Forum Discussion
Solved
Mitre link from Sentinel into Service Now
Hi all I am wondering before I start work on it whether anyone has built or is looking to build Mitre framework correlation of Tactics and Techniques from Sentinel into SIR ServiceNow. I can s...
- You can extend the Workbook query to also lookup the Techniques as well as the Tactics per Rule.
let SentinelGithub = (externaldata(MITREMatrix: string, Tactic: string, TechniqueId:string, TechniqueName:string, Platform: string , DetectionType: string , DetectionService: string , DetectionId: string, DetectionName: string, DetectionDescription: string, ConnectorId: string, DataTypes: string, Query: string , QueryFrequency: string , QueryPeriod:string , TriggerOperator: string, TriggerThreshold: string, DetectionSeverity: string, DetctionUrl: string, IngestedDate: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/MITRE%20ATT%26CK/AzureSentinel.csv"]
);
SentinelGithub
| where isnotempty(Tactic)
| summarize make_set(TechniqueId), make_set(Tactic) by DetectionName, DetectionDescription, DataTypes, Query, DetctionUrl
You can extend the Workbook query to also lookup the Techniques as well as the Tactics per Rule.
let SentinelGithub = (externaldata(MITREMatrix: string, Tactic: string, TechniqueId:string, TechniqueName:string, Platform: string , DetectionType: string , DetectionService: string , DetectionId: string, DetectionName: string, DetectionDescription: string, ConnectorId: string, DataTypes: string, Query: string , QueryFrequency: string , QueryPeriod:string , TriggerOperator: string, TriggerThreshold: string, DetectionSeverity: string, DetctionUrl: string, IngestedDate: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/MITRE%20ATT%26CK/AzureSentinel.csv"]
);
SentinelGithub
| where isnotempty(Tactic)
| summarize make_set(TechniqueId), make_set(Tactic) by DetectionName, DetectionDescription, DataTypes, Query, DetctionUrl
let SentinelGithub = (externaldata(MITREMatrix: string, Tactic: string, TechniqueId:string, TechniqueName:string, Platform: string , DetectionType: string , DetectionService: string , DetectionId: string, DetectionName: string, DetectionDescription: string, ConnectorId: string, DataTypes: string, Query: string , QueryFrequency: string , QueryPeriod:string , TriggerOperator: string, TriggerThreshold: string, DetectionSeverity: string, DetctionUrl: string, IngestedDate: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/MITRE%20ATT%26CK/AzureSentinel.csv"]
);
SentinelGithub
| where isnotempty(Tactic)
| summarize make_set(TechniqueId), make_set(Tactic) by DetectionName, DetectionDescription, DataTypes, Query, DetctionUrl
Clive - thanks for taking the time to reply ... will have a look at this now - have a great day