Forum Discussion

dmarquesgn
Iron Contributor
Jun 02, 2023

Align Sentinel incident taxonomy with ENISA

Hi,

I'm now starting to work with Microsoft Sentinel, and I quite like it. Before we can do a more complete implementation and go into production with it, one of the things I would like is to align incidents with the incident taxonomy suggested by ENISA, which is here:

https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy/at_download/fullReport


Has anyone found a way to define the taxonomy in Sentinel according to ENISA taxonomy?


Thanks

4 Replies

  • Hi dmarquesgn,


    Interesting question. Given that Sentinel's contextualisation is heavily based on the MITRE ATT&CK framework (amongst some other categories as well), I believe you could achieve what you ask through Tags. Unfortunately, it is not possible through Analytics > Rules to automatically assign a tag upon creation of an incident, but you may create Automation rules (Automation > Create > Automation rule) and, based on the analytic rule name, automatically assign your custom tags to incidents.


    Taking it one step further, you may search for the Tags of your incidents from the Incidents blade in Sentinel, but you may also use KQL to search for your tagged security incidents, as described by Clive_Watson: https://techcommunity.microsoft.com/t5/microsoft-sentinel/what-s-new-tags-column-is-now-available-in-azure-sentinel/m-p/3735948/highlight/true#M10591


    If I have answered your question, please mark your post as Solved

    If you like my response, please consider giving it a like

    • dmarquesgn
      Iron Contributor

      cyb3rmik3 

      Thanks for the input. I've also thought about tags as an option, but I also thought that, ENISA being well known in Europe, Sentinel might already have some way to fit into their taxonomy.

      And is there any possible way to automate the creation of tags according to the MITRE ATT&CK framework already stated in each incident?


      Thanks

      • cyb3rmik3
        Microsoft

        Hello dmarquesgn,


        You can follow the exact same method I described earlier, but choose "Tactic" as a condition in your automation rules to assign your custom tags.


        If I have answered your question, please mark your post as Solved

        If you like my response, please consider giving it a like
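Once automation rules (keyed on analytic rule name or on Tactic, as the replies above describe) are tagging incidents, the practical question is how to verify that every incident actually carries the ENISA tag the policy expects. The following KQL query is an added example written for this thread; it is not code from the thread or from Microsoft. It assumes three things, all of which are labelled in the comments: a tag naming convention of "ENISA:<category>" applied by the automation rules, an illustrative (not official) mapping from MITRE ATT&CK tactics to ENISA Reference Security Incident Taxonomy top-level categories that you should replace with your own policy, and that SecurityIncident's AdditionalData.tactics field carries the incident's tactics in camel-case form (for example "InitialAccess"). It lists incidents whose latest state is missing an expected tag, including incidents with no tactic at all, which fall into the ENISA "Other" category so they are not silently skipped.

```kql
// Added example for this thread, not Sentinel's own or the thread author's code.
// ASSUMPTION: automation rules apply tags named "ENISA:<category>".
// ASSUMPTION: the tactic -> ENISA category mapping below is illustrative policy,
//             not an official crosswalk; adjust it to your own classification decisions.
// ASSUMPTION: AdditionalData.tactics holds MITRE tactic names without spaces.
let TacticToEnisa = datatable(Tactic:string, EnisaCategory:string) [
    "Reconnaissance",      "Information Gathering",
    "Discovery",           "Information Gathering",
    "InitialAccess",       "Intrusion Attempts",
    "Execution",           "Intrusions",
    "Persistence",         "Intrusions",
    "PrivilegeEscalation", "Intrusions",
    "CredentialAccess",    "Intrusions",
    "LateralMovement",     "Intrusions",
    "Exfiltration",        "Information Content Security",
    "Impact",              "Availability"
];
let EnisaPrefix = "ENISA:";
SecurityIncident
| where TimeGenerated > ago(30d)
// SecurityIncident stores one row per incident update; keep only the latest state
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// Incidents with no tactic get a placeholder so they still produce a row below
| extend TacticList = AdditionalData.tactics
| extend TacticList = iff(array_length(TacticList) > 0, TacticList, dynamic(["(none)"]))
// One row per (incident, tactic)
| mv-expand Tactic = TacticList to typeof(string)
| join kind=leftouter TacticToEnisa on Tactic
// Unmapped tactics and the "(none)" placeholder map to the ENISA "Other" category
| extend EnisaCategory = iff(isempty(EnisaCategory), "Other", EnisaCategory)
| extend ExpectedTag = strcat(EnisaPrefix, EnisaCategory)
// Labels is an array of {labelName, labelType}; a substring check is enough for "ENISA:<category>"
| extend HasExpectedTag = tostring(Labels) contains ExpectedTag
| summarize ExpectedTags = make_set(ExpectedTag),
            MissingTags  = make_set_if(ExpectedTag, not(HasExpectedTag)),
            Tactics      = make_set(Tactic)
          by IncidentNumber, Title, Severity, Status
| where array_length(MissingTags) > 0
| order by IncidentNumber desc
```

Run it from Logs in the Sentinel workspace; an empty result means every recent incident carries the tags the mapping predicts. Because an incident can carry several tactics, one incident can legitimately expect more than one ENISA tag, which is why the query reports sets rather than a single value; decide in your policy whether that is acceptable or whether the automation rules should apply only the category of the most severe tactic.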