Need help mapping MITRE Tactics and Techniques from Azure Sentinel
01-13-2025 09:46 AM
Hi Community,
We’re currently implementing Security Incident Response (SIR) for a customer using the Microsoft Azure Sentinel integration. They’re looking to include MITRE ATT&CK information (Tactics and Techniques) in their Security Incidents; however, they do not appear to be licensed for the full Threat Intelligence suite. We do see raw data from Sentinel that includes both the Tactics and Techniques (T-numbers), and we also have the Technique Extraction Rules table (part of Threat Intelligence common, which ships with SIR).
Is there a way to bring this MITRE data into Security Incidents without having the full TI plugin/license? Any insights or best practices on how to accomplish this would be greatly appreciated!
Thanks in advance!
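Since the raw Sentinel data already carries the Tactics and Techniques values, the extraction step itself is small. The following Python script is an added example, not code from the original post or from the ServiceNow integration: it parses constructed sample alerts whose `Tactics`/`Techniques` field names are an assumption modelled on Sentinel's SecurityAlert columns, pulls out ATT&CK technique IDs (including sub-techniques such as `T1110.003`), and aggregates them per incident so they can be written to a custom field or matched against the Technique Extraction Rules table.

```python
import json
import re

# ATT&CK technique IDs: T followed by four digits, optionally a .NNN sub-technique.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

# Constructed sample alerts (not real Sentinel output). Field names are an
# assumption based on Sentinel's SecurityAlert Tactics/Techniques columns;
# the second alert shows free-text Techniques, the third an unmapped alert.
SAMPLE_ALERTS = [
    {
        "AlertName": "Suspicious sign-in from unfamiliar location",
        "Tactics": "InitialAccess,CredentialAccess",
        "Techniques": '["T1078","T1110.003"]',
    },
    {
        "AlertName": "Mass download by a single user",
        "Tactics": "Exfiltration",
        "Techniques": "T1530; T1078 also observed",
    },
    {"AlertName": "Alert with no mapping", "Tactics": "", "Techniques": ""},
]


def parse_tactics(raw):
    """Split the comma-separated Tactics string into a list of tactic names."""
    return [t.strip() for t in (raw or "").split(",") if t.strip()]


def parse_techniques(raw):
    """Extract technique IDs from a JSON array or free text, deduplicated in order."""
    if not raw:
        return []
    try:
        items = json.loads(raw)
        text = " ".join(str(i) for i in items) if isinstance(items, list) else str(items)
    except ValueError:
        text = raw  # not JSON: fall back to scanning the raw string
    found = []
    for tid in TECHNIQUE_RE.findall(text):
        if tid not in found:
            found.append(tid)
    return found


def parent_technique(tid):
    """Return the parent technique of a sub-technique (T1110.003 -> T1110)."""
    return tid.split(".")[0]


def mitre_summary(alerts):
    """Aggregate tactics and techniques across all alerts of one incident."""
    tactics, techniques, parents, per_alert = [], [], [], {}
    for alert in alerts:
        t = parse_tactics(alert.get("Tactics"))
        k = parse_techniques(alert.get("Techniques"))
        per_alert[alert["AlertName"]] = {"tactics": t, "techniques": k}
        for name in t:
            if name not in tactics:
                tactics.append(name)
        for tid in k:
            if tid not in techniques:
                techniques.append(tid)
            parent = parent_technique(tid)
            if parent not in parents:
                parents.append(parent)
    return {
        "tactics": tactics,
        "techniques": techniques,
        "parent_techniques": parents,
        "per_alert": per_alert,
    }


if __name__ == "__main__":
    print(json.dumps(mitre_summary(SAMPLE_ALERTS), indent=2))
```

The regex-based fallback matters because Sentinel analytic rules and third-party connectors do not always deliver `Techniques` as a clean JSON array; the parent-technique list is what you would match against extraction rules keyed on top-level technique IDs.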
03-10-2025 01:07 AM
Hi @Dhruv Gupta1, we have the TI plugin activated on our instance and have the same requirement.
Kindly help us with the steps.
Thanks,
Pooja
05-02-2025 06:45 AM
Hi Travis,
See if the note I have put in this post helps. I have got it working without any extra coding:
https://www.servicenow.com/community/secops-forum/auto-technique-extraction-rule-for-azure-sentinel/...
AJ