Introduction
Mapping security detections to the MITRE ATT&CK framework is crucial for understanding adversary behavior and improving threat response. However, maintaining accurate and consistent MITRE mappings across all analytics rules in large environments can be challenging.
To support this process, Microsoft introduced AI-powered MITRE tagging—a feature available in public preview (as of May 2025). This capability leverages artificial intelligence to suggest relevant MITRE tactics and techniques for your detection rules, helping streamline SOC workflows and increase coverage quality.
In this post, I’ll guide you through how this feature works, how to use it in your environment, and where it can provide the most value. We’ll also explore hands-on examples and practical advice from a SOC perspective—now primarily using Microsoft Defender XDR as the unified security operations platform.
What is AI-powered MITRE tagging?
AI-powered MITRE tagging uses machine learning models to analyze detection rule logic and recommend appropriate MITRE ATT&CK mappings:
- Tactics (e.g., Credential Access, Lateral Movement)
- Techniques (e.g., T1056.001: Input Capture, T1021.001: RDP)
These mappings are crucial for:
- Understanding adversary behavior patterns
- Enabling MITRE-based dashboards and threat visualizations
- Standardizing detection quality across rule sets
- Supporting red/purple team alignment
The suggestions can be applied manually or in bulk, and integrate with existing MITRE coverage workbooks.
Licensing and prerequisites
| Requirement | Details |
|---|---|
| Unified security operations platform | Required (Microsoft Defender XDR workspace; Microsoft Sentinel integration recommended) |
| Microsoft Sentinel workspace | Required for using workbooks and broader integration |
| Permissions | Microsoft Defender Contributor or higher |
| Access point | Microsoft Defender portal: Settings > SOC optimization > MITRE optimization |
| Preview availability | Public preview – enabled by default in supported tenants |
Why it matters: SOC benefits
- Faster detection development: Analysts no longer need to manually search for matching MITRE techniques
- More consistent quality: Uniform mappings lead to more accurate hunting and reporting
- Improved threat modeling: Visibility into tactics and techniques helps teams align detection to risk
- Stronger purple teaming: Well-tagged rules are easier to simulate, validate, and test against real threats
- Readiness for automation: Standardized tagging simplifies downstream processes like enrichment, alert fusion, and incident correlation
Step-by-step: How to use AI-powered MITRE tagging
Step 1: Open the SOC optimization view
- Sign in to the Microsoft Defender Portal
- Navigate to SOC optimization
- Search for AI MITRE ATT&CK tagging

Step 2: Review incomplete or missing tags
- You’ll see an amount of analytics rules missing tactic or technique mappings (in my example 4)
- Below you can see amount of coverage vs the things that could be improved vs the coverage

Step 3: Review suggestions and confidence levels
If you click Choose Rules, you will see suggestion that includes:
- Suggested tactic (e.g., Persistence, Execution)
- Suggested technique (e.g., T1059: Command Scripting Interpreter)
- Detection type
- Actions: Apply

Focus on high-confidence suggestions to improve efficiency
Step 4: Validate and measure impact
- Open the analytics rules that were updated
- Confirm that the mappings match the detection intent
- Open the MITRE coverage workbook (in Sentinel) to evaluate coverage improvement
- Schedule periodic reviews as your detection logic evolves
Best practices for implementation
- Prioritize high-severity rules: Start with rules that trigger frequently or impact critical assets
- Tag during rule creation: Make MITRE tagging part of your detection engineering lifecycle
- Use version control: Store rules (including tags) in Git or other version-controlled systems
- Review low-confidence tags carefully: Involve senior SOC analysts to ensure contextual accuracy
- Correlate with threat modeling: Validate whether the tagged technique aligns with real-world threat scenarios for your industry
- Leverage dashboards: Use MITRE coverage workbooks for stakeholder reporting and identifying gaps
- Maintain documentation: Track who approved what tags and when, for audit readiness
Real-world example: Improving MITRE coverage
A multinational SOC team with over 500 detection rules struggled to maintain updated MITRE coverage. After enabling AI-powered tagging:
- Over 300 rules received high-confidence technique mappings
- MITRE coverage in the workbook improved by more than 30%
- Purple teaming became easier thanks to better visibility of technique gaps
- New rule creation became faster with built-in AI tag suggestions
Extra resources
Microsoft Defender XDR Documentation
Official docs: MITRE optimization in Microsoft Sentinel
AI-Powered MITRE ATT&CK Tagging for SOC Optimization
Final thoughts
AI-powered MITRE tagging is not a replacement for human logic—it’s a valuable accelerator. It bridges the gap between automated rule generation and strategic threat alignment. If you’re operating at scale, this feature can significantly reduce manual overhead and improve consistency across your detection estate.








