Auto Technique extraction rule for Azure Sentinel

praveenhamsaraj
Tera Contributor

We have integrated the Azure Sentinel with ServiceNow for Security Incident creation, and it also passes the Tactic and Technique information.
We have enabled the MITRE ATT&CK matrix (Enterprise) and the associated techniques; however, this is only working manually, and we would like to populate this information automatically when a SIR is created. We understand that auto extraction of this information is no longer supported via Incident Profile and that we need to create a technique extraction rule. When I created a new extraction rule for Sentinel, we set the Import Table as "Azure Sentinel Incident Import" and the Import field as "Incident Raw". Ideally, as per the documentation, this is good enough to auto-populate the MITRE framework in a security incident. However, this is not working, although I tried different combinations of import field. Does anybody have relevant experience with auto-extracting the MITRE data from Sentinel to ServiceNow SIR?
P.S. I have unchecked the "Ignore auto extraction" option in the extraction rule and enabled auto rollup of MITRE information from the alert rules to security incidents.


Greg33
Tera Guru

Hi,
Did you manage to do anything for the Mitre Technique? I'm currently facing the same challenge 🤔

Hello,
The issue seems to be with the store integration plugin version 11.0.20 😒 To fix this, we built a custom REST API integration to pull the correct MITRE ATT&CK data and auto-tag it to the security incident.
I saw that the latest plugin (11.0.21) was released by ServiceNow, but I'm not sure whether they have fixed this issue. I don't want to try their OOTB plugin yet, as our existing custom integration works quite fine.

Hi Praveen,
Just an update on this.

We've had a HI case open with ServiceNow to ask them to check out why we are not receiving the Techniques.
They've asked us to update this sys_property: sn_sec_sentinel.sentinel_security_incident_api_version

to point to the latest API version: 2024-03-01
TBH, I've not had much time to look into it yet, and other things have been prioritised since, but it seems we are now receiving both the Tactics and Techniques in the payload (sn_sec_sentinel_incident_import).
Next step is to match the incoming data with the SIRs, which I haven't looked at yet! Let me know how you get on!
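As an added example that is not part of this thread and not ServiceNow's or Microsoft's code: a plain JavaScript routine (runnable in Node, and usable as the parsing core of a ServiceNow script include) that takes the raw Sentinel incident JSON from the import payload and extracts the MITRE ATT&CK tactics and techniques for tagging a SIR. It assumes the payload follows the Sentinel incidents REST API shape, in which properties.additionalData carries "tactics" and, with a newer API version such as the 2024-03-01 mentioned above, "techniques"; the sample payload below is constructed. The routine distinguishes a payload that lacks the "techniques" key (the symptom of an older API version) from one that lists none, validates the technique IDs, and reports the parent technique of each sub-technique so a matrix lookup can fall back to it.

```javascript
// Added example, not ServiceNow's or Microsoft's code. Parses the raw Azure
// Sentinel incident JSON that lands in the "Incident Raw" import field and
// pulls out MITRE ATT&CK tactics and techniques for tagging a SIR.
// Assumption: the payload follows the Sentinel incidents REST API shape,
// where properties.additionalData carries "tactics" and (with a newer API
// version) "techniques". Field names outside that are not verified here.

const TECHNIQUE = /^T\d{4}$/;            // e.g. T1078
const SUB_TECHNIQUE = /^T\d{4}\.\d{3}$/; // e.g. T1078.004

function extractMitre(rawIncident) {
  // The import field may hold the JSON as a string or as an already-parsed object.
  const incident = typeof rawIncident === 'string' ? JSON.parse(rawIncident) : rawIncident;
  const props = (incident && incident.properties) || {};
  const extra = props.additionalData || {};

  // Distinguish "key absent" (older API version, no technique data at all)
  // from "key present but empty" (the incident genuinely has no techniques).
  const hasTechniquesField = Object.prototype.hasOwnProperty.call(extra, 'techniques');

  // Tactics: de-duplicate and sort so repeated tagging is idempotent.
  const tactics = Array.from(new Set((extra.tactics || []).map(String))).sort();

  const techniques = new Set();
  const parents = new Set();
  const rejected = [];
  for (const raw of extra.techniques || []) {
    const id = String(raw).trim().toUpperCase();
    if (SUB_TECHNIQUE.test(id)) {
      techniques.add(id);
      parents.add(id.split('.')[0]); // parent technique for matrices with only top-level rows
    } else if (TECHNIQUE.test(id)) {
      techniques.add(id);
    } else {
      rejected.push(id); // not a MITRE technique ID; do not tag the SIR with it
    }
  }

  // Parents that were not themselves listed, offered as a lookup fallback.
  const parentFallback = Array.from(parents).filter(p => !techniques.has(p)).sort();

  return {
    hasTechniquesField,
    tactics,
    techniques: Array.from(techniques).sort(),
    parentFallback,
    rejected,
  };
}

// Constructed sample payload (not a real incident), in the Sentinel incidents API shape.
const SAMPLE_RAW = JSON.stringify({
  id: '/subscriptions/<placeholder>/providers/Microsoft.SecurityInsights/incidents/<placeholder>',
  properties: {
    title: 'Suspicious sign-in followed by mailbox rule creation',
    severity: 'Medium',
    additionalData: {
      alertsCount: 2,
      tactics: ['InitialAccess', 'Persistence', 'InitialAccess'],
      techniques: ['T1078', 'T1078.004', 't1137.005', 'bogus'],
    },
  },
});

// Constructed payload in the older shape, where no "techniques" key is returned.
const SAMPLE_RAW_OLD_API = JSON.stringify({
  properties: { additionalData: { alertsCount: 1, tactics: ['Execution'] } },
});

function demo() {
  const current = extractMitre(SAMPLE_RAW);
  const old = extractMitre(SAMPLE_RAW_OLD_API);
  console.log(JSON.stringify(current, null, 2));
  console.log(old.hasTechniquesField
    ? 'techniques present'
    : 'no "techniques" key in payload: check the Sentinel API version property');
  return { current, old };
}

demo();
```

The hasTechniquesField flag is the useful diagnostic here: if it is false across all imported records, the payload itself carries no technique data and the place to look is the API version property rather than the extraction rule.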

Pooja P
Tera Contributor

Hi @Greg33, have you worked on matching the incoming data with the SIRs? We have to implement the same in our instance. Can you please suggest?