SC-200 Study Guide

Domain 1: Manage a Security Operations Environment

  • Sentinel Workspace: Roles & Retention
  • Get Windows Events Into Sentinel
  • Syslog, CEF & Azure Data Ingestion
  • Defender for Endpoint: Core Setup
  • Attack Surface Reduction & Security Policies
  • Defender XDR: Tune Your Alerts
  • Automated Investigation & Attack Disruption
  • Sentinel Automation: Rules & Playbooks
  • Custom Detections in Defender XDR
  • Sentinel Analytics & Threat Intelligence
  • MITRE ATT&CK & Anomaly Detection
  • Detection Engineering: Putting It All Together

Domain 2: Respond to Security Incidents

  • Incident Triage: From Alert to Verdict Free
  • Purview & Defender for Cloud Threats
  • Identity Threats: Entra & Defender for Identity
  • Cloud App Security: Investigate Shadow IT
  • Sentinel Incident Response
  • Copilot for Security: Your AI Analyst
  • Complex Attacks & Lateral Movement
  • Endpoint: Timeline & Live Response
  • Endpoint: Evidence & Entity Investigation
  • M365 Investigations: Audit, Search & Graph

Domain 3: Perform Threat Hunting

  • KQL Foundations for Threat Hunters Free
  • Advanced Hunting in Defender XDR Free
  • Sentinel Hunting: Build & Monitor Queries
  • Threat Analytics & Hunting Graphs
  • Data Lake: KQL Jobs & Summary Rules
  • Notebooks & the Sentinel MCP Server

Domain 1: Manage a Security Operations Environment Premium ⏱ ~11 min read

MITRE ATT&CK & Anomaly Detection

Are your detections actually covering the threats that matter? Learn how to use the MITRE ATT&CK matrix to find coverage gaps and configure anomaly detection in Microsoft Sentinel.

What is the MITRE ATT&CK matrix?

☕ Simple explanation

Think of a burglar’s playbook. There are only so many ways to break into a house: pick the lock, smash a window, social-engineer a key from the cleaner, climb through the roof. Each method is a “technique.”

The MITRE ATT&CK matrix is the burglar’s playbook for cyberattacks. It catalogues every known technique attackers use, organised by tactics (what they want to achieve) and techniques (how they do it). From initial access through data exfiltration — every step is documented.

In Sentinel, you can overlay your analytics rules onto the MITRE matrix and instantly see: which techniques are you detecting, and which ones are you blind to? Those gaps are where attackers will slip through.

The MITRE ATT&CK framework is a globally recognised knowledge base of adversary tactics, techniques, and procedures (TTPs). It organises attacks into a matrix with 14 tactics (columns) and hundreds of techniques (rows).

Microsoft Sentinel maps analytics rules and data connectors to MITRE techniques, providing a visual coverage analysis that shows which techniques have active detections and which represent blind spots. This mapping drives detection engineering priorities — SOC teams focus on closing the most critical gaps.

Sentinel also provides anomaly detection as a complement to rules-based detection. While analytics rules catch known patterns, anomaly rules use statistical models to identify deviations from baseline behaviour — catching threats that have no pre-defined signature.

The MITRE ATT&CK matrix in Sentinel

14 tactics (the attack lifecycle)

 #  | Tactic               | What the attacker wants
 1  | Reconnaissance       | Gather information about the target
 2  | Resource Development | Set up infrastructure for the attack
 3  | Initial Access       | Get a foothold (phishing, exploit, valid accounts)
 4  | Execution            | Run malicious code
 5  | Persistence          | Maintain access after reboot/remediation
 6  | Privilege Escalation | Get higher-level access
 7  | Defense Evasion      | Avoid detection
 8  | Credential Access    | Steal passwords, tokens, keys
 9  | Discovery            | Learn about the environment
10  | Lateral Movement     | Move to other systems
11  | Collection           | Gather data of interest
12  | Command and Control  | Communicate with compromised systems
13  | Exfiltration         | Steal data out
14  | Impact               | Destroy, encrypt, or manipulate data

Coverage analysis in Sentinel

Sentinel’s MITRE ATT&CK page shows:

  • Green cells — techniques with at least one active analytics rule
  • Yellow cells — techniques with a data connector but no analytics rule
  • Empty cells — techniques with no detection or data source

The goal is to minimise empty cells, especially for techniques commonly used against your industry.

💡 Scenario: James audits Pacific Meridian's coverage

James opens Sentinel’s MITRE ATT&CK page and reviews coverage:

  • Strong coverage (green): Initial Access, Execution, Credential Access — lots of rules from Content Hub
  • Partial coverage (yellow): Lateral Movement — data connectors active but no custom rules
  • Blind spot (empty): Defense Evasion (T1562 — Impair Defenses), Exfiltration (T1048 — Exfiltration Over Alternative Protocol)

James's priorities:

  1. Lateral Movement — enable Content Hub analytics rules and write custom detections for PsExec and RDP lateral movement
  2. Defense Evasion — create rules detecting tamper protection disablement and audit log clearing
  3. Exfiltration — deploy custom detections for DNS tunnelling and unusual upload volumes

The MITRE page becomes his detection engineering roadmap.

💡 Exam tip: MITRE drives SOC optimization

When the exam asks “how to identify gaps in detection coverage,” the answer is the MITRE ATT&CK matrix in Sentinel. It directly connects to SOC optimization recommendations (Module 1) — Sentinel suggests new analytics rules based on your MITRE gaps.

Anomaly detection in Sentinel

Analytics rules catch known patterns. Anomaly rules catch unknown deviations.

How anomaly detection works

  1. Sentinel learns a baseline — what is normal behaviour for your environment over a training period
  2. Continuous monitoring — compares current activity against the baseline
  3. Anomaly detected — when behaviour deviates significantly, an anomaly record is created
  4. Analyst investigation — anomalies appear in the Anomalies table for review

Built-in anomaly rules

Sentinel ships with anomaly rules that detect:

  • Anomalous login activity — unusual time, location, or device for a user
  • Anomalous resource access — user accessing resources they have never touched before
  • Anomalous data transfer — unusual volume of data being moved or downloaded
  • Anomalous privilege use — sudden escalation or use of admin privileges
  • Anomalous process execution — new or rare processes running on endpoints

Customising anomalies

You can tune anomaly rules by adjusting:

  • Threshold — how far from baseline a behaviour must deviate to trigger
  • Scope — which users, devices, or resources to monitor
  • Exclusions — known-safe deviations (e.g., quarterly batch jobs that spike data transfers)
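The four-step process (learn a baseline, compare, record the deviation, hand it to an analyst) and the three tuning knobs above, worked through in Python as an added example. This is not Sentinel's implementation, whose statistical models are not described on this page; it uses a deliberately simple model: set membership for sign-in hours and resources, and a z-score on daily transfer volume. The users, resources, volumes and the training window are all constructed, and the constructed "current day" mirrors the kind of deviations the built-in login, resource-access and data-transfer rules look for.

```python
"""Baseline-and-deviation anomaly detection of the kind Sentinel's anomaly rules perform:
learn what is normal per user over a training window, then flag the current day's
activity that deviates. Threshold, scope and exclusions are the tuning knobs."""
import statistics
from collections import defaultdict


def make_day(user, hours, resources, mb):
    """One constructed user-day: sign-in hours, resources touched, MB transferred."""
    return {"user": user, "hours": set(hours), "resources": set(resources), "mb": mb}


# Constructed training window (the "learn a baseline" period).
TRAINING = []
for mb in [45, 52, 48, 55, 50, 47, 53, 49, 51, 46, 54, 50, 48, 52]:   # ~50 MB/day
    TRAINING.append(make_day("dev-alice", range(9, 18), ["git-internal", "wiki"], mb))
for mb in [500, 510, 490, 505, 495, 500, 500]:                        # nightly backup
    TRAINING.append(make_day("svc-backup", [1, 2], ["file-share"], mb))
for mb in [20, 25, 22, 18, 24, 21, 23]:
    TRAINING.append(make_day("bob", range(8, 17), ["crm", "wiki"], mb))

# Constructed current day: Alice's account signs in at 02:00, touches a repository for the
# first time and pulls 3 GB; the backup account runs its quarterly full backup; Bob is normal.
TODAY = [
    make_day("dev-alice", [2], ["git-internal", "source-code-repo"], 3072),
    make_day("svc-backup", [1, 2], ["file-share"], 20000),
    make_day("bob", [9, 10, 14], ["crm"], 22),
]


def learn_baseline(training):
    """Per user: usual sign-in hours, known resources, and mean/stdev of daily MB."""
    by_user = defaultdict(list)
    for rec in training:
        by_user[rec["user"]].append(rec)
    baseline = {}
    for user, recs in by_user.items():
        mbs = [r["mb"] for r in recs]
        spread = statistics.stdev(mbs) if len(mbs) > 1 else 0.0
        baseline[user] = {
            "hours": set().union(*(r["hours"] for r in recs)),
            "resources": set().union(*(r["resources"] for r in recs)),
            "mean_mb": statistics.mean(mbs),
            # floor the spread at 1 MB so a perfectly flat baseline cannot divide by zero
            "stdev_mb": max(spread, 1.0),
        }
    return baseline


def detect_anomalies(today, baseline, threshold=3.0, scope=None, exclusions=()):
    """Return anomaly records (rows of an Anomalies-table-like list) for the day's activity.

    threshold  : z-score a transfer volume must exceed to be flagged
    scope      : users to monitor (None = every user that has a baseline)
    exclusions : (user, anomaly_type) pairs that are known-safe deviations
    """
    excluded = set(exclusions)
    anomalies = []
    for rec in today:
        user = rec["user"]
        if user not in baseline or (scope is not None and user not in scope):
            continue  # no training data, or out of scope: nothing to compare against
        b = baseline[user]
        found = []
        odd_hours = rec["hours"] - b["hours"]
        if odd_hours:
            found.append(("AnomalousLogin", f"sign-in at hours {sorted(odd_hours)}"))
        new_res = rec["resources"] - b["resources"]
        if new_res:
            found.append(("AnomalousResourceAccess", f"first access to {sorted(new_res)}"))
        z = (rec["mb"] - b["mean_mb"]) / b["stdev_mb"]
        if z > threshold:
            found.append(("AnomalousDataTransfer",
                          f"{rec['mb']} MB vs baseline {b['mean_mb']:.0f} MB (z={z:.1f})"))
        for kind, detail in found:
            if (user, kind) in excluded:
                continue  # tuned out as a known-safe deviation
            anomalies.append({"user": user, "type": kind, "detail": detail})
    return anomalies


if __name__ == "__main__":
    base = learn_baseline(TRAINING)
    for a in detect_anomalies(TODAY, base, exclusions=[("svc-backup", "AnomalousDataTransfer")]):
        print(f"{a['user']:12s} {a['type']:24s} {a['detail']}")
```

Running it with the exclusion in place yields three records, all for `dev-alice`, which is the correlation an analyst would then pivot on; drop the exclusion and the quarterly backup is flagged too, which is exactly the false-positive class the Exclusions knob exists for. Raising `threshold` only affects the volume check; the login and resource anomalies are membership tests and stay unchanged.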

Rules catch known threats; anomalies catch the unknown

Feature             | Analytics Rules                                       | Anomaly Rules
Detection method    | KQL query matching defined patterns                   | Statistical deviation from learned baseline
What they catch     | Known threat patterns (brute force, C2, exfiltration) | Unknown deviations (first-time access, unusual volumes, new behaviour)
Configuration       | Write KQL, set frequency, map entities                | Enable built-in rule, tune thresholds
Output              | Alerts and incidents                                  | Records in the Anomalies table (lower signal than alerts)
False positive rate | Low (if well-written)                                 | Higher — baseline deviations are not always malicious
Complementary?      | Yes — use both together for comprehensive detection   | Yes — anomalies fill gaps that rules-based detection misses

💡 Scenario: Tyler uses anomalies to catch a stealthy attacker

Tyler at CipherStack has strong analytics rules for brute force, phishing, and malware. But a sophisticated attacker used valid stolen credentials — no brute force, no malware, no phishing detected.

The attacker logged in at 2 AM (unusual for that user), accessed the source code repository (never done before), and downloaded 3 GB of data (baseline was 50 MB/day). None of Tyler’s KQL rules fired.

But three anomaly rules did:

  • Anomalous login activity — flagged the 2 AM login
  • Anomalous resource access — flagged the first-time repo access
  • Anomalous data transfer — flagged the 3 GB download

Tyler correlated these anomalies and identified the compromised account within hours.

Question

What do the colours in Sentinel's MITRE ATT&CK coverage page mean?


Answer

Green = techniques with at least one active analytics rule. Yellow = techniques with a data connector but no analytics rule. Empty = no detection or data source. The goal is to maximise green cells, especially for techniques used against your industry.


Question

How are anomaly detections different from analytics rules?


Answer

Analytics rules use KQL queries to match known patterns. Anomaly rules use statistical models that learn baseline behaviour and flag deviations. Anomalies catch unknown threats that don't match pre-defined signatures, but have a higher false positive rate.


Question

Name 3 types of anomalies Sentinel can detect out of the box.


Answer

1. Anomalous login activity (unusual time, location, device). 2. Anomalous resource access (user accessing new resources). 3. Anomalous data transfer (unusual volume of data movement). Also: anomalous privilege use and anomalous process execution.


Knowledge Check

James reviews Pacific Meridian's MITRE ATT&CK page and sees that Lateral Movement techniques are yellow (data connectors active but no analytics rules). What should he do?

Knowledge Check

A sophisticated attacker at CipherStack uses valid stolen credentials to access systems. No brute force, malware, or phishing alerts fire. Which Sentinel feature is most likely to detect this?


Next up: Domain 1 wraps up with a synthesis module — putting detection engineering together: custom detections, analytics rules, threat intelligence, and MITRE coverage working as one system.



© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.