Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community
SOLVED

Mitre link from Sentinel into Service Now

Iron Contributor

Hi all 

 

I am wondering before I start work on it whether anyone has built or is looking to build Mitre framework correlation of Tactics and Techniques from Sentinel into SIR ServiceNow.   I can see how it is possible to map out the Tactics that flow through into Sentinel - however the Techniques (such as phishing (Technique) sits behind the Initial Access (Tactic).  Wanting to be able to just do this at that high level so it hit and correlates to the Category and Sub-Category in SIR ServiceNow.   I can see how the Mitre workbook looks up against the populating github page - but trying to populate the techniques looks to be slightly more complicated with initial thoughts being a look up against something - pull the rule name and cross link that.  Any thoughts or ideas always welcome.   Thanks 

2 Replies
best response confirmed by wootts (Iron Contributor)
Solution
You can extend the Workbook query to also lookup the Techniques as well as the Tactics per Rule.

let SentinelGithub = (externaldata(MITREMatrix: string, Tactic: string, TechniqueId:string, TechniqueName:string, Platform: string , DetectionType: string , DetectionService: string , DetectionId: string, DetectionName: string, DetectionDescription: string, ConnectorId: string, DataTypes: string, Query: string , QueryFrequency: string , QueryPeriod:string , TriggerOperator: string, TriggerThreshold: string, DetectionSeverity: string, DetctionUrl: string, IngestedDate: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/MITRE%20ATT%26CK/AzureSe..."]
);
SentinelGithub
| where isnotempty(Tactic)
| summarize make_set(TechniqueId), make_set(Tactic) by DetectionName, DetectionDescription, DataTypes, Query, DetctionUrl
Clive - thanks for taking the time to reply ... will have a look at this now - have a great day
1 best response

Accepted Solutions
best response confirmed by wootts (Iron Contributor)
Solution
You can extend the Workbook query to also lookup the Techniques as well as the Tactics per Rule.

let SentinelGithub = (externaldata(MITREMatrix: string, Tactic: string, TechniqueId:string, TechniqueName:string, Platform: string , DetectionType: string , DetectionService: string , DetectionId: string, DetectionName: string, DetectionDescription: string, ConnectorId: string, DataTypes: string, Query: string , QueryFrequency: string , QueryPeriod:string , TriggerOperator: string, TriggerThreshold: string, DetectionSeverity: string, DetctionUrl: string, IngestedDate: string )
[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/MITRE%20ATT%26CK/AzureSe..."]
);
SentinelGithub
| where isnotempty(Tactic)
| summarize make_set(TechniqueId), make_set(Tactic) by DetectionName, DetectionDescription, DataTypes, Query, DetctionUrl

View solution in original post