AZ-500 | Chapter 66 of 103 | Objective 4.2

MITRE ATT&CK Mapping in Defender

This chapter covers how Microsoft Defender for Cloud and Microsoft 365 Defender automatically map alerts and incidents to the MITRE ATT&CK® framework, a globally recognized knowledge base of adversary tactics and techniques. Understanding this mapping is critical for the AZ-500 exam because it tests your ability to interpret attack chains, prioritize alerts, and assess detection coverage using ATT&CK-based reporting. Approximately 10-15% of Security Operations questions involve ATT&CK mapping, incident correlation, or using the framework to improve security posture.

25 min read | Intermediate | Updated May 31, 2026

MITRE ATT&CK as a Criminal Playbook

Imagine a police department has a detailed playbook of every known burglary technique: how criminals case a house, pick locks, bypass alarms, disable cameras, and exit without leaving evidence. Each technique is assigned a unique ID (e.g., T1078 for valid accounts). When a new burglary occurs, detectives map each observed action to the playbook—'They used a lock pick (T1078) and disabled the alarm (T1079).' This mapping reveals the burglar's tactics and whether they are following a known pattern. In Microsoft Defender, alerts and incidents are automatically mapped to MITRE ATT&CK techniques. Just as detectives use the playbook to identify the burglar's modus operandi and predict next steps, security analysts use ATT&CK mapping to understand the attack chain, prioritize responses, and identify gaps in detection coverage. The playbook itself is maintained by a central authority (MITRE) and updated as new techniques emerge. Defender's mapping is not just a label—it links each detection to a specific phase of the attack lifecycle, enabling automated response playbooks and reporting on coverage against prevalent techniques.

How It Actually Works

What is MITRE ATT&CK and Why Does It Matter?

MITRE ATT&CK® (Adversarial Tactics, Techniques, and Common Knowledge) is a curated knowledge base that models adversary behavior. It categorizes attacks into tactics (the 'why' – the objective of a step) and techniques (the 'how' – the specific method used). For example, the tactic 'Initial Access' includes techniques like 'T1078 – Valid Accounts' and 'T1190 – Exploit Public-Facing Application.' The framework is updated regularly by MITRE, with the latest enterprise matrix (v14 as of early 2025) containing 14 tactics and over 200 techniques.

Microsoft Defender products—including Microsoft Defender for Cloud (MDC), Microsoft 365 Defender (M365D), and Microsoft Defender for Endpoint (MDE)—ingest telemetry from Azure, endpoints, identities, and cloud apps. When an alert fires, Defender's detection logic correlates multiple signals and assigns one or more MITRE technique IDs. This mapping is not arbitrary; it follows a deterministic mapping table maintained by Microsoft, which links specific detection rules to ATT&CK techniques.

How ATT&CK Mapping Works Internally

1. Data Ingestion: Defender collects logs from various sources: Azure Activity Log, Azure AD sign-in logs, Microsoft Defender for Endpoint sensors, Microsoft Defender for Identity, and Microsoft Cloud App Security. Each log entry is normalized into a common schema.

2. Detection Rules: Microsoft's security research team writes detection rules in Kusto Query Language (KQL). Each rule is designed to detect a specific behavior. For example, a rule that detects a user logging in from an unusual location might be mapped to 'T1078.003 – Valid Accounts: Local Accounts' or 'T1078.004 – Valid Accounts: Cloud Accounts' depending on the account type.

3. Mapping Tables: Every detection rule has a built-in mapping to one or more MITRE technique IDs. This mapping is stored in the rule metadata and is not user-configurable. When an alert is generated, the technique IDs are attached to the alert as properties.

4. Incident Correlation: When multiple alerts are correlated into an incident (based on common entities like user, IP, or device), the incident inherits all technique IDs from its constituent alerts. The incident also gets a tactical mapping: for example, if alerts span 'Initial Access' and 'Execution,' the incident is marked with both tactics.

5. User Interface: In the Azure portal, the Security Alerts blade and the Microsoft 365 Defender portal show a column for 'MITRE ATT&CK Tactics' and 'Techniques.' Clicking on a technique ID opens a pane with a description, the specific detection rule that triggered, and links to the MITRE ATT&CK page.
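To make steps 1 through 4 concrete, here is an added Python model written for this chapter (it is not Microsoft's detection engine, and the events, rule predicates and entity keys are constructed). Each detection rule carries its technique and tactic IDs as metadata, matching events produce alerts with `MitreTechniques` and `Tactics` properties, and alerts sharing an entity are correlated into an incident that inherits the union of tactics and a deduplicated technique list:

```python
"""Added example (not Microsoft's code): a toy model of how detection rules
with hardcoded ATT&CK metadata produce alerts, and how incident correlation
inherits that metadata. Events, rule predicates and entity keys are constructed."""
from collections import defaultdict

# Constructed telemetry, already normalized into a common schema.
EVENTS = [
    {"source": "AADSignIn", "user": "alice", "ip": "203.0.113.7", "device": None,
     "action": "signin", "country": "Unknown"},
    {"source": "MDE", "user": "alice", "ip": None, "device": "WS01",
     "action": "process", "cmd": "powershell.exe -File setup.ps1"},
    {"source": "MDE", "user": "svc-backup", "ip": None, "device": "SRV02",
     "action": "process", "cmd": "shadow copy created"},
    {"source": "AADSignIn", "user": "bob", "ip": "198.51.100.4", "device": None,
     "action": "signin", "country": "US"},
]

# Each rule carries its technique/tactic IDs as metadata; the analyst never
# edits these at alert time, which is what makes the mapping deterministic.
RULES = [
    {"name": "Sign-in from unusual location",
     "match": lambda e: e["action"] == "signin" and e.get("country") == "Unknown",
     "techniques": ["T1078.004"], "tactics": ["TA0001"]},
    {"name": "Suspicious PowerShell command",
     "match": lambda e: e["action"] == "process" and "powershell" in e.get("cmd", "").lower(),
     "techniques": ["T1059.001", "T1204.002"], "tactics": ["TA0002"]},
    {"name": "Possible privilege escalation using shadow copy",
     "match": lambda e: e["action"] == "process" and "shadow" in e.get("cmd", "").lower(),
     "techniques": ["T1003.002"], "tactics": ["TA0006"]},
]


def run_detections(events):
    """Run every rule over every event; a hit becomes an alert whose
    MitreTechniques/Tactics are copied from the rule metadata (step 3)."""
    alerts = []
    for event in events:
        for rule in RULES:
            if rule["match"](event):
                alerts.append({
                    "AlertId": f"alert-{len(alerts) + 1}",
                    "Title": rule["name"],
                    "MitreTechniques": list(rule["techniques"]),
                    "Tactics": list(rule["tactics"]),
                    # Entities are what correlation later keys on (step 4).
                    "Entities": {k: event[k] for k in ("user", "ip", "device") if event.get(k)},
                })
    return alerts


def correlate_incidents(alerts):
    """Group alerts that share any entity (user, ip or device) into one
    incident using union-find; the incident inherits the union of tactics
    and a deduplicated, sorted list of technique IDs."""
    parent = list(range(len(alerts)))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    first_owner = {}  # (entity_type, value) -> index of first alert seen with it
    for idx, alert in enumerate(alerts):
        for entity in alert["Entities"].items():
            if entity in first_owner:
                parent[find(idx)] = find(first_owner[entity])
            else:
                first_owner[entity] = idx

    groups = defaultdict(list)
    for idx, alert in enumerate(alerts):
        groups[find(idx)].append(alert)

    incidents = []
    for n, members in enumerate(groups.values(), start=1):
        incidents.append({
            "IncidentId": f"inc-{n}",
            "AlertIds": [a["AlertId"] for a in members],
            "MitreTechniques": sorted({t for a in members for t in a["MitreTechniques"]}),
            "Tactics": sorted({t for a in members for t in a["Tactics"]}),
        })
    return incidents


if __name__ == "__main__":
    for incident in correlate_incidents(run_detections(EVENTS)):
        print(incident)
```

Running it yields two incidents: the two alerts on user `alice` merge into one incident carrying both TA0001 and TA0002, and the shadow-copy alert on `svc-backup` stands alone. Note that the model assigns each rule a single tactic for brevity; a real technique such as T1078 is listed under several tactics in the matrix.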

Key Components, Values, and Defaults

- Tactic ID Format: TA0001 (Initial Access), TA0002 (Execution), TA0003 (Persistence), TA0004 (Privilege Escalation), TA0005 (Defense Evasion), TA0006 (Credential Access), TA0007 (Discovery), TA0008 (Lateral Movement), TA0009 (Collection), TA0010 (Exfiltration), TA0011 (Command and Control), TA0012 (Impact), TA0043 (Reconnaissance), TA0042 (Resource Development).
- Technique ID Format: T1078 (Valid Accounts), T1078.001 (Default Accounts), T1078.002 (Domain Accounts), T1078.003 (Local Accounts), T1078.004 (Cloud Accounts). Sub-techniques are separated by a dot.
- Default Mapping: Defender automatically maps alerts. There is no way to disable mapping, but you can add custom threat intelligence indicators that also get mapped if they match known techniques.
- Reporting: The Microsoft Defender for Cloud 'Security posture' dashboard includes a 'MITRE ATT&CK coverage' view, which shows a heatmap of which techniques your environment is covered against (detected) vs. missing. This is based on the alerts that have fired in the last 30 days.
- API Access: You can retrieve technique IDs via the Microsoft Graph Security API. Example:

GET https://graph.microsoft.com/v1.0/security/alerts/{alertId}

The response includes a mitreTechniques array.

Configuration and Verification Commands

While mapping is automatic, you can query it using KQL in Azure Sentinel (since renamed Microsoft Sentinel) or in Advanced Hunting in M365D.

Advanced Hunting Query (M365D):

AlertInfo
| where Timestamp > ago(7d)
| where ServiceSource == "Microsoft Defender for Cloud"
| project AlertId, Title, MitreTechniques, Tactics
// MitreTechniques is a JSON array; expand it to one row per technique ID
| mv-expand Technique = todynamic(MitreTechniques)
| project AlertId, Title, Technique = tostring(Technique), Tactics

Azure Sentinel KQL:

SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName contains "Malware"
// Tactics and Techniques are top-level columns of SecurityAlert; no need to
// expand Entities or parse ExtendedProperties to read them
| project AlertName, Tactics, Techniques

PowerShell (for Defender for Cloud):

Get-AzSecurityAlert -ResourceGroupName "myResourceGroup" | Select-Object AlertDisplayName, MitreTechniques

Interaction with Related Technologies

Microsoft Sentinel: Sentinel natively supports MITRE ATT&CK mapping for analytics rules. You can create custom rules and map them to techniques. The 'MITRE ATT&CK' workbook provides a visual coverage map.

Microsoft Defender for Identity: Alerts from MDI (like 'Suspicious Kerberos delegation') are mapped to techniques such as T1558 (Steal or Forge Kerberos Tickets).

Microsoft Cloud App Security: Activities like 'Mass download by a user' map to T1048 (Exfiltration Over Alternative Protocol).

Threat Intelligence: Custom indicators can be tagged with technique IDs, and alerts generated from those indicators will show the mapping.

Trap Patterns: Common Wrong Answers on the Exam

Myth: 'You can manually assign MITRE technique IDs to alerts.' Reality: Mapping is automatic and hardcoded in detection rules. You can only add custom threat intelligence that may generate alerts with your chosen technique IDs.

Myth: 'MITRE ATT&CK mapping is only available in Microsoft Sentinel.' Reality: It is built into Microsoft Defender for Cloud and Microsoft 365 Defender as well.

Myth: 'The mapping is based on the severity of the alert.' Reality: It is based on the behavior detected, not severity. A high-severity alert could map to 'Impact' (TA0011) or 'Exfiltration' (TA0010).

Myth: 'You can suppress alerts based on MITRE technique ID.' Reality: Suppression rules in Defender for Cloud are based on alert name, entity, or severity, not technique ID directly. However, you can use automation rules to auto-close alerts with certain technique IDs.

Edge Cases the Exam Loves

Multiple Techniques per Alert: Some alerts map to multiple techniques. For example, 'Malware detected' might map to T1204 (User Execution) and T1059 (Command and Scripting Interpreter). The exam expects you to know that an alert can have more than one technique ID.

Sub-techniques: The exam often tests whether you understand the difference between a technique (e.g., T1078) and a sub-technique (e.g., T1078.001). Defender uses sub-techniques when available.

Tactics vs. Techniques: A tactic is a category (e.g., 'Persistence'), and a technique is a method (e.g., 'Create Account'). The exam may ask which tactic a given technique belongs to.

Coverage Gaps: The 'MITRE ATT&CK coverage' report shows techniques that have triggered alerts. The exam might present a scenario where a customer has no alerts for 'Exfiltration' and ask what that means—it means either no exfiltration has occurred or detection rules are not covering that technique.

How to Eliminate Wrong Answers

If the question asks about 'mapping alerts to MITRE ATT&CK,' eliminate answers that suggest manual mapping or that it's limited to one product.

If the question involves 'coverage,' remember that coverage is based on historical alerts; absence of alerts does not guarantee no attacks.

For 'technique ID' questions, look for the correct format (e.g., T1078.001) and the correct tactic association.

Summary

MITRE ATT&CK mapping in Defender is an automatic, rule-based assignment of technique IDs to alerts and incidents. It provides a common language for describing attacks, enables coverage analysis, and integrates across Microsoft's security products. For the AZ-500 exam, focus on knowing the tactics, understanding how mapping works (automatic, per detection rule), and being able to interpret coverage reports.

Walk-Through

1. Alert Generation and Technique Assignment

When Defender detects suspicious activity, it runs detection rules. Each rule has a hardcoded mapping to one or more MITRE technique IDs. The rule's logic matches specific patterns—e.g., a rule for 'Possible privilege escalation using shadow copy' maps to T1003.002 (OS Credential Dumping: Security Account Manager). The alert object is created with a property bag containing `MitreTechniques` (an array of technique IDs) and `Tactics` (an array of tactic IDs). This assignment happens at alert creation time and is immutable.

2. Incident Correlation and Tactic Inheritance

When multiple alerts are correlated into an incident (based on common entities like user, device, or IP address), the incident inherits all technique IDs from its constituent alerts. Additionally, the incident's `Tactics` field is set to the union of all tactics across alerts. For example, if one alert maps to TA0001 (Initial Access) and another to TA0002 (Execution), the incident's tactics will include both. The incident's `MitreTechniques` field becomes a deduplicated list of all technique IDs.

3. Coverage Calculation and Reporting

Defender for Cloud's 'MITRE ATT&CK coverage' report queries the last 30 days of alerts. For each technique ID that appears in at least one alert, the coverage is marked as 'detected.' Techniques with no alerts are marked as 'not covered.' The report is a heatmap of the ATT&CK matrix, color-coded by coverage status. This helps security teams identify blind spots. The calculation is done by a backend job that runs daily, aggregating technique IDs from all alerts in the tenant.

4. Visualization in Azure Portal and M365D

In the Azure portal, under 'Microsoft Defender for Cloud' > 'Security alerts,' each alert row shows a 'MITRE ATT&CK tactics' column. Clicking an alert opens a detail pane with a 'Techniques' section listing the technique IDs as clickable links. In Microsoft 365 Defender, the incident page shows a 'MITRE ATT&CK tactics' tab with a visual map. The 'Advanced hunting' interface allows querying technique IDs directly via the `AlertInfo` table. The visualization is updated in near real-time as new alerts are generated.

5. Integration with Automated Response

Automation rules in Defender for Cloud and M365D can trigger actions based on alert or incident properties, including technique IDs. For example, you can create a rule that automatically runs a playbook when an incident contains technique T1078 (Valid Accounts). The rule uses the `MitreTechniques` field in the condition. This enables targeted response: if a technique indicates credential theft, you can force a password reset. The integration uses Azure Logic Apps or Power Automate to execute the response.

What This Looks Like on the Job

Enterprise Scenario 1: SOC Triage Prioritization

A large financial institution uses Microsoft 365 Defender to monitor 50,000 endpoints and 100,000 users. The SOC receives 500 alerts per day. To prioritize, they use the MITRE ATT&CK mapping to focus on techniques that indicate active compromise, such as T1078 (Valid Accounts) and T1485 (Data Destruction). They created a custom dashboard in Azure Sentinel that shows the number of incidents per technique. When an incident includes T1078, it is automatically escalated to Tier 2. This approach reduced mean time to respond (MTTR) by 40%. The challenge was false positives from legitimate admin logins; they tuned detection rules to exclude known administrative IP ranges.

Enterprise Scenario 2: Compliance Reporting and Gap Analysis

A healthcare provider must demonstrate compliance with HIPAA security rules. They use Microsoft Defender for Cloud's MITRE ATT&CK coverage report to show auditors that they have detections for techniques like T1190 (Exploit Public-Facing Application) and T1059 (Command and Scripting Interpreter). The report is exported monthly and included in compliance documentation. However, they discovered that coverage for T1048 (Exfiltration Over Alternative Protocol) was low because they had not enabled Microsoft Cloud App Security. After enabling MCAS, they saw a 30% increase in coverage. The lesson: coverage is only as good as the products enabled.

Enterprise Scenario 3: Threat Hunting with ATT&CK

A tech company's threat hunting team uses Advanced Hunting queries to search for techniques that have never triggered alerts. They run weekly queries like:

AlertInfo
| where Timestamp > ago(30d)
// one row per technique ID so the summarize counts techniques, not array strings
| mv-expand Technique = todynamic(MitreTechniques)
| summarize AlertCount = count() by Technique = tostring(Technique)
| where Technique != "T1078"

This lists each technique that did fire in the window; comparing that list against the techniques the team wants covered reveals the ones with no recent alerts. Then they create custom analytics rules in Sentinel to detect those techniques. For example, they found no alerts for T1550 (Use Alternate Authentication Material) and built a rule that detects pass-the-hash behavior. This proactive approach improved their detection coverage from 45% to 72% over six months. The main performance consideration: the Advanced Hunting queries can be resource-intensive; they limit the time range to 30 days and use summarize to reduce data volume.
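The coverage calculation from walk-through step 3, the technique-keyed automation condition from step 5, and the gap list this hunting team is after all reduce to the same computation over alert records. The following added Python example (written for this chapter, not Microsoft's backend job) performs it over alert objects shaped like the Microsoft Graph Security API response (`createdDateTime`, `mitreTechniques`). The alert records, the small tactic-to-technique catalog standing in for the full matrix, and the reference time `NOW` are constructed; the real report iterates the whole enterprise matrix:

```python
"""Added example (not Microsoft's code): 30-day ATT&CK coverage, gap listing
and an automation-rule condition computed over Graph-style alert records.
Alerts, catalog subset and the reference time are constructed."""
import re
from datetime import datetime, timedelta, timezone

# ID formats from the chapter: T + 4 digits, optional .3-digit sub-technique;
# TA + 4 digits for tactics.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
TACTIC_ID = re.compile(r"^TA\d{4}$")

# Constructed subset of the enterprise matrix: tactic -> techniques.
CATALOG = {
    "TA0001": ["T1078", "T1190"],
    "TA0002": ["T1059", "T1204"],
    "TA0006": ["T1003", "T1558"],
    "TA0010": ["T1048"],
}

NOW = datetime(2026, 5, 31, tzinfo=timezone.utc)  # constructed reference time

# Constructed alerts in the shape of GET /security/alerts/{alertId} responses
# (only the fields this example reads).
ALERTS = [
    {"id": "a1", "createdDateTime": "2026-05-28T10:00:00Z", "mitreTechniques": ["T1078.004"]},
    {"id": "a2", "createdDateTime": "2026-05-20T08:30:00Z", "mitreTechniques": ["T1059.001", "T1204.002"]},
    {"id": "a3", "createdDateTime": "2026-04-01T12:00:00Z", "mitreTechniques": ["T1048"]},  # 60 days old
    {"id": "a4", "createdDateTime": "2026-05-30T09:15:00Z", "mitreTechniques": ["T1003.002"]},
]


def parse_graph_time(value):
    """Graph returns UTC timestamps with a trailing Z; make them aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def technique_base(technique_id):
    """Validate the ID format and strip a sub-technique suffix: T1078.004 -> T1078."""
    if not TECHNIQUE_ID.match(technique_id):
        raise ValueError(f"not an ATT&CK technique ID: {technique_id}")
    return technique_id.split(".")[0]


def coverage_report(alerts, catalog, now, window_days=30):
    """Mark each catalog technique 'detected' if any alert inside the window
    carries it (or one of its sub-techniques), otherwise 'not covered'."""
    cutoff = now - timedelta(days=window_days)
    seen = set()
    for alert in alerts:
        if parse_graph_time(alert["createdDateTime"]) >= cutoff:
            seen.update(technique_base(t) for t in alert["mitreTechniques"])
    report = {}
    for tactic, techniques in catalog.items():
        if not TACTIC_ID.match(tactic):
            raise ValueError(f"not an ATT&CK tactic ID: {tactic}")
        report[tactic] = {t: ("detected" if t in seen else "not covered") for t in techniques}
    return report


def coverage_gaps(report):
    """Techniques with no alert in the window: the hunting team's starting list.
    'Not covered' means no alert fired, not that detection is impossible."""
    return sorted(t for techs in report.values() for t, status in techs.items()
                  if status == "not covered")


def automation_rule_matches(incident_techniques, wanted="T1078"):
    """Condition of an automation rule keyed on the MitreTechniques field.
    Sub-techniques of the wanted technique count as a match."""
    return any(technique_base(t) == wanted for t in incident_techniques)


if __name__ == "__main__":
    report = coverage_report(ALERTS, CATALOG, NOW)
    for tactic, techniques in report.items():
        print(tactic, techniques)
    print("gaps:", coverage_gaps(report))
    print("escalate:", automation_rule_matches(["T1078.004", "T1059.001"]))
```

With the constructed data, alert `a3` falls outside the 30-day window, so T1048 shows as 'not covered' even though an alert for it exists, which is exactly the coverage-versus-detection distinction the exam probes. The automation condition matches on the base technique so that an incident carrying T1078.004 still triggers a rule written for T1078.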

How AZ-500 Actually Tests This

Exactly What AZ-500 Tests

AZ-500 objective 4.2 (Security Operations) includes 'Interpret MITRE ATT&CK mapping in Defender for Cloud and Microsoft 365 Defender.' The exam expects you to:

Identify the correct tactic for a given technique (e.g., 'T1078 belongs to which tactic?' Answer: TA0001 Initial Access or TA0003 Persistence depending on sub-technique).

Understand that mapping is automatic and based on detection rules.

Know how to view technique IDs in the portal and via API.

Interpret the coverage report to identify gaps.

Recognize that incidents inherit technique IDs from alerts.

Most Common Wrong Answers and Why

1. 'You can manually assign MITRE technique IDs to alerts.' Candidates confuse the ability to add custom threat intelligence (which can have technique IDs) with manual assignment. Reality: You cannot edit an alert's technique IDs.

2. 'MITRE ATT&CK mapping is only in Microsoft Sentinel.' This is false because Defender for Cloud and M365D also have it. Candidates may think Sentinel is the only SIEM with mapping.

3. 'The technique ID is based on the alert severity.' No, it's based on the behavior detected. A low-severity alert can map to 'Discovery' (TA0007), while a high-severity alert can map to 'Impact' (TA0011).

4. 'Coverage report shows all techniques that are detected.' Actually, it shows techniques that have triggered alerts in the last 30 days. If no alerts, it shows as 'not covered.' But absence of alerts does not mean the technique cannot be detected; it means no detection occurred.

Specific Numbers and Terms That Appear on the Exam

14 tactics in the enterprise matrix (as of v14).

Technique ID format: T followed by 4 digits, sub-technique with dot and 3 digits (e.g., T1078.001).

Tactic ID format: TA followed by 4 digits (e.g., TA0001).

30-day window for coverage report.

Advanced Hunting table: AlertInfo contains MitreTechniques column.

API endpoint: https://graph.microsoft.com/v1.0/security/alerts/{alertId} returns mitreTechniques array.

Edge Cases and Exceptions

Multiple techniques per alert: An alert can have more than one technique ID (e.g., 'Malware detected' maps to T1204 and T1059). The exam may present an alert with two techniques and ask which tactics are involved.

Sub-techniques: The exam expects you to know that sub-techniques are more specific. For example, T1078.004 is 'Cloud Accounts,' while T1078 is generic 'Valid Accounts.'

Tactics can be repeated: A technique can belong to multiple tactics (e.g., T1078 appears in Initial Access and Persistence). The exam may ask which tactic is NOT associated with a technique.

Coverage vs. detection: The coverage report only shows techniques that have triggered alerts. A technique may be 'detectable' but not yet triggered. The exam may ask why a technique shows as 'not covered' even though the product supports it.

How to Eliminate Wrong Answers

If a question says 'manually map,' it's wrong.

If a question limits mapping to one product, it's wrong (multiple products support it).

If a question says technique ID is based on severity, it's wrong.

For coverage questions, remember that 'not covered' means no alert fired, not that the product lacks detection ability.

Key Takeaways

MITRE ATT&CK mapping is automatic in Defender for Cloud and M365D; you cannot manually assign technique IDs to alerts.

Technique IDs follow the format Txxxx (e.g., T1078) and sub-techniques use Txxxx.xxx (e.g., T1078.001).

Tactic IDs follow the format TAxxxx (e.g., TA0001 for Initial Access).

An alert can have multiple technique IDs; an incident inherits all technique IDs from its alerts.

The coverage report in Defender for Cloud shows techniques that triggered alerts in the last 30 days.

Advanced Hunting in M365D uses the AlertInfo table to query technique IDs.

Microsoft Graph Security API returns mitreTechniques array for each alert.

Custom threat intelligence can be tagged with technique IDs, but existing alert mappings are fixed.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Microsoft Defender for Cloud (MDC)

Automatic mapping for cloud workload alerts (Azure VMs, SQL, storage).

Mapping is hardcoded in Microsoft detection rules.

Coverage report shows techniques detected in last 30 days.

No custom mapping for user-created detections.

Access via Azure portal Security Alerts blade.

Microsoft Sentinel

Supports both automatic mapping (out-of-the-box analytics rules) and custom mapping for user-created rules.

Mapping is configurable in analytics rule wizard (technique ID field).

Provides a 'MITRE ATT&CK' workbook with more granular coverage analysis.

Allows mapping to sub-techniques and multiple techniques per rule.

Access via Azure Sentinel workspace > Threat management > MITRE ATT&CK.

Watch Out for These

Mistake: MITRE ATT&CK mapping is only available in Microsoft Sentinel.

Correct: Mapping is built into Microsoft Defender for Cloud, Microsoft 365 Defender, and Microsoft Defender for Endpoint, not just Sentinel. Sentinel extends the capability with custom analytics rules.

Mistake: You can manually assign MITRE technique IDs to alerts after they are generated.

Correct: Technique IDs are assigned automatically by detection rules at alert creation time and cannot be modified. You can only add custom threat intelligence that may generate alerts with specific technique IDs.

Mistake: The MITRE ATT&CK coverage report shows all techniques that Defender can detect.

Correct: The report shows only techniques that have triggered alerts in the last 30 days. A technique may be detectable but not shown if no alerts have fired.

Mistake: Each alert maps to exactly one MITRE technique.

Correct: An alert can map to multiple techniques. For example, 'Suspicious PowerShell command' may map to T1059.001 (Command and Scripting Interpreter: PowerShell) and T1086 (PowerShell) in older versions.

Mistake: Technique IDs are the same as tactic IDs.

Correct: Tactic IDs (TAxxxx) represent the goal of an attack step, while technique IDs (Txxxx) represent the method. They are different and appear in separate fields.


Frequently Asked Questions

How do I view MITRE ATT&CK technique IDs for an alert in Defender for Cloud?

In the Azure portal, navigate to Microsoft Defender for Cloud > Security alerts. Click on an alert to open its details. In the 'Techniques' section, you will see the MITRE technique IDs as clickable links. Alternatively, use Advanced Hunting in M365D with the query `AlertInfo | where AlertId == "<alertId>" | project MitreTechniques`. The technique IDs are also returned via the Microsoft Graph Security API.

Can I create custom analytics rules in Defender for Cloud with MITRE ATT&CK mapping?

No, Defender for Cloud does not support custom analytics rules with MITRE mapping. However, in Microsoft Sentinel, you can create custom analytics rules and assign MITRE technique IDs in the rule wizard. Sentinel also supports mapping to sub-techniques. For Defender for Cloud, you can only use the built-in mapping.

What does it mean if a technique is listed as 'not covered' in the MITRE ATT&CK coverage report?

It means that in the last 30 days, no alerts have fired that map to that technique. This could be because (1) no attack using that technique has occurred, (2) the detection rule for that technique is not enabled or not deployed, or (3) the technique is not detectable by any enabled Defender product. The report helps identify gaps in detection coverage.

How does incident correlation affect MITRE technique mapping?

When multiple alerts are correlated into an incident, the incident inherits all unique technique IDs from all alerts in the incident. The incident's tactics are the union of all tactics from the alerts. This provides a comprehensive view of the attack chain. For example, if one alert maps to Initial Access and another to Execution, the incident will show both tactics.

Can I filter alerts in Defender for Cloud by MITRE technique ID?

In the Azure portal, the Security Alerts blade does not have a direct filter for technique IDs. However, you can use Advanced Hunting in M365D to filter by technique ID. For example: `AlertInfo | where MitreTechniques has "T1078"`. In Sentinel, you can use the MITRE ATT&CK workbook or create custom queries.

Does MITRE ATT&CK mapping work for on-premises resources?

Yes, through Microsoft Defender for Identity and Microsoft Defender for Endpoint, which can monitor on-premises Active Directory and endpoints. Alerts from these products are mapped to MITRE techniques. For example, a suspicious Kerberos ticket request from an on-premises domain controller maps to T1558.003 (Steal or Forge Kerberos Tickets: Kerberoasting).

How often is the MITRE ATT&CK coverage report updated?

The coverage report in Defender for Cloud is updated daily. It aggregates alerts from the last 30 days. The underlying data is refreshed every 24 hours. In Sentinel, the MITRE ATT&CK workbook can be set to refresh more frequently, but the default is also daily.
