Auto Technique extraction rule for Azure Sentinel

praveenhamsaraj
Tera Contributor

We have integrated the Azure Sentinel with ServiceNow for Security Incident creation, and it also passes the Tactic and Technique information.

We have enabled the MITRE ATT&CK matrix (Enterprise) and the associated techniques; however, this is only working manually and we would like to populate this information automatically when a SIR is created. We understand that this auto extraction of this information is no longer supported via Incident Profile and we need to create a technique extraction rule. When I created a new extraction rule for Sentinel, we set the Import Table as "Azure Sentinel Incident Import" and the Import field as "Incident Raw". Ideally, as per the documentation, this is good enough to auto-populate the MITRE framework in a security incident. However, this is not working, as I tried different combinations of import field. Does anybody have relevant experience with auto-extracting the MITRE data from Sentinel to ServiceNow SIR?

P.S. - I have unchecked the "Ignore auto extraction" option in the extraction rule and enabled auto rollup of MITRE information from the alert rules to security incidents.

17 REPLIES

prit123
Tera Contributor

Thanks @Pooja P for your reply. We have installed "Microsoft Azure Sentinel Incident Ingestion Integration For Security Operations": sn_sec_sentinel, 11.0.21v. We were able to get the SIR incident, but the details like configuration item, Affected User, and Observable are missing. Also, we could see several fields related to Observable; with which Sentinel field is it mapped to get the observable in SIR? Also, the extraction module is not available. Is it part of a different plugin?
BozhidarNizamov
Tera Contributor

We just updated the Sentinel plugin to the latest version and this fixed the issue. The Technique extraction is listed as "fixed" for the latest release and I can confirm that it is indeed working and we pull it from Sentinel without any changes or customizations.

AJ_UK
Tera Contributor

I have it working by mapping the field ${SecurityAlert:properties(additionalDatat(MitreTechniques))}$ to MITRE ATT&CK Technique field.
It required the loading of the MITRE ATT&CK framework via Security Operations > Threat intel > MITRE-ATT&CK framework overview > MITRE-ATT&CK administration > Set up the MITRE-ATT&CK framework, and, for example, executing the sync of the Enterprise ATT&CK TAXII Collection.
From memory it also required setting up Azure Sentinel as an Alert Sensor in /sn_si_alert_sensor to make it work.
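A quick way to confirm that the raw Sentinel payload actually carries technique data before troubleshooting the ServiceNow extraction rule, as an added example that is not from this thread or from the plugin. The sample JSON is constructed, and the `properties.additionalData.MitreTechniques` path is assumed from the mapping quoted above, not verified against the real payload shape.

```python
import json
import re

# Technique IDs look like T1059 or, for sub-techniques, T1059.001
TECHNIQUE_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# Constructed sample of a Sentinel SecurityAlert entity as it might land in the
# "Incident Raw" import field. The additionalData.MitreTechniques key follows the
# mapping quoted in the thread (an assumption about the real payload shape).
SAMPLE_RAW = json.dumps({
    "kind": "SecurityAlert",
    "properties": {
        "alertDisplayName": "Suspicious PowerShell execution",
        "tactics": ["Execution", "DefenseEvasion"],
        "additionalData": {
            "MitreTechniques": "T1059.001;T1027;T1059.001",
        },
    },
})


def extract_techniques(raw):
    """Return sorted, de-duplicated MITRE technique IDs found in a raw
    Sentinel alert payload (JSON string or already-parsed dict).

    Handles the value being a ';'-separated string, a list, or missing,
    so an empty result means the payload carries no technique data at all.
    """
    alert = json.loads(raw) if isinstance(raw, str) else raw
    props = alert.get("properties", {})
    value = props.get("additionalData", {}).get("MitreTechniques")
    if value is None:
        return []
    text = " ".join(str(v) for v in value) if isinstance(value, list) else str(value)
    return sorted(set(TECHNIQUE_ID.findall(text)))


def extract_tactics(raw):
    """Return the tactic names carried on the alert, if any."""
    alert = json.loads(raw) if isinstance(raw, str) else raw
    return list(alert.get("properties", {}).get("tactics", []))


if __name__ == "__main__":
    print("techniques:", extract_techniques(SAMPLE_RAW))
    print("tactics:", extract_tactics(SAMPLE_RAW))
```

If this returns an empty list for a real "Incident Raw" value, the problem is upstream of the extraction rule (the alert rule is not tagging techniques or the integration is not forwarding them), not in the rule's import field configuration.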