
What do you use for Categories?

Martin Dewit
Kilo Sage

My team and I are looking to revamp our categories from the current OOB ones and are looking for recommendations on what others are using. I know there are already several OOB categories with subcategories. We have discussed the possibility of using the MITRE tactics as the categories, but a security incident could have several tactics. In the future we also plan on mapping flow or process playbook triggers to these categories.

2 REPLIES

Tim Boswell
ServiceNow Employee

Hello, I would recommend against using MITRE TTPs; as you said, one incident can have multiple tactics, but MITRE also updates those, adds new ones, etc. I would consider looking at various standards and agencies like NIST, CISA/US-CERT, GCHQ, AUSCERT, FIRST.org, SANS, etc. Especially if you are required to report declared incidents to CISA or other agencies, you might want to consider matching their categories.

Tim Boswell
ServiceNow Employee

Also, take a look at MITRE's "11 Strategies of a World-Class Cybersecurity Operations Center", specifically page 129.

https://www.mitre.org/sites/default/files/2022-04/11-strategies-of-a-world-class-cybersecurity-opera...
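One way to reconcile the two points raised in this thread (an incident spans several tactics, and MITRE revises the tactic list) is to keep the category as a single-valued field drawn from a stable taxonomy and record ATT&CK tactics as a separate multi-valued tag, then key playbook triggers on the category alone. The following is an added example, not code from the thread or from ServiceNow: the category values, playbook names, legacy category mapping, pinned ATT&CK version and incident numbers are all hypothetical placeholders, and only the tactic IDs are real ATT&CK identifiers.

```python
"""Added example: single-valued incident category, multi-valued ATT&CK tactics,
playbook routing keyed on category, and migration of legacy category values.
All category names, playbook names, legacy values and incident numbers are
hypothetical placeholders chosen for illustration."""
from dataclasses import dataclass, field

# Hypothetical single-valued category taxonomy. Assumption: you would replace these
# with whatever scheme your reporting obligations (e.g. an agency's categories) require.
CATEGORIES = {
    "phishing", "malware", "unauthorized_access", "data_exposure",
    "denial_of_service", "policy_violation",
}

# Pinned snapshot of ATT&CK Enterprise tactic IDs. Pinning a version turns a MITRE
# update into a deliberate change to this table instead of silent drift in incident data.
ATTACK_VERSION = "v14"  # assumption: the version the team has standardised on
ATTACK_TACTICS = {
    "TA0043": "Reconnaissance", "TA0042": "Resource Development",
    "TA0001": "Initial Access", "TA0002": "Execution", "TA0003": "Persistence",
    "TA0004": "Privilege Escalation", "TA0005": "Defense Evasion",
    "TA0006": "Credential Access", "TA0007": "Discovery", "TA0008": "Lateral Movement",
    "TA0009": "Collection", "TA0011": "Command and Control", "TA0010": "Exfiltration",
    "TA0040": "Impact",
}

# Hypothetical playbook names keyed on the single category, so each incident fires
# exactly one playbook no matter how many tactics the attacker used.
PLAYBOOK_TRIGGERS = {
    "phishing": "pb_phishing_triage",
    "malware": "pb_malware_containment",
    "unauthorized_access": "pb_account_compromise",
    "data_exposure": "pb_data_breach_response",
    "denial_of_service": "pb_dos_mitigation",
    "policy_violation": "pb_hr_escalation",
}

# Hypothetical mapping from legacy (category, subcategory) pairs to the new taxonomy,
# used when migrating existing records. Anything not listed is sent to a human.
LEGACY_MAP = {
    ("Malware", "Trojan"): "malware",
    ("Malware", "Worm"): "malware",
    ("Unauthorized Access", "Brute Force"): "unauthorized_access",
    ("Phishing", "Credential Harvesting"): "phishing",
}


@dataclass(frozen=True)
class Incident:
    number: str
    category: str                      # exactly one, from CATEGORIES
    tactics: frozenset = field(default_factory=frozenset)  # zero or many tactic IDs


def validate(incident: Incident) -> list:
    """Return a list of data-quality problems; an empty list means the record is clean."""
    problems = []
    if incident.category not in CATEGORIES:
        problems.append(f"{incident.number}: unknown category {incident.category!r}")
    for tid in sorted(incident.tactics):
        if tid not in ATTACK_TACTICS:
            problems.append(
                f"{incident.number}: tactic {tid} not in pinned ATT&CK {ATTACK_VERSION}"
            )
    return problems


def playbook_for(incident: Incident) -> str:
    """Resolve the playbook from the single category; refuse to guess on bad data."""
    problems = validate(incident)
    if problems:
        raise ValueError("; ".join(problems))
    return PLAYBOOK_TRIGGERS[incident.category]


def migrate_legacy(number, legacy_category, legacy_subcategory, tactics=()):
    """Map a legacy record into the new model; None means it needs manual review."""
    new_category = LEGACY_MAP.get((legacy_category, legacy_subcategory))
    if new_category is None:
        return None
    return Incident(number, new_category, frozenset(tactics))


def tactic_coverage(incidents) -> dict:
    """Incidents per tactic: the reporting view kept by storing tactics as tags."""
    counts = {}
    for inc in incidents:
        for tid in inc.tactics:
            counts[tid] = counts.get(tid, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: one phishing incident that touched three tactics.
    inc = Incident("SIR0010001", "phishing", frozenset({"TA0001", "TA0002", "TA0006"}))
    print(playbook_for(inc))
    print(tactic_coverage([inc]))
```

The important design choice is that the playbook lookup never consults the tactics, so adding a tactic to a record (or MITRE adding one to the framework) cannot change which playbook fires; the tactic table is only used to reject identifiers that are not in the pinned version.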