Associate MITRE-ATT&CK information with observables

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read
  • Associate MITRE-ATT&CK tactics and techniques to an observable for better security incident and threat analysis at a granular level.

    Before you begin

    Role required: sn_si.analyst

    About this task

Some SIEMs provide MITRE-ATT&CK tactic and technique information with the events, alerts, or observables that they forward. To record that information at a granular level, associate it with the individual observable rather than only with the security incident as a whole.

You can roll up the MITRE-ATT&CK information from the observables to the security incident either automatically or manually. For automatic rollup, enable the corresponding system property. If the property is not enabled, roll up the information manually for each observable, as described in the procedure below.

    Procedure

    1. Navigate to All > Security Incidents > Show All Incidents.
    2. Select the security incident that you want to enrich with the MITRE-ATT&CK information.
    3. Click Show All Related Lists, and then select the Associated Observables tab.
    4. Point to the observable that you want to associate, right-click, and select Associate MITRE ATT&CK Technique.

      In the following illustration, you can see how to navigate from the related list to Associate MITRE ATT&CK Technique, review the source, and add a tactic and technique.

      Associate MITRE ATT&CK information with an observable.
    5. In the Source list, review the source of the MITRE-ATT&CK information.
      Note:
      Only the collections and matrices that have been activated appear in the source list.
    6. Review the Tactic and Techniques, and add or remove them based on their relevance to the observable.
    7. Click Save.
      The tactics and techniques that you have added appear in the MITRE-ATT&CK Information column in the observables related list.
    8. Select the observable, and then from the Actions menu, click Roll up MITRE ATT&CK Information to SI.
      If automatic rollup of MITRE-ATT&CK information from observables to the security incident is enabled, the information is rolled up for you and this step is not required. If automatic rollup is not enabled, you must roll up the information manually with this action.

      The following illustration shows how to select an observable and roll up the MITRE-ATT&CK information to a security incident.

      Manually roll up MITRE ATT&CK information from observable to security incident.
    9. To see an aggregated view of the techniques that are associated with the observables, select two or more observables from the list, and then from the Actions menu on the selected rows list, click Show MITRE ATT&CK Information.

    Result

    An aggregated view of the MITRE ATT&CK information for the selected observables is displayed.
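The following is an added, stand-alone Python model of the data flow this procedure describes (per-observable association, rollup to the incident, and an aggregated view over a selection of observables). It is not ServiceNow code and uses no ServiceNow tables or APIs; the SIEM alert records are constructed sample data, and the ATT&CK technique-ID pattern and the choice to credit a sub-technique's parent technique during rollup are assumptions of this example, not behaviour the page documents.

```python
import re
from collections import defaultdict

# Assumption: ATT&CK technique IDs look like T1059 or, for sub-techniques, T1059.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Constructed sample SIEM alerts that carry ATT&CK data alongside an observable.
# The last record has a malformed technique ID and must be rejected rather than
# silently attached to the observable.
SIEM_ALERTS = [
    {"observable": "198.51.100.23", "type": "ip",
     "tactic": "Command and Control", "technique": "T1071.001"},
    {"observable": "198.51.100.23", "type": "ip",          # exact duplicate alert
     "tactic": "Command and Control", "technique": "T1071.001"},
    {"observable": "powershell.exe -enc SQBFAFgA", "type": "command",
     "tactic": "Execution", "technique": "T1059.001"},
    {"observable": "evil.example", "type": "domain",
     "tactic": "Command and Control", "technique": "T1071"},
    {"observable": "bad-id", "type": "host",
     "tactic": "Execution", "technique": "Txxxx"},
]


def associate(alerts):
    """Granular association: observable -> set of (tactic, technique) pairs.

    Returns the mapping plus the alerts rejected for an invalid technique ID.
    Using a set de-duplicates repeated alerts for the same observable.
    """
    by_observable = defaultdict(set)
    rejected = []
    for alert in alerts:
        tid = alert["technique"]
        if not TECHNIQUE_ID.match(tid):
            rejected.append(alert)
            continue
        by_observable[alert["observable"]].add((alert["tactic"], tid))
    return by_observable, rejected


def parent_of(technique_id):
    """T1071.001 -> T1071; a parent technique is returned unchanged."""
    return technique_id.split(".")[0]


def roll_up(by_observable, credit_parent=True):
    """Incident-level rollup: (tactic, technique) -> sorted contributing observables.

    With credit_parent=True (an assumption of this example) a sub-technique also
    counts toward its parent, so T1071.001 and T1071 aggregate under T1071.
    """
    incident = defaultdict(set)
    for observable, pairs in by_observable.items():
        for tactic, tid in pairs:
            incident[(tactic, tid)].add(observable)
            if credit_parent and "." in tid:
                incident[(tactic, parent_of(tid))].add(observable)
    return {key: sorted(obs) for key, obs in incident.items()}


def aggregated_view(rolled, selected_observables):
    """Aggregated view for the selected observables, grouped by tactic.

    Only techniques contributed by at least one selected observable appear.
    """
    view = defaultdict(dict)
    for (tactic, tid), contributors in rolled.items():
        hits = [o for o in contributors if o in selected_observables]
        if hits:
            view[tactic][tid] = hits
    return dict(view)


if __name__ == "__main__":
    by_obs, rejected = associate(SIEM_ALERTS)
    print("rejected:", [r["technique"] for r in rejected])
    rolled = roll_up(by_obs)
    for key, contributors in sorted(rolled.items()):
        print(key, "<-", contributors)
    print(aggregated_view(rolled, {"198.51.100.23", "evil.example"}))
```

The validation step matters in practice: an observable with a malformed or unknown technique ID pollutes the incident-level view, so rejecting it at association time is cheaper than cleaning it up after rollup.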