MITRE ATT&CK Technique Extraction Rules

  • Release version: Australia
  • Updated: March 12, 2026
  • Reading time: 11 minutes
  • Extract MITRE ATT&CK techniques automatically from observables or objects ingested from various data sources, and from the threat lookup results on an observable record.

    Before you begin

    Role required: sn_sec_tisc.admin

    Note:
    Verify that the MITRE ATT&CK repository data is available in the instance you are using. If the data is not available, the application does not perform the extraction.

    Procedure

    1. Navigate to All > Threat Intelligence Security Center > Administration.
    2. Go to Rules Engine > MITRE ATT&CK Technique Extraction Rules.
      The MITRE ATT&CK Technique Extraction Rules page displays.
    3. Click New.
      Fill in the following fields.
      Name: Enter a name for the MITRE ATT&CK Technique Extraction rule.
      Description: Enter a description for the MITRE ATT&CK Technique Extraction rule.
      Integration Type: Determines whether the rule applies to data sources, to threat lookup results, or to observable enrichment integrations. Select the type from the lookup.

      The following options are available:

      • Data Sources - All: The rule applies to every type of data source, such as Threat Intel Feeds, Import Intelligence records, API Sources (for example, observables created through the API), Sent from SIR (observables sent from Security Incident Response), and the entities that users create manually in the Threat Intelligence library.
      • Data Sources - Threat Intel Feeds: The rule applies only to threat intelligence feeds.
      • Data Sources - API Sources: The rule applies only to API Sources.
      • Threat Lookup integrations: The rule applies to all threat lookup integrations, such as VirusTotal.
        Note:
        • When you select this option, you must enter the vendor name for the threat lookup. Vendor names are populated automatically only when the threat lookup integrations are installed from the ServiceNow Store.
        • For threat intelligence data sources, extraction rules are supported only for the STIX, MISP, and Custom feed types.
      • Observable Enrichment integrations: The rule applies to all observable enrichment integrations.
      Threat Feed Type: The following options are available:
      • STIX (TAXII/HTTPS): Filters the threat feeds of the STIX TAXII or HTTPS feed type so that you can select the associated feeds from the lookup.
      • MISP: Filters the threat feeds of the MISP feed type so that you can select the associated feeds using the lookup icon.
      • Custom feed: Filters the threat feeds of the custom feed type so that you can select the associated feeds using the lookup icon.
      Feeds: Select one or more threat feed integrations of the selected feed type.
      Note:
      If this field is left blank, all threat feed integrations of the selected feed type are considered for the extraction.
      Method to extract MITRE ATT&CK tactics and techniques: Select how the tactic and technique IDs are extracted. Two methods are available:
      1. Use Regex
      2. Use Script
      Extraction Method - Use Regex: Uses regular expressions. The threat analyst defines a character pattern that matches the tactic and technique IDs in the ingested data.
      Tactic Regex: Regular expression used to extract MITRE ATT&CK tactic IDs (for example, a pattern matching TA followed by four digits, as in the sample script below).
      Technique Regex: Regular expression used to extract MITRE ATT&CK technique IDs. Include the sub-technique form (T followed by four digits, a dot, and three digits) if you want sub-techniques to be matched.
      Extraction Method - Use Script: Uses a script to perform the extraction on the observable, object, or indicator source record, or on the threat lookup results.
      Note:
      • The script method can extract MITRE tactics and techniques from the entity source record and link them to that same record.
      • The script method can extract MITRE tactics and techniques from threat lookup results and link them to the entity record.
      The following sample script is provided for reference:
      (function process(lookupResultRawData, recordGr, ruleGr, lookupResultGr) {
          /*********************************
           * - lookupResultRawData: The raw data of the threat lookup result in stringified JSON format.
           * - recordGr: The GlideRecord of the observable record.
           * - ruleGr: The GlideRecord of the matched MITRE extraction rule.
           * - lookupResultGr: The GlideRecord of the threat lookup result record.
           *
           * Once you have extracted the MITRE tactic IDs and technique IDs, call
           * addTacticTechniquesForLookup() to link the tactics and techniques to the observable record.
           **********************************/
          var utils = new MITREExtractionUtils();
          var parsedRawData = JSON.parse(lookupResultRawData);
          // Scope the extraction to one field of the raw payload rather than the whole response.
          var mitreDataField = parsedRawData.mitre_data;
          // Tactic IDs look like TA0002; technique IDs look like T1059 or, for sub-techniques, T1059.001.
          // The sub-technique alternative comes first so the match is not cut short at T1059, and the
          // dot is escaped ('\\.' in the string) so it matches a literal dot instead of any character.
          var response = utils.extractMITREDataUsingRegex(mitreDataField, 'TA[0-9][0-9][0-9][0-9]', 'T[0-9][0-9][0-9][0-9]\\.[0-9][0-9][0-9]|T[0-9][0-9][0-9][0-9]');
          utils.addTacticTechniquesForLookup(response.tacticIds, response.techniqueIds, recordGr, ruleGr.getUniqueValue(), lookupResultGr);
      })(lookupResultRawData, recordGr, ruleGr, lookupResultGr);
      This sample is an extraction rule script for threat lookup integrations: it parses the raw threat lookup payload, performs the extraction only on one specific field of that payload rather than on the entire response, and links the extracted tactics and techniques to the observable record.
    4. Click Enable to enable the MITRE ATT&CK Technique Extraction rule after you create it.
      If you do not enable the rule, it is not applied to any record.
      Note:
      1. Data sources: When you enable an extraction rule, its combination of data sources and integration type must not match any existing enabled extraction rule. If it does, the application displays an error message; modify the combination and re-enable the rule.
      2. Threat Lookup: When you enable an extraction rule, its vendor name must not match any existing enabled extraction rule. If it does, the application displays an error message; modify the vendor name and re-enable the rule.
      3. Sample MITRE ATT&CK Technique Extraction rules are provisioned in the base system. They are disabled by default, so you must enable and activate them before they are applied.
        Generic Rule for data sources ingestion: Generic rule for ingestion from all types of data sources, including Import Intelligence and manual creation.
        Generic Rule for Threat Lookup: Generic rule for any threat lookup integration.
        Generic Rule for Observable Enrichment Integrations: Generic rule for any observable enrichment integration.
    5. Click Duplicate to create a copy of the extraction rule.
    6. Click Disable to disable the extraction rule.
      注:
      Once disabled, the rule is no longer considered when extracting MITRE data.
    7. Click Save.
    8. Click Delete to delete a MITRE ATT&CK Technique Extraction rule.
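The Tactic Regex and Technique Regex fields and the sample rule script above rely on the same two steps: match tactic and technique IDs in text with a pattern, then link only IDs that exist in the instance's ATT&CK repository. The following stand-alone Node.js script is an added example, not ServiceNow code and not the MITREExtractionUtils API; it re-implements that extraction over a constructed lookup payload, scoped to one field (the mitre_data field name is assumed, as in the sample script) and validated against a constructed set of known IDs that stands in for the repository. It also shows why scoping to one field matters: run over the whole payload, the same patterns pick up look-alike strings from free-text fields, and it shows how a malformed payload should be handled instead of throwing.

```javascript
// Added example: a stand-alone re-implementation of regex-based MITRE ATT&CK ID
// extraction. This is not ServiceNow code and does not use MITREExtractionUtils;
// the payload, the field name (mitre_data) and the known-ID set are all constructed here.

// Tactic IDs: "TA" followed by four digits, e.g. TA0002.
const TACTIC_RE = /\bTA\d{4}\b/g;
// Technique IDs: "T" followed by four digits, optionally a sub-technique suffix ".ddd".
// The suffix is part of the same match so T1059.001 is not truncated to T1059,
// and the dot is escaped so it matches only a literal dot.
const TECHNIQUE_RE = /\bT\d{4}(?:\.\d{3})?\b/g;

// Constructed sample payload, stringified the way a rule script receives it.
const SAMPLE_RAW_DATA = JSON.stringify({
  indicator: "198.51.100.23",
  verdict: "malicious",
  mitre_data: [                                   // field the rule is scoped to (assumed name)
    { tactic: "TA0002", technique: "T1059.001", name: "PowerShell" },
    { tactic: "TA0011", technique: "T1071", name: "Application Layer Protocol" },
    { tactic: "TA0002", technique: "T1059.001" }   // duplicate that must collapse
  ],
  // Free text containing ID look-alikes that a payload-wide regex would also capture.
  comment: "Operator notes reference tool T9999 and cluster TA0098"
});

// Constructed stand-in for the ATT&CK repository data loaded into the instance.
const KNOWN_IDS = new Set(["TA0002", "TA0011", "T1059", "T1059.001", "T1071"]);

// Run both patterns over a value of any shape and return sorted, de-duplicated IDs.
function extractMitreIds(value, tacticRe = TACTIC_RE, techniqueRe = TECHNIQUE_RE) {
  const text = typeof value === "string"
    ? value
    : JSON.stringify(value === undefined || value === null ? "" : value);
  const uniq = (re) => Array.from(new Set(text.match(re) || [])).sort();
  return { tacticIds: uniq(tacticRe), techniqueIds: uniq(techniqueRe) };
}

// Keep only IDs present in the repository; report the rest so they can be reviewed.
function filterKnown(ids, known) {
  const keep = (list) => list.filter((id) => known.has(id));
  const drop = (list) => list.filter((id) => !known.has(id));
  return {
    tacticIds: keep(ids.tacticIds),
    techniqueIds: keep(ids.techniqueIds),
    rejected: drop(ids.tacticIds).concat(drop(ids.techniqueIds)),
  };
}

// Mirrors the sample rule script: parse the raw result, extract from ONE field, validate.
function processLookupResult(rawData, fieldName, known) {
  let parsed;
  try {
    parsed = JSON.parse(rawData);
  } catch (e) {
    // A malformed payload must not abort the rule with an unhandled exception.
    return { tacticIds: [], techniqueIds: [], rejected: [], error: "invalid JSON" };
  }
  const field = parsed && typeof parsed === "object" ? parsed[fieldName] : undefined;
  return filterKnown(extractMitreIds(field), known);
}

// Contrast case: the same patterns over the entire payload, including free-text fields.
function processWholePayload(rawData, known) {
  return filterKnown(extractMitreIds(rawData), known);
}

console.log("scoped to mitre_data:", processLookupResult(SAMPLE_RAW_DATA, "mitre_data", KNOWN_IDS));
console.log("whole payload:", processWholePayload(SAMPLE_RAW_DATA, KNOWN_IDS));
```

Run with `node extract.js` (any filename). The scoped run links TA0002, TA0011, T1059.001 and T1071 with nothing rejected; the whole-payload run additionally matches T9999 and TA0098 from the comment field, which the repository check then rejects. Unknown IDs should be reviewed rather than silently linked, since an ID that is not in the instance's ATT&CK data cannot be resolved to a tactic or technique record.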