SmiKar Software

MITRE ATT&CK Technique Reference


MITRE ATT&CK is the industry-standard taxonomy for describing adversary techniques. Every Burrow alert is tagged with a MITRE technique ID so the activity is comparable to what other security products (Microsoft Defender, Sentinel, CrowdStrike) detect using the same vocabulary.

This page lists the MITRE techniques Burrow's detection rules currently map to, what each technique represents, and where to see live counts in the dashboard.

Why MITRE matters in Burrow

Three reasons:

  1. Comparable findings. When a SOC analyst reads "T1486 Data Encrypted for Impact" on a Burrow alert, they can pivot to Defender or Sentinel using the same technique ID and pull additional telemetry without losing context.
  2. Coverage mapping. Audit and risk teams can answer "which MITRE techniques does Burrow actually cover in our tenant?" by reading the catalog below.
  3. Top-N reporting. The dashboard's Top MITRE tab on the home page shows which techniques are most active in your tenant for the current lookback window — useful for prioritising hunt activity and writing executive summaries.

How to read the Top MITRE tab

  1. Open the Burrow home page.
  2. In the Top items card on the right, click the Top MITRE tab.
  3. The list shows MITRE technique IDs ranked by alert count in the current lookback window.

Clicking any technique row navigates to the Alerts page pre-filtered to that technique — useful for "show me every alert tagged T1078" investigations.

Techniques Burrow covers

The table below maps every Burrow rule category to its MITRE technique.

MITRE ID         | Technique name                                  | Burrow rule categories
-----------------|-------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------
T1486            | Data Encrypted for Impact                       | ransomware_signature
T1485            | Data Destruction                                | mass_deletion_high, mass_deletion_med
T1567.002        | Exfiltration to Cloud Storage                   | data_exfiltration_high, data_exfiltration_med, sensitive_ext_exfil_critical, risky_sharing, risky_sharing_orgwide
T1530            | Data from Cloud Storage                         | risky_sharing family
T1083            | File and Directory Discovery                    | search_enumeration_high, search_enumeration_med, sensitive_search_high, new_site_access, search_baseline_deviation
T1078            | Valid Accounts                                  | behavioral_deviation, peer_group_deviation, intraday_velocity_burst, unusual_hour_activity, dow_drift, ua_anomaly, weekend_posture_drift, unmanaged_baseline_spike, label_rule (typical)
T1078.004        | Cloud Accounts                                  | account_compromise, impossible_travel_signin, site_collection_admin_grant
T1070            | Indicator Removal                               | recyclebin_restore_high, recyclebin_restore_med
T1090.003        | Multi-hop Proxy                                 | anonymizer_access_critical (Tor exit-node access)
T1071            | Application Layer Protocol                      | malicious_ip_access_critical (known-bad IP access)
T1562.008        | Disable Cloud Logs                              | audit_tampering
T1098            | Account Manipulation                            | external_user_group_add (guest provisioning)
T1621            | Multi-Factor Authentication Request Generation  | mfa_fatigue
T1528            | Steal Application Access Token                  | oauth_consent_grant
Cumulative       | (varies — meta-alert)                           | daily_pattern_escalation
Operator-defined | (operator-set)                                  | custom_rule

For the deterministic check behind each category, see the rule catalog.
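Reproducing the Top MITRE ranking (and the per-technique pivot from the tab walkthrough above) from this table, as an added Python example that is not Burrow's own code: the alert record shape, the lookback window and the sample alerts are constructed assumptions, and the T1530 "risky_sharing family" is read as both risky_sharing rules.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Technique -> rule categories, transcribed from the table on this page. The T1530
# "risky_sharing family" is taken to mean both risky_sharing rules (an assumption).
TECHNIQUE_TO_CATEGORIES = {
    "T1486": ["ransomware_signature"],
    "T1485": ["mass_deletion_high", "mass_deletion_med"],
    "T1567.002": ["data_exfiltration_high", "data_exfiltration_med", "sensitive_ext_exfil_critical",
                  "risky_sharing", "risky_sharing_orgwide"],
    "T1530": ["risky_sharing", "risky_sharing_orgwide"],
    "T1083": ["search_enumeration_high", "search_enumeration_med", "sensitive_search_high",
              "new_site_access", "search_baseline_deviation"],
    "T1078": ["behavioral_deviation", "peer_group_deviation", "intraday_velocity_burst",
              "unusual_hour_activity", "dow_drift", "ua_anomaly", "weekend_posture_drift",
              "unmanaged_baseline_spike", "label_rule"],
    "T1078.004": ["account_compromise", "impossible_travel_signin", "site_collection_admin_grant"],
    "T1070": ["recyclebin_restore_high", "recyclebin_restore_med"],
    "T1090.003": ["anonymizer_access_critical"], "T1071": ["malicious_ip_access_critical"],
    "T1562.008": ["audit_tampering"], "T1098": ["external_user_group_add"],
    "T1621": ["mfa_fatigue"], "T1528": ["oauth_consent_grant"],
}
# Invert to category -> technique IDs; risky_sharing lands under two techniques.
CATEGORY_TO_TECHNIQUES = {}
for tech, cats in TECHNIQUE_TO_CATEGORIES.items():
    for cat in cats:
        CATEGORY_TO_TECHNIQUES.setdefault(cat, []).append(tech)

def techniques_for(alert):
    """Technique IDs for one alert. Alerts are hypothetical dicts with 'category' and 'time';
    daily_pattern_escalation and custom_rule carry no fixed technique, so they supply 'technique'."""
    if alert["category"] in ("daily_pattern_escalation", "custom_rule"):
        return [alert["technique"]]
    return CATEGORY_TO_TECHNIQUES[alert["category"]]  # KeyError means an unmapped category

def top_mitre(alerts, now, lookback_days):
    """Technique IDs ranked by alert count inside the lookback window (the Top MITRE tab)."""
    start = now - timedelta(days=lookback_days)
    return Counter(t for a in alerts if start <= a["time"] <= now
                   for t in techniques_for(a)).most_common()

def alerts_for_technique(alerts, technique):
    """The pre-filtered Alerts view reached by clicking a technique row."""
    return [a for a in alerts if technique in techniques_for(a)]

# Constructed sample alerts (not real Burrow output), timestamped relative to NOW.
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)
SAMPLE_ALERTS = [{"category": c, "time": NOW - timedelta(days=d), **extra} for c, d, extra in [
    ("impossible_travel_signin", 1, {}), ("risky_sharing", 2, {}), ("dow_drift", 3, {}),
    ("custom_rule", 6, {"technique": "T1078"}), ("ransomware_signature", 40, {})]]
```

With a 30-day window the ransomware alert drops out of the ranking entirely, which is the "absence is the signal" case described below; widen the window to 60 days and T1486 appears.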

When a MITRE technique looks under-represented

If you expected to see a technique (say, T1486 ransomware) on the Top MITRE tab but it is absent, that is a good sign — it means no rule in that family has fired in your lookback window. The absence is the signal: no ransomware activity is currently visible.

If you expected a technique because of an external event (e.g. an industry advisory reports a T1567.002 exfiltration spike) but Burrow shows nothing, the question to ask is whether the relevant rules are tuned for your environment. See Tuning a noisy rule — the same workflow applies in reverse when a rule is too quiet.

External references

  • MITRE ATT&CK Enterprise Matrix — the canonical adversary-technique reference.
  • Microsoft Defender XDR also uses MITRE technique IDs — useful for cross-pivot during multi-product investigations.
