
What do you use for Categories?

Martin Dewit
Kilo Sage

My team and I are looking to revamp our categories from the current OOB ones and are looking for recommendations on what others are using. I know there are already several OOB categories with subcategories. We have discussed the possibility of using the MITRE tactics as the categories, but a security incident could have several tactics. In the future we also plan on mapping flow or process playbook triggers to these categories.

2 REPLIES

Tim Boswell
ServiceNow Employee

Hello, I would recommend against using MITRE TTPs; as you said, one incident can have multiple tactics, but MITRE also updates those, adds new ones, etc. I would consider looking at various standards and agencies like NIST, CISA/US-CERT, GCHQ, AUSCERT, FIRST.org, SANS, etc. Especially if you are required to report declared incidents to CISA or other agencies, you might want to consider matching their categories.

Tim Boswell
ServiceNow Employee
Also, take a look at MITRE's "11 Strategies of a World-Class Cybersecurity Operations Center", specifically page 129.

https://www.mitre.org/sites/default/files/2022-04/11-strategies-of-a-world-class-cybersecurity-opera...
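The design the replies above point towards, as an added example in plain JavaScript (not code from this thread, and not ServiceNow's own Security Incident Response scripting, which would use Glide APIs): each incident carries exactly one single-valued category, which drives the playbook trigger and maps to an external reporting scheme, while MITRE ATT&CK tactics are stored as a separate multi-valued attribute. The category names, playbook names, the CISA attack-vector mapping, the tactic-keyed contrast map and the sample incident are all constructed for illustration.

```javascript
// Added example, not from the thread or from ServiceNow. Models a
// single-valued incident category that routes playbooks and maps to an
// external reporting scheme, with ATT&CK tactics kept as a separate
// multi-valued attribute. All names and mappings below are assumptions.

// Hypothetical category taxonomy, versioned so that a later revision can be
// told apart from the one an older incident was filed under.
const CATEGORY_TAXONOMY = {
  version: "2024.1",
  categories: {
    phishing:           { playbook: "pb_phishing_triage",     cisaVector: "Email/Phishing" },
    malware:            { playbook: "pb_malware_containment", cisaVector: "Other" },
    account_compromise: { playbook: "pb_account_compromise",  cisaVector: "Impersonation/Spoofing" },
    web_application:    { playbook: "pb_web_app_attack",      cisaVector: "Web" },
    data_exfiltration:  { playbook: "pb_data_loss",           cisaVector: "Other" },
  },
};

// Subset of ATT&CK Enterprise tactic IDs. MITRE revises these, so they are
// kept as data that can be refreshed without re-filing incident records.
const ATTACK_TACTICS = {
  TA0001: "Initial Access",
  TA0002: "Execution",
  TA0003: "Persistence",
  TA0006: "Credential Access",
  TA0008: "Lateral Movement",
  TA0010: "Exfiltration",
  TA0011: "Command and Control",
};

// Validate a record: exactly one known category, zero or more known,
// non-duplicated tactics. Returns a list of error strings (empty if valid).
function validateIncident(incident) {
  const errors = [];
  const known = CATEGORY_TAXONOMY.categories;
  if (typeof incident.category !== "string" || !(incident.category in known)) {
    errors.push("unknown category: " + incident.category);
  }
  const tactics = Array.isArray(incident.tactics) ? incident.tactics : [];
  for (const t of tactics) {
    if (!(t in ATTACK_TACTICS)) errors.push("unknown tactic: " + t);
  }
  if (new Set(tactics).size !== tactics.length) errors.push("duplicate tactics");
  return errors;
}

function assertValid(incident) {
  const errors = validateIncident(incident);
  if (errors.length) throw new Error(errors.join("; "));
}

// Category-keyed trigger: always resolves to exactly one playbook.
function playbookFor(incident) {
  assertValid(incident);
  return CATEGORY_TAXONOMY.categories[incident.category].playbook;
}

// External reporting category derived from the same single-valued field.
function cisaVectorFor(incident) {
  assertValid(incident);
  return CATEGORY_TAXONOMY.categories[incident.category].cisaVector;
}

// For contrast: a hypothetical tactic-keyed trigger map. An incident that
// spans several tactics fires several playbooks, which is the ambiguity the
// replies above warn about.
const PLAYBOOK_BY_TACTIC = {
  TA0001: "pb_phishing_triage",
  TA0006: "pb_account_compromise",
  TA0008: "pb_lateral_movement",
  TA0010: "pb_data_loss",
};

function playbooksByTactic(incident) {
  const fired = new Set();
  for (const t of incident.tactics || []) {
    if (t in PLAYBOOK_BY_TACTIC) fired.add(PLAYBOOK_BY_TACTIC[t]);
  }
  return [...fired].sort();
}

// Constructed sample: one phishing case that touches four tactics.
const SAMPLE_INCIDENT = {
  number: "SIR0010001",
  category: "phishing",
  tactics: ["TA0001", "TA0006", "TA0008", "TA0010"],
};

console.log("category-keyed  :", playbookFor(SAMPLE_INCIDENT));
console.log("reporting vector:", cisaVectorFor(SAMPLE_INCIDENT));
console.log("tactic-keyed    :", playbooksByTactic(SAMPLE_INCIDENT));
```

Run with `node` to see the single playbook and reporting vector resolved from the category, beside the four playbooks a tactic-keyed design would fire for the same incident. In a real instance the taxonomy and tactic tables would live in reference tables rather than constants, so a taxonomy revision is a data change with a version stamp rather than a script change.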