SIEM Auto Technique Extraction Rule

Rash99
Tera Contributor

Hi,

We have an API from Sentinel which creates records directly into the sn_si table as a Security Incident. This integration currently passes the MITRE Technique T numbers into a custom "techniques" field, and the Tactic numbers into a different custom field; multiple T numbers can be passed into the Technique field.

I have activated the MITRE ATT&CK configurations and can populate the MITRE ATT&CK card manually on the Security Incident. I would like to automate this, however, based on the OOTB SIEM auto technique extraction rule.


I have confirmed the RegEx can parse the techniques out of the raw JSON.

My solution:

1. Reconfigure the Sentinel integration to create a record onto the sn_si staging table instead of directly into the sn_si table, as is today.

2. Apply the SIEM auto-extraction rule against the "Technique" custom field and the import table of sn_si.

This in theory should auto-populate the MITRE ATT&CK card, but it doesn't seem to do anything.

I have tried to post an Incident via the API to the sn_si staging table using Postman, replicating a Sentinel Incident. Although the Security Incident is created fine, the rule does not seem to be working and the auto-mapping of the techniques onto the card is not happening.


Does anyone have any suggestions?

I can create a customisation to create the record into the correct table as per this link https://www.servicenow.com/community/secops-forum/associate-mitre-att-amp-ck-via-servicenow-api/m-p/...  but I don't understand why the OOTB rule isn't working...


7 REPLIES

Martin Dewit
Kilo Sage

Assuming you have the Sentinel integration for SecOps store app and it is already ingesting Sentinel Incidents and creating SIRs - the Sentinel Incident Raw is where you should find the related MITRE Tactic/Technique based on what is already set on the Incident in Sentinel. The Technique Extraction Rules should work if you are using "Azure Sentinel Incident Import" as your Import Table and "Incident Raw" as your Import Field. The RegEx should find your Tactics/Techniques in the Incident Raw. Although I have noticed that the Sentinel API uses Tactic name (InitialAccess) instead of TA------(TA0001), I believe with just the Technique it will add the parent Tactic automatically. There is also the option of changing the Process Method to Scripting.
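The two things this thread turns on are (a) pulling T numbers out of a raw incident payload or a comma-separated custom field with a regex, and (b) the mismatch Martin notes between Sentinel's tactic names ("InitialAccess") and ATT&CK tactic IDs ("TA0001"). The following is an added, standalone Node.js illustration of that extraction and normalisation; it is not the OOTB SIEM technique extraction rule, not the Sentinel store app, and not ServiceNow server-side code. The incident shape (`properties.additionalData.tactics`) and the sample payload are constructed for the example, and the tactic-name table is the ATT&CK Enterprise tactic list.

```javascript
// Added example, not code from the original thread or from ServiceNow/Sentinel.
// Demonstrates regex extraction of ATT&CK technique ids from raw incident text
// (or a comma-separated custom field) and normalisation of tactic names to
// TA ids, the two points discussed above.

// Technique or sub-technique id: T1078, T1059.001, ...
// \b on both sides keeps "T10780" (five digits) from matching as T1078.
const TECHNIQUE_RE = /\bT\d{4}(?:\.\d{3})?\b/g;

// Sentinel reports tactics by name rather than TA id; map names to ids so
// both forms end up as the same value. ATT&CK Enterprise tactics only.
const TACTIC_IDS = {
  reconnaissance: 'TA0043',
  resourcedevelopment: 'TA0042',
  initialaccess: 'TA0001',
  execution: 'TA0002',
  persistence: 'TA0003',
  privilegeescalation: 'TA0004',
  defenseevasion: 'TA0005',
  credentialaccess: 'TA0006',
  discovery: 'TA0007',
  lateralmovement: 'TA0008',
  collection: 'TA0009',
  commandandcontrol: 'TA0011',
  exfiltration: 'TA0010',
  impact: 'TA0040',
};

// Accepts "InitialAccess", "Initial Access", "initial_access" or "TA0001";
// returns the TA id, or null if the name is not a known tactic.
function normaliseTactic(value) {
  const v = String(value).trim();
  if (/^TA\d{4}$/i.test(v)) return v.toUpperCase();
  const key = v.replace(/[\s_-]/g, '').toLowerCase();
  return TACTIC_IDS[key] || null;
}

// Unique, sorted technique ids from any string: raw JSON, a description,
// or a custom field such as "T1078, T1059.001;T1078".
function extractTechniques(text) {
  const found = new Set();
  for (const m of String(text).matchAll(TECHNIQUE_RE)) found.add(m[0]);
  return [...found].sort();
}

// Parse a raw incident: techniques via regex over the whole payload text,
// tactics from the structured list. Unknown tactic names are reported rather
// than silently dropped, so a rule author can see what failed to map.
function extractFromRawIncident(rawJson) {
  const incident = JSON.parse(rawJson);
  const techniques = extractTechniques(rawJson);
  const tactics = new Set();
  const unknownTactics = [];
  const tacticList = (incident.properties &&
    incident.properties.additionalData &&
    incident.properties.additionalData.tactics) || [];
  for (const t of tacticList) {
    const id = normaliseTactic(t);
    if (id) tactics.add(id); else unknownTactics.push(t);
  }
  return { techniques, tactics: [...tactics].sort(), unknownTactics };
}

// Constructed sample resembling a Sentinel incident; field names are an
// assumption for the example, not the real API schema.
const SAMPLE_RAW_INCIDENT = JSON.stringify({
  name: 'example-incident',
  properties: {
    title: 'Suspicious sign-in followed by PowerShell',
    severity: 'High',
    additionalData: {
      tactics: ['InitialAccess', 'Execution', 'NotARealTactic'],
      techniques: ['T1078', 'T1059.001', 'T1078'],
    },
    description: 'Analyst notes also reference T1566 and ticket T10780.',
  },
});

// Usage: node extract.js
console.log(JSON.stringify(extractFromRawIncident(SAMPLE_RAW_INCIDENT)));
```

Running it on the sample yields techniques `T1059.001`, `T1078` and `T1566` (the duplicate collapsed and the five-digit ticket number ignored), tactics `TA0001` and `TA0002`, and `NotARealTactic` reported as unmapped. When checking a rule that "does nothing", the same three things are worth verifying in order: the regex actually matches the field's string form, the tactic values are in a form the rule expects, and the result is being written to the staging record the rule is pointed at.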

Rash99
Tera Contributor

Hi Martin, 

Thanks for the reply. We aren't using the SecOps store application currently; we are using the Table API to create the Security Incident. Should this be an issue, though? The SIEM rule is essentially set up against a table and a field; mine is pointing directly at sn_si_incident_import and the custom field, which in theory should be able to parse the info and create the MITRE association.