Manage techniques

  • Release version: Zurich
  • Updated July 31, 2025
  • 1 minute to read

    • Manage the techniques that have been imported from the MITRE TAXII collections. The techniques contain various ways attackers have developed to employ a given tactic. You can review and deactivate techniques that are not relevant to your organization. In STIX, techniques are known as attack patterns.

    Before you begin

    Role required:
    • sn_ti.admin: delete access
    • sn_si.admin: create, write, delete access
    • sn_ti.read: read access
    • sn_ti.write: create, write access

    Procedure

    1. Navigate to All > Threat Intelligence > MITRE ATT&CK Repository > Techniques.
      View the list of techniques and sub-techniques.
      The list of techniques and subtechniques are now listed.
    2. To review and deactivate techniques that are not relevant to your organization, go to the list view for the selected technique, and under the Active column, update the setting to false, and save the setting.
      Deactivate the techniques that aren't used by the other objects in the MITRE-ATT&CK repository.
    3. To prioritize a technique, assign a priority in the Relevant Priority (Custom) field.
      The base system relevant priority is set to none. The Relevant Priority (Custom) field is not imported from the MITRE-ATT&CK TAXII collections but a custom field introduced in the ServiceNow AI Platform. You can use the relevant priority information to filter and prioritize techniques in the dashboards, during the data source mapping, or when analyzing the heat map.
    4. Click a technique to view all the associated information with this technique.

      In the following illustration, you can view the details for each Account Access Removal technique, its ID, source, and other related information.

      View the attack pattern technique and it's related information.
      Note:
      The Data Source: Data Component element introduced by MITRE replaces the previous Data Source field. Data component provides an extra sublayer of context to the data sources. If your MITRE-ATT&CK repository contains the old TAXII collections, then you can view the Data Source field. Otherwise, you can view the data sources with the additional context of data components in the Data Source: Data Component field. You can view the new data component field only when the source is Enterprise ATT&CK. For more information, see data component mapping.
    5. To view how these objects are related, click Show Relationships.

    What to do next

    You can extend the information in some of these related list objects. For example, you can add new information for Group, Mitigation, and External References.