SIEM Auto Technique Extraction Rule

Rash99
Tera Contributor

Hi,

We have an API from Sentinel which creates records directly in the sn_si table as Security Incidents. This integration currently passes the MITRE Technique T numbers into a custom "techniques" field, as well as the Tactic numbers into a different custom field; multiple T numbers can be passed into the Technique field.

I have activated the MITRE ATT&CK configurations and can populate the MITRE ATT&CK card manually on the Security Incident. I would like to automate this, however, based on the OOTB SIEM auto technique extraction rule.

I have confirmed the RegEx can parse the techniques out of the raw JSON.

My solution:

1. Reconfigure the Sentinel integration to create a record on the sn_si staging table instead of directly in the sn_si table, as it does today.

2. Apply the SIEM auto-extraction rule against the "Technique" custom field and the import table of sn_si.

In theory this should auto-populate the MITRE ATT&CK card, but it doesn't seem to do anything.

I have tried to post an incident via the API to the sn_si staging table using Postman, replicating a Sentinel incident. Although the Security Incident is created fine, the rule does not seem to be working and the auto-mapping of the techniques onto the card is not happening.

Does anyone have any suggestions?

I can build a customisation to create the record in the correct table, as per this link https://www.servicenow.com/community/secops-forum/associate-mitre-att-amp-ck-via-servicenow-api/m-p/..., but I don't understand why the OOTB rule isn't working...
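
The two things the post above checks by hand (that a regex pulls the T numbers out of the raw Sentinel JSON, and what the Postman call to the staging table looks like) can be scripted. The following is an added example, not code from the original post or from ServiceNow; it assumes a hypothetical instance name dev12345, a hypothetical staging table u_sn_si_import with columns u_short_description, u_description, u_raw_json, u_techniques and u_tactics, and a Sentinel-shaped incident constructed inline for the example. Only the Import Set API path /api/now/import/{stagingTableName} is a real ServiceNow endpoint; everything else should be replaced with the names on your instance.

```python
import base64
import json
import re
import urllib.request
from typing import Dict, List, Pattern, Tuple

# MITRE ATT&CK identifier patterns. A technique is T plus four digits with an
# optional three-digit sub-technique suffix (T1059, T1059.001); a tactic is
# TA plus four digits (TA0002). The \b anchors reject look-alikes such as T10590.
TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")
TACTIC_RE = re.compile(r"\bTA\d{4}\b")

# Constructed sample shaped like the part of a Sentinel incident that carries
# ATT&CK data. It is made up for this example, not a captured incident, and it
# deliberately repeats one technique and includes the decoy string "T10590".
SAMPLE_INCIDENT = {
    "properties": {
        "title": "Suspicious PowerShell execution after phishing email",
        "severity": "High",
        "description": (
            "Encoded PowerShell (T1059.001) launched from an attachment "
            "(T1566.002). Ticket ref T10590 is not a technique."
        ),
        "additionalData": {
            "techniques": ["T1059", "T1059.001"],
            "tactics": ["TA0002", "TA0001"],
        },
    }
}
SAMPLE_RAW = json.dumps(SAMPLE_INCIDENT)


def extract_ids(raw_json: str, pattern: Pattern[str]) -> List[str]:
    """Return every ID matching `pattern` in the raw JSON, de-duplicated and in
    order of first appearance. This is the set the extraction rule's regex has
    to produce before anything can be mapped onto the MITRE card."""
    seen: Dict[str, None] = {}
    for match in pattern.findall(raw_json):
        seen.setdefault(match, None)
    return list(seen)


def build_import_set_request(instance: str, staging_table: str, incident: dict,
                             technique_field: str = "u_techniques",
                             tactic_field: str = "u_tactics") -> Tuple[str, Dict[str, str]]:
    """Build the Import Set API call that lands the incident on the staging
    table instead of directly in sn_si. The staging table and the u_* column
    names are assumptions for this example. POST /api/now/import/{table}
    creates the import set row that the transform map then turns into the
    Security Incident."""
    raw = json.dumps(incident)
    props = incident["properties"]
    url = f"https://{instance}.service-now.com/api/now/import/{staging_table}"
    body = {
        "u_short_description": props["title"],
        "u_description": props["description"],
        "u_raw_json": raw,
        # Comma-separated, matching the post's "multiple T numbers in one field".
        technique_field: ",".join(extract_ids(raw, TECHNIQUE_RE)),
        tactic_field: ",".join(extract_ids(raw, TACTIC_RE)),
    }
    return url, body


def post_import_set_row(url: str, body: Dict[str, str], user: str, password: str) -> dict:
    """Send the request (not exercised offline). Basic auth is fine for a dev
    instance; use an integration user limited to the import set role, or OAuth,
    anywhere else."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "Accept": "application/json",
            "Authorization": f"Basic {token}",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    url, body = build_import_set_request("dev12345", "u_sn_si_import", SAMPLE_INCIDENT)
    print(url)
    print(json.dumps(body, indent=2))
```

Running the block prints the request it would send; the de-duplicated technique list is what you should compare against the values the extraction rule writes to the card, and the decoy T10590 confirms the word-boundary anchors are doing their job.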



I looked into the logic behind the Technique Extraction Rules. The Business Rule "Run Technique" specifically looks at sys_import_set_row to run the Script Include "MITREAutoExtraction". So if your current integration with Sentinel doesn't utilise Import Sets, then I do not think the OOB Technique Extraction Rules will work.

Hi,

The integration I have built in my dev instance does use the sn_si import table, and therefore would use an import set. As I stated in the original post, the Security Incident is created; however, the MITRE mapping doesn't occur.

AJ_UK
Tera Contributor

Hi Rash,

See if the note I have put in this post helps. I have got it working without any extra coding:
https://www.servicenow.com/community/secops-forum/auto-technique-extraction-rule-for-azure-sentinel/...

AJ