Auto-extract technique rules for importing MITRE-ATT&CK information
Use the base system auto-extraction rules to import the MITRE-ATT&CK information from any existing third-party integrations.
Use threat-lookup auto-extraction rules
Use the threat lookup auto-extraction rules to import the MITRE-ATT&CK information from any existing Threat Intelligence third-party integrations.
Before you begin
- sn_ti.admin, sn_si.admin: create, write, and delete access
- sn_ti.read: read access
About this task
When a Threat Intelligence integration, such as a sandbox or a TIP, supports the MITRE-ATT&CK framework and the MITRE-ATT&CK information is parsed at the integration level, that information is displayed in each threat lookup result record. However, not all Threat Intelligence integrations parse the MITRE-ATT&CK information. The threat lookup global auto-extraction rule can extract MITRE-ATT&CK information from all Threat Intelligence integrations.
You can choose to roll up the MITRE-ATT&CK information automatically from the threat lookup results to a security incident. To roll up threat lookup results to security incidents automatically, enable the corresponding system property. Alternatively, you can roll up the information manually for each individual threat lookup.
The base system Threat Intelligence application automatically extracts the MITRE-ATT&CK information from the third-party integration's raw payload into the threat lookup result record, provided that the integration returns MITRE-ATT&CK information such as the technique or tactic.
If the MITRE-ATT&CK information is not available in the raw payload field of the threat lookup record, you must define your own auto-extraction rule for that third-party integration.
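The extraction pass described above, as an added stand-alone example rather than ServiceNow's own rule implementation: it scans a threat lookup result's raw payload for technique and tactic IDs regardless of how the integration structured them, and rolls several results up into one deduplicated set for an incident. The two payload shapes are constructed for the example; the ServiceNow rule definition format is not shown here.

```javascript
// Constructed sample payloads: one integration returns parsed ATT&CK data,
// the other only mentions techniques inside free text. Neither matches a
// specific vendor format.
const PARSED_PAYLOAD = JSON.stringify({
  verdict: "malicious",
  attack: { techniques: [
    { id: "T1059.001", tactic: "TA0002" },
    { id: "T1547.001", tactic: "TA0003" } ] }
});
const TEXT_PAYLOAD = JSON.stringify({
  summary: "Persistence via run keys (T1547.001) and PowerShell T1059.001; tactic TA0003."
});

const TECHNIQUE_RE = /\bT\d{4}(?:\.\d{3})?\b/g; // T1234 or sub-technique T1234.001
const TACTIC_RE = /\bTA\d{4}\b/g;               // TA0002 etc.

// Collect every string in a JSON document, including object keys, because
// some integrations use the technique ID as a key rather than a value.
function stringLeaves(value, out = []) {
  if (typeof value === "string") out.push(value);
  else if (Array.isArray(value)) value.forEach(v => stringLeaves(v, out));
  else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) { out.push(k); stringLeaves(v, out); }
  }
  return out;
}

// "Global" extraction: works on parsed JSON and falls back to the raw text
// when the payload is not valid JSON, so a malformed response still yields IDs.
function extractAttack(rawPayload) {
  let parsed;
  try { parsed = JSON.parse(rawPayload); } catch (e) { parsed = String(rawPayload); }
  const text = stringLeaves(parsed).join("\n");
  return {
    techniques: [...new Set(text.match(TECHNIQUE_RE) || [])].sort(),
    tactics: [...new Set(text.match(TACTIC_RE) || [])].sort()
  };
}

// Roll-up: merge the extraction results of several lookups into one
// deduplicated set, as would be attached to a single security incident.
function rollUp(results) {
  const techniques = new Set(), tactics = new Set();
  for (const r of results) {
    r.techniques.forEach(t => techniques.add(t));
    r.tactics.forEach(t => tactics.add(t));
  }
  return { techniques: [...techniques].sort(), tactics: [...tactics].sort() };
}
```

IDs matched this way should still be validated against the stored MITRE-ATT&CK technique and tactic tables before being written to a record, since the pattern alone cannot rule out an unrelated string of the same shape.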
Procedure
Use SIEM auto-extraction rules
Use the SIEM auto-extraction rules to import the MITRE-ATT&CK information from any existing Security Operations SIEM third-party integrations.
Before you begin
- sn_ti.admin, sn_si.admin: create, write, and delete access
- sn_ti.read: read access
About this task
If your ServiceNow AI Platform contains base system SIEM integrations, the technique extraction rules for them have already been created in the MITRE-ATT&CK module. Review these rules and modify them as needed.
Enable only one of the SIEM auto-extraction rule and the alert rule at a time, not both.