Capability ID | Capability Description | Category | Value | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|---|
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1578.005 | Modify Cloud Compute Configurations | This control can identify anomalous admin activity. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1016.001 | Internet Connection Discovery | Microsoft Defender's ability to detect entities scanning the network configuration also covers the scanning of internet connections, providing a detection mechanism against this technique. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1016.002 | Wi-Fi Discovery | Microsoft Defender's ability to detect entities scanning the network configuration also covers the scanning of internet connections, providing a detection mechanism against this technique. |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | significant | T1021.007 | Cloud Services | Defender for Cloud leverages anomaly detection policies and audit logging to mitigate Cloud Services-based attacks. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | significant | T1027.006 | HTML Smuggling | File policies in Microsoft Defender for Cloud perform content inspection, which can provide continuous scans to detect and remediate any violations. |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | partial | T1027.007 | Dynamic API Resolution | This control can protect against abuse of dynamic API resolution. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | significant | T1027.008 | Stripped Payloads | Defender utilizes File Policies, which allow file sandboxing and filtering based on file metadata. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | significant | T1027.009 | Embedded Payloads | This control can detect embedded payloads through DLP content inspection. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1027.010 | Command Obfuscation | This control can detect command obfuscation attacks through anomaly detection policies. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1071 | Application Layer Protocol | This control can identify some evidence of potential C2 via a specific application layer protocol (mail). Relevant alerts include "Suspicious inbox forwarding" and "Suspicious inbox manipulation rule". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1071.003 | Mail Protocols | This control can identify some evidence of potential C2 via a specific application layer protocol (mail). Relevant alerts include "Suspicious inbox forwarding" and "Suspicious inbox manipulation rule". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1071.005 | Publish/Subscribe Protocols | This control can identify some evidence of potential C2 via a specific application layer protocol (mail). Relevant alerts include "Suspicious inbox forwarding" and "Suspicious inbox manipulation rule". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1078 | Valid Accounts | This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. Relevant alerts include "Activity from anonymous IP address", "Activity from infrequent country", "Activity from suspicious IP address", "Impossible Travel", and "Activity performed by terminated user". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1078.001 | Default Accounts | This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. Relevant alerts include "Activity from anonymous IP address", "Activity from infrequent country", "Activity from suspicious IP address", "Impossible Travel", and "Activity performed by terminated user". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1078.002 | Domain Accounts | This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. Relevant alerts include "Activity from anonymous IP address", "Activity from infrequent country", "Activity from suspicious IP address", "Impossible Travel", and "Activity performed by terminated user". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1078.004 | Cloud Accounts | This control can identify anomalous behavior such as geographically impossible logins and out-of-character activity. Relevant alerts include "Activity from anonymous IP address", "Activity from infrequent country", "Activity from suspicious IP address", "Impossible Travel", and "Activity performed by terminated user". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1098 | Account Manipulation | This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include "Unusual administrative activity (by user)" and "Unusual addition of credentials to an OAuth app". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1098.001 | Additional Cloud Credentials | This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include "Unusual administrative activity (by user)" and "Unusual addition of credentials to an OAuth app". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1098.002 | Additional Email Delegate Permissions | This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include "Unusual administrative activity (by user)" and "Unusual addition of credentials to an OAuth app". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1098.003 | Additional Cloud Roles | This control can detect anomalous admin activity that may be indicative of account manipulation. Relevant alerts include "Unusual administrative activity (by user)" and "Unusual addition of credentials to an OAuth app". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1110 | Brute Force | This control can detect some activity indicative of brute force attempts to log in. The relevant alert is "Multiple failed login attempts". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1110.001 | Password Guessing | This control can detect some activity indicative of brute force attempts to log in. The relevant alert is "Multiple failed login attempts". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1110.003 | Password Spraying | This control can detect some activity indicative of brute force attempts to log in. The relevant alert is "Multiple failed login attempts". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1110.004 | Credential Stuffing | This control can detect some activity indicative of brute force attempts to log in. The relevant alert is "Multiple failed login attempts". |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | partial | T1119 | Automated Collection | This control's Information protection policies can detect and encrypt sensitive information at rest on supported platforms, which can inhibit automated data collection activities. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1119 | Automated Collection | This control can detect sensitive information at rest, which may be indicative of data collection activities. |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | partial | T1133 | External Remote Services | This control's policies for access control can limit abuse of external-facing remote services. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1133 | External Remote Services | This control can provide logging of activity associated with potential exploitation of remote services, such as anomalous geographic access. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1213.004 | Customer Relationship Management Software | This control may detect anomalous user behavior with respect to information repositories such as SharePoint or Confluence. |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | partial | T1649 | Steal or Forge Authentication Certificates | This control can protect authentication certificates by allowing you to create access and session policies that leverage device tags and valid client certificates. |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | significant | T1187 | Forced Authentication | This control can provide significant protection against forced authentication methods by restricting actions associated with multiple file access methods such as SMB. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | significant | T1187 | Forced Authentication | This control can alert on anomalous sharing attempts of confidential data. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1189 | Drive-by Compromise | This control can detect outdated client browser software, which is a common target of exploitation in drive-by compromises. |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | minimal | T1213 | Data from Information Repositories | This control can provide fine-grained access control to information sharing repositories such as SharePoint or Confluence. Because this capability is limited to these services, it has been scored as Partial coverage, resulting in a Partial score. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1213 | Data from Information Repositories | This control may detect anomalous user behavior with respect to information repositories such as SharePoint or Confluence. Because this capability is limited to these services, it has been scored as Partial coverage, resulting in a Partial score. |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | partial | T1213.001 | Confluence | This control may detect anomalous user behavior with respect to information repositories such as SharePoint or Confluence. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1213.001 | Confluence | This control may detect anomalous user behavior with respect to information repositories such as SharePoint or Confluence. |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | partial | T1213.002 | Sharepoint | This control may detect anomalous user behavior with respect to information repositories such as SharePoint or Confluence. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1213.002 | Sharepoint | This control may detect anomalous user behavior with respect to information repositories such as SharePoint or Confluence. |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | significant | T1219 | Remote Access Software | This control can limit potential C2 via unapproved remote access software. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1219 | Remote Access Software | This control can identify potential malicious activity associated with the use or attempted use of unapproved remote access software. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1484 | Domain or Tenant Policy Modification | This control can detect admin activity from risky IP addresses. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1484.001 | Group Policy Modification | This control can detect admin activity from risky IP addresses. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1484.002 | Trust Modification | This control can detect admin activity from risky IP addresses. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1485 | Data Destruction | This control can identify deletion activity that could be potentially malicious data destruction. Relevant alerts include "Multiple storage deletion activities", "Multiple VM deletion activity", "Unusual file deletion activity (by user)", "Suspicious email deletion activity", and "Ransomware activity". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1486 | Data Encrypted for Impact | This control can detect a range of ransomware-related activities, including encryption. Relevant alerts include "Ransomware activities" and "Unusual file deletion activity (by user)". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1496 | Resource Hijacking | This control can identify some behaviors that are potential instances of resource hijacking. Relevant alerts include "Multiple VM Creation activities" and "Suspicious creation activity for cloud region". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1496.001 | Compute Hijacking | This control can identify some behaviors that are potential instances of compute hijacking. Relevant alerts include "Multiple VM Creation activities" and "Suspicious creation activity for cloud region". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1496.002 | Bandwidth Hijacking | This control can identify some behaviors that are potential instances of compute hijacking. Relevant alerts include "Multiple VM Creation activities" and "Suspicious creation activity for cloud region". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1496.003 | SMS Pumping | This control can identify some behaviors that are potential instances of compute hijacking. Relevant alerts include "Multiple VM Creation activities" and "Suspicious creation activity for cloud region". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1496.004 | Cloud Service Hijacking | This control can identify some behaviors that are potential instances of resource hijacking. Relevant alerts include "Multiple VM Creation activities" and "Suspicious creation activity for cloud region". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1526 | Cloud Service Discovery | This control can detect anomalous user activity that may be associated with cloud service discovery. The relevant alert is "Unusual file share activity (by user)". |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | partial | T1528 | Steal Application Access Token | This control can restrict user app permissions, which can limit the potential for theft of application access tokens. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1528 | Steal Application Access Token | This control can detect potentially risky apps. Relevant alerts include "Misleading publisher name for an OAuth app" and "Misleading OAuth app name". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1530 | Data from Cloud Storage | This control can detect use of unsanctioned business apps and data exfiltration to unsanctioned storage apps. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1531 | Account Access Removal | This control can identify anomalous admin activity. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1534 | Internal Spearphishing | This control can identify anomalous user impersonation activity, which can be an element of internal spearphishing. The relevant alert is "Unusual impersonated activity (by user)". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1535 | Unused/Unsupported Cloud Regions | This control can detect unusual region and activity for cloud resources (preview feature as of this writing). The relevant alert is "Suspicious creation activity for cloud region". |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | partial | T1558.005 | Ccache Files | Defender for Cloud Apps provides endpoint detection and response (EDR) capabilities, which can potentially block attempts to steal ccache files. |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | partial | T1565 | Data Manipulation | This control can detect and encrypt sensitive information at rest on supported platforms and restrict access to it. |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | partial | T1565.001 | Stored Data Manipulation | This control can detect and encrypt sensitive information at rest on supported platforms. |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | partial | T1567 | Exfiltration Over Web Service | This control can limit the methods users have to send data over web services. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1567 | Exfiltration Over Web Service | This control can identify large-volume potential exfiltration activity and log user activity potentially related to exfiltration via web services. A relevant alert is "Unusual file download (by user)". |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | partial | T1567.001 | Exfiltration to Code Repository | This control can identify large-volume potential exfiltration activity. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1567.001 | Exfiltration to Code Repository | This control can identify large-volume potential exfiltration activity and log user activity potentially related to exfiltration via web services. A relevant alert is "Unusual file download (by user)". |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | partial | T1567.002 | Exfiltration to Cloud Storage | This control can identify large-volume potential exfiltration activity. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1567.002 | Exfiltration to Cloud Storage | This control can identify large-volume potential exfiltration activity and log user activity potentially related to exfiltration via web services. A relevant alert is "Unusual file download (by user)". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1574.013 | KernelCallbackTable | This control offers behavior prevention capabilities for cloud environments that can be configured to block some types of behaviors related to process injection/memory tampering. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1578 | Modify Cloud Compute Infrastructure | This control can identify anomalous admin activity. Relevant alerts include "Multiple storage deletion activities", "Multiple VM creation activities", and "Suspicious creation activity for cloud region". |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1578.001 | Create Snapshot | This control can identify anomalous admin activity. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1578.002 | Create Cloud Instance | This control can identify anomalous admin activity. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1578.003 | Delete Cloud Instance | This control can identify anomalous admin activity. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | minimal | T1578.004 | Revert Cloud Instance | This control can identify anomalous admin activity. |
DEF-CAPP-E5 | Defender for Cloud Apps | detect | partial | T1666 | Modify Cloud Resource Hierarchy | This control can detect suspicious or anomalous behavior indicative of potential threats, such as attempts to transfer subscriptions to unauthorized tenants. |
DEF-CAPP-E5 | Defender for Cloud Apps | protect | partial | T1053.007 | Container Orchestration Job | Microsoft 365 Defender for Cloud Apps can scan images and containers for threats and vulnerabilities, as well as identify misconfigurations for remediation. |