Associate MITRE-ATT&CK information with security incidents

Release version: Zurich

Updated July 31, 2025

2 minutes to read

Associate the MITRE-ATT&CK tactics and techniques to the security incident for better security incident and threat analysis.

Before you begin

Role required: sn_si.analyst

About this task

Add the MITRE-ATT&CK tactics and techniques information to the security incident so that you can correlate your security incident and threat information for better analysis. For example, your organization may be receiving tactics, techniques, and procedures (TTP)-related information from your third-party sources, such as Threat Intelligence reports or other sources outside of the Security Incident Response. You then add this information back to SIR for better correlation and threat analysis.

You can choose to roll up the MITRE-ATT&CK information automatically from the threat lookup auto-extraction results, from observables, or from a child security incident to a security incident. For automatic roll up to security incidents, enable the system property. Alternatively, you can roll up the information manually for each individual threat lookup or observable.

Procedure

Navigate to All > Security Incidents > Show All Incidents.
Select the security incident that you want to enrich with the MITRE-ATT&CK information.
Click the Associate MITRE ATT&CK Technique related link.
The Associate MITRE ATT&CK Technique pane appears.
This illustration shows how to navigate to the related list and look for Associate MITRE-ATT&CK Technique, review the source Enterprise ATT&CK, add a tactic Impact, and add a technique System Shutdown/Reboot.
Select Source.

Note:
Only the collections and matrices that have been activated appear in the source list.

The tactics and techniques that are associated with the source are available for selection. You can also associate multiple sources.
Select the Tactic and Techniques.
Optional: Review the information based on the relevance with the security incident and do the following:
- To completely remove the association, click the bin icon. Clicking this icon deletes the source and its associated tactics and techniques.
- To remove a tactic, click the minus icon next to the tactic.
- To remove a technique, click the x icon next to the technique.
Click Save.

Result

The MITRE-ATT&CK information is associated with the security incident. You can now view the associated information in the MITRE ATT&CK Card.

Associate MITRE-ATT&CK information with closed security incidents

You can now associate MITRE-ATT&CK tactics and techniques to the closed security incidents for better security incident and threat analysis.

Using the MITRE-ATT&CK Card to see related information in a security incident

You can use the MITRE-ATT&CK card to see the MITRE-ATT&CK related information in a security incident.

After the information is rolled up from a threat lookup, an observable, or a SIEM integration, it is added to the security incident. Then, the aggregated information is presented in the MITRE-ATT&CK Card. The MITRE ATT&CK Card provides two views:

Navigator view: This view, which is similar to the MITRE-ATT&CK navigator, shows all the techniques that have been manually added or rolled up from the observable or threat lookup tables. Show origin of techniques displays the source of the technique if it has been manually rolled up or through a Source. Show ID displays the technique ID.
The following illustration shows how to navigate to the MITRE ATT&CK Card navigator view. By clicking any of the available links, the information opens in the Threat Intelligence module.
List view: This view shows the data in a list or table format. You can see all the data that is spread across different tables and groups in this view.
The following illustration shows how to navigate to the MITRE ATT&CK Card list view. By clicking any of the available links, the information opens in the Threat Intelligence module.