Extend the MITRE-ATT&CK data

  • Release version: Xanadu
  • Updated August 1, 2024
  • 1 minute to read
  • Extend the MITRE-ATT&CK repository data in the ServiceNow AI Platform by enriching it.

    Before you begin

    Role required:
    • sn_ti.admin: delete access
    • sn_ti.read: read access
    • sn_ti.write: create, write access

    About this task

    You can relate Malware, Group, Mitigation, and Tool objects to a technique in the MITRE-ATT&CK repository.

    In the MITRE ATT&CK Repository module, you can create a new object and relate it to a technique, but you can't define the relationship type there. To define a relationship type, navigate to the Threat Intelligence > IoC Repository > Object-Object Relationships module. For more information, see object to object relationships.

    When you map the relationship type between an existing technique and an existing object, define the technique as the target object and the other object as the source object. To do so, navigate to the IoC Repository > Object-Object Relationships module.

    You can create a group and associate it with an attack pattern, but the MITRE ATT&CK Repository module only records that the group and the attack pattern are related. The object-to-object relationship type must be defined in the IoC Repository.

    Note:
    Any customizations that you make to the objects are preserved when scheduled updates run.

    Procedure

    1. Navigate to Threat Intelligence > MITRE ATT&CK Repository > Techniques.
    2. Click a technique or sub-technique to view all the information associated with it.
      In the following illustration, the Botnet (T1584.005) sub-technique is not associated with any group. If you have additional information about a technique or sub-technique, you can enrich it by adding or modifying that information.
      [Illustration: Associate a Botnet with another object.]
    3. Open a related list and add a record to associate the technique with a new group.

      In the following illustration, the group Custom1 has been associated with the Botnet sub-technique.
      [Illustration: Extend MITRE object information by enriching its data.]