Forum Discussion
Align Sentinel incident taxonomy with ENISA
Hi dmarquesgn,
Interesting question. Given that Sentinel's contextualization is heavily based on the MITRE ATT&CK framework (amongst some other categories as well), I believe you could achieve what you ask through Tags. Unfortunately, it is not possible to automatically assign a tag through Analytics > Rules upon creation of an incident, but you may create Automation rules (Automation > Create > Automation rule) and, based on the analytic rule name, automatically assign your custom tags to incidents.
Taking it one step further, you may search for the Tags of your incidents from the Incidents blade in Sentinel, but you may also use KQL to search for your tagged security incidents, as shown by Clive_Watson: https://techcommunity.microsoft.com/t5/microsoft-sentinel/what-s-new-tags-column-is-now-available-in-azure-sentinel/m-p/3735948/highlight/true#M10591
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
Thanks for the input. I've also thought about tags as an option, but I also thought that, ENISA being well known in Europe, Sentinel might already have some way to fit into their taxonomy.
And is there any possible way to automate the creation of tags according to the MITRE ATT&CK framework already stated in each incident?
Thanks
- cyb3rmik3, Jun 02, 2023, Microsoft
Hello dmarquesgn,
you can follow the exact same method as I described earlier, but choose "Tactic" as a condition in your automation rules to assign your custom tags.
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
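An added example, not code from the thread or from Microsoft, tying the two answers above together: once automation rules assign tags based on the Tactic condition, the SecurityIncident table lets you verify the coverage. It assumes the documented SecurityIncident schema (a dynamic `Labels` array of `{LabelName, LabelType}` objects and `AdditionalData.tactics` carrying the ATT&CK tactics); the `ENISA:` tag prefix is a constructed naming convention for the custom tags, not something Sentinel defines.

```kql
// Added example, not from the thread. Assumes the SecurityIncident table as documented:
// Labels is a dynamic array of {LabelName, LabelType} objects and AdditionalData.tactics
// carries the MITRE ATT&CK tactics. The "ENISA:" tag prefix is a constructed convention
// for tags assigned by the Tactic-based automation rules.
SecurityIncident
| where TimeGenerated > ago(30d)
// Every incident update writes a new row; keep only the latest state per incident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// Flatten the label objects into a plain list of tag names
| mv-apply Label = Labels on (
    summarize TagNames = make_set(tostring(Label.LabelName))
  )
| extend Tactics = AdditionalData.tactics
| extend HasEnisaTag = tostring(TagNames) contains "ENISA:"
// Incidents that carry tactics but no ENISA tag show which tactics the automation rules miss
| where array_length(Tactics) > 0 and not(HasEnisaTag)
| project IncidentNumber, Title, Severity, Status, LastModifiedTime, Tactics, TagNames
| order by LastModifiedTime desc
```

Drop the `where array_length(Tactics) > 0 and not(HasEnisaTag)` line to list every incident with its tactics and tags instead of only the gaps; the `arg_max` step matters either way, because without it each incident appears once per update and the tag counts are inflated.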
- dmarquesgn, Jun 07, 2023, Iron Contributor
Hi,
I'll go ahead and try the Tags in order to achieve what I need.
Now I want to start by creating my tags. Where do I have an option to see all tags and create some new tags?
Thanks