Auto Technique extraction rule for Azure Sentinel

praveenhamsaraj
Tera Contributor

We have integrated Azure Sentinel with ServiceNow for Security Incident creation, and it also passes the Tactic and Technique information.


We have enabled the MITRE ATT&CK matrix (Enterprise) and the associated techniques; however, this only works manually, and we would like to populate this information automatically when a SIR is created. We understand that auto extraction of this information is no longer supported via Incident Profile and that we need to create a technique extraction rule. When I created a new extraction rule for Sentinel, we set the Import Table to "Azure Sentinel Incident Import" and the Import field to "Incident Raw". Ideally, as per the documentation, this is good enough to auto-populate the MITRE framework in a security incident. However, this is not working, and I have tried different combinations of the import field. Does anybody have relevant experience with auto extracting the MITRE data from Sentinel to ServiceNow SIR?


P.S.: I have unchecked the "Ignore auto extraction" option in the extraction rule and enabled auto rollup of MITRE information from the alert rules to security incidents.
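Before tuning the extraction rule itself, it is worth confirming that the "Incident Raw" field actually carries tactic and technique values in a form the rule can match. The script below is an added example, not the poster's configuration or ServiceNow's own extraction code: it parses a constructed Sentinel-style incident JSON (the `properties.additionalData.tactics` / `techniques` shape and all values are assumed for this example), normalises the technique IDs against the ATT&CK ID format and reports anything that would not map to a technique.

```python
import json
import re

# Constructed sample, not a real Sentinel incident: the shape loosely follows the
# Sentinel incident REST object (properties.additionalData.tactics/techniques),
# but every value below is made up for this example.
SAMPLE_INCIDENT_RAW = json.dumps({
    "properties": {
        "title": "Suspicious PowerShell execution",
        "severity": "High",
        "additionalData": {
            "tactics": ["Execution", "DefenseEvasion"],
            "techniques": ["T1059.001", "T1027", "t1059.001", "TA0002"],
        },
    }
})

# MITRE ATT&CK technique IDs: "T" plus four digits, optional ".NNN" sub-technique.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def extract_mitre(incident_raw: str) -> dict:
    """Pull tactics and technique IDs out of an Incident Raw JSON string.

    Returns normalised, de-duplicated lists plus any value that was offered as
    a technique but does not match the ATT&CK ID format (for example a tactic
    ID such as TA0002), so a mapping problem is visible instead of silently
    dropped by the extraction rule.
    """
    data = json.loads(incident_raw)
    extra = data.get("properties", {}).get("additionalData", {})

    tactics = sorted({t.strip() for t in extra.get("tactics", []) if t.strip()})

    techniques, rejected = set(), []
    for raw in extra.get("techniques", []):
        candidate = raw.strip().upper()   # "t1059.001" -> "T1059.001"
        if TECHNIQUE_ID.match(candidate):
            techniques.add(candidate)
        else:
            rejected.append(raw)

    return {"tactics": tactics, "techniques": sorted(techniques), "rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(extract_mitre(SAMPLE_INCIDENT_RAW), indent=2))
```

If `techniques` comes back empty for a real payload while `tactics` is populated, the field simply does not contain technique data and no extraction-rule setting will produce it.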


Can you provide the custom integration steps you followed for achieving this please.

@Pooja P & @Greg33


Our prayers were heard guys 🙂 A new spoke is released today in version 11.0.22 (Microsoft Azure Sentinel Incident Ingestion Integration For Security Operations)!


They gave a fix to load the Techniques from the Sentinel payload. Read the "Fixed" section of the release notes. Hope this is going to work. I will test this and keep you guys posted.

Yes @praveenhamsaraj, it worked. We got help from HI support and solved this issue.

prit123
Tera Contributor

@Pooja P @praveenhamsaraj - We have to integrate Sentinel with ServiceNow SIR. We are new to it. Can you please provide a screenshot of the mapping done to get the details from Sentinel? Also, what needs to be done to show Sentinel Entities, Tactics & Techniques in SIR?

Pooja P
Tera Contributor

Hi @prit123, please go through this document; we followed every step from this document to achieve successful integration.


Get started with Microsoft Azure Sentinel integration

Hope this helps.

And to get the technique and tactic, please create one new extraction rule as shown in the screenshot below.

[Screenshot: PoojaP_0-1743078460614.png]