View extracted MITRE ATT&CK Techniques
Summary
This feature lets ServiceNow customers automatically extract MITRE ATT&CK techniques from data sources in the Threat Intelligence Security Center workspace and associate them with the records they came from. It processes entity source records (observables and objects), threat lookup and observable enrichment results, and RSS feeds, identifies the MITRE ATT&CK techniques they reference, and links those techniques to the record for threat analysis. This capability requires no specific user role and is included in the Zurich release.
How Extraction Works
- Extraction rules run when an entity source record (for example, an observable source or object source) is created, over every field of that record except date fields, number fields, Usage category, and Attack phases.
- Extracted MITRE techniques are first linked to the specific entity source record, then de-duplicated and aggregated to the parent entity record.
- For threat lookups and observable enrichment, extraction runs when the threat lookup result or observable enrichment record is created, and only the raw data (raw_data) payload of that record is scanned.
- For RSS feeds, extraction rules run whenever a feed record is created or updated, with similar field restrictions.
Viewing Extracted MITRE ATT&CK Techniques
- For Observables/Objects: Navigate to Threat Intel Library > Observables, select a record, then access the MITRE Techniques section under Related Records to see extracted techniques.
- For RSS Feeds: Navigate to Threat Intel Library > RSS Feeds, select a feed, and view MITRE Techniques under Related Records for associated techniques.
- Clicking a MITRE technique ID reveals detailed technique association records, including all source entities contributing to the extraction.
Troubleshooting and Additional Details
- Technique associations consolidate multiple sources of the same tactic and technique to avoid duplicates, listing all sources involved.
- To trace extraction origins, users can view the responsible extraction rules via the Technique Source Relations section; ensure the Extraction Rule column is visible.
- If no tactic ID is identified during extraction, techniques are associated with all tactics linked to that technique in the MITRE repository; if tactic IDs are present, associations are limited to those specific tactics.
Benefits for ServiceNow Customers
This functionality streamlines the integration of MITRE ATT&CK framework insights into threat intelligence workflows, enhancing visibility into adversary tactics and techniques linked to threat data. It supports efficient threat analysis by automatically correlating relevant MITRE techniques to observables, objects, and feeds, aiding in prioritization and response strategies.
This section describes how MITRE ATT&CK technique extraction is performed, and how you can view and verify the associated techniques, for observables, objects, threat lookup results, and RSS feeds.
About MITRE ATT&CK technique extraction:
- The extraction rules for entity data sources (observable sources and object sources; threat lookups follow the separate flow described below) are processed whenever an entity source record is created.
- The rules run over every field of the entity source record except date fields, number fields, Usage category, and Attack phases.
- The extracted MITRE techniques are associated with the corresponding entity record, and you view them in the MITRE Techniques related list on the Related Records tab. Note: The MITRE techniques are first extracted and associated with the entity source record; the technique associations are then de-duplicated and aggregated to the parent entity record.
- For threat lookups and observable enrichment, the extraction rules are processed whenever a threat lookup result or observable enrichment record is created, that is, after the Run threat lookup or Run observable enrichment action is triggered for an observable. Extraction is performed only on the raw data (raw_data field) payload available in that threat lookup result or observable enrichment record.
Viewing MITRE ATT&CK techniques
- View MITRE ATT&CK techniques for Observables/ Objects
- Navigate to .
- Select any Observable record.
- Go to Related Records tab.
- Select MITRE Techniques section to view the extracted MITRE ATT&CK techniques.
- Click the MITRE technique ID to view the MITRE technique association record. The Sources column lists every source (comma-separated when there is more than one) associated with the entity source record on which the MITRE extraction was performed. Note: If the same tactic and technique IDs are extracted from multiple sources, only one tactic and technique association record is displayed, and the Sources column lists all of the sources it was extracted from.
- For troubleshooting, you can view the MITRE extraction rule responsible for a tactic and technique association by navigating to Technique Source Relations.
Note: If the Extraction Rule column is not displayed, add it using the List Actions icon.
- View MITRE ATT&CK techniques for RSS feeds
- Navigate to
- Whenever an RSS feed record is created or updated, the MITRE ATT&CK technique extraction rules are processed.
- The rules run over every field of the RSS feed record except date fields, number fields, and Attack phases.
- The extracted MITRE techniques are associated with the corresponding RSS feed record, and you can view them in the MITRE Techniques related list in the Related Records section.
- Select any RSS feed record.
- Go to Related Records tab.
- Select MITRE Techniques to view the extracted MITRE ATT&CK techniques.
- Click on the MITRE technique ID to view the MITRE technique association record.
- For troubleshooting, you can view the MITRE Extraction rule which was responsible for extraction of the tactic and technique associations.
- If no tactic ID accompanies a MITRE ATT&CK technique in the extracted entity (observable or object) source or threat lookup result, technique associations are created for every tactic that the MITRE repository links to that technique.
- If one or more tactic IDs accompany the technique, technique associations are created only for those extracted tactics that the MITRE repository also links to that technique.
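The following Python model, added here as an illustration and not ServiceNow's own code, walks through the behaviour described on this page end to end: scanning only the permitted fields of each source record, recording a technique source relation per source (with the rule that produced it), de-duplicating into one association per tactic and technique with a combined Sources column, the raw_data-only path for threat lookup results, and the tactic fallback rule above. The regex rules, field names, record layout and the small MITRE repository subset are all assumptions made for the example; real extraction rules are configured in the platform.

```python
"""Illustrative model of MITRE ATT&CK technique extraction as described on
this page. Added example, not ServiceNow code: the regex rules, field names,
record layout and the mini MITRE repository below are all assumptions."""
import re
from datetime import date

# Constructed subset of the MITRE repository: technique ID -> tactic IDs.
# The platform resolves these from its loaded MITRE ATT&CK data.
MITRE_REPOSITORY = {
    "T1059": {"TA0002"},                                # Execution
    "T1059.001": {"TA0002"},                            # PowerShell
    "T1078": {"TA0001", "TA0003", "TA0004", "TA0005"},  # Valid Accounts
    "T1566": {"TA0001"},                                # Phishing
}

# Hypothetical extraction rules: (rule name, pattern). Real rules are
# configurable; one technique-ID rule is enough to exercise the logic.
EXTRACTION_RULES = [
    ("Technique ID", re.compile(r"\bT\d{4}(?:\.\d{3})?\b")),
]
TACTIC_ID = re.compile(r"\bTA\d{4}\b")

# Fields the rules never scan (the page lists date and number fields,
# Usage category and Attack phases). These field names are assumed.
EXCLUDED_FIELDS = {"usage_category", "attack_phases"}


def scannable_fields(record):
    """Yield (field, text) for the string fields a rule may run over."""
    for name, value in record.items():
        if name in EXCLUDED_FIELDS or not isinstance(value, str):
            continue  # skips dates, numbers and the excluded fields
        yield name, value


def resolve_tactics(technique, extracted_tactics, repository=MITRE_REPOSITORY):
    """Tactic rule from the page: no tactic ID -> every tactic the repository
    links to the technique; tactic IDs present -> only those the repository
    also links to the technique (an unknown technique yields nothing)."""
    repo_tactics = repository.get(technique, set())
    if not extracted_tactics:
        return set(repo_tactics)
    return repo_tactics & extracted_tactics


def source_relations(entity_sources, repository=MITRE_REPOSITORY):
    """Technique source relations: one row per (source, tactic, technique),
    each recording the rule that produced it, before aggregation."""
    rows = []
    for source_name, record in entity_sources:
        for field, text in scannable_fields(record):
            tactics = set(TACTIC_ID.findall(text))  # tactic IDs in same field
            for rule_name, pattern in EXTRACTION_RULES:
                for technique in set(pattern.findall(text)):
                    for tactic in sorted(resolve_tactics(technique, tactics, repository)):
                        rows.append({"source": source_name, "field": field,
                                     "tactic": tactic, "technique": technique,
                                     "rule": rule_name})
    return rows


def technique_associations(entity_sources, repository=MITRE_REPOSITORY):
    """Parent-entity view: relations de-duplicated per (tactic, technique),
    with the Sources column listing every contributing source once."""
    merged = {}
    for row in source_relations(entity_sources, repository):
        sources = merged.setdefault((row["tactic"], row["technique"]), [])
        if row["source"] not in sources:
            sources.append(row["source"])
    return [{"tactic": tactic, "technique": technique, "sources": ", ".join(srcs)}
            for (tactic, technique), srcs in sorted(merged.items())]


def extract_from_raw_data(raw_data, source_name="Threat lookup"):
    """Threat lookup / enrichment path: only the raw_data payload is scanned."""
    return technique_associations([(source_name, {"raw_data": raw_data})])


# Constructed sample: two source records feeding one observable.
SAMPLE_SOURCES = [
    ("Feed A", {
        "description": "Phishing lure T1566 (TA0001) drops a PowerShell "
                       "loader T1059.001 (TA0002)",
        "confidence": 80,                        # number field: not scanned
        "sys_created_on": date(2024, 5, 1),      # date field: not scanned
        "usage_category": "T1078 ignored here",  # excluded field: not scanned
    }),
    ("Feed B", {"notes": "Valid accounts T1078 reused; T1566 also observed"}),
]

if __name__ == "__main__":
    for row in technique_associations(SAMPLE_SOURCES):
        print(row)
```

Running it shows T1566 with Sources "Feed A, Feed B" as a single record, T1078 fanned out to all four of its repository tactics because Feed B carried no tactic ID, and the T1078 mention in Feed A's usage_category field ignored. Calling resolve_tactics("T1059.001", {"TA0001"}) returns an empty set, which is the corner case of the tactic rule worth remembering: a tactic ID that the repository does not link to the technique produces no association at all.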