Roll up of MITRE technique associations

  • Release version: Xanadu
  • Updated November 4, 2024
  • 1 minute to read

    • Roll up of MITRE technique associations from observables, indicators, objects, and security incidents which are linked or unlinked from a case record.

    Before you begin

    Note:
    • Roll up of MITRE technique associations for security incidents will roll up the MITRE technique associated data from security incidents to the case management in TISC.
    • By default this property sn_sec_tisc.auto_rollup_mitre_data is enabled for the MITRE Technique(s), to be rolled up to case(s) from the associated objects or security incidents automatically.
    • If you want to perform on demand roll up of MITRE technique associations then navigate to the more actions within the Case form view and select Roll Up MITRE Techniques option. This operation will happen asynchronously and you can verify the Activity Stream section for the updates on the roll up activity.
    Role required: sn_sec_tisc.analyst

    About this task

    • Whenever any entity such as an observable or indicator is linked to any case, then all the MITRE technique associations that are present for that entity are automatically rolled up to the case.
    • Whenever any entity such as an observable or indicator is unlinked and removed from the case, then all the MITRE technique associations which are rolled up from the case that are present for that entity will be removed automatically and rolled up to the case.

    Procedure

    1. Navigate to Workspaces > Threat Intelligence Security Center.
    2. Click the Threat Analyst Workbench icon.
    3. Go to Case Management > All Cases.
      All the cases are displayed.
    4. Open any case.
    5. Go to Artifacts tab.
    6. Select Observables from the artifacts related list.
    7. Select the Link button.
    8. Select the observables that you may want to link to the case.
    9. Click Link to link the observables.
      After you link the observables to a case then the MITRE techniques associated for that particular observable are automatically rolled up and the MITRE techniques list count under the artifacts section is automatically updated.
    10. Click Unlink to unlink the observables from the case.
      After you unlink the observables to a case then the MITRE techniques associated for that particular observable are automatically removed and the MITRE techniques list count under the artifacts section is automatically updated.