Auto-extract technique rules for importing MITRE-ATT&CK information

  • Release version: Xanadu
  • Updated August 1, 2024
  • 3 minutes to read
  • Use the base system auto-extraction rules to import the MITRE-ATT&CK information from any existing third-party integrations.

    Use threat-lookup auto-extraction rules

    Use the threat lookup auto-extraction rules to import the MITRE-ATT&CK information from any existing Threat Intelligence third-party integrations.

    Before you begin

    Role required:
    • sn_ti.admin, sn_si.admin: create, write, delete access
    • sn_ti.read: read access

    About this task

    When a Threat Intelligence integration, such as a sandbox or a threat intelligence platform (TIP), supports the MITRE-ATT&CK framework and parses the MITRE-ATT&CK information at the integration level, that information is displayed in each threat lookup result record. However, not all Threat Intelligence integrations parse the MITRE-ATT&CK information. The global threat lookup auto-extraction rule can extract MITRE-ATT&CK information from the results of all Threat Intelligence integrations.

    You can roll up the MITRE-ATT&CK information from the threat lookup results to a security incident either automatically or manually. For automatic rollup of threat lookup results to security incidents, enable the corresponding system property. Alternatively, roll up the information manually for each individual threat lookup.

    The base system Threat Intelligence application automatically extracts the MITRE-ATT&CK information from the third-party integration's raw payload into the threat lookup result record, provided that the integration supplies MITRE-ATT&CK information such as a technique or tactic.

    If the MITRE-ATT&CK information is not present in the raw payload field of the threat lookup result record, you must define your own auto-extraction rule for that third-party integration.

    Procedure

    1. Navigate to All > Threat Intelligence > MITRE ATT&CK Administration > Technique Extraction Rule.
    2. Click New.
    3. On the form, fill in the fields.
      Table 1. Technique Extraction Rule form
      Field | Description
      Name | Auto-extraction rule name.
      Rule Type | Auto-extraction rule type. Select Threat Lookup.
      Ignore Auto-Extraction | Check box that is cleared by default, which leaves automatic extraction of MITRE-ATT&CK techniques enabled for this rule.
      Source Engine | Source engine whose threat lookup results the rule processes.
      Global | Value of Source Engine. When you set the source engine to Global, the extraction runs on the results of all threat lookup integrations.
      Description | Description of the auto-extraction rule.
      Process Method | Regex or Script. Determines how the technique information is located in the raw payload and linked to the result.
      Regex Extraction | Regular expression applied to the Target Field when the process method is Regex. Regex is the default process method.
      Script Extraction | Script process method. The script receives the following inputs: threatLookupResultSysId, the sys_id of the threat lookup result record, and sourceName, the name of the threat lookup source.
      Tactic Extraction | Option that extracts tactic-related information from the raw payload. If a payload contains both tactic and technique information, you can extract it and append it to the security incident.
    4. Click Submit.

    Use SIEM auto-extraction rules

    Use the SIEM auto-extraction rules to import the MITRE-ATT&CK information from any existing Security Operations SIEM third-party integrations.

    Before you begin

    Role required:
    • sn_ti.admin, sn_si.admin: create, write, delete access
    • sn_ti.read: read access

    About this task

    Technique extraction rules are available for all base system Security Operations SIEM integrations, such as the Splunk, IBM QRadar, and ArcSight integrations. When the ServiceNow AI Platform ingests alert or event data from these SIEM integrations and the data contains MITRE-ATT&CK information, the platform processes the raw payload and auto-extracts the MITRE-ATT&CK information.

    If base system SIEM integrations are installed on your ServiceNow AI Platform, their technique extraction rules already exist in the MITRE-ATT&CK module. Review those rules and modify them as needed.

    Enable only one of the SIEM auto-extraction rule and the alert rule at a time, not both.

    Procedure

    1. Navigate to All > Threat Intelligence > MITRE ATT&CK Administration > Technique Extraction Rule.
    2. Click New.
    3. On the form, fill in the fields.
      Table 2. Technique Extraction Rule form
      Field | Description
      Name | Auto-extraction rule name.
      Rule Type | Auto-extraction rule type. Select SIEM.
      Ignore Auto-Extraction | Check box that is cleared by default, which leaves automatic extraction of MITRE-ATT&CK techniques enabled for this rule.
      Import Table | Import table from which the MITRE-ATT&CK information is read. Mapped automatically for base system SIEM integrations; for other SIEM integrations, review this field and map it to the table that carries the MITRE-ATT&CK information.
      Import Field | Field in the import table that carries the MITRE-ATT&CK information. Mapped automatically for base system SIEM integrations; for other SIEM integrations, review this field and map it accordingly.
      Description | Description of the auto-extraction rule.
      Process Method | Regex or Script. Determines how the technique information is located in the raw payload and linked to the result.
      Regex Extraction | Regular expression applied to the Target Field when the process method is Regex. Regex is the default process method.
      Script Extraction | Script process method. Use it when you want to customize how the MITRE-ATT&CK information is extracted.
      Tactic Extraction | Option that extracts tactic-related information from the raw payload. If a payload contains both tactic and technique information, you can extract it and append it to the security incident.

      The following illustration shows the Splunk Enterprise SIEM technique extraction rule in the form view. This rule is representative of all the other SIEM technique extraction rules.

      Figure: Splunk technique extraction rule.
    4. Click Submit.
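    The following block is an added example, not ServiceNow code, of the extraction logic a Script process method could apply to a raw payload. It serves both rule types described above: the threat lookup rule in Table 1, whose script receives threatLookupResultSysId and sourceName, and the SIEM rule in Table 2, where the same logic runs over the import field. It is plain JavaScript so that it can be run outside the platform. The TIP payload and the Splunk-style event string are constructed samples; the loader callback, the tactic-name lookup table and the idea that the result record exposes its raw payload through a field are assumptions about how a rule would be wired, not documented platform behaviour.

```javascript
// Added example: ATT&CK extraction logic for a Script process method.
// Nothing here is ServiceNow's own code; table/field names and payload
// shapes are assumptions.

// Enterprise ATT&CK technique IDs: T1059, or sub-technique T1059.001.
var TECHNIQUE_RE = /\bT\d{4}(?:\.\d{3})?\b/g;
// Enterprise ATT&CK tactic IDs: TA0001 ... TA0043.
var TACTIC_ID_RE = /\bTA\d{4}\b/g;

// Tactic names mapped to tactic IDs, so that a payload carrying only a name
// ("Defense Evasion", "defense_evasion", "command-and-control") still yields
// an ID that the MITRE-ATT&CK module can link.
var TACTIC_BY_NAME = {
  'reconnaissance': 'TA0043', 'resource development': 'TA0042',
  'initial access': 'TA0001', 'execution': 'TA0002', 'persistence': 'TA0003',
  'privilege escalation': 'TA0004', 'defense evasion': 'TA0005',
  'credential access': 'TA0006', 'discovery': 'TA0007',
  'lateral movement': 'TA0008', 'collection': 'TA0009',
  'command and control': 'TA0011', 'exfiltration': 'TA0010', 'impact': 'TA0040'
};

// De-duplicate and sort so repeated IDs in a payload link only once.
function uniqueSorted(list) {
  var seen = {};
  var out = [];
  for (var i = 0; i < list.length; i++) {
    if (!seen[list[i]]) { seen[list[i]] = true; out.push(list[i]); }
  }
  return out.sort();
}

// Extract technique and tactic IDs from a raw payload (string or object).
// Technique IDs are matched strictly by format; tactic names are matched
// loosely, so pass the narrowest field you can (see the caveat below).
function extractAttack(rawPayload) {
  var text = typeof rawPayload === 'string' ? rawPayload : JSON.stringify(rawPayload);
  var techniques = uniqueSorted(text.match(TECHNIQUE_RE) || []);
  var tactics = text.match(TACTIC_ID_RE) || [];
  // Normalise separators so "defense_evasion" and "command-and-control"
  // compare equal to the names in the lookup table.
  var lowered = text.toLowerCase().replace(/[-_]+/g, ' ');
  for (var name in TACTIC_BY_NAME) {
    if (lowered.indexOf(name) !== -1) tactics.push(TACTIC_BY_NAME[name]);
  }
  // Every sub-technique also links its parent technique (T1059.001 -> T1059).
  var parents = techniques.map(function (t) { return t.split('.')[0]; });
  return {
    techniques: techniques,
    parentTechniques: uniqueSorted(parents),
    tactics: uniqueSorted(tactics)
  };
}

// Entry point shaped like a threat lookup Script process method: it receives
// threatLookupResultSysId and sourceName. Loading the record is delegated to
// a callback because GlideRecord exists only inside the platform; there, the
// callback would read the raw payload field of the threat lookup result
// record (table and field names are assumptions).
function runForThreatLookupResult(threatLookupResultSysId, sourceName, loadRawPayload) {
  var raw = loadRawPayload(threatLookupResultSysId, sourceName);
  if (raw === null || raw === undefined || raw === '') {
    // Nothing to extract: return empty lists rather than throwing, so a
    // payload without ATT&CK data does not fail the lookup.
    return { techniques: [], parentTechniques: [], tactics: [] };
  }
  return extractAttack(raw);
}

// Constructed sample payloads (not real vendor output).
var SAMPLE_TIP_PAYLOAD = {
  indicator: '198.51.100.23',
  verdict: 'malicious',
  description: 'Beacon observed after remote code execution on the host',
  attack: {
    tactics: ['Defense Evasion', 'command-and-control'],
    techniques: ['T1027', 'T1071.001', 'T1071.001']
  }
};
var SAMPLE_SPLUNK_EVENT =
  'rule_name="Suspicious PowerShell" annotations.mitre_attack="T1059.001, T1059.003" mitre_tactic="TA0002"';
```

    Caveat on scope: extractAttack(SAMPLE_TIP_PAYLOAD.attack) yields TA0005 and TA0011, but extractAttack(SAMPLE_TIP_PAYLOAD) additionally yields TA0002 because the free-text description contains the word "execution". Technique IDs are safe to match anywhere in the payload; tactic names are not, so a production rule should point the script or the Target Field at the specific field that carries the tactic, not at the whole payload.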