Import MITRE Tactics and Techniques as Service-Now Security Tag Groups and Tags [Updated for v9 MITRE changes]
- Pulls down the latest framework from https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json.
- Uses the Service-Now API to import MITRE Tactics as "Security Tag Groups"
- Names these groups using the TA#### naming schema, e.g. "[TA0002] - Execution".
- Associates each Technique per Tactic as a "Security Tag" under the "Tag Groups".
- Techniques are named similarly using the T#### naming schema, e.g. "[T1078] - Valid Accounts".
- Rerunning the script will update any existing Tactics/Techniques built by the script with the latest info from the MITRE JSON.
- The script now only attempts to update a Service-Now object when a tactic/technique has changed, which makes reruns faster.
- The script will also disable any tags (techniques) listed as revoked in the MITRE JSON.
- This requires Security Incident Operations/Security Incident Response to be installed in your Service-Now instance.
Script needs minor changes for your Service-Now instance
- Change line 6 '$global:SNInstncAPI = "CHANGME" #YOUR INSTANCE HERE' to your instance short name: The [MYINSTANCE] in [MYINSTANCE].service-now.com
- The script asks for credentials with access to your instance; this should be an account allowed to add/remove tags.
- Script verbosity is muted by default.
- This can be disabled by setting the variable '$global:mute' on line 39 to $false.
- Script now produces a simple HTML report upon completion that can be used as a change/validation artifact.
- This can be disabled by setting the variable '$global:report' on line 40 to $false.