ITDR
Viewing the Entra ID Issue Details Grouped by MITRE ATT&CK Techniques
You can view the Entra ID issues mapped to MITRE ATT&CK techniques and displayed on a kill chain on the Entra ID Dashboard. You can drill down to a specific issue on the kill chain to further investigate and remediate it. The issues are grouped by the following MITRE ATT&CK techniques:
- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command and Control (CnC)
- Exfiltration
- Impact
To view the issue details grouped by MITRE ATT&CK techniques:
- Go to ITDR > Dashboard > Entra ID.
- On the Entra ID Dashboard:
  - Select an Entra ID tenant from the Result for drop-down menu.
  - Select a timestamp from the scanned on drop-down menu.
    The scan result for the Entra ID tenant appears.
- Click MITRE ATT&CK technique exposure, or click an issue mapped on the horizontal kill chain.
  The Issues by MITRE ATT&CK technique page appears. The issues are grouped by MITRE ATT&CK techniques and are listed under the tabs (All, Initial Access, Execution, Persistence, etc.).
- Select a tab, and then select an issue to view the following information:
  - Vulnerability issue and attack details:
    - Issue: The issue name.
    - Type Of Risk: The type of risk (e.g., Privilege Escalation, Weak Authentication Measures, Insecure Privilege Management, etc.).
    - Severity: The severity level of the risk (Critical, High, Medium, and Low).
    - Remediation: The remediation assessment (Easy, Moderate, or Difficult).
    - MITRE ATT&CK Tactics: The type of the MITRE ATT&CK tactic (e.g., Privilege Escalation, Credential Access, etc.).
    - What is the issue?: The description of the vulnerability issue.
    - What is the impact?: The consequences of the attack.
    - References: You can click the reference link to view the Microsoft documentation or any other reference document to understand the issue context and remediation.
  - Who is affected?: A list of affected identities that are vulnerable to attack.
    Click Export as CSV to export the affected identities as a CSV file, click Copy Table to copy specific columns from the table, and click Actions to automatically remediate Entra ID issues.
  - Remediation: The remediation description and assessment (Easy, Moderate, Difficult). For every remediation step, you can view:
    - How to fix?: Steps to manually remediate the issue.
    - Commands: A command that you can run in PowerShell to remediate the issue.
    - Caveats: Warnings to consider before remediating the issue.
    - References: A link to the Microsoft documentation or any other reference document that provides remediation details.