View extracted MITRE ATT&CK Techniques
MITRE ATT&CK Technique Extraction method describes how the extraction methods are performed and associated techniques are verified for observables, objects, and RSS feeds.
View MITRE ATT&CK techniques for Observables/ Objects
- The extraction rules for data sources (threat lookups are not applicable) are processed whenever an entity (for example, observable source or object source) source record gets created.
- The rules are applicable for any fields within the entity source record (except date, number fields, and Usage category and Attack phases).
- The extracted MITRE techniques are associated to the corresponding entity record and you view the records in the MITRE techniques related list in the Related Records tab.注:The MITRE techniques are first extracted and associated to the entity source record then the techniques associations are de-duplicated and aggregated to the parent entity record.
To view the techniques for observables and objects:
- Navigate to
- Select any Observable record.
- Go to Related Records tab.
- Select MITRE Techniques section to view the extracted MITRE ATT&CK techniques.
- Click on the MITRE technique ID to view the MITRE technique association record. The Sources column displays all the sources (separated by a comma if there are one or more sources) which are associated to
the entity source record on which the MITRE extraction is performed.注:If the same tactic and technique IDs are extracted from multiple sources then only one tactic and technique association record is displayed and the Sources column displays all the extracted sources.
- For troubleshooting, you can view the MITRE Extraction rule which was responsible for extraction of the tactic and technique associations by navigating to the Technique Source Relations.注:Make sure to add the Extraction Rule column using the List Actions icon in case if you don't see the Extraction Rule column.
The extraction rules for threat lookups or observable enrichment are processed whenever the threat lookup observable enrichment result or observable enrichment record is record is created for any observable for which Run threat lookup or Run observable enrichment action is triggered and the extraction is performed only on the raw data (raw_data field) payload which is available in the threat lookup result or observable enrichment record.
View MITRE ATT&CK techniques for RSS feeds
- Whenever an RSS feed record is created or updated, the MITRE ATT&CK technique extraction rules are processed.
- The rules are applicable for any fields within the RSS feed record (except date, number fields, and Attack phases).
- The extracted MITRE techniques are associated to the corresponding RSS feed record and you can view these records in the MITRE techniques related records list in the Related Records section.
- Navigate to
- Select any RSS feed record.
- Go to Related Records tab.
- Select MITRE Techniques to view the extracted MITRE ATT&CK techniques.
- Click on the MITRE technique ID to view the MITRE technique association record.
- For troubleshooting, you can view the MITRE Extraction rule which was responsible for extraction of the tactic and technique associations.
注:
- If there is no tactic ID present in the extracted entity (observable or object) source or threat lookup result for any MITRE ATT&CK technique, then the technique associations are created for all the tactics that are associated to the corresponding technique in the MITRE repository.
- If there is any tactic ID present in the extracted entity (observable or object) source or threat lookup result for any MITRE ATT&CK technique, then the technique associations is specifically created only for all that extracted tactic(s) that are associated to the corresponding technique in the MITRE repository.