Configure Splunk events to include MITRE ATT&CK TTPs

Mandy8
Kilo Contributor

Does anyone have any documentation on how to configure the Splunk "ServiceNow Event Integration" to include MITRE-ATT&CK TTPs to use in the new Threat Intelligence MITRE ATT&CK framework? I found documentation on how to "Auto-extract technique rules for importing MITRE-ATT&CK information", but it doesn't include configuration requirements for the alerts coming from SIEMs.


andy_ojha
ServiceNow Employee

Hey there,

Are you by chance using a Splunk Enterprise Security (ES) deployment, or a non-Enterprise Security (ES) deployment?

Splunk's got some resources to get started on this, and a bunch of content updates with Splunk ES Correlation Rules that perform MITRE ATT&CK lookups to stamp Techniques into Splunk ES Notable Events.

  • https://docs.splunk.com/Documentation/ES/6.3.0/Admin/Configurecorrelationsearches#Use_security_framework_annotations_in_correlation_searches
  • https://splunkbase.splunk.com/app/4617/
  • https://splunkbase.splunk.com/app/3449/
  • https://medium.com/seynur/detecting-cyber-threats-with-mitre-att-ck-app-for-splunk-a6627439a9e3
  • https://medium.com/seynur/detecting-cyber-threats-with-mitre-att-ck-app-for-splunk-part-2-c07c68ce1b03

Mandy8
Kilo Contributor

We are using Splunk Enterprise Security.

Based on the recommendations you made, I need to use the Splunk ES Correlation Rules then figure out how to get that data into the "ServiceNow Event Integration" configurations, correct? Do you know of any documentation of how to configure the Event Integration component to receive the Splunk notable events?

andy_ojha
ServiceNow Employee

Hey there,

It's probably a good way to approach it, since existing content and data models exist in Splunk to map (lookup) MITRE ATT&CK TTPs and can be baked into your Correlation Rules.

Eventually your Notable Events can contain specific MITRE ATT&CK information based on your Correlation Rules and MITRE ATT&CK Lookups in Splunk ES.

You'll use the ServiceNow Splunk ES Event Ingestion Store App to create Security Incidents from Notable Events in Splunk ES:

You will need to set up Splunk ES Event Profiles in ServiceNow, where you create a Profile for each Correlation Rule that you want to create a Security Incident record in ServiceNow (it is a 1:1 setup activity)...

  • When Notable Events are brought into ServiceNow, they will create Security Incidents
  • You will build Splunk ES Alert Profiles in ServiceNow to set up field mappings between Notable Event data and the target fields on the Security Incident records
  • Two types of profiles can be created (see URL link above to docs)
    • Scheduled Alerts
    • Manual Alerts (optional - if you want users to click a button on the Splunk ES Incident Review page to create an SIR)

The new "Technique Extraction Rules" - specifically SIEM Extraction Rules, will need to be enabled for the Splunk ES integration in ServiceNow (set Ignore Auto-Extraction to 'false').

Once you enable the "Technique Extraction Rule" for Splunk ES in ServiceNow, a regular expression query will run on the Splunk ES Notable Event data that comes into ServiceNow, to automatically set the MITRE ATT&CK Technique data on the MITRE Card of the resulting Security Incident records that are created.

You do not have to do any other configuration or field mappings for this -> basically ensure the MITRE ATT&CK data is passed over in the Notable Events, and that you have the "Technique Extraction Rule" enabled for Splunk ES.

Hope that helps.


Reference:

  • https://docs.servicenow.com/bundle/quebec-security-management/page/product/threat-intelligence/concept/auto-extract-technique-rules.html

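To make the extraction step above concrete, here is an added example (not ServiceNow's or Splunk's own code) that models what a SIEM Technique Extraction Rule does: it runs a regular expression over the fields of incoming Splunk ES Notable Events, pulls out MITRE ATT&CK technique IDs, and builds the per-rule list that would populate the MITRE Card on the resulting Security Incident. The notable event field names (`annotations.mitre_attack`, `annotations`), the sample events, and the technique-ID regex are assumptions; the page does not show the exact expression ServiceNow uses. The `ignore_auto_extraction` switch mirrors the "Ignore Auto-Extraction" setting the reply mentions.

```python
import json
import re
from typing import Dict, List

# Assumed pattern for ATT&CK technique IDs such as T1110 or T1059.001.
# ServiceNow's actual extraction regex is not shown on the page.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# Constructed sample notable events, shaped like what Splunk ES correlation
# searches with security framework annotations might emit (field names assumed).
SAMPLE_NOTABLES = [
    {
        "rule_name": "Suspicious PowerShell Encoded Command",
        "annotations.mitre_attack": ["T1059.001", "T1027"],
        "description": "Encoded command line observed on host wks-042",
    },
    {
        "rule_name": "Brute Force Access Behavior Detected",
        # Some deployments carry annotations as a single JSON string field.
        "annotations": json.dumps({"mitre_attack": ["T1110"], "nist": ["DE.CM"]}),
        "description": "Repeated failures followed by success; see T1110.001",
    },
    {
        "rule_name": "Noise Rule Without Annotations",
        "description": "Nothing to extract here, TTP string absent",
    },
]


def extract_techniques(notable: Dict) -> List[str]:
    """Return the unique technique IDs found in any field value of one
    notable event, in first-seen order. Non-string values (lists, dicts)
    are serialised so annotations stored as JSON are searched too."""
    found: List[str] = []
    for value in notable.values():
        text = value if isinstance(value, str) else json.dumps(value)
        for technique in TECHNIQUE_RE.findall(text):
            if technique not in found:
                found.append(technique)
    return found


def build_mitre_card(notables: List[Dict], ignore_auto_extraction: bool = False) -> Dict[str, List[str]]:
    """Map each correlation rule name to the techniques extracted from its
    notable. When the profile has Ignore Auto-Extraction set to true, no
    techniques are stamped and every entry is empty."""
    if ignore_auto_extraction:
        return {n["rule_name"]: [] for n in notables}
    return {n["rule_name"]: extract_techniques(n) for n in notables}


if __name__ == "__main__":
    for rule, techniques in build_mitre_card(SAMPLE_NOTABLES).items():
        print(f"{rule}: {techniques or 'no MITRE data in notable'}")
```

The third sample shows the check worth keeping in mind from the reply: if the correlation rule never passes ATT&CK data into the Notable Event, the extraction rule has nothing to match and the MITRE Card stays empty, so the fix is on the Splunk ES annotation side, not in the ServiceNow field mappings.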

Mandy8
Kilo Contributor

Thank you SO much, this clarifies a lot!