Create and map detection rules

  • Release version: Australia
  • Updated: March 12, 2026
  • Time required: 9 minutes

  Create detection rules and map them against MITRE-ATT&CK tactics and techniques. With this mapping, you can see the detection rule coverage in your organization.

    Before you begin

    Role required:
    • sn_ti.admin, sn_si.admin: create, write, delete access
    • sn_ti.read: read access

    About this task

    Detection rule mapping enables your organization to see which detection rules are available to identify specific techniques.

    The primary purpose of the mapping is to provide visibility into whether your organization has the detection rules needed to identify an alert or event that is triggered by an adversary using a specific technique.

    For example, the following illustration shows a list of detection rules mapped to various techniques. You can also view this information in the MITRE-ATT&CK navigator.

    Figure: MITRE ATT&CK detection rules.

    If you do not intend to use the base system SIEM auto-extraction rules, then enable the automatic rollup of MITRE-ATT&CK TTPs based on the detection rule mapping. You can populate the alert or event rule that triggers the security incident in the Alert Rule name field. You can also populate the Alert Rule name field by using SIEM integration, email parsing, manual creation, etc. For more information, see Rollup MITRE-ATT&CK information from detection rules.

    Note:

    The detection rules feature has been updated so that a single tactic can be mapped to multiple techniques. Previously, you could map a single tactic to only a single technique. If you are upgrading the Threat Intelligence plugin from version 12.0.4 to a higher version, review the following points before using the detection rules in the MITRE-ATT&CK module.

    • Multiple records are merged into a single record when the rule name, alert sensor, source, category, subcategory, and MITRE-ATT&CK tactic fields are the same.
    • The old records are marked as true in the Deprecated column and false in the Active column.
    • The new merged records are available for use and are marked as false in the Deprecated column and true in the Active column.
    • After you verify the upgrade and confirm that all your detection rules migrated successfully, you can delete the old records that are marked as true in the Deprecated column.

    Procedure

    1. Navigate to All > Threat Intelligence > MITRE ATT&CK Administration > Detection Rules - MITRE ATT&CK Mappings.
    2. Use one of the following methods to create your detection rule:
      Method 1: Manually create detection rules.
      1. Click New and on the form, fill in the fields.
        Table 1. Detection Rules - MITRE-ATT&CK Mapping (Field: Description)
        • Rule Name: Name of the detection rule.
        • MITRE-ATT&CK Tactic: Relevant MITRE-ATT&CK tactic.
        • MITRE-ATT&CK Techniques: Relevant MITRE-ATT&CK techniques. You can select multiple techniques for a single tactic.
        • Source: Source of the security incident, such as email, firewall, network monitoring, and so on.
        • Alert Sensor: Security integration through which you ingest the alert or event data, such as CarbonBlack, CrowdStrike, McAfee, and so on.
        • Subcategory: Subcategory that further defines the issue.
        • Category: Category that identifies the type of security issue.
        • MITRE-ATT&CK Technique: Relevant MITRE-ATT&CK technique. You can select multiple techniques for a single tactic.
        • Security Incident Count: The number of security incidents that the techniques are appended to. This count appears when you have enabled automatic rollup of MITRE-ATT&CK information from alert rules to security incidents.
        • Deprecated: Indicates that the detection rule mapping is deprecated.
        • Active: Option to specify whether the detection rule is active and deployed in your environment.

        Figure: Detection Rules example.

      2. Click Submit.
      Method 2: Import and create detection rules.
      1. Right-click the Rule Name column header.
      2. From the list, click Import.
      3. Click Create Excel template.
      4. Click Download after the export completes. An Excel template with the filename sn_ti_alert_rules_mitre_attack_technique_mapping is downloaded to your computer.

        The following illustration shows how to export the Excel template, fill in the details in the spreadsheet, upload the file, preview the fields, and import it back into the ServiceNow AI Platform.

        Figure: MITRE download import template.
      5. Open the spreadsheet and select the second sheet tab. Fill in the fields, review what you entered, and then save your file.
        Table 2. Import template (Field: Description)
        • Rule Name: Name of the detection rule.
        • Active: Option to specify whether the detection rule is active and deployed in your environment.
        • Alert Sensor: Security integration through which you ingest the alert or event data, such as CarbonBlack, CrowdStrike, McAfee, and so on.
        • Category: Category that identifies the type of security issue.
        • Comments: Description of the detection rule.
        • Deprecated: Indicates that the detection rule mapping is deprecated.
        • MITRE-ATT&CK Technique IDs: MITRE-ATT&CK technique ID, such as T1546.008 for Accessibility Features.
        • MITRE-ATT&CK Tactic ID: MITRE-ATT&CK tactic ID, such as TA0003 for Persistence.
        • Security Incident Count: The number of security incidents that the techniques are appended to. This count appears when you have enabled automatic rollup of MITRE-ATT&CK information from alert rules to security incidents and the detection rule is active.
        • Source: Source of the security incident, such as email, firewall, network monitoring, and so on.
        • Subcategory: Subcategory that further defines the issue.
        • MITRE-ATT&CK Tactic: Relevant MITRE-ATT&CK tactic.
        • MITRE-ATT&CK Technique: Relevant MITRE-ATT&CK technique.

        The following illustration shows the spreadsheet template. The required fields are highlighted in red: Rule Name, MITRE-ATT&CK Tactic ID, and MITRE-ATT&CK Technique ID.

        Figure: Update the mapping details in the spreadsheet template.

      6. Click Choose file and select the spreadsheet on your computer.
      7. Click Upload.
      8. Click Preview Imported Data.
      9. Preview the mappings and click Complete Import.

        The following illustration shows how to upload the spreadsheet, preview the data, review any errors, and complete the detection rule mapping import process.

        Figure: Upload the spreadsheet to complete the detection rule mapping.
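As an added example (not ServiceNow's own code), the following Python script models two things this page describes: the required fields and ID formats of the import template (Table 2), and the upgrade merge from the note above, where rows that share rule name, alert sensor, source, category, subcategory and tactic become one multi-technique row while the old rows are flagged Deprecated and inactive. The dictionary field names, rule names and sample records are constructed assumptions; the platform's real behaviour is only what the page states.

```python
import re
from collections import defaultdict

# Records sharing these six fields are merged into one row on upgrade (per the note above).
MERGE_KEY = ("rule_name", "alert_sensor", "source", "category", "subcategory", "tactic_id")
TACTIC_ID = re.compile(r"^TA\d{4}$")             # e.g. TA0003 (Persistence)
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # e.g. T1546.008 (Accessibility Features)

def legacy(rule, sensor, tactic, technique):
    # Pre-upgrade shape: one tactic and one technique per record (constructed, hypothetical field names).
    return {"rule_name": rule, "alert_sensor": sensor, "source": "Endpoint",
            "category": "Malicious code activity", "subcategory": "Persistence mechanism",
            "tactic_id": tactic, "technique_id": technique}
LEGACY_RECORDS = [  # constructed sample data, not from any real instance
    legacy("Accessibility feature hijack", "CrowdStrike", "TA0003", "T1546.008"),
    legacy("Accessibility feature hijack", "CrowdStrike", "TA0003", "T1547.001"),
    legacy("Suspicious PowerShell", "CarbonBlack", "TA0002", "T1059.001"),
]

def validate(record):
    """Problems with one import row: the template's required fields and ID formats."""
    problems = []
    if not record.get("rule_name"):
        problems.append("missing Rule Name")
    if not TACTIC_ID.match(record.get("tactic_id", "")):
        problems.append("bad MITRE-ATT&CK Tactic ID")
    if not TECHNIQUE_ID.match(record.get("technique_id", "")):
        problems.append("bad MITRE-ATT&CK Technique ID")
    return problems

def merge_records(records):
    """Old rows are kept but flagged deprecated/inactive; merged multi-technique rows are active."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[k] for k in MERGE_KEY)].append(r)
    merged = []
    for key, rows in groups.items():
        row = dict(zip(MERGE_KEY, key), deprecated=False, active=True)
        row["technique_ids"] = sorted({r["technique_id"] for r in rows})
        merged.append(row)
    return [dict(r, deprecated=True, active=False) for r in records] + merged

def coverage(records):
    """Technique ID -> names of active, non-deprecated rules that detect it (the navigator view)."""
    cov = defaultdict(set)
    for r in records:
        if r["active"] and not r["deprecated"]:
            for t in r["technique_ids"]:
                cov[t].add(r["rule_name"])
    return {t: sorted(names) for t, names in cov.items()}
```

Run validate over each spreadsheet row before uploading to catch the errors the preview step would otherwise report, and use coverage to see which techniques have no active rule.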