_azure |
Microsoft Antimalware for Azure |
protect |
minimal |
T1566.001 |
Spearphishing Attachment |
| microsoft_antimalware_for_azure |
Microsoft Antimalware for Azure |
detect |
partial |
T1566.001 |
Spearphishing Attachment |
| microsoft_antimalware_for_azure |
Microsoft Antimalware for Azure |
protect |
minimal |
T1204 |
User Execution |
| microsoft_antimalware_for_azure |
Microsoft Antimalware for Azure |
protect |
minimal |
T1204.002 |
Malicious File |
| microsoft_antimalware_for_azure |
Microsoft Antimalware for Azure |
detect |
minimal |
T1204.002 |
Malicious File |
| microsoft_antimalware_for_azure |
Microsoft Antimalware for Azure |
protect |
minimal |
T1105 |
Ingress Tool Transfer |
| microsoft_antimalware_for_azure |
Microsoft Antimalware for Azure |
detect |
minimal |
T1105 |
Ingress Tool Transfer |
| microsoft_antimalware_for_azure |
Microsoft Antimalware for Azure |
protect |
minimal |
T1027 |
Obfuscated Files or Information |
| microsoft_antimalware_for_azure |
Microsoft Antimalware for Azure |
detect |
minimal |
T1027 |
Obfuscated Files or Information |
| microsoft_antimalware_for_azure |
Microsoft Antimalware for Azure |
protect |
minimal |
T1027.002 |
Software Packing |
| microsoft_antimalware_for_azure |
Microsoft Antimalware for Azure |
detect |
minimal |
T1027.002 |
Software Packing |
| azure_web_application_firewall |
Azure Web Application Firewall |
protect |
partial |
T1595 |
Active Scanning |
| azure_web_application_firewall |
Azure Web Application Firewall |
protect |
partial |
T1595.002 |
Vulnerability Scanning |
| azure_web_application_firewall |
Azure Web Application Firewall |
detect |
partial |
T1595.002 |
Vulnerability Scanning |
| azure_web_application_firewall |
Azure Web Application Firewall |
protect |
significant |
T1190 |
Exploit Public-Facing Application |
| azure_web_application_firewall |
Azure Web Application Firewall |
detect |
significant |
T1190 |
Exploit Public-Facing Application |
| azure_web_application_firewall |
Azure Web Application Firewall |
protect |
partial |
T1046 |
Network Service Scanning |
| azure_web_application_firewall |
Azure Web Application Firewall |
detect |
partial |
T1046 |
Network Service Scanning |
| azure_web_application_firewall |
Azure Web Application Firewall |
protect |
minimal |
T1071 |
Application Layer Protocol |
| azure_web_application_firewall |
Azure Web Application Firewall |
detect |
minimal |
T1071 |
Application Layer Protocol |
| azure_web_application_firewall |
Azure Web Application Firewall |
protect |
partial |
T1071.001 |
Web Protocols |
| azure_web_application_firewall |
Azure Web Application Firewall |
detect |
partial |
T1071.001 |
Web Protocols |
| azure_dns_analytics |
Azure DNS Analytics |
detect |
minimal |
T1071 |
Application Layer Protocol |
| azure_dns_analytics |
Azure DNS Analytics |
detect |
minimal |
T1071.004 |
DNS |
| azure_dns_analytics |
Azure DNS Analytics |
detect |
minimal |
T1568 |
Dynamic Resolution |
| azure_dns_analytics |
Azure DNS Analytics |
detect |
minimal |
T1568.001 |
Fast Flux DNS |
| azure_dns_analytics |
Azure DNS Analytics |
detect |
minimal |
T1568.002 |
Domain Generation Algorithms |
| azure_dns_analytics |
Azure DNS Analytics |
detect |
minimal |
T1048 |
Exfiltration Over Alternative Protocol |
| azure_dns_analytics |
Azure DNS Analytics |
detect |
minimal |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| azure_dns_analytics |
Azure DNS Analytics |
detect |
minimal |
T1041 |
Exfiltration Over C2 Channel |
| azure_dns_analytics |
Azure DNS Analytics |
detect |
minimal |
T1566 |
Phishing |
| azure_dns_analytics |
Azure DNS Analytics |
detect |
minimal |
T1566.002 |
Spearphishing Link |
| just-in-time_vm_access |
Just-in-Time VM Access |
protect |
minimal |
T1190 |
Exploit Public-Facing Application |
| just-in-time_vm_access |
Just-in-Time VM Access |
protect |
significant |
T1133 |
External Remote Services |
| just-in-time_vm_access |
Just-in-Time VM Access |
protect |
significant |
T1110 |
Brute Force |
| just-in-time_vm_access |
Just-in-Time VM Access |
protect |
significant |
T1110.003 |
Password Spraying |
| just-in-time_vm_access |
Just-in-Time VM Access |
protect |
significant |
T1110.001 |
Password Guessing |
| just-in-time_vm_access |
Just-in-Time VM Access |
protect |
significant |
T1110.004 |
Credential Stuffing |
| sql_vulnerability_assessment |
SQL Vulnerability Assessment |
protect |
minimal |
T1190 |
Exploit Public-Facing Application |
| sql_vulnerability_assessment |
SQL Vulnerability Assessment |
protect |
minimal |
T1078 |
Valid Accounts |
| sql_vulnerability_assessment |
SQL Vulnerability Assessment |
protect |
partial |
T1078.001 |
Default Accounts |
| sql_vulnerability_assessment |
SQL Vulnerability Assessment |
protect |
minimal |
T1505 |
Server Software Component |
| sql_vulnerability_assessment |
SQL Vulnerability Assessment |
protect |
partial |
T1505.001 |
SQL Stored Procedures |
| sql_vulnerability_assessment |
SQL Vulnerability Assessment |
protect |
partial |
T1068 |
Exploitation for Privilege Escalation |
| sql_vulnerability_assessment |
SQL Vulnerability Assessment |
protect |
minimal |
T1112 |
Modify Registry |
| passwordless_authentication |
Passwordless Authentication |
protect |
significant |
T1110 |
Brute Force |
| passwordless_authentication |
Passwordless Authentication |
protect |
significant |
T1110.004 |
Credential Stuffing |
| passwordless_authentication |
Passwordless Authentication |
protect |
significant |
T1110.001 |
Password Guessing |
| passwordless_authentication |
Passwordless Authentication |
protect |
significant |
T1110.003 |
Password Spraying |
| passwordless_authentication |
Passwordless Authentication |
protect |
significant |
T1110.002 |
Password Cracking |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1590 |
Gather Victim Network Information |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1590.004 |
Network Topology |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1590.005 |
IP Addresses |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1590.006 |
Network Security Appliances |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1595 |
Active Scanning |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1595.001 |
Scanning IP Blocks |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1595.002 |
Vulnerability Scanning |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1133 |
External Remote Services |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1205 |
Traffic Signaling |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1205.001 |
Port Knocking |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1046 |
Network Service Scanning |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1018 |
Remote System Discovery |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1008 |
Fallback Channels |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1095 |
Non-Application Layer Protocol |
| azure_firewall |
Azure Firewall |
protect |
significant |
T1571 |
Non-Standard Port |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1219 |
Remote Access Software |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1048 |
Exfiltration Over Alternative Protocol |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| azure_firewall |
Azure Firewall |
protect |
partial |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| alerts_for_dns |
Alerts for DNS |
detect |
partial |
T1568 |
Dynamic Resolution |
| alerts_for_dns |
Alerts for DNS |
detect |
partial |
T1568.001 |
Fast Flux DNS |
| alerts_for_dns |
Alerts for DNS |
detect |
partial |
T1568.002 |
Domain Generation Algorithms |
| alerts_for_dns |
Alerts for DNS |
detect |
minimal |
T1071 |
Application Layer Protocol |
| alerts_for_dns |
Alerts for DNS |
detect |
significant |
T1071.004 |
DNS |
| alerts_for_dns |
Alerts for DNS |
detect |
minimal |
T1572 |
Protocol Tunneling |
| alerts_for_dns |
Alerts for DNS |
detect |
minimal |
T1090 |
Proxy |
| alerts_for_dns |
Alerts for DNS |
detect |
minimal |
T1048 |
Exfiltration Over Alternative Protocol |
| continuous_access_evaluation |
Continuous Access Evaluation |
respond |
minimal |
T1078 |
Valid Accounts |
| continuous_access_evaluation |
Continuous Access Evaluation |
respond |
partial |
T1078.004 |
Cloud Accounts |
| integrated_vulnerability_scanner_powered_by_qualys |
Integrated Vulnerability Scanner Powered by Qualys |
protect |
partial |
T1189 |
Drive-by Compromise |
| integrated_vulnerability_scanner_powered_by_qualys |
Integrated Vulnerability Scanner Powered by Qualys |
protect |
partial |
T1190 |
Exploit Public-Facing Application |
| integrated_vulnerability_scanner_powered_by_qualys |
Integrated Vulnerability Scanner Powered by Qualys |
protect |
partial |
T1203 |
Exploitation for Client Execution |
| integrated_vulnerability_scanner_powered_by_qualys |
Integrated Vulnerability Scanner Powered by Qualys |
protect |
partial |
T1068 |
Exploitation for Privilege Escalation |
| integrated_vulnerability_scanner_powered_by_qualys |
Integrated Vulnerability Scanner Powered by Qualys |
protect |
partial |
T1211 |
Exploitation for Defense Evasion |
| integrated_vulnerability_scanner_powered_by_qualys |
Integrated Vulnerability Scanner Powered by Qualys |
protect |
partial |
T1212 |
Exploitation for Credential Access |
| integrated_vulnerability_scanner_powered_by_qualys |
Integrated Vulnerability Scanner Powered by Qualys |
protect |
partial |
T1210 |
Exploitation of Remote Services |
| azure_key_vault |
Azure Key Vault |
protect |
partial |
T1528 |
Steal Application Access Token |
| azure_key_vault |
Azure Key Vault |
protect |
partial |
T1555 |
Credentials from Password Stores |
| azure_key_vault |
Azure Key Vault |
protect |
partial |
T1552 |
Unsecured Credentials |
| azure_key_vault |
Azure Key Vault |
protect |
minimal |
T1040 |
Network Sniffing |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1199 |
Trusted Relationship |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1602 |
Data from Configuration Repository |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1602.001 |
SNMP (MIB Dump) |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1602.002 |
Network Device Configuration Dump |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
minimal |
T1542 |
Pre-OS Boot |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1542.005 |
TFTP Boot |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1563 |
Remote Service Session Hijacking |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1563.002 |
RDP Hijacking |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1563.001 |
SSH Hijacking |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1048 |
Exfiltration Over Alternative Protocol |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1048.003 |
Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1048.002 |
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1048.001 |
Exfiltration Over Symmetric Encrypted Non-C2 Protocol |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1190 |
Exploit Public-Facing Application |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1021 |
Remote Services |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1021.006 |
Windows Remote Management |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1021.005 |
VNC |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1021.004 |
SSH |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1021.002 |
SMB/Windows Admin Shares |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1021.001 |
Remote Desktop Protocol |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1021.003 |
Distributed Component Object Model |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1072 |
Software Deployment Tools |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1133 |
External Remote Services |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
significant |
T1046 |
Network Service Scanning |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
significant |
T1571 |
Non-Standard Port |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1071 |
Application Layer Protocol |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1071.004 |
DNS |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1071.003 |
Mail Protocols |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1071.002 |
File Transfer Protocols |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1499 |
Endpoint Denial of Service |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1499.003 |
Application Exhaustion Flood |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1499.002 |
Service Exhaustion Flood |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1499.001 |
OS Exhaustion Flood |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1090 |
Proxy |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1090.003 |
Multi-hop Proxy |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1090.002 |
External Proxy |
| azure_network_traffic_analytics |
Azure Network Traffic Analytics |
detect |
partial |
T1090.001 |
Internal Proxy |
| docker_host_hardening |
Docker Host Hardening |
detect |
minimal |
T1525 |
Implant Container Image |
| docker_host_hardening |
Docker Host Hardening |
protect |
minimal |
T1548 |
Abuse Elevation Control Mechanism |
| docker_host_hardening |
Docker Host Hardening |
protect |
minimal |
T1548.001 |
Setuid and Setgid |
| docker_host_hardening |
Docker Host Hardening |
protect |
minimal |
T1068 |
Exploitation for Privilege Escalation |
| docker_host_hardening |
Docker Host Hardening |
protect |
minimal |
T1040 |
Network Sniffing |
| docker_host_hardening |
Docker Host Hardening |
protect |
minimal |
T1083 |
File and Directory Discovery |
| docker_host_hardening |
Docker Host Hardening |
protect |
minimal |
T1021 |
Remote Services |
| docker_host_hardening |
Docker Host Hardening |
protect |
minimal |
T1021.004 |
SSH |
| docker_host_hardening |
Docker Host Hardening |
protect |
minimal |
T1005 |
Data from Local System |
