Azure microsoft_defender_for_identity Mappings

Microsoft Defender for Identity (formerly Azure Advanced Threat Protection, also known as Azure ATP) is a cloud-based security solution that leverages your on-premises Active Directory signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions directed at your organization.

Mappings

| Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|---|
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1087 | Account Discovery |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1087.002 | Domain Account |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1482 | Domain Trust Discovery |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1201 | Password Policy Discovery |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1069 | Permission Groups Discovery |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1069.002 | Domain Groups |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1210 | Exploitation of Remote Services |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1550 | Use Alternate Authentication Material |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1550.002 | Pass the Hash |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1550.003 | Pass the Ticket |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1557 | Man-in-the-Middle |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1557.001 | LLMNR/NBT-NS Poisoning and SMB Relay |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1110 | Brute Force |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1110.003 | Password Spraying |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1110.001 | Password Guessing |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1558 | Steal or Forge Kerberos Tickets |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1558.003 | Kerberoasting |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1558.004 | AS-REP Roasting |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1558.001 | Golden Ticket |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1133 | External Remote Services |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1555 | Credentials from Password Stores |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1555.003 | Credentials from Web Browsers |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1047 | Windows Management Instrumentation |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1059 | Command and Scripting Interpreter |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1059.001 | PowerShell |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1021 | Remote Services |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1021.002 | SMB/Windows Admin Shares |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1569 | System Services |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1569.002 | Service Execution |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1207 | Rogue Domain Controller |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1003 | OS Credential Dumping |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | significant | T1003.006 | DCSync |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1003.003 | NTDS |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1556 | Modify Authentication Process |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1556.001 | Domain Controller Authentication |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1098 | Account Manipulation |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1543 | Create or Modify System Process |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1543.003 | Windows Service |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1071 | Application Layer Protocol |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1071.004 | DNS |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | minimal | T1048 | Exfiltration Over Alternative Protocol |
| microsoft_defender_for_identity | Microsoft Defender for Identity | detect | partial | T1048.003 | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |