Auto Technique extraction rule for Azure Sentinel
02-28-2024 04:41 AM
We have integrated the Azure Sentinel with ServiceNow for Security Incident creation, and it also passes the Tactic and Technique information.
We have enabled the MITRE ATT&CK matrix (Enterprise) and the associated techniques; however, this only works manually, and we would like to populate this information automatically when a SIR is created. We understand that auto extraction of this information is no longer supported via Incident Profile and that we need to create a technique extraction rule. When I created a new extraction rule for Sentinel, we set the Import Table as "Azure Sentinel Incident Import" and the Import field as "Incident Raw". Ideally, as per the documentation, this is good enough to auto-populate the MITRE framework in a security incident. However, this is not working, and I have tried different combinations of import field. Does anybody have relevant experience with auto-extracting the MITRE data from Sentinel to ServiceNow SIR?
P.S.: I have unchecked the "Ignore auto extraction" option in the extraction rule and enabled auto rollup of MITRE information from the alert rules to security incidents.
03-18-2025 04:33 AM
Hi @Pooja P,
After updating the API:
'update this sys_property: sn_sec_sentinel.sentinel_security_incident_api_version
to point to the latest API version: 2024-03-01'
we simply created a MITRE technique extraction rule (sn_ti_mitre_tech_extraction_rule) using the Sentinel import table (sn_sec_sentinel_incident_import) as the source table and the technique field (properties(additionalData(techniques))) as the field.
03-18-2025 04:55 AM - edited 03-18-2025 04:56 AM
Thank you for the reply. We followed the same steps, but in the Extraction Rule we gave the import table as Azure Sentinel Incident Import (sn_sec_sentinel_incident_import), and in the Import field we can see only the properties(additionalData(tactics)) field; properties(additionalData(techniques)) is not available.
But this is not helping, and we cannot see any
03-18-2025 06:56 AM
To have the techniques, you need to first update the API version. Have you done that?
03-18-2025 11:19 PM
Yes @Greg33, I have updated that.
03-19-2025 01:59 AM
Unfortunately, if you have updated the API version and still don't see the techniques in the /sn_sec_sentinel_incident_raw table, then the only thing I can suggest is requesting help via an HI case or through Sentinel support.
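To see what the extraction rule's field path actually points at, here is an added example (not ServiceNow's or Microsoft's code) that parses the raw Sentinel incident JSON and pulls the ATT&CK tactics and techniques out of properties.additionalData, the path written as properties(additionalData(techniques)) in the thread. The sample payloads are constructed; the second one mimics an import made with an older API version, where the techniques array is absent entirely, which is the situation discussed above.

```javascript
// Added example, not ServiceNow or Microsoft code. Parses the raw Sentinel incident
// JSON ("Incident Raw") and returns the ATT&CK tactics and techniques found under
// properties.additionalData. It also reports whether the techniques array exists at
// all: an import made with an older Sentinel API version carries tactics but no
// techniques key, which is what the missing Import field option looks like.
const TECHNIQUE_ID = /^T\d{4}(\.\d{3})?$/; // e.g. T1059 or sub-technique T1059.001

function extractMitre(rawJson) {
  let incident;
  try {
    incident = JSON.parse(rawJson);
  } catch (err) {
    return { tactics: [], techniques: [], techniquesPresent: false, error: 'invalid JSON' };
  }
  const props = incident && incident.properties ? incident.properties : {};
  const extra = props.additionalData && typeof props.additionalData === 'object' ? props.additionalData : {};

  // Tactics: de-duplicate and drop anything that is not a non-empty string.
  const tactics = Array.isArray(extra.tactics)
    ? [...new Set(extra.tactics.filter((t) => typeof t === 'string' && t.length > 0))]
    : [];

  // Distinguish "no techniques key" (API version too old) from "empty techniques list".
  const techniquesPresent = Array.isArray(extra.techniques);
  const techniques = techniquesPresent
    ? [...new Set(extra.techniques.filter((t) => typeof t === 'string' && TECHNIQUE_ID.test(t)))]
    : [];

  return { tactics, techniques, techniquesPresent, error: null };
}

// Constructed sample payloads (not real incidents) following the incident resource shape.
const SAMPLE_CURRENT_API = JSON.stringify({
  id: '/subscriptions/<placeholder>/.../incidents/<placeholder>',
  properties: {
    title: 'Suspicious PowerShell activity',
    severity: 'High',
    additionalData: {
      tactics: ['Execution', 'Execution', 'DefenseEvasion'],
      techniques: ['T1059', 'T1059.001', 'T1059', 'not-a-technique'],
    },
  },
});

const SAMPLE_OLD_API = JSON.stringify({
  id: '/subscriptions/<placeholder>/.../incidents/<placeholder>',
  properties: { title: 'Older import', additionalData: { tactics: ['Persistence'] } },
});
```

If `techniquesPresent` comes back false for every row in the import table, the payload itself lacks techniques, so the problem is upstream of the extraction rule (API version or the Sentinel side) rather than in the rule configuration.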