Microsoft Tech Community

Align Sentinel incident taxonomy with ENISA


Hi,

I'm starting now to work with Microsoft Sentinel, and quite like it. Before we can do a more complete implementation and go into production with it, one of the things that I would like is to align incidents with the incident taxonomy suggested by ENISA, which is here:

https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy/at_download/full...

Has anyone found a way to define the taxonomy in Sentinel according to the ENISA taxonomy?

Thanks

4 Replies

Hi @dmarquesgn,

Interesting question. Given that Sentinel's contextualization is heavily based on the MITRE ATT&CK framework (amongst some other categories as well), I believe you could achieve what you ask through Tags. Unfortunately, it is not possible through Analytics > Rules to automatically assign a tag upon creation of an incident, but you may create Automation rules (Automation > Create > Automation rule) and, based on the analytic rule name, automatically assign your custom tags to incidents.


Taking it one step further, you may search for the Tags of your incidents from the Incidents blade in Sentinel, but you may also use KQL to search for your tagged security incidents, as described by @Clive_Watson: https://techcommunity.microsoft.com/t5/microsoft-sentinel/what-s-new-tags-column-is-now-available-in....


If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like

@cyb3rmik3 

Thanks for the input. I've also thought about tags as an option, but I also thought that, since ENISA is well known in Europe, Sentinel might already have some way to fit into their taxonomy.

And is there any possible way to automate the creation of tags according to the MITRE ATT&CK framework already stated in each incident?


Thanks

@dmarquesgn hello,

You can follow the exact same method I described earlier, but choose "Tactic" as a condition in your automation rules to assign your custom tags.

[Screenshot attached: cyb3rmik3_0-1685771892854.png]


If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like
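The two replies above describe assigning tags through automation rules keyed on the analytic rule name or on the Tactic condition, and then searching tagged incidents with KQL. The query below is an added example, not from this thread and not Microsoft's or ENISA's code: it runs against the SecurityIncident table and lists open incidents whose MITRE tactic has no matching ENISA tag, so gaps in the automation rules can be spotted. The tag format "ENISA:<category>" and the tactic-to-category mapping in the datatable are assumptions made here for illustration; adjust both to whatever your automation rules actually write.

```kql
// Added example (assumption: automation rules write tags of the form "ENISA:<category>").
// The tactic -> ENISA top-level category mapping below is an illustrative assumption, not ENISA's own.
let TacticToEnisa = datatable(Tactic:string, EnisaCategory:string) [
    "Reconnaissance",      "Information Gathering",
    "InitialAccess",       "Intrusion Attempts",
    "Execution",           "Malicious Code",
    "Persistence",         "Intrusions",
    "PrivilegeEscalation", "Intrusions",
    "CredentialAccess",    "Intrusions",
    "LateralMovement",     "Intrusions",
    "Exfiltration",        "Information Content Security",
    "Impact",              "Availability"
];
SecurityIncident
| summarize arg_max(TimeGenerated, *) by IncidentNumber       // latest state of each incident
| where Status != "Closed"
| extend TagNames = tostring(Labels)                          // Labels is an array of {labelName, labelType}
| mv-expand Tactic = AdditionalData.tactics to typeof(string) // one row per tactic on the incident
| lookup kind=leftouter TacticToEnisa on Tactic
| where isnotempty(EnisaCategory)                             // tactics without a mapping are ignored
| extend ExpectedTag = strcat("ENISA:", EnisaCategory)
| extend Tagged = TagNames contains ExpectedTag
| summarize
    ExpectedTags  = make_set(ExpectedTag),
    MissingTags   = make_set_if(ExpectedTag, not(Tagged)),
    CurrentLabels = take_any(Labels)
    by IncidentNumber, Title, Severity, IncidentUrl
| where array_length(MissingTags) > 0                          // keep only incidents with a coverage gap
| order by Severity asc, IncidentNumber desc
```

Incidents that carry several tactics get one expected tag per tactic, so an incident can appear with a partial gap (some ENISA tags present, others missing). Removing the "where array_length(MissingTags) > 0" line turns the query into a plain inventory of which ENISA tags each open incident carries.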

@cyb3rmik3 

Hi,

I'll go ahead and try the Tags in order to achieve what I need.

Now I want to start by creating my tags. Where do I have an option to see all tags and create some new tags?

Thanks