MITRE ATT&CK Technique Extraction method

  • Release version: Washingtondc
  • Updated October 21, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of MITRE ATT&CK Technique Extraction Method

    The MITRE ATT&CK Technique Extraction method outlines the process for extracting techniques associated with entity records in ServiceNow. This method is crucial for threat intelligence, allowing for accurate identification and tracking of attack techniques linked to various entities.

    Show full answer Show less

    Key Features

    • Extraction Rules: These rules apply to various fields within the entity source record, excluding date and number fields, as well as Usage category and Attack phases.
    • Viewing Techniques: Users can navigate to the Threat Intel Library to view MITRE techniques linked to any observable or object record in the Related Records tab.
    • De-duplication: Extracted techniques are aggregated to prevent duplication, ensuring clarity in tracking associated tactics and techniques.
    • Tactic and Technique Associations: For techniques extracted from multiple sources, only one association is displayed, consolidating the Sources column for ease of reference.
    • Troubleshooting: Users can identify the extraction rules responsible for specific associations by accessing the Technique Source Relations.

    Key Outcomes

    By utilizing the MITRE ATT&CK Technique Extraction method, ServiceNow customers can:

    • Streamline the identification of threats linked to specific techniques and tactics.
    • Enhance threat intelligence capabilities through accurate data extraction and association.
    • Manage and view threat information effectively, aiding in timely response and mitigation strategies.

    MITRE ATT&CK Technique Extraction method describes how the extraction methods are performed and associated techniques are verified.

    1. The extraction rules for data sources (threat lookups are not applicable) are processed whenever an entity (for example, observable source or object source) source record gets created.
    2. The rules are applicable for any fields within the entity source record (except date, number fields, and Usage category and Attack phases).
    3. The extracted MITRE techniques are associated to the corresponding entity record and you view the records in the MITRE techniques related list in the Related Records tab.
      Note:
      The MITRE techniques are first extracted and associated to the entity source record then the techniques associations are de-duplicated and aggregated to the parent entity record.

    View MITRE techniques

    1. Navigate to Threat Intel Libraryany entity (observable or object) record using the .
    2. Click on the Related Records tab.
    3. Select MITRE Techniques and view the associated techniques which are extracted.
    4. Click on the MITRE technique ID to view and access the MITRE technique association record. The Sources column displays all the sources (also separated by a comma if there are one or more sources) which are associated to the entity source record on which the MITRE extraction is performed.
      Note:
      If the same tactic and technique IDs are extracted from multiple sources then only one tactic and technique association record is displayed and the Sources column displays all the extracted sources.
    5. For troubleshooting, you can view the MITRE Extraction rule which was responsible for extraction of the tactic and technique associations by navigating to the Technique Source Relations.
      Note:
      Make sure to add the Extraction Rule column using the List Actions icon in case if you don't see the Extraction Rule column.
    The extraction rules for threat lookups are processed whenever the threat lookup result record is created for any observable for which Run threat lookup action is triggered and the extraction is performed only on the raw data (raw_data field) payload which is available in the threat lookup result record.
    Note:
    • If there is no tactic ID present in the extracted entity (observable or object) source or threat lookup result for any MITRE ATT&CK technique, then the technique associations are created for all the tactics that are associated to the corresponding technique in the MITRE repository.
    • If there is any tactic ID present in the extracted entity (observable or object) source or threat lookup result for any MITRE ATT&CK technique, then the technique associations is specifically created only for all that extracted tactic(s) that are associated to the corresponding technique in the MITRE repository.