Define an attack pattern

  • Release version: Zurich
  • Updated July 31, 2025
  • 4 minutes to read
  • Define an attack pattern to help threat analysts categorize attacks.

    Before you begin

    Role required: sn_sec_tisc.analyst

    Procedure

    1. Navigate to Workspaces > Threat Intelligence Security Center.
    2. Click on Threat Intel Library icon on the workspace.
    3. Go to Attack Pattern.
    4. Click New.
      Note:
      Whenever you create a new object record (an observable, indicator, entity, or other STIX object), the application also creates a source record, displays a message confirming that the object record was created, and then redirects you to the aggregated record.
    5. On the form, fill in the fields.
      Table 1. Attack Pattern Details view
      Field                   Description
      ID                      Unique ID for the attack pattern.
      Name                    Enter a name for the attack pattern.
      Description             Enter a description of the attack pattern.
      Aliases                 Alternative names that identify this attack pattern.
      Note:
      To add an alias that does not yet exist in the application, click the Add New Aliases icon inside the Alias field.
      Attack Phase            The phase of a kill chain in which this pattern is used, for example a Lockheed Martin Cyber Kill Chain phase or a MITRE ATT&CK tactic (the STIX kill_chain_phases property).
      Permissions Required    Select the permissions required for this attack pattern.
      TLP                     The Traffic Light Protocol (TLP) marking controls the audience with which sensitive information may be shared. The field offers four colors (White, Green, Amber, and Red) in order of increasing sensitivity. These names follow TLP 1.0; TLP 2.0 (2022) renamed White to Clear and added Amber+Strict, so confirm which version the partners you exchange intelligence with expect.
      Confidence              Enter the confidence you have in this attack pattern.

      The confidence property identifies the confidence that the creator has in the correctness of their data. The value must be an integer in the range 0-100.

      Source                  The threat source from which this object record was created.
      Revoked                 Indicates that the object creator no longer considers this object valid. Revoked objects should not be relied on, but they are kept so that existing references still resolve.
      Prevent System Updates  When set to true, the system does not overwrite field values on this record.
      Important:
      After you create a new object record, the Prevent System Updates check box is displayed.

      Select this check box to prevent the system from updating the record after the observable, indicator, or STIX object record is created.

      Table 2. Insights
      Field                   Description
      Notes                   Add any additional notes for the attack pattern.
      Table 3. Additional Information
      Field                   Description
      Additional Context      Add any additional context for this attack pattern.
      Spec Version            The version of the STIX specification used to represent this attack pattern object.

      The value of this property must be 2.1 for STIX objects defined according to that specification.

      Lang                    The language of the text content in this object.
      Created                 The time when the record was created in the system.
      Updated                 The time when the record was last modified in the system.
      Extensions              STIX extensions applied to this attack pattern.
      Processing Status       The processing status of this attack pattern object.
    6. Click Save.
      After you save, a message confirms that the new object record was created. Click Continue to edit the record and create new relationships.
    7. Click Continue.
      Important:
      The Prevent System Updates check box now appears on the form.

      Select it if you do not want the system to overwrite field values on this record after the observable, indicator, or STIX object record is created.

      Table 4. Tags&Taxonomies
      Field                   Description
      Tags
      Select Tags             Select the tags associated with this attack pattern.
      Add Tags                Add new tags.
      Taxonomies
      Select Taxonomy         Select a taxonomy associated with this attack pattern.
      Add Taxonomy Values     Add taxonomy values associated with this attack pattern.
    8. To delete the record, select Delete to delete the aggregated record.

      This action removes all related records, except the original source data, and triggers re-aggregation, so the aggregated record is rebuilt from the source records that remain.

      Note:
      A confirmation message asks you to verify that you want to delete the aggregated record. If you also want to delete the source records and prevent re-aggregation, select the Delete Source Records check box. This removes all associated source records as well.
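    As an added worked example (not ServiceNow's own code), the following Python maps the form fields above to the STIX 2.1 attack-pattern object they describe and checks the constraints the form states: spec_version 2.1, confidence 0-100, kill chain phases, a TLP marking, and the revoked flag. The field-to-property mapping, the sample form values, and the helper names are assumptions made for this example; the TLP marking-definition IDs are the ones the STIX 2.1 specification defines.

```python
"""Build and validate a STIX 2.1 attack-pattern object from the form fields.

Added example, not ServiceNow code: the form is modelled as a plain dict and
the checks are the constraints the form description states.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# TLP marking-definition identifiers fixed by the STIX 2.1 specification
# (section 7.2.1.4); a TLP selection on the form maps to one of these.
TLP_MARKINGS = {
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-dbdf-4cad-bb77-7c0ee0afa6e9",
    "red": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}

UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
ID_RE = re.compile(rf"^attack-pattern--{UUID}$")
MARKING_RE = re.compile(rf"^marking-definition--{UUID}$")
TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def stix_timestamp(dt):
    """STIX timestamps are RFC 3339 in UTC with a trailing Z."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def build_attack_pattern(form, now=None):
    """Map the form fields (assumed dict keys) to a STIX 2.1 attack-pattern SDO."""
    created = stix_timestamp(now or datetime.now(timezone.utc))
    obj = {
        "type": "attack-pattern",
        "spec_version": "2.1",          # Spec Version field: must be 2.1
        "id": form.get("id") or f"attack-pattern--{uuid.uuid4()}",
        "created": created,             # Created / Updated fields
        "modified": created,
        "name": form["name"],
    }
    if form.get("description"):
        obj["description"] = form["description"]
    if form.get("aliases"):
        obj["aliases"] = list(form["aliases"])
    if form.get("attack_phases"):
        # Attack Phase field -> kill_chain_phases, one entry per (chain, phase).
        obj["kill_chain_phases"] = [
            {"kill_chain_name": chain, "phase_name": phase}
            for chain, phase in form["attack_phases"]
        ]
    if form.get("confidence") is not None:
        obj["confidence"] = int(form["confidence"])
    if form.get("revoked"):
        obj["revoked"] = True
    if form.get("tlp"):
        # TLP field -> object_marking_refs pointing at the spec-defined marking.
        obj["object_marking_refs"] = [TLP_MARKINGS[form["tlp"].lower()]]
    if form.get("external_references"):
        obj["external_references"] = list(form["external_references"])
    return obj


def validate_attack_pattern(obj):
    """Return a list of problems; an empty list means the object passes."""
    problems = []
    if obj.get("type") != "attack-pattern":
        problems.append("type must be 'attack-pattern'")
    if obj.get("spec_version") != "2.1":
        problems.append("spec_version must be '2.1'")
    if not ID_RE.match(str(obj.get("id", ""))):
        problems.append("id must have the form attack-pattern--<uuid>")
    if not isinstance(obj.get("name"), str) or not obj["name"]:
        problems.append("name is required")
    for key in ("created", "modified"):
        if not TS_RE.match(str(obj.get(key, ""))):
            problems.append(f"{key} must be an RFC 3339 UTC timestamp ending in Z")
    if "confidence" in obj:
        c = obj["confidence"]
        if isinstance(c, bool) or not isinstance(c, int) or not 0 <= c <= 100:
            problems.append("confidence must be an integer in 0-100")
    for phase in obj.get("kill_chain_phases", []):
        if not {"kill_chain_name", "phase_name"} <= set(phase):
            problems.append("each kill_chain_phases entry needs kill_chain_name and phase_name")
    for ref in obj.get("object_marking_refs", []):
        if not MARKING_RE.match(str(ref)):
            problems.append(f"object_marking_refs entry is not a marking-definition id: {ref}")
    return problems


# Constructed sample input standing in for the filled-in form (not real data).
SAMPLE_FORM = {
    "name": "Spearphishing Attachment",
    "description": "Adversary delivers a malicious attachment to gain initial access.",
    "aliases": ["Spear phishing attachment"],
    "attack_phases": [("mitre-attack", "initial-access"),
                      ("lockheed-martin-cyber-kill-chain", "delivery")],
    "confidence": 85,
    "tlp": "amber",
    "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.001"}],
}


def build_sample():
    """Build the sample with a fixed clock so the result is reproducible."""
    return build_attack_pattern(SAMPLE_FORM, now=datetime(2025, 7, 31, tzinfo=timezone.utc))


if __name__ == "__main__":
    obj = build_sample()
    print(json.dumps(obj, indent=2))
    print("problems:", validate_attack_pattern(obj))
    print("problems:", validate_attack_pattern(dict(obj, spec_version="2.0", confidence=150)))
```

    Running the block prints the object and an empty problem list, then the two problems produced when Spec Version is not 2.1 and Confidence is outside 0-100. Note that `build_attack_pattern` sets `modified` equal to `created` on first save; an Updated timestamp that moves while Prevent System Updates is set is the signal to investigate.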

    What to do next

    You can now click any of the following related lists to view additional information about objects associated with the attack pattern.
    Table 5. Related Records
    Field                   Description
    External References     Lists external references to non-STIX information, such as one or more identifiers in external systems.
    Campaigns               Lists campaigns associated with this object.
    Identities              Lists identities associated with this object.
    Indicators              Lists indicators of compromise (IoCs), identified by the threat source, that are associated with this object.
    Intrusion Set           Lists intrusion sets (adversarial behaviors and resources with common properties) associated with this object.
    Locations               Lists locations that give geographic context to this object.
    Malware                 Lists malicious code associated with this object.
    Threat Actors           Lists individuals, groups, or organizations acting with malicious intent that are associated with this object.
    Tools                   Lists legitimate software that threat actors use to perform attacks associated with this object.
    Vulnerabilities         Lists weaknesses or defects in software or hardware that attackers exploit and that are associated with this object.
    Note:
    1. You can link and unlink the related records associated with this object. For more information, see Link Threat Intel Related Records.
    2. The SDOs in the Threat Intel Library also carry potential relationships. To establish a relationship between two objects, use the Potential Relationships link in the Threat Intel Library to confirm the relationship. For more information, see Confirm object-object potential relationships.
    3. You can also confirm a relationship between two objects from the Potential Relationships section under Related Records on the object's form view. For more information, see Confirm Potential Relationships from Related Records.
    4. You can add objects to cases. For more information, see Add to Case.
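    As an added example (not ServiceNow's own code) of what confirming a relationship between two objects produces, the following Python builds the STIX 2.1 relationship object for a link between an attack pattern and one of the related-record types above and refuses directions the specification does not define. The ALLOWED table is a hand-picked subset of the STIX 2.1 relationship tables for the object types listed here, the generic related-to relationship is accepted between any pair as the specification allows, and the object IDs are constructed for the example.

```python
"""Confirm a related-record link as a STIX 2.1 relationship object.

Added example, not ServiceNow code. ALLOWED is a subset of the STIX 2.1
relationship summary tables for the object kinds in the related lists above.
"""
import uuid
from datetime import datetime, timezone

# (source type, relationship_type, target type) triples defined by STIX 2.1.
ALLOWED = {
    ("attack-pattern", "targets", "identity"),
    ("attack-pattern", "targets", "location"),
    ("attack-pattern", "targets", "vulnerability"),
    ("attack-pattern", "uses", "malware"),
    ("attack-pattern", "uses", "tool"),
    ("campaign", "uses", "attack-pattern"),
    ("intrusion-set", "uses", "attack-pattern"),
    ("threat-actor", "uses", "attack-pattern"),
    ("malware", "uses", "attack-pattern"),
    ("indicator", "indicates", "attack-pattern"),
}


def stix_type(ref):
    """The object type is the part of a STIX id before the double dash."""
    return ref.split("--", 1)[0]


def is_allowed(source_ref, target_ref, relationship_type):
    """True if STIX 2.1 defines this direction; related-to is valid for any pair."""
    if relationship_type == "related-to":
        return True
    return (stix_type(source_ref), relationship_type, stix_type(target_ref)) in ALLOWED


def allowed_directions(ref_a, ref_b, relationship_type):
    """Every (source, target) ordering of the pair that STIX 2.1 permits.

    'uses' between an attack-pattern and malware is valid both ways with
    different meanings, so this can return two orderings; a potential
    relationship must then be confirmed with an explicit direction.
    """
    return [(s, t) for s, t in ((ref_a, ref_b), (ref_b, ref_a))
            if is_allowed(s, t, relationship_type)]


def make_relationship(source_ref, target_ref, relationship_type, now=None):
    """Build the relationship SRO, refusing directions STIX does not define."""
    if not is_allowed(source_ref, target_ref, relationship_type):
        raise ValueError(
            f"{stix_type(source_ref)} {relationship_type} {stix_type(target_ref)} "
            "is not a STIX 2.1 relationship in ALLOWED")
    ts = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    ts = ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"
    return {
        "type": "relationship",
        "spec_version": "2.1",
        "id": f"relationship--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "relationship_type": relationship_type,
        "source_ref": source_ref,
        "target_ref": target_ref,
    }


# Constructed sample identifiers (not real objects).
AP_ID = "attack-pattern--1b3d5f7a-9c0e-4b2d-8f1a-2c4e6a8b0d1f"
INDICATOR_ID = "indicator--0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d"
MALWARE_ID = "malware--5e6f7a8b-9c0d-4e1f-a2b3-c4d5e6f7a8b9"
IDENTITY_ID = "identity--9f8e7d6c-5b4a-4392-8170-6f5e4d3c2b1a"

if __name__ == "__main__":
    print(make_relationship(INDICATOR_ID, AP_ID, "indicates"))
    print(allowed_directions(AP_ID, MALWARE_ID, "uses"))      # two orderings
    print(allowed_directions(IDENTITY_ID, AP_ID, "targets"))  # attack-pattern -> identity only
```

    The direction check matters when confirming potential relationships: an indicator indicates an attack pattern, never the reverse, while uses between an attack pattern and malware is legitimate in both directions with different meanings, so the confirmation step should record which object is the source.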