cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Mitre link from Sentinel into Service Now

wootts
Iron Contributor

‎Jul 13 2021 11:27 AM

‎Jul 13 2021 11:27 AM

Mitre link from Sentinel into Service Now

Hi all 

 

I am wondering before I start work on it whether anyone has built or is looking to build Mitre framework correlation of Tactics and Techniques from Sentinel into SIR ServiceNow.   I can see how it is possible to map out the Tactics that flow through into Sentinel - however the Techniques (such as phishing (Technique) sits behind the Initial Access (Tactic).  Wanting to be able to just do this at that high level so it hit and correlates to the Category and Sub-Category in SIR ServiceNow.   I can see how the Mitre workbook looks up against the populating github page - but trying to populate the techniques looks to be slightly more complicated with initial thoughts being a look up against something - pull the rule name and cross link that.  Any thoughts or ideas always welcome.   Thanks 

668 Views
0 Likes
2 Replies
Reply
2 Replies
best response confirmed by wootts (Iron Contributor)
CliveWatson

‎Jul 14 2021 12:53 AM

‎Jul 14 2021 12:53 AM

Solution

Re: Mitre link from Sentinel into Service Now

You can extend the Workbook query to also lookup the Techniques as well as the Tactics per Rule.

let SentinelGithub = (externaldata(MITREMatrix: string, Tactic: string, TechniqueId:string, TechniqueName:string, Platform: string , DetectionType: string , DetectionService: string , DetectionId: string, DetectionName: string, DetectionDescription: string, ConnectorId: string, DataTypes: string, Query: string , QueryFrequency: string , QueryPeriod:string , TriggerOperator: string, TriggerThreshold: string, DetectionSeverity: string, DetctionUrl: string, IngestedDate: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/MITRE%20ATT%26CK/AzureSe..."]
);
SentinelGithub
| where isnotempty(Tactic)
| summarize make_set(TechniqueId), make_set(Tactic) by DetectionName, DetectionDescription, DataTypes, Query, DetctionUrl
1 Like
Reply
wootts

‎Jul 14 2021 01:18 AM

‎Jul 14 2021 01:18 AM

Re: Mitre link from Sentinel into Service Now

Clive - thanks for taking the time to reply ... will have a look at this now - have a great day
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by wootts (Iron Contributor)
CliveWatson

‎Jul 14 2021 12:53 AM

‎Jul 14 2021 12:53 AM

Solution

Re: Mitre link from Sentinel into Service Now

You can extend the Workbook query to also lookup the Techniques as well as the Tactics per Rule.

let SentinelGithub = (externaldata(MITREMatrix: string, Tactic: string, TechniqueId:string, TechniqueName:string, Platform: string , DetectionType: string , DetectionService: string , DetectionId: string, DetectionName: string, DetectionDescription: string, ConnectorId: string, DataTypes: string, Query: string , QueryFrequency: string , QueryPeriod:string , TriggerOperator: string, TriggerThreshold: string, DetectionSeverity: string, DetctionUrl: string, IngestedDate: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/MITRE%20ATT%26CK/AzureSe..."]
);
SentinelGithub
| where isnotempty(Tactic)
| summarize make_set(TechniqueId), make_set(Tactic) by DetectionName, DetectionDescription, DataTypes, Query, DetctionUrl

View solution in original post

1 Like
Reply