Microsoft Security Tech Accelerator
Dec 06 2023, 07:00 AM - 12:00 PM (PST)
Microsoft Tech Community

Mitre link from Sentinel into Service Now

Iron Contributor

Hi all 


I am wondering before I start work on it whether anyone has built or is looking to build Mitre framework correlation of Tactics and Techniques from Sentinel into SIR ServiceNow.   I can see how it is possible to map out the Tactics that flow through into Sentinel - however the Techniques (such as phishing (Technique) sits behind the Initial Access (Tactic).  Wanting to be able to just do this at that high level so it hit and correlates to the Category and Sub-Category in SIR ServiceNow.   I can see how the Mitre workbook looks up against the populating github page - but trying to populate the techniques looks to be slightly more complicated with initial thoughts being a look up against something - pull the rule name and cross link that.  Any thoughts or ideas always welcome.   Thanks 

2 Replies
best response confirmed by wootts (Iron Contributor)
You can extend the Workbook query to also lookup the Techniques as well as the Tactics per Rule.

let SentinelGithub = (externaldata(MITREMatrix: string, Tactic: string, TechniqueId:string, TechniqueName:string, Platform: string , DetectionType: string , DetectionService: string , DetectionId: string, DetectionName: string, DetectionDescription: string, ConnectorId: string, DataTypes: string, Query: string , QueryFrequency: string , QueryPeriod:string , TriggerOperator: string, TriggerThreshold: string, DetectionSeverity: string, DetctionUrl: string, IngestedDate: string )
| where isnotempty(Tactic)
| summarize make_set(TechniqueId), make_set(Tactic) by DetectionName, DetectionDescription, DataTypes, Query, DetctionUrl
Clive - thanks for taking the time to reply ... will have a look at this now - have a great day