This chapter covers how to map Microsoft Sentinel analytics rules to the MITRE ATT&CK framework, a critical skill for the SC-200 exam. You will learn why mapping matters, how to configure it in Sentinel, and how to interpret the coverage dashboard. Approximately 10-15% of exam questions touch on threat intelligence integration or framework mapping, making this a high-yield topic. By the end, you will be able to create rules that automatically tag detected threats with the appropriate MITRE tactic and technique, enabling better reporting and gap analysis.
Imagine a police department (Microsoft Sentinel) that must solve crimes (security incidents). The department has a massive evidence locker (log sources) containing phone records, CCTV footage, and witness statements. To find a specific crime pattern, a detective doesn't read every file manually. Instead, they create a 'case file' (an analytics rule) that describes exactly what to look for: a specific sequence of events, specific locations, or specific persons. The detective fills out a template: "If a person (user) enters a restricted area (sensitive resource) after hours (time condition), and then accesses a safe (data exfiltration), flag this as a potential burglary (incident)." The case file also specifies how to prioritize (severity), how long to keep looking (lookback period), and how often to check (frequency). This case file is then stored in a filing cabinet (the MITRE ATT&CK framework) under the appropriate category (tactic) and technique. When new evidence arrives, the clerk (Sentinel's analytics engine) checks each active case file. If the evidence matches the description, the clerk creates a new incident report (alert) and assigns it to a detective (security analyst). The MITRE ATT&CK mapping helps the department see which types of crimes they are best at detecting and where they have gaps. Without this mapping, the case files are just isolated patterns—they don't connect to a broader strategy. In Sentinel, mapping a rule to MITRE ATT&CK is like assigning that case file to a specific crime category, enabling the department to measure coverage and prioritize resources.
What is MITRE ATT&CK and Why Map to It?
The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used by security operations centers (SOCs) to classify attacks, communicate threat intelligence, and assess defensive coverage. The framework is organized into a matrix with tactics (the 'why'—the goal of an attack, like Initial Access or Exfiltration) and techniques (the 'how'—the specific method, like T1078 Valid Accounts or T1041 Exfiltration Over C2 Channel). Sub-techniques provide finer granularity (e.g., T1078.001 for Default Accounts).
Mapping Sentinel analytics rules to MITRE ATT&CK means associating each rule with one or more tactics and techniques that the rule is designed to detect. This allows Sentinel to generate a unified view of your detection coverage across the kill chain. For the SC-200 exam, you must understand how to perform this mapping in the Azure portal and via KQL, and how to interpret the MITRE ATT&CK coverage dashboard.
How Mapping Works Internally
When you create or edit an analytics rule in Sentinel, you have the option to specify MITRE ATT&CK tactics and techniques. This is stored as metadata within the rule definition. The mapping can be done at two levels:
Tactics: Up to 10 tactics per rule (e.g., InitialAccess, Execution, Persistence). Each tactic corresponds to a phase of the attack lifecycle.
Techniques: Up to 50 techniques per rule (e.g., T1078, T1041). Techniques are nested under tactics. You can also specify sub-techniques (e.g., T1078.001).
Internally, Sentinel stores this mapping as a JSON array in the rule's properties. For example, a rule that detects a user logging in from an unusual location might be mapped to:
{
  "tactics": ["InitialAccess", "Persistence"],
  "techniques": ["T1078", "T1098"]
}

When an alert is generated by a mapped rule, the alert inherits the MITRE tags. These tags are then used by the incident creation pipeline to populate the MITRE ATT&CK fields in the incident. The coverage dashboard queries these fields to produce a heatmap showing which techniques your rules cover.
Key Components: Tactics, Techniques, Sub-Techniques
The SC-200 exam expects you to know the 14 tactics in the enterprise matrix: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact. Each tactic has a unique ID (e.g., TA0001 for Initial Access).
Techniques are identified by IDs like T1078 (Valid Accounts). Sub-techniques use a decimal notation (T1078.001). The exam may ask you to identify the correct tactic or technique for a given scenario. For example, 'Spearphishing Attachment' is T1566.001 under Initial Access.
Configuration in the Azure Portal
To map a rule to MITRE ATT&CK:
Navigate to Microsoft Sentinel > Analytics > Scheduled query rules (or other rule types).
Create a new rule or edit an existing one.
In the 'Analytics rule wizard', go to the 'Set rule logic' tab.
Under 'MITRE ATT&CK', click '+ Add tactic' and select from the dropdown. After selecting a tactic, you can click '+ Add technique' to choose specific techniques. The dropdown shows all techniques available for that tactic.
You can add multiple tactics and techniques. The maximum per rule is 10 tactics and 50 techniques.
Complete the wizard and save.
Note: Not all rule types support MITRE mapping. Scheduled query rules, NRT rules, and Microsoft Security rules support mapping. Anomaly rules and Fusion rules do not support manual mapping (Fusion uses built-in ML models).
Configuration via KQL and ARM Templates
You can also set MITRE tags programmatically using the Azure Resource Manager (ARM) API or via KQL in Log Analytics workspaces (though rare). For the exam, you should know that the mapping is stored as part of the rule's properties. An example ARM template snippet:
{
  "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
  "name": "[parameters('ruleName')]",
  "properties": {
    "displayName": "My Rule",
    "query": "...",
    "tactics": ["InitialAccess", "Persistence"],
    "techniques": ["T1078", "T1098"],
    ...
  }
}

How Mapping Affects Incidents and Alerts
When a rule fires, the resulting alert includes the MITRE tags. When the alert is turned into an incident (if enabled), the incident's 'MITRE ATT&CK' field is populated. This field is visible in the incident details pane. The exam may ask you to identify where to find the MITRE ATT&CK information in an incident: it is under the 'Tags' section or in the 'MITRE ATT&CK' field on the incident blade.
The MITRE ATT&CK Coverage Dashboard
Sentinel provides a built-in workbook called 'MITRE ATT&CK Coverage' under the 'Threat management' section. This dashboard visualizes your detection coverage as a heatmap of the MITRE matrix. Each cell represents a technique; the color intensity indicates how many rules cover that technique. You can filter by tactic, technique, or rule. The dashboard uses data from the 'SecurityAlert' table, which includes the MITRE tags. The exam expects you to know how to access this dashboard and interpret it.
Interaction with Other Technologies
Threat Intelligence: MITRE tags are used to correlate alerts with threat intelligence feeds. For example, if a threat intelligence indicator references a technique, you can search for incidents with that technique.
Automation (Playbooks): You can trigger playbooks based on MITRE tags, e.g., send a high-priority notification for any incident with Exfiltration technique.
Hunting: When you create hunting queries, you can also tag them with MITRE techniques. This helps in organizing hunting results.
Common Pitfalls
Over-mapping: Adding too many techniques dilutes the signal. A rule should map only to techniques it directly detects, not every possible related technique.
Missing sub-techniques: If you map only to the parent technique, you lose granularity. For example, mapping to T1078 instead of T1078.001 may cause you to miss coverage for default accounts specifically.
Not mapping at all: Many organizations skip mapping, losing the ability to use the coverage dashboard.
Verification Commands
To verify mapping via KQL:
SecurityAlert
| where TimeGenerated > ago(7d)
// ExtendedProperties is a JSON string; pull the MitreTechniques array out of it
| extend Techniques = parse_json(tostring(parse_json(ExtendedProperties)["MitreTechniques"]))
| mv-expand Techniques
| summarize count() by tostring(Techniques)

This query extracts MITRE techniques from the ExtendedProperties field (which stores them as JSON). Note that the exact field may vary; the exam may test the field name 'MitreTechniques' or 'Techniques'.
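Verification can also happen before deployment. The following script is an added example, not Microsoft's or the chapter's own code: it lints the MITRE mapping in an analytics rule ARM resource against the limits, tactic names, technique notation and rule-type support the chapter describes. The ARM 'kind' strings and the sample rules are assumptions made for the example.

```python
# Added example (not Microsoft's code): pre-deployment lint for the MITRE
# mapping in a Sentinel analytics rule ARM resource. Limits, tactic names,
# technique notation and the supporting rule types come from the chapter; the
# ARM "kind" strings are an assumption about the alertRules resource.
import re
from typing import Dict, List

MAX_TACTICS = 10
MAX_TECHNIQUES = 50
# The 14 enterprise tactics, in the CamelCase form the rule definition uses.
ENTERPRISE_TACTICS = {
    "Reconnaissance", "ResourceDevelopment", "InitialAccess", "Execution",
    "Persistence", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess",
    "Discovery", "LateralMovement", "Collection", "CommandAndControl",
    "Exfiltration", "Impact",
}
# Assumed ARM "kind" values for the rule types the chapter names.
KINDS_WITH_MAPPING = {"Scheduled", "NRT", "MicrosoftSecurityIncidentCreation"}
KINDS_WITHOUT_MAPPING = {"Anomaly", "Fusion"}
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # T1078 or T1078.001


def lint_rule(resource: Dict) -> List[str]:
    """Return the problems found in one alertRules resource (empty list = OK)."""
    problems: List[str] = []
    kind = resource.get("kind", "")
    props = resource.get("properties", {})
    tactics = props.get("tactics") or []
    techniques = props.get("techniques") or []
    if kind in KINDS_WITHOUT_MAPPING:
        # Anomaly and Fusion rules have no manual mapping; tags here are a mistake.
        if tactics or techniques:
            problems.append(f"kind {kind!r} does not support manual MITRE mapping")
        return problems
    if kind in KINDS_WITH_MAPPING and not tactics and not techniques:
        problems.append("no MITRE mapping: rule will not appear on the coverage workbook")
    if len(tactics) > MAX_TACTICS:
        problems.append(f"{len(tactics)} tactics exceeds the limit of {MAX_TACTICS}")
    if len(techniques) > MAX_TECHNIQUES:
        problems.append(f"{len(techniques)} techniques exceeds the limit of {MAX_TECHNIQUES}")
    if techniques and not tactics:
        problems.append("techniques listed without any tactic")
    problems += [f"unknown tactic name {t!r}" for t in tactics if t not in ENTERPRISE_TACTICS]
    problems += [f"malformed technique id {t!r}" for t in techniques if not TECHNIQUE_ID.match(t)]
    return problems


# Constructed sample resources: the chapter's own mapping, then defective ones.
GOOD_RULE = {
    "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
    "kind": "Scheduled",
    "name": "unusual-location-signin",
    "properties": {
        "displayName": "Sign-in from unusual location",
        "tactics": ["InitialAccess", "Persistence"],
        "techniques": ["T1078", "T1098"],
    },
}
OVER_LIMIT_RULE = {
    "kind": "Scheduled",
    "properties": {"tactics": ["Execution"],
                   "techniques": [f"T{1000 + i}" for i in range(51)]},  # 51 > 50
}
ANOMALY_RULE = {
    "kind": "Anomaly",
    "properties": {"tactics": ["Persistence"], "techniques": ["T1098"]},
}
BAD_ID_RULE = {"kind": "NRT", "properties": {"tactics": ["Impact"], "techniques": ["1578"]}}
```

Run lint_rule over every alertRules resource in a template before deploying it; a non-empty list is a mapping the portal or API would reject or that would leave the rule off the coverage workbook.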
Identify Detection Scenario and Tactic
Start by understanding the specific behavior your rule should detect. For example, a rule that flags when a user creates a new Azure VM from an unusual location is likely detecting 'Execution' (TA0002) or 'Impact' (TA0040) depending on intent. Determine the primary tactic by asking: 'What is the adversary's goal at this stage?' Use the MITRE ATT&CK navigator or official documentation to confirm the tactic ID. This step ensures that subsequent mapping aligns with the framework's structure.
Select Specific Technique and Sub-Technique
Within the chosen tactic, identify the precise technique. For the VM creation example, the technique could be T1578 (Modify Cloud Compute Infrastructure) under Impact. If the rule detects creation of a VM with a public IP intended for data exfiltration, the sub-technique might be T1578.002 (Create Cloud Instance). Use the MITRE ATT&CK website to review technique descriptions and ensure they match your detection logic. Avoid mapping to generic techniques like T1078 (Valid Accounts) unless the rule specifically detects account misuse.
Configure MITRE Mapping in Rule Wizard
In the Sentinel analytics rule wizard, navigate to the 'Set rule logic' tab. Under 'MITRE ATT&CK', click '+ Add tactic'. Select the tactic from the dropdown (e.g., Impact). Then click '+ Add technique' and search for the technique ID (e.g., T1578). You can add multiple tactics and techniques. For each technique, you can optionally add sub-techniques by clicking the technique and selecting from the sub-technique list. Save the rule. Note: The mapping is stored as metadata and does not affect the rule's detection logic.
Verify Mapping via Incident Details
After the rule fires and creates an incident, open the incident in Sentinel. In the incident details pane, look for the 'MITRE ATT&CK' field (usually under 'Tags' or in a separate section). It should display the tactics and techniques you mapped. If the field is empty, the mapping was not applied. Also check the alert details by clicking 'View full details'—the MITRE tags should appear there. This step confirms that the mapping propagated correctly through the alert pipeline.
Assess Coverage Using the MITRE Dashboard
Navigate to the 'MITRE ATT&CK Coverage' workbook in Sentinel (under 'Threat management'). The dashboard shows a heatmap of the MITRE matrix. Each cell represents a technique; the color intensity indicates the number of rules mapping to that technique. Hover over a cell to see the list of rules. If your new rule appears for the intended technique, the mapping is successful. Use this dashboard to identify gaps—techniques with no coverage—and create new rules to fill them.
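To make the dashboard's arithmetic concrete, here is an added example (not the workbook's own query) that computes, from a constructed rule set, the per-technique rule counts behind the heatmap colours, the per-tactic counts, the hover list for a cell, and the gap list. It applies the chapter's rule that mapping a parent technique counts as coverage of all its sub-techniques while mapping a sub-technique covers only that sub-technique; the sub-technique catalogue is a constructed slice, not the full ATT&CK matrix.

```python
# Added example (not the workbook's own query): reproduces what the
# 'MITRE ATT&CK Coverage' workbook visualises from a set of rules. Per the
# chapter, a cell's intensity is the number of rules mapped to the technique,
# and a parent mapping counts for every sub-technique. The rule set and the
# sub-technique catalogue are constructed samples, not real tenant data.
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Constructed catalogue: parent technique -> its sub-techniques (a slice of ATT&CK).
SUBTECHNIQUES: Dict[str, List[str]] = {
    "T1078": ["T1078.001", "T1078.002", "T1078.003", "T1078.004"],
    "T1110": ["T1110.001", "T1110.002", "T1110.003", "T1110.004"],
    "T1098": ["T1098.001", "T1098.002", "T1098.003"],
    "T1059": ["T1059.001", "T1059.003"],
}


def covered_by(technique: str) -> Set[str]:
    """Parent id -> itself plus every sub-technique; sub-technique id -> itself only."""
    if "." in technique:
        return {technique}
    return {technique, *SUBTECHNIQUES.get(technique, [])}


def technique_counts(rules: Iterable[Dict]) -> Dict[str, int]:
    """Rules per technique cell (the heatmap colour). A rule is counted once per
    cell even if it lists both a parent and one of that parent's children."""
    counts: Dict[str, int] = defaultdict(int)
    for rule in rules:
        cells: Set[str] = set()
        for technique in rule["techniques"]:
            cells |= covered_by(technique)
        for cell in cells:
            counts[cell] += 1
    return dict(counts)


def tactic_counts(rules: Iterable[Dict]) -> Dict[str, int]:
    """Rules per tactic column of the matrix."""
    counts: Dict[str, int] = defaultdict(int)
    for rule in rules:
        for tactic in rule["tactics"]:
            counts[tactic] += 1
    return dict(counts)


def rules_for(rules: Iterable[Dict], technique: str) -> List[str]:
    """What hovering a cell shows: the names of the rules covering that technique."""
    return [r["name"] for r in rules
            if any(technique in covered_by(t) for t in r["techniques"])]


def gaps(rules: Iterable[Dict], wanted: Iterable[str]) -> List[str]:
    """Techniques from a priority list that no rule covers (the workbook's empty cells)."""
    counts = technique_counts(list(rules))
    return sorted(t for t in wanted if counts.get(t, 0) == 0)


# Constructed rule set modelled on the chapter's scenarios.
RULES = [
    {"name": "Sign-in from unfamiliar location", "tactics": ["InitialAccess"],
     "techniques": ["T1078"]},
    {"name": "Password spray", "tactics": ["CredentialAccess"],
     "techniques": ["T1110.003"]},
    {"name": "New admin account added", "tactics": ["Persistence", "PrivilegeEscalation"],
     "techniques": ["T1098", "T1098.001"]},
]
PRIORITY = ["T1078", "T1078.001", "T1110", "T1110.003", "T1059", "T1098.002"]
```

Note that gaps(RULES, PRIORITY) reports T1110 as uncovered even though a password-spray rule exists: a sub-technique mapping does not light up the parent cell, which is the granularity trade-off the chapter describes.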
Enterprise Scenario 1: SOC with Compliance Requirements
A financial services company must comply with PCI DSS, which requires monitoring for unauthorized access to cardholder data. The SOC team creates a Sentinel rule that detects when a user accesses a database containing credit card numbers outside business hours. They map this rule to MITRE technique T1530 (Data from Information Repositories) under Collection (TA0009). The mapping allows them to generate compliance reports showing coverage for data theft techniques. However, they initially mapped only the parent technique T1530, missing the sub-technique T1530.001 (Data from Network Shared Drive). After a penetration test revealed that attackers exfiltrated data via network shares, they updated the mapping to include T1530.001. The coverage dashboard now shows two techniques covered, and the compliance report passes audit.
Enterprise Scenario 2: Merger of Two SOCs
Two companies merge, each with its own SIEM. The combined SOC adopts Sentinel and needs to consolidate detection rules. One company had mapped all rules to MITRE; the other had not. The team uses the MITRE coverage dashboard to identify overlapping rules (e.g., both had rules for T1078 Valid Accounts) and gaps (e.g., no coverage for T1059 Command and Scripting Interpreter). They prioritize creating new rules for uncovered techniques. They also discover that some rules were mapped incorrectly—a rule detecting brute force was mapped to T1110 (Brute Force) under Credential Access, but the actual attack used password spraying, which is T1110.003. They correct the mapping. The dashboard now provides a single pane of glass for detection coverage across the merged entity.
Enterprise Scenario 3: Cloud-Native Startup with Limited Resources
A startup uses Sentinel to monitor its Azure environment. They have only 10 analytics rules. They want to ensure they cover the most critical techniques for Initial Access and Execution. They map each rule to the most relevant technique. For example, a rule detecting suspicious sign-ins from unfamiliar locations is mapped to T1078 (Valid Accounts) under Initial Access. They also use the MITRE dashboard to identify that they have no coverage for Persistence (TA0003). They prioritize creating a rule for T1098 (Account Manipulation) to detect when an adversary adds a new admin account. The mapping helps them allocate their limited resources effectively, focusing on the techniques most likely to be used against their cloud infrastructure. They also use the dashboard to track improvements over time.
What SC-200 Tests on This Topic
The SC-200 exam objective for this topic is 'Configure and manage Microsoft Sentinel' (domain 2) and specifically 'Manage threat intelligence' (objective 2.3). The exam expects you to:
Understand the purpose of MITRE ATT&CK mapping.
Know how to map a rule to tactics and techniques in the portal.
Interpret the MITRE ATT&CK coverage dashboard.
Identify where MITRE tags appear in alerts and incidents.
Recognize the maximum number of tactics (10) and techniques (50) per rule.
Differentiate between rule types that support mapping (scheduled, NRT, Microsoft Security) and those that do not (anomaly, Fusion).
Common Wrong Answers and Why Candidates Choose Them
Wrong answer: 'All rule types support MITRE ATT&CK mapping.' Many candidates assume that because the option appears in the rule wizard for scheduled rules, it is available for all. In reality, anomaly rules and Fusion rules do not support manual mapping. The exam may present a scenario where a user tries to map an anomaly rule and fails.
Wrong answer: 'The MITRE technique is automatically determined by the rule query.' Candidates think Sentinel can infer the technique from the KQL query. It cannot—the mapping is manual and must be explicitly configured. The exam may ask: 'How does Sentinel determine the MITRE technique for an alert?' The correct answer is 'From the rule's configuration.'
Wrong answer: 'Mapping a rule to a technique automatically creates a detection for that technique.' Some believe mapping is a detection mechanism. Actually, the detection is defined by the query; mapping only tags the alert for reporting. The exam may test this by asking: 'What is the primary benefit of mapping a rule to MITRE ATT&CK?' The correct answer is 'To visualize detection coverage in the MITRE dashboard.'
Specific Numbers, Values, and Terms on the Exam
Maximum tactics per rule: 10
Maximum techniques per rule: 50
Tactic IDs: TA0001 through TA0040 (but only 14 are in the enterprise matrix; the exam may ask you to identify a tactic by its ID)
Technique IDs: e.g., T1078, T1041, T1566
Sub-technique notation: T1078.001
Field names: 'tactics', 'techniques' in rule definition; 'MitreTechniques' in ExtendedProperties
Dashboard location: 'MITRE ATT&CK Coverage' under 'Threat management'
Rule types that support mapping: Scheduled, NRT, Microsoft Security
Rule types that do not support mapping: Anomaly, Fusion
Edge Cases and Exceptions
Multiple tactics per rule: A rule can detect behavior spanning multiple tactics (e.g., both Initial Access and Persistence). The exam may ask: 'Can a single rule be mapped to more than one tactic?' Answer: Yes, up to 10.
Sub-techniques: If you map to a parent technique, the coverage dashboard counts it as coverage for all sub-techniques. However, the exam may ask: 'What is the effect of mapping only to the parent technique?' The answer is that it shows coverage for the parent and all sub-techniques, but you lose granularity.
Microsoft Security rules: These are out-of-the-box rules that come pre-mapped. You can modify the mapping, but the exam may test that you cannot change the mapping for some built-in rules (though you can for most).
Alert grouping: When alerts are grouped into incidents, the MITRE tags from all alerts are combined. The incident may show multiple techniques. The exam may ask: 'How are MITRE techniques aggregated in an incident?' Answer: The incident shows all techniques from all contributing alerts.
How to Eliminate Wrong Answers
If an answer says 'automatically maps techniques based on query content,' eliminate it—mapping is manual.
If an answer says 'all rule types support mapping,' eliminate it—anomaly and Fusion do not.
If an answer says 'mapping changes the detection logic,' eliminate it—mapping only adds metadata.
If an answer says 'the maximum techniques per rule is 100,' eliminate it—the limit is 50.
MITRE ATT&CK mapping is a manual process done during rule creation or editing.
Only scheduled query, NRT, and Microsoft Security rules support mapping; anomaly and Fusion rules do not.
Maximum per rule: 10 tactics and 50 techniques.
Mapping adds metadata to alerts and incidents, enabling the MITRE ATT&CK coverage dashboard.
The coverage dashboard visualizes which techniques have at least one rule mapped, not which techniques are actively being detected.
You can verify mapping by checking the 'MITRE ATT&CK' field in an incident's details.
Sub-techniques provide granularity; mapping only to parent technique covers all sub-techniques in the dashboard.
ARM templates store mapping in the 'tactics' and 'techniques' properties of the rule definition.
The MITRE ATT&CK framework has 14 tactics in the enterprise matrix (TA0001-TA0040).
Common exam scenario: A rule detects a brute force attack; it should be mapped to T1110 (Brute Force) under Credential Access (TA0006).
These come up on the exam all the time. Here's how to tell them apart.
Scheduled Query Rule
Supports manual MITRE ATT&CK mapping (up to 10 tactics, 50 techniques).
Detection logic is based on a KQL query that runs on a schedule.
Alerts include MITRE tags as configured in the rule.
Commonly used for known attack patterns.
Can be exported and imported via ARM templates.
Anomaly Rule
Does NOT support manual MITRE ATT&CK mapping in the wizard.
Detection is based on machine learning models that learn baseline behavior.
Alerts do not include MITRE tags unless you add them via automation (e.g., playbook).
Used for detecting anomalous deviations from normal behavior.
Cannot be exported as ARM templates; they are created via the portal only.
Mistake
MITRE ATT&CK mapping is automatically applied by Sentinel based on the rule query.
Correct
Mapping is entirely manual. The rule creator must explicitly select tactics and techniques in the rule wizard. Sentinel does not parse the KQL query to infer the technique.
Mistake
All analytics rule types in Sentinel support MITRE ATT&CK mapping.
Correct
Only scheduled query rules, NRT rules, and Microsoft Security rules support manual mapping. Anomaly rules and Fusion rules do not have this option in the wizard.
Mistake
Mapping a rule to a technique means Sentinel will detect that technique more accurately.
Correct
Mapping does not affect detection logic. It only adds metadata tags to alerts and incidents for reporting and visualization in the MITRE coverage dashboard.
Mistake
You can map a rule to a maximum of 5 tactics and 20 techniques.
Correct
The actual limits are 10 tactics and 50 techniques per rule. These are hard limits enforced by the Azure portal and API.
Mistake
The MITRE ATT&CK coverage dashboard shows real-time detection coverage for all techniques.
Correct
The dashboard shows coverage based on the number of rules mapped to each technique, not whether those rules have actually fired. A technique may appear covered even if the rule never triggers.
Practice Question Answers
In the Sentinel analytics rule wizard, go to the 'Set rule logic' tab. Under 'MITRE ATT&CK', click '+ Add tactic' and select the appropriate tactic from the dropdown. Then click '+ Add technique' and choose the technique ID (e.g., T1078). You can add multiple tactics and techniques. The mapping is saved as part of the rule definition. Note that only scheduled, NRT, and Microsoft Security rules support this; anomaly and Fusion rules do not.
You can map up to 10 tactics and 50 techniques per rule. These are hard limits enforced by the Azure portal and API. If you exceed these limits, the rule creation or update will fail. The exam may test these specific numbers.
Open the incident in Sentinel. In the incident details pane, look for the 'MITRE ATT&CK' field. It is usually located under the 'Tags' section or in a dedicated field on the incident blade. You can also see the tags by clicking 'View full details' on the alert that generated the incident. The tags are inherited from the rule's mapping.
No. The dashboard shows which techniques have at least one rule mapped to them, regardless of whether those rules have ever fired. It is a coverage heatmap, not a detection heatmap. For example, a technique may appear fully covered (dark green) even if the mapped rule never triggers. The dashboard helps identify gaps in rule coverage, not active threats.
Yes, you can map a rule to up to 10 tactics. This is useful when a single detection covers multiple stages of an attack. For example, a rule detecting a user creating a new admin account could be mapped to both Persistence (TA0003) and Privilege Escalation (TA0004). The exam may ask whether this is allowed; the answer is yes.
Mapping to a parent technique (e.g., T1078) covers all sub-techniques (T1078.001, T1078.002, etc.) in the coverage dashboard. Mapping to a specific sub-technique provides granularity but only covers that sub-technique. The exam may test that you can map to either, but the dashboard treats parent mapping as coverage for all children.
You can query the SecurityAlert table to extract the MITRE tags. Use a query like: SecurityAlert | where TimeGenerated > ago(7d) | extend Techniques = parse_json(tostring(parse_json(ExtendedProperties)['MitreTechniques'])) | mv-expand Techniques | summarize count() by tostring(Techniques). This shows the techniques from alerts generated by your rules. Note that the field name may vary; 'MitreTechniques' is common, but check Microsoft documentation.