Get started with MITRE-ATT&CK framework

Release version:
Yokohama
Xanadu
Washington DC
Vancouver
UpdatedJan 30, 2025
1 minute read

Yokohama
Threat Intelligence

Review the following information before you start setting up your MITRE-ATT&CK framework.

Table 1. Checklist
Setup task	Description
Verify that you have assigned the required ServiceNow AI Platform, Threat Intelligence, and Security Incident Response roles.	The following roles are used across the MITRE-ATT&CK features: The administrator (admin) installs the applications from the ServiceNow Store and assigns the security incident administrator (sn_si.admin) and threat intelligence administrator (sn_ti.admin) roles. sn_ti.admin sn_si.admin sn_si.analyst sn_ti.read sn_ti.write sn_ti.mitre_analyst - The MITRE analyst role has been introduced to allow cross-navigation for the MITRE features between Security Incident Response and Threat Intelligence Support Common. With this role, you can view both the Threat Intelligence MITRE module and the Security Incident Response module in read-only mode. sn_si.read For more information, see Setup Threat Intelligence.
Verify that the ServiceNow core applications that are required to support the MITRE-ATT&CK module are installed and activated.	Verify that the following Security Operations applications are installed and activated from the ServiceNow Store. If not installed, install and activate one application at a time in the following order to ensure a smooth installation. Threat Intelligence Support Common UI Components (sn_ti_seismic) - Version 1.0 or higher Threat Intelligence Support Common - Version 12.0 or higher Threat Intelligence - Version 12.0 or higher Security Incident Response - Version 12.0 or higher For more information on setting up your ServiceNow AI Platform instance for the integration, see get entitlement for a Security Operations product or application and activate a ServiceNow Store application.
Domain separation	Verify the domain separation section if you intend to separate data, processes, and administrative tasks.

Related Content

Understand the MITRE to STIX data model
Review the terminology used by MITRE and STIX to efficiently use and understand the MITRE-ATT&CK framework in the ServiceNow AI Platform.
Domain separation and MITRE-ATT&CK
This domain separation overview pertains to MITRE-ATT&CK. Domain separation allows you to separate data, processes, and administrative tasks into logical groupings called domains. You can then control several aspects of this separation, including which users can see and access data.
Set up the MITRE-ATT&CK framework
Activate the MITRE-ATT&CK profile, and set up a scheduled job so that you can set up MITRE-ATT&CK collections for threat detection in your organization.
Manage matrices
Manage the matrices that have been imported from the MITRE TAXII collections. Matrices are a collection of tactics and techniques. You can view the matrices to review if your collections are available in the MITRE-ATT&CK repository.
Manage techniques
Manage the techniques that have been imported from the MITRE TAXII collections. The techniques contain various ways attackers have developed to employ a given tactic. You can review and deactivate techniques that are not relevant to your organization. In STIX, techniques are known as attack patterns.
Manage mitigations
Manage the mitigations that have been imported from the MITRE TAXII collections. Mitigations enable you to prevent an adversary from successfully executing techniques or sub-techniques against your organization. In STIX, mitigations are known as course of actions.
Manage groups
Manage the groups that have been imported from the MITRE TAXII collections. Groups are sets of related intrusion activity that are tracked by a common name in the security community. Analysts track clusters of activities using various terms such as threat groups, activity groups, threat actors, intrusion sets, and campaigns. In STIX, groups are known as intrusion sets.
Manage malware
Manage the malware information that you imported from the MITRE TAXII collections. Malware is a type of TTP that represents malicious code. It refers to a program that is covertly inserted into a system. The intent of a malware is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS).
Manage tools
Manage the tools information that you imported from the MITRE TAXII collections. Tools are legitimate software that are used by threat actors to perform attacks.
Manage MITRE relationships
Manage the MITRE relationships information that you imported from the MITRE TAXII collections.
Manage CVE and technique mapping
Manage the CVE and technique information that is mapped after you import the MITRE TAXII collections.
Extend the MITRE-ATT&CK data
Extend the MITRE-ATT&CK repository data in the ServiceNow AI Platform by enriching it.
Define the data source and detection tool mapping
Define the data source and detection tool mapping for MITRE-ATT&CK tactics and techniques. The data source mapping provides you with insight into the relevance and availability of the data sources and the detection tools for monitoring the data sources in your environment.
Define the data source and data component mapping
Use the Data Component Mapping if you are using the latest TAXII collections, and you want to maintain a relationship between the data sources, data components, and the various techniques. Map the data sources with the additional context of data components that provides an extra sublayer of context to data sources that enable you to understand adversary behaviors in MITRE-ATT&CK better.
Define the technique detection coverage
Define the technique detection coverage that your organization must measure and detect specific adversary techniques.
Map your technique detection coverage to a technique
Map your overall technique detection coverage with the technique that enables your organization to detect specific adversary techniques.
Define the mitigation coverage
Define the mitigation coverage for each mitigation that is associated with a technique so that you gain visibility into how well your organization can prevent the attacks that happen due to a particular technique.
Map your mitigation coverage to a technique
Map your mitigation coverage with the technique that enables you to detect your organization's overall mitigation strategy.
Create and map detection rules
Create detection rules and map them against the tactics and techniques. With this mapping, you can see the coverage for the detection rules in your organization.
Auto-extract technique rules for importing MITRE-ATT&CK information
Use the base system auto-extraction rules to import the MITRE-ATT&CK information from any existing third-party integrations.
Review threat group and MITRE-ATT&CK techniques mapping
Review the threat group and techniques object to object relationship mapping information that is imported from the MITRE TAXII collections. This mapping enables you to view the technique group and the corresponding technique mapping.
Threat group to technique heatmap definition
Define the threat group to technique heatmap definition so that on the heatmap you can measure and detect the attack patterns that threat groups are using to attack your organization. The probability of an attack using a particular technique increases when you have a high number of attackers.
Review the MITRE-ATT&CK system properties
Review the MITRE-ATT&CK system property values.

Was this topic helpful?

Yes No

Yokohama Security Management

Filters

Versions

Products

Get started with MITRE-ATT&CK framework

Table of contents

Get started with MITRE-ATT&CK framework

Related Content

Log in to get a better experience

Please let us know how to improve this content

Save as PDF

Please let us know how to improve this content