Mapping MITRE Technique from Azure Sentinel

02-04-2022 02:41 AM
Hi all,
Has anyone successfully mapped the MITRE Technique ID/Name from Azure Sentinel source data into the Security Incident?
We have been informed by our analysts that the Technique is available for the Sentinel incidents, but it does not appear anywhere that we can see in the incident raw or source attributes for us to be able to map.
Many thanks
Labels: Security Incident Response
02-07-2022 09:22 AM
Hi,
This link may help you get started - scroll down to the "Use SIEM auto-extraction rules" section:
Effectively, the process involves identifying the SIEM integration (i.e. Azure Sentinel) and providing pattern matching in Technique Extraction Rules.
The myriad sensors and threat sources out there can share technique IDs in different ways (string-wise), so the system provides a way to enter new patterns for correlation.
Hope this helps!
Alex

02-07-2022 11:34 AM
Thanks Alex, this approach makes sense, but the Technique ID is not visible anywhere in the raw data via the import table.
02-07-2022 01:40 PM
Oh I see! Ultimately we do need that to come in from somewhere to make the extraction, of course.
I'd start with the raw log, or event, that is triggering these incidents from the third party system. It should be there, if the team is saying it is! Then I'd look at the configuration of the rules on the Azure Sentinel integration, and see if perhaps those rules are not extracting that info.
10-17-2024 06:22 AM
Hi @rawdy,
were you able to solve the problem? I know it has been quite a while, but I am facing the same problem at the moment.
It seems like the payload doesn't contain techniques, only the tactics. Maybe some misconfiguration on Azure Sentinel?
Thanks!
Regards
Malte
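The two points raised in this thread, Alex's description of extraction rules as pattern matching over technique strings that different sensors format differently, and Malte's observation that a payload can carry tactics but no techniques, can be illustrated with a small extractor. The code below is an added example written for this thread; it is not ServiceNow's extraction-rule engine and not Azure Sentinel's export format. The payload shape (`title`, `description`, `tactics`, `techniques` keys) and the sample payloads are constructed for illustration, and the function names are this example's own. It shows the normalisation a rule pattern needs (case, sub-technique suffix, IDs embedded in free text) and makes the tactics-only case explicit, because no amount of pattern matching recovers a technique that the SIEM never sent.

```python
import re

# Added example: a SIEM-agnostic extractor for ATT&CK technique IDs.
# The payload shape used below is constructed for illustration and is not
# a statement of how Azure Sentinel or Security Incident format their data.

# Matches a technique (T1059) or sub-technique (T1059.001), case-insensitively,
# so strings such as "t1059" or "attack.t1059.001" are recognised as well.
# The word boundaries keep "AT1234" and "T12345" from matching.
TECHNIQUE_RE = re.compile(r"\bT(\d{4})(?:\.(\d{3}))?\b", re.IGNORECASE)


def extract_techniques(text):
    """Return technique IDs found in `text`, canonicalised (upper-case T, any
    sub-technique suffix kept), de-duplicated, in order of first appearance."""
    found = []
    for m in TECHNIQUE_RE.finditer(text or ""):
        tid = f"T{m.group(1)}" + (f".{m.group(2)}" if m.group(2) else "")
        if tid not in found:
            found.append(tid)
    return found


def techniques_from_payload(payload):
    """Extract techniques from an incident payload (constructed shape).

    The explicit 'techniques' list is consulted first; the title and
    description are then scanned for IDs embedded in free text, which is the
    kind of pattern matching an extraction rule has to perform."""
    found = []
    candidates = list(payload.get("techniques") or [])
    candidates += [payload.get("title", ""), payload.get("description", "")]
    for text in candidates:
        for tid in extract_techniques(str(text)):
            if tid not in found:
                found.append(tid)
    return found


def classify_payload(payload):
    """Summarise what an extraction rule could obtain from one payload.

    'tactics_only' is True when the payload names tactics but no technique can
    be recovered from any field; that case cannot be fixed with a rule pattern
    and points upstream, at the data the SIEM integration is sending."""
    techniques = techniques_from_payload(payload)
    tactics = list(payload.get("tactics") or [])
    return {
        "techniques": techniques,
        "tactics": tactics,
        "tactics_only": bool(tactics) and not techniques,
    }


# Constructed sample payloads, not real Sentinel incidents.
SAMPLE_PAYLOADS = [
    {"title": "Suspicious PowerShell execution",
     "tactics": ["Execution"], "techniques": ["T1059.001"]},
    {"title": "Password spray against Azure AD (t1110.003)",
     "description": "Also maps to attack.t1110",
     "tactics": ["CredentialAccess"], "techniques": []},
    {"title": "Sign-in from unfamiliar location",
     "tactics": ["InitialAccess"], "techniques": []},
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(p["title"], "->", classify_payload(p))
```

Running the block prints one summary per sample: the first yields `T1059.001` from the explicit list, the second recovers `T1110.003` and `T1110` from free text in two different spellings, and the third is reported as `tactics_only`, which is the situation Malte describes and the signal to check the integration configuration rather than the extraction rules.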