1. Home
  2. Mapping Frameworks
  3. M365 Home
  4. Adaptive Application Control Integration

M365 DEF-AACI-E3

Adaptive Application Control Integration, formerly Azure Security Center's Adaptive Application Controls, uses machine learning to analyze the applications running on machines and create a list of known-safe software. Allow lists are based on specific workloads, trusted paths, publishers, and hashes and can be further customized. Security alerts are generated when applications are run that have not been defined as safe.

Mappings

Capability ID Capability Description Category Value ATT&CK ID ATT&CK Name Notes
DEF-AACI-E3 Adaptive Application Control Integration detect partial T1036 Masquerading
Comments
This control provides detection for some of this technique's sub-techniques and procedure examples and therefore its coverage score is Partial, resulting in a Partial score. Its detection occurs once every twelve hours, so its temporal score is also Partial.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
DEF-AACI-E3 Adaptive Application Control Integration detect partial T1036 Masquerading
Comments
This control provides detection for some of this technique's sub-techniques and procedure examples and therefore its coverage score is Partial, resulting in a Partial score. Its detection occurs once every twelve hours, so its temporal score is also Partial.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent#feature-functionality
DEF-AACI-E3 Adaptive Application Control Integration detect partial T1036.001 Invalid Code Signature
Comments
Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Because signatures generated via this technique are not valid, these malicious executables would be detected via any form of allow list, including publisher-based. Events are calculated once every twelve hours, so its temporal score is Partial.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
DEF-AACI-E3 Adaptive Application Control Integration detect partial T1036.001 Invalid Code Signature
Comments
Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Because signatures generated via this technique are not valid, these malicious executables would be detected via any form of allow list, including publisher-based. Events are calculated once every twelve hours, so its temporal score is Partial.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
DEF-AACI-E3 Adaptive Application Control Integration detect partial T1036.005 Match Legitimate Name or Location
Comments
Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Path-based masquerading may subvert path-based rules within this control, resulting in false negatives, but hash and publisher-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
DEF-AACI-E3 Adaptive Application Control Integration detect partial T1036.005 Match Legitimate Name or Location
Comments
Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Path-based masquerading may subvert path-based rules within this control, resulting in false negatives, but hash and publisher-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
DEF-AACI-E3 Adaptive Application Control Integration detect partial T1036.006 Space after Filename
Comments
Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Malicious files of this type would be unlikely to evade detection from any form of allow list. Events are calculated once every twelve hours, so its temporal score is Partial.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
DEF-AACI-E3 Adaptive Application Control Integration detect partial T1036.006 Space after Filename
Comments
Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Malicious files of this type would be unlikely to evade detection from any form of allow list. Events are calculated once every twelve hours, so its temporal score is Partial.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
DEF-AACI-E3 Adaptive Application Control Integration detect partial T1204 User Execution
Comments
This control only provides detection for one of this technique's sub-techniques while not providing any detection capability for its other sub-technique, and therefore its coverage score is Partial, resulting in a Partial score.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
DEF-AACI-E3 Adaptive Application Control Integration detect partial T1204 User Execution
Comments
This control only provides detection for one of this technique's sub-techniques while not providing any detection capability for its other sub-technique, and therefore its coverage score is Partial, resulting in a Partial score.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
DEF-AACI-E3 Adaptive Application Control Integration detect partial T1204.002 Malicious File
Comments
Once this control is activated, it generates alerts for any executable that has been run and is not included in an allow list. There is a significant potential for false positives from new non-malicious executables, and events are calculated once every twelve hours, so its temporal score is Partial.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
DEF-AACI-E3 Adaptive Application Control Integration detect partial T1204.002 Malicious File
Comments
Once this control is activated, it generates alerts for any executable that has been run and is not included in an allow list. There is a significant potential for false positives from new non-malicious executables, and events are calculated once every twelve hours, so its temporal score is Partial.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
DEF-AACI-E3 Adaptive Application Control Integration detect minimal T1553 Subvert Trust Controls
Comments
This control only provides detection for some of this technique's sub-techniques while not providing any detection capability for the remaining sub-techniques, and therefore its coverage score is Minimal, resulting in a Minimal score.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
DEF-AACI-E3 Adaptive Application Control Integration detect minimal T1553 Subvert Trust Controls
Comments
This control only provides detection for some of this technique's sub-techniques while not providing any detection capability for the remaining sub-techniques, and therefore its coverage score is Minimal, resulting in a Minimal score.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
DEF-AACI-E3 Adaptive Application Control Integration detect partial T1553.002 Code Signing
Comments
Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. While publisher-based allow lists may fail to detect malicious executables with valid signatures, hash and path-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
DEF-AACI-E3 Adaptive Application Control Integration detect partial T1553.002 Code Signing
Comments
Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. While publisher-based allow lists may fail to detect malicious executables with valid signatures, hash and path-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
DEF-AACI-E3 Adaptive Application Control Integration detect partial T1553.005 Mark-of-the-Web Bypass
Comments
Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. Events are calculated once every twelve hours, so its temporal score is Partial.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description
DEF-AACI-E3 Adaptive Application Control Integration detect partial T1554 Compromise Host Software Binary
Comments
Once this control is activated, it generates alerts for any executable that is run and is not included in an allow list. While name and publisher-based allow lists may fail to detect malicious modifications to executable client binaries, hash-based rules will still detect untrusted executables. Events are calculated once every twelve hours, so its temporal score is Partial.
References
  1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/prepare-deprecation-log-analytics-mma-agent
  2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-servers-overview
  3. https://learn.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-defender-service-description