Am I being attacked?!

Microsoft Sentinel recently introduced new tools that help security teams better understand the types and methods of attacks they have faced, along with intelligence to support proactive threat modeling and better defenses.

These tools are tightly integrated with the MITRE ATT&CK library, a knowledge base of adversary tactics and techniques based on real-world observations. Let’s explore the new tools.

Threat Analysis & Response Workbook

The first tool is a workbook that:

  • Lists the out-of-the-box Microsoft Sentinel detection coverage across the MITRE ATT&CK framework and the number of events coming in for those detections.

Screenshot showing the Sentinel detections

  • Lists all of the Sentinel GitHub content categorized by detection type (hunting, analytics, etc.), mapped to the corresponding MITRE tactics, and also by cloud platform, which helps you understand, for example, what is available for Azure vs. AWS vs. Office 365, etc.

Screenshot showing the Sentinel GitHub content

Screenshot showing the Sentinel GitHub content by cloud platform

  • Lists all detections and alerts by Microsoft service, showing detections by Microsoft Defender for Linux, Microsoft Defender for Identity, Microsoft Defender for Containers, etc.

Screenshot showing all of the detections

Screenshot showing all of the detections by service

  • Shows a heatmap of the entire MITRE ATT&CK matrix, categorized by cloud platform (such as Azure, AWS, GCP) as well as by service (such as Azure AD, Office 365, Windows, Linux).

Screenshot showing MITRE Heatmap

Screenshot showing MITRE Heatmap by platform

NOTE: This workbook is mainly informational, to help you understand your current posture and gaps.

Dynamic Threat Analysis & Response Workbook

This workbook is pretty powerful: it visualizes all of the attacks on your cloud, on-premises and multi-cloud resources and maps each one to the corresponding MITRE ATT&CK tactic. It also lets you perform hunting and investigation activities where you can focus on a specific user, source IP address, country or machine.

Screenshot showing the dynamic threat analysis workbook

Filtering by a specific source IP address and detecting product:

Screenshot showing the dynamic threat analysis workbook with filtering
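The same pivot can be written directly in Log Analytics. This is an added example, not the workbook's own query; it assumes the standard SecurityAlert table with its Tactics, Entities and ProductName columns, and the IP address and product name are constructed placeholders.

```kql
// Added example: alerts per MITRE ATT&CK tactic for one source IP and one detecting product.
// Placeholder values: 203.0.113.10 is a documentation-range address, and the
// product name must be replaced with a ProductName value present in your workspace.
let lookback = 7d;
let sourceIp = "203.0.113.10";
let product = "<detecting product name>";
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProductName == product
// Alerts can be written more than once as they are updated; keep the latest copy.
| summarize arg_max(TimeGenerated, *) by SystemAlertId
// Entities is a JSON array stored as a string; expand it and keep IP entities only.
| mv-expand Entity = todynamic(Entities)
| where tostring(Entity.Type) == "ip" and tostring(Entity.Address) == sourceIp
// Tactics is a comma-separated string; produce one row per tactic.
| mv-expand Tactic = split(Tactics, ",") to typeof(string)
| extend Tactic = trim(@"\s+", Tactic)
| where isnotempty(Tactic)
// dcount avoids double counting when an alert carries the same IP entity twice.
| summarize Alerts = dcount(SystemAlertId), AlertNames = make_set(AlertName, 20)
    by Tactic, ProductName
| order by Alerts desc
```

Dropping the ProductName filter shows which products observed the same address, which is useful when checking whether a tactic is covered by only one detection source.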

You also get useful logs for more in-depth investigation, defense recommendations against those types of attacks, resources to help close those gaps in your environment, and remediation through response playbooks.

Screenshot showing the defense recommendations

Screenshot showing the defense recommendations


The MITRE blade is a new blade in Microsoft Sentinel that helps you visualize your current coverage, so you can see whether there are any blind spots or areas where you need to create your own analytics rules.

Screenshot showing the MITRE blade in Sentinel

Workbooks deployment

To deploy these two workbooks, you can search for them in the content hub.

Screenshot showing the Sentinel content hub

Screenshot showing installing the first workbook

You can also simply deploy an ARM template, which will install both workbooks into your Sentinel services.

Screenshot showing the GitHub repo for workbooks deployment

Screenshot showing the workbooks deployed

Video walkthrough
