Mapping MITRE Technique from Azure Sentinel

rawdy
Tera Contributor

Hi all

Has anyone successfully mapped the MITRE Technique ID/Name from Azure Sentinel source data into the Security Incident?

We have been informed by our analysts that the Technique is available for the Sentinel incidents, but it does not appear anywhere we can see in the incident's raw or source attributes for us to be able to map it.

Many thanks


Alex Cox
ServiceNow Employee

Hi @rawdy 

This link may help you get started - scroll down to the "Use SIEM auto-extraction rules":

https://docs.servicenow.com/bundle/rome-security-management/page/product/threat-intelligence/concept...

Effectively, the process involves identifying the SIEM integration (i.e. Azure Sentinel) and providing pattern matching in Technique Extraction Rules.

The myriad sensors and threat sources out there can share technique IDs in different ways (string-wise), so the system provides a way to enter new patterns for correlation.

Hope this helps!

Alex
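As an added illustration of the pattern-matching idea in this reply (this is example code, not ServiceNow's extraction engine and not Azure Sentinel's real payload format), the Python below runs a small set of extraction rules over JSON payloads that carry ATT&CK identifiers in different string forms, normalizes each hit to a canonical technique ID, and flags the failure mode raised in this thread: a payload that carries tactics but no technique. The payloads, the field names `techniques`, `tactics` and `tactic_ids`, and the rule names are all constructed for the example.

```python
import json
import re

# Constructed sample payloads (not real Azure Sentinel output). Each one
# carries ATT&CK identifiers in a different string form, or none at all.
SAMPLE_PAYLOADS = [
    '{"alertName": "Suspicious PowerShell", '
    '"techniques": ["T1059.001", "T1105"], '
    '"tactics": ["Execution", "CommandAndControl"]}',
    '{"title": "Password spray", '
    '"description": "Sigma tags: attack.t1110 and attack.t1110.003", '
    '"tactics": ["CredentialAccess"], "tactic_ids": ["TA0006"]}',
    '{"title": "Tactics only", "tactics": ["Persistence", "Discovery"]}',
]

# Extraction rules, analogous to per-integration technique extraction
# rules: each regex names the technique number "tid" and an optional
# sub-technique "sub", so every string form normalizes to "T1234[.567]".
TECHNIQUE_RULES = {
    "canonical": re.compile(r"\bT(?P<tid>\d{4})(?:\.(?P<sub>\d{3}))?\b"),
    "sigma-tag": re.compile(
        r"\battack\.t(?P<tid>\d{4})(?:[._](?P<sub>\d{3}))?\b", re.IGNORECASE
    ),
}
# Tactic IDs (TA0001 ...) can also appear as strings anywhere in a payload.
TACTIC_ID_RULE = re.compile(r"\bTA\d{4}\b")


def _string_values(node):
    """Yield every string value in a parsed JSON document (keys excluded)."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _string_values(value)
    elif isinstance(node, list):
        for value in node:
            yield from _string_values(value)


def extract_techniques(payload: str) -> dict:
    """Run every extraction rule over every string in a JSON payload.

    Returns canonical technique IDs, the rule that first matched each,
    tactic names from a top-level "tactics" list (assumed field name),
    tactic IDs found anywhere, and a flag for the case discussed in this
    thread: a payload that carries tactics but no technique to map.
    """
    doc = json.loads(payload)
    matched_by = {}
    tactic_ids = set()
    for text in _string_values(doc):
        for rule_name, rule in TECHNIQUE_RULES.items():
            for m in rule.finditer(text):
                tid = "T" + m.group("tid")
                if m.group("sub"):
                    tid += "." + m.group("sub")
                matched_by.setdefault(tid, rule_name)
        tactic_ids.update(TACTIC_ID_RULE.findall(text))
    tactics = []
    if isinstance(doc, dict):
        tactics = [t for t in doc.get("tactics", []) if isinstance(t, str)]
    return {
        "techniques": sorted(matched_by),
        "matched_by": matched_by,
        "tactics": tactics,
        "tactic_ids": sorted(tactic_ids),
        "tactics_only": bool(tactics or tactic_ids) and not matched_by,
    }


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        result = extract_techniques(payload)
        status = "NO TECHNIQUE TO MAP" if result["tactics_only"] else "ok"
        print(status, result["techniques"], result["tactics"], result["tactic_ids"])
```

The third payload is the situation described later in this thread: the rules run fine, but there is simply no technique string in the data to extract, so the check has to move upstream to the alert or analytics rule that produced the incident.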

rawdy
Tera Contributor

Thanks Alex, this approach makes sense, but the Technique ID is not visible anywhere in the raw data via the import table.

Alex Cox
ServiceNow Employee

Oh, I see! Ultimately we do need that to come in from somewhere to make the extraction, of course.

I'd start with the raw log, or event, that is triggering these incidents from the third-party system. It should be there, if the team is saying it is! Then I'd look at the configuration of the rules on the Azure Sentinel integration, and see if perhaps those rules are not extracting that info.

Malte_K
Tera Expert

Hi @rawdy ,

Were you able to solve the problem? I know it has been quite a while, but I am facing the same problem at the moment.

Seems like the payload doesn't contain techniques, only the tactics. Maybe some misconfiguration on Azure Sentinel?

Thanks!

Regards
Malte