
Need help mapping MITRE Techniques from Azure Sentinel to SIR Tactics and Techniques

Pooja P
Tera Contributor

Hi Team,

 

We are building an integration between Microsoft Azure Sentinel and the ServiceNow SIR record. Sentinel has the MITRE Technique ID, and we want to fetch that ID and map it to the Tactics and Techniques fields in the SIR record.

 

Please be informed that we have the Threat Intelligence plugin active in our instance.

 

Any urgent response will help us.

 

Thanks,

Pooja

7 REPLIES

andy_ojha
ServiceNow Employee

Hi there -- apologies, your config seems correct and aligned with the similar posts that folks have made recently.

As others suggested, unfortunately we will want to create a NOW Support Case for this.

You mentioned "Particular Domain" in your first response - did you mean NOW Platform Domain Separation?  I believe that should not be an issue, but worth mentioning on the Support Case you open.

@andy_ojha Andy, we sorted this MITRE ATT&CK issue by upgrading the Integration plugin.

But we are facing one more issue: we want to fetch the Site name from Sentinel, but even after the upgrade of the plugin we cannot see the site name in the Incident raw, and even in the Azure profile mapping we cannot see that field.

Finally, we want to map the site name from Sentinel to the Business Unit of SIR.

 

Can you please suggest on this.

 

Thanks,

Pooja

AJ_UK
Tera Contributor

Hi Pooja,

See if the note I have put in this post helps. I have got it working without any extra coding:
https://www.servicenow.com/community/secops-forum/auto-technique-extraction-rule-for-azure-sentinel/...

AJ