M365 DEF-IR-E5 Mappings

Microsoft Defender XDR automatically aggregates alerts and their associated information into an incident. Grouping related alerts into an incident gives you a comprehensive view of an attack; for example, where the attack started, what tactics were used, and the scope of the attack.

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name |
|---|---|---|---|---|
| DEF-IR-E5 | Incident Response | Technique Scores | T1098 | Account Manipulation |
| DEF-IR-E5 | Incident Response | Technique Scores | T1098.001 | Additional Cloud Credentials |
| DEF-IR-E5 | Incident Response | Technique Scores | T1098.002 | Additional Email Delegate Permissions |
| DEF-IR-E5 | Incident Response | Technique Scores | T1098.003 | Additional Cloud Roles |
| DEF-IR-E5 | Incident Response | Technique Scores | T1531 | Account Access Removal |
| DEF-IR-E5 | Incident Response | Technique Scores | T1110 | Brute Force |
| DEF-IR-E5 | Incident Response | Technique Scores | T1110.001 | Password Guessing |
| DEF-IR-E5 | Incident Response | Technique Scores | T1110.002 | Password Cracking |
| DEF-IR-E5 | Incident Response | Technique Scores | T1110.003 | Password Spraying |
| DEF-IR-E5 | Incident Response | Technique Scores | T1110.004 | Credential Stuffing |
| DEF-IR-E5 | Incident Response | Technique Scores | T1136 | Create Account |
| DEF-IR-E5 | Incident Response | Technique Scores | T1136.003 | Cloud Account |
| DEF-IR-E5 | Incident Response | Technique Scores | T1538 | Cloud Service Dashboard |
| DEF-IR-E5 | Incident Response | Technique Scores | T1059 | Command and Scripting Interpreter |
| DEF-IR-E5 | Incident Response | Technique Scores | T1059.009 | Cloud API |
| DEF-IR-E5 | Incident Response | Technique Scores | T1530 | Data from Cloud Storage |
| DEF-IR-E5 | Incident Response | Technique Scores | T1213 | Data from Information Repositories |
| DEF-IR-E5 | Incident Response | Technique Scores | T1213.002 | Sharepoint |
| DEF-IR-E5 | Incident Response | Technique Scores | T1606 | Forge Web Credentials |
| DEF-IR-E5 | Incident Response | Technique Scores | T1606.002 | SAML Tokens |
| DEF-IR-E5 | Incident Response | Technique Scores | T1564 | Hide Artifacts |
| DEF-IR-E5 | Incident Response | Technique Scores | T1564.008 | Email Hiding Rules |
| DEF-IR-E5 | Incident Response | Technique Scores | T1562 | Impair Defenses |
| DEF-IR-E5 | Incident Response | Technique Scores | T1562.008 | Disable or Modify Cloud Logs |
| DEF-IR-E5 | Incident Response | Technique Scores | T1556 | Modify Authentication Process |
| DEF-IR-E5 | Incident Response | Technique Scores | T1556.006 | Multi-Factor Authentication |
| DEF-IR-E5 | Incident Response | Technique Scores | T1621 | Multi-Factor Authentication Request Generation |
| DEF-IR-E5 | Incident Response | Technique Scores | T1566 | Phishing |
| DEF-IR-E5 | Incident Response | Technique Scores | T1598.003 | Spearphishing Link |
| DEF-IR-E5 | Incident Response | Technique Scores | T1598.004 | Spearphishing Voice |
| DEF-IR-E5 | Incident Response | Technique Scores | T1552 | Unsecured Credentials |
| DEF-IR-E5 | Incident Response | Technique Scores | T1552.008 | Chat Messages |
| DEF-IR-E5 | Incident Response | Technique Scores | T1550 | Use Alternate Authentication Material |
| DEF-IR-E5 | Incident Response | Technique Scores | T1550.001 | Application Access Token |
| DEF-IR-E5 | Incident Response | Technique Scores | T1550.004 | Web Session Cookie |
| DEF-IR-E5 | Incident Response | Technique Scores | T1078 | Valid Accounts |
| DEF-IR-E5 | Incident Response | Technique Scores | T1087.004 | Cloud Account |