Mitre information missing from incident

Question

GreetingsI have a tough time getting the MITRE parsing to work for one of my integrations. It's a security platform that's sending incidents to Sentinel using CEF and they arrive into Log Analytics looking like this, it's been truncated for clarity etc.Now, in the analytics rule under Alert Details I've tried different settings for the tactics and/or techniques using either the mitre_id column or mitre_name but none of those ever show up in the incident.&nbsp;Does anyone have any pointers on how to get this to work?/Fredrik

clive_watson · Answer

TheHoff70&nbsp;&nbsp;The Columns have to be in the returned data from the Alert, so the drop down will show you whats there or the Column name will error (see red text), if its missing you will have to add an Entity first

thehoff70 · Answer

Clive_Watson&nbsp;Maybe I misunderstand your answer but my initial post show what's seen by sentinel in the alert. In the analysis rule I've tried with with the column holding the Mitre ID or the Mitre name and neither work. The respective columns are visible and selectable without error in the analytics rule.

clive_watson · Answer

I showed the Alert Details to answer this: "Now, in the analytics rule under Alert Details I've tried different settings for the tactics and/or techniques" Are you not getting an error in that part of the Analytic setup? If no error, which sounds like your situation then, the Values should appear in the Alert Name or Description of the Alert.

So if we use this as and example

Alert from {{Mitre_id}}

Do you just get the "Alert from " part in the Name / Description? Or do you get nothing?

https://learn.microsoft.com/en-gb/azure/sentinel/customize-alert-details?tabs=azure#how-to-customize-alert-details

thehoff70 · Answer

Clive_Watson&nbsp;Ah, now I understand. I've configured Alert Description to include the variables for Mitre ID and name and these are visible in the incident description, as shown below (some data deleted) but not as the Tactics or Techniques for the whole incident.&nbsp;&nbsp;&nbsp;&nbsp;Update: I've dug around in the documentation for the security platform sending to Sentinel and it seems it doesn't operate with Tactics, it is only able to send Techniques.&nbsp;&nbsp;

thehoff70 · Answer

TheHoff70&nbsp;I've always felt it to be cheesy to answer ones own question but since I've made sort of a breakthrough I needed to point it out for anyone else trying to integrate external Mitre into Sentinel.It seems Sentinel will access dynamic Mitre Tactics by name as long as I remove any spaces in the name.&nbsp;For example "Credential Access" is seen throughout Sentinel but isn't accepted if it's parsed in that form by my analytics rule. "CredentialAccess" is ok and show up in the incident.Regarding techniques I haven't been able to map those yet, regardless if I send in the ID in the form of TIxxx or the related name without spaces.&nbsp;/Fredrik

Forum Discussion

Mitre information missing from incident

5 Replies

Resources