Roll up MITRE-ATT&CK information using MISP enrichment results

  • Release version: Australia
  • Updated March 12, 2026

    Roll up the MISP enrichment results manually if you haven't enabled the automatic rollup of MISP information.

    Before you begin

    Role required: sn_si.analyst

    About this task

    Use the base system auto-extraction rules to import the MITRE-ATT&CK information from the MISP integration. The MISP integration for Security Operations introduces two base system MITRE-ATT&CK technique extraction rules for MISP: MISP galaxies and MISP tags. For more information on auto-extraction rules in MITRE-ATT&CK, see auto-extract technique rules for importing MITRE-ATT&CK information.

    If you have enabled automatic rollup of MITRE-ATT&CK information using MISP enrichment results to a security incident, the information is automatically rolled up. If you have not enabled automatic rollup, you can do this task manually.

    Procedure

    1. Navigate to All > Security Incidents > Show All Incidents.
    2. Select the security incident that you want to enrich with the MITRE-ATT&CK information.
    3. Click Show All Related Lists, and then select the MISP Enrichment Results tab.
    4. Select the observable, and then from the Actions menu, click Roll up MITRE ATT&CK Information to SI.
      You can select multiple observables and then roll up the information.
    5. To confirm the changes, click Reload.
      The following example shows how to select an observable and roll up the MISP enrichment results to the security incident.
      Figure 1. Roll up MITRE information to a security incident

    Result

    You can view the MITRE-ATT&CK Card to confirm that the MISP Enrichment Results have been rolled up to the security incident.