Need help mapping MITRE Techniques from Azure Sentinel to SIR Tactics and Techniques
03-12-2025 01:50 AM
Hi Team,
We are building an integration between Microsoft Azure Sentinel and the ServiceNow SIR record. Sentinel has the MITRE Technique ID, and we want to fetch that ID and map it to the Tactics and Techniques fields in the SIR record.
Please be informed that we have the Threat Intelligence plugin active in our instance.
Any urgent response will help us.
Thanks,
Pooja

03-12-2025 05:10 AM
Hi there.
By chance have you opened a ServiceNow Support Case for assistance?
The Store App integration available today, combined with Threat Intelligence (from SIR, not TISC), should do the trick, with a few configuration updates.
After you install the Azure Sentinel for SIR Store App, you may need to update a property that sets which version of the Azure Sentinel Incident API is used. This is because the default version it is set to use only pulls MITRE Tactics and not Techniques.
- https://learn.microsoft.com/en-us/rest/api/securityinsights/api-versions
- https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/secops-integration-...
- The Property in ServiceNow is called "sn_sec_sentinel.sentinel_security_incident_api_version"
- The Default Value is [2021-10-01]
- The Version that has both, MITRE Techniques and Tactics would be [2024-03-01] (or later)
Then you would ensure you have the MITRE Technique Extraction Rule feature set up for Azure Sentinel.
- https://www.servicenow.com/docs/bundle/yokohama-security-management/page/product/secops-integration-...
- This will parse out the MITRE Tactics and Techniques from the raw import payload table (Sentinel) and the incoming field we choose (e.g. `properties(additionalData(tactics))`).
03-12-2025 05:56 AM - edited 03-12-2025 06:01 AM
Hi @andy_ojha ,
Thank you for the reply. We have already configured the integration between Sentinel and SIR in ServiceNow. Kindly correct me if the steps to be followed further are:
1. Update the version of system property "sentinel_security_incident_api_version".
2. Create Extraction rule as attached in screenshot.
Please be informed that our integration configuration and Azure profiles are in a particular domain.
Are these steps enough, or do we need to write any BR to map techniques and tactics?
Kindly suggest. Thanks in advance!
Regards,
Pooja

03-12-2025 06:48 AM
Hey there - that should work.
You may need to test that Extraction Rule (SIEM, with that field `IncidentRaw`). Another object/field that may work (based on your testing) is `properties(additionalData(tactics))`, if `IncidentRaw` does not work.
03-14-2025 02:27 AM - edited 03-17-2025 03:17 AM
Hi @andy_ojha ,
After updating the version, below is the payload for techniques and tactics:
properties(additionalData(tactics))":{"value":"Persistence"},"properties(additionalData(techniques))":{"value":"T1078, T1098"},"
OR
properties(additionalData(tactics))":{"value":"DefenseEvasion"},"properties(additionalData(techniques))":{"value":"T1562"}
But with the extraction rule written as suggested, the SIR record field values for MITRE Technique and Tactic are not being updated.
Can you please suggest how we can update these SIR fields with the provided payload?
Thanks in advance!
Pooja
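An added example, not code from this thread or from the ServiceNow Store app: it parses the flattened Sentinel payload shown above into normalised tactic and technique lists, which is the step an extraction rule or Business Rule has to perform before writing the SIR fields. It assumes the field names exactly as posted, comma-separated values, and is written in ES5 so the same function could run under the ServiceNow script engine; the write-back to the SIR record is left out.

```javascript
// Added example: turn the flattened Sentinel import payload into clean MITRE lists.
// Assumption: the two flattened keys are named exactly as in the posted payload.
var TACTICS_KEY = 'properties(additionalData(tactics))';
var TECHNIQUES_KEY = 'properties(additionalData(techniques))';

// Sentinel uses enum-style tactic names ("DefenseEvasion") while ATT&CK display
// names have spaces ("Defense Evasion"); split on the CamelCase boundary.
function tacticDisplayName(raw) {
  return raw.trim().replace(/([a-z])([A-Z])/g, '$1 $2').replace(/ And /g, ' and ');
}

// Split a comma/semicolon-separated list, dropping blanks and duplicates.
function splitList(value) {
  if (!value) return [];
  var seen = {};
  return String(value).split(/[,;]/)
    .map(function (s) { return s.trim(); })
    .filter(function (s) { return s && !seen[s] && (seen[s] = true); });
}

// A technique ID looks like T1078, a sub-technique like T1078.004.
var TECHNIQUE_ID = /^T\d{4}(\.\d{3})?$/;

// Accepts the raw JSON string or an already-parsed object and returns
// { tactics: [...], techniques: [...], rejected: [...] }; anything that is
// not a well-formed technique ID goes to `rejected` instead of being written.
function extractMitre(payload) {
  var obj = typeof payload === 'string' ? JSON.parse(payload) : payload;
  var tacticsField = obj[TACTICS_KEY] || {};
  var techField = obj[TECHNIQUES_KEY] || {};
  var all = splitList(techField.value);
  return {
    tactics: splitList(tacticsField.value).map(tacticDisplayName),
    techniques: all.filter(function (t) { return TECHNIQUE_ID.test(t); }),
    rejected: all.filter(function (t) { return !TECHNIQUE_ID.test(t); })
  };
}

// Constructed sample payloads mirroring the two fragments posted in the thread.
var SAMPLE_PERSISTENCE = '{"' + TACTICS_KEY + '":{"value":"Persistence"},' +
  '"' + TECHNIQUES_KEY + '":{"value":"T1078, T1098"}}';
var SAMPLE_EVASION = '{"' + TACTICS_KEY + '":{"value":"DefenseEvasion"},' +
  '"' + TECHNIQUES_KEY + '":{"value":"T1562"}}';

if (typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(extractMitre(SAMPLE_PERSISTENCE)));
  console.log(JSON.stringify(extractMitre(SAMPLE_EVASION)));
}
```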