08-11-2023 11:22 AM
Hi,
We're looking to see if there's a way to execute the "Associate MITRE ATT&CK Technique" action through the ServiceNow API? We have SIRs that are automatically created and we have the MITRE ATT&CK info from another source, and right now we are manually adding that info through the web UI, but would prefer to automate it using the ServiceNow API. For reference, this is the documentation on how to manually do it: https://docs.servicenow.com/en-US/bundle/utah-security-management/page/product/threat-intelligence/t...
Is this possible? If so, what API do we need to use? We've generally used the Table API to access/create SIRs.
Appreciate any help anyone can provide.
Thanks!
08-28-2023 02:47 PM - edited 08-28-2023 02:49 PM
Following up, the MITREUtil.js script was really helpful in understanding how to make this work. Essentially, you need to create a record in the sn_ti_stix2_m2m_incident_attack table with an entry for the sys_id of the SIR, the sys_id of the tactic and the sys_id of the technique. Working with the Table API, the POST data looks like this:
{
"source": "Manual",
"type": "MANUAL",
"tactic": "11176f7897ba2dd07b1e3aa3f153afcb",
"attack": "b447efb897ba2dd07b1e3aa3f153af73",
"incident": "cdb2f99887b87110844a20e7dabb3557"
}
You can query for the sys_id of the tactic in the sn_ti_stix2_kill_chain_phase table and you can query for the technique in the sn_ti_stix2_attack_pattern table. If you query either of those tables for external_id, that lets you search for e.g. TA0005 or T1078 (depending on the table), and you can pull the sys_id from the record you get back.
Once you have all that info you can plug it into the request as I wrote above and that will create an entry in the table, and when you open the MITRE ATT&CK Card on the SIR it will show the TTPs that you associated with the SIR.
Thanks again for the help.
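The flow described in this answer (look up the tactic and technique sys_ids by external_id, then POST the m2m record through the Table API), as an added example that is not part of the original post and not ServiceNow's own code. The table names sn_ti_stix2_kill_chain_phase, sn_ti_stix2_attack_pattern and sn_ti_stix2_m2m_incident_attack and the payload keys are the ones given above; the SIR table name sn_si_incident, HTTP Basic auth, the MitreAssociator class and the pluggable transport are assumptions. The lookups fail closed (zero or multiple matches raise), ATT&CK ids are shape-checked before they reach a query string, and the SIR number is resolved to a sys_id first, since the m2m record takes the sys_id rather than the number.

```python
"""Associate MITRE ATT&CK tactic/technique pairs with a SIR via the ServiceNow Table API.
Table names sn_ti_stix2_* and the POST payload keys are the ones given in the thread.
Assumed (not in the thread): SIR table sn_si_incident, HTTP Basic auth, pluggable transport."""
import base64
import json
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

TACTIC_TABLE = "sn_ti_stix2_kill_chain_phase"
TECHNIQUE_TABLE = "sn_ti_stix2_attack_pattern"
M2M_TABLE = "sn_ti_stix2_m2m_incident_attack"
SIR_TABLE = "sn_si_incident"  # assumption: standard SIR table, not named in the thread

# Shapes of ATT&CK ids and sys_ids; anything else is rejected before it reaches a request.
TACTIC_ID = re.compile(r"^TA\d{4}$")
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
SYS_ID = re.compile(r"^[0-9a-f]{32}$")

# transport(method, url, json_body_or_None) -> (http_status, parsed_json_body)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, dict]]


def basic_auth_transport(user: str, password: str, timeout: int = 30) -> Transport:
    """Transport over urllib with HTTP Basic auth (assumed auth scheme)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def send(method: str, url: str, body: Optional[dict]) -> Tuple[int, dict]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("Authorization", f"Basic {token}")
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")

    return send


class MitreAssociator:
    def __init__(self, instance_url: str, transport: Transport) -> None:
        self.base = instance_url.rstrip("/") + "/api/now/table/"
        self.transport = transport

    def _lookup(self, table: str, field: str, value: str) -> str:
        """sys_id of the single record with field == value; fail closed otherwise."""
        query = urllib.parse.urlencode({
            "sysparm_query": f"{field}={value}",  # '=' is an exact match in sysparm_query
            "sysparm_fields": f"sys_id,{field}",
            "sysparm_limit": 2,                   # 2 rows is enough to notice a duplicate
        })
        status, body = self.transport("GET", f"{self.base}{table}?{query}", None)
        if status != 200:
            raise RuntimeError(f"GET {table} failed with HTTP {status}")
        rows = [r for r in body.get("result", []) if r.get(field) == value]
        if len(rows) != 1:
            raise LookupError(f"{table}: {len(rows)} rows with {field}={value}, need exactly 1")
        sys_id = rows[0]["sys_id"]
        if not SYS_ID.match(sys_id):
            raise ValueError(f"malformed sys_id from {table}: {sys_id!r}")
        return sys_id

    def tactic_sys_id(self, tactic_id: str) -> str:
        if not TACTIC_ID.match(tactic_id):
            raise ValueError(f"not a tactic id: {tactic_id!r}")
        return self._lookup(TACTIC_TABLE, "external_id", tactic_id)

    def technique_sys_id(self, technique_id: str) -> str:
        if not TECHNIQUE_ID.match(technique_id):
            raise ValueError(f"not a technique id: {technique_id!r}")
        return self._lookup(TECHNIQUE_TABLE, "external_id", technique_id)

    def sir_sys_id(self, sir_number: str) -> str:
        """The m2m record wants the SIR's sys_id, not its number, so resolve it first."""
        return self._lookup(SIR_TABLE, "number", sir_number)

    @staticmethod
    def build_payload(sir_sys_id: str, tactic_sys_id: str, technique_sys_id: str) -> Dict[str, str]:
        """Exactly the document shape posted in the thread."""
        return {"source": "Manual", "type": "MANUAL", "tactic": tactic_sys_id,
                "attack": technique_sys_id, "incident": sir_sys_id}

    def associate(self, sir_number: str, tactic_id: str, technique_id: str) -> Dict[str, str]:
        """Resolve all three sys_ids, POST the m2m record, return the payload that was sent."""
        payload = self.build_payload(self.sir_sys_id(sir_number),
                                     self.tactic_sys_id(tactic_id),
                                     self.technique_sys_id(technique_id))
        status, body = self.transport("POST", f"{self.base}{M2M_TABLE}", payload)
        if status != 201:
            raise RuntimeError(f"POST {M2M_TABLE} failed with HTTP {status}: {body}")
        return payload
```

Against a real instance you would build it as `MitreAssociator("https://<instance>.service-now.com", basic_auth_transport(user, password))` and call `associate("SIR0001234", "TA0005", "T1078")` once per tactic/technique pair. The transport is injectable so the lookup and payload logic can be exercised with canned responses before the integration account is granted write access to the m2m table; that account only needs read on the three lookup tables and create on sn_ti_stix2_m2m_incident_attack.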

08-14-2023 02:39 PM - edited 08-14-2023 02:44 PM
Hey there,
This is a neat use case.
- This is supported with the native SecOps Event Ingestion integrations today and the parsing / mapping logic is already laid out for grabbing the MITRE TTPs and associating them to the target SIR / Security Incidents
- Refer to SIEM Extraction Rules in the Docs page below:
- This is supported when using the available Store Applications for SecOps Event Ingestion - e.g. Splunk, Q-Radar, etc. to create SIRs, when the MITRE TTPs are included in the data being sent over at that time
---------------------------------------------------------
If you still need to pursue the two tool method (one for SIR creation and the other for MITRE TTP associations to existing SIRs)...
- Would start reviewing the baseline Script Include `sn_ti.MITREUtil` and in particular the Method `addTechniques`.
- One challenging bit here, is you'd need to use the SYS_ID of the Target SIR you want to associate the MITRE TTPs to (rather than the SIR Number)
- Suppose that you could have ServiceNow reach out into your tool - or - you could push data to ServiceNow
- For the push model, maybe a Scripted REST API would do the trick (send the SYS_ID of the SIR, or SIR Number, and array of MITRE TTPs to parse out) as a POST API call
- Then look at calling the `addTechniques` method out of the `sn_ti.MITREUtil()` Script Include
- There doesn't appear to be an existing Scripted REST API "off-the-shelf" that you could call today
12-05-2024 11:04 AM
Just wanted to say thank you so much for posting this!
08-17-2023 07:36 AM
Hi,
Thanks for the detailed response, and appreciate the confirmation that there isn't an existing API that I'm missing. I think we'll have to go with the two tool method, but I like the idea of pushing the TTPs in earlier in the flow and then pulling them out with the SecOps Event Ingestion. That may be where we ultimately get to with it. I don't know if I'll be able to get access to use a Scripted API, but thanks for pointing me to the `addTechniques` function, it's great being able to see how SNOW is executing it.
I'm gonna leave this open for now and will update when I sort out the process that works for us. Thanks again for the reply and all the info.