Define the data source and data component mapping

Release version:
Yokohama
Xanadu
Washington DC
Vancouver
UpdatedJan 30, 2025
3 minutes to read

Yokohama
Threat Intelligence

Use the Data Component Mapping if you are using the latest TAXII collections, and you want to maintain a relationship between the data sources, data components, and the various techniques. Map the data sources with the additional context of data components that provides an extra sublayer of context to data sources that enable you to understand adversary behaviors in MITRE-ATT&CK better.

Before you begin

Role required:

sn_ti.admin, sn_si.admin: write, delete access
sn_ti.read: read access

About this task

Mapping the data sources and data components provides visibility into the data sources or components and the techniques that are relevant for your organization.

For example, if your organization focuses on 7 techniques, you may need 5 data sources and 10 data components to monitor these sources. Your evaluation of internal tools reveals that your organization doesn’t have two data sources and four data components. This mapping exercise provides visibility into the data sources, components, & techniques, their relevance to your organization, and to identify the gaps in coverage. You can thus focus your investment on the right data sources and alert sensors to detect and mitigate adversary threats.

The MITRE-ATT&CK framework contains an updated structure for the data sources - Data Source: Data Component. This new form of data source provides an extra context to the data sources. The data source object features the name of the data source as well as key details about the collected data (file, process, network traffic, and so on) and specific values or properties required to detect adversary behaviors.

The following illustration shows the MITRE-ATT&CK STIX™ structure representation for data sources and data components. You can see both the data sources and data components captured as custom STIX™ objects. The illustration shows that each data source contains one or more data components, and each data component detects one or more techniques.

This image shows the general structure of data sources and data components. — Figure 1. General structure of data sources and data components

You can continue using the Data Source Mapping if your MITRE-ATT&CK repository contains the old TAXII collections, and you’ve mapped your data sources to various techniques. However, use the Data Component Mapping if you’re using the latest TAXII collections, and you want to maintain a relationship between the data sources, data components, and the various techniques.

Procedure

Navigate to All > Threat Intelligence > MITRE ATT&CK Administration > Data Component Mapping.

The following illustration shows the list of tactics, IDs, techniques along with the data sources and data components based on your collection updates.

The following illustration shows the list of tactics, techniques, IDs, along with the data sources and data components that have been populated based on your collection updates.

Search:


Field	Description
Tactic	Adversary’s objective or the reason for performing an action.
ID	Technique’s unique identity.
Technique	How an adversary achieves a tactical objective by performing an action.
Data Source	Data source that is associated with the technique.
Data Component	Data component that is associated with the data source. A data component can only have one parent data source.
Data Component Revoked	Identifies if the data component has been revoked in the MITRE-ATT&CK knowledge base.
Detection Tool	Tool that supplements the data source by detecting the techniques that are used. The detection tool is mapped with the alert sensor in SIR.
Comment	Description about the data source and data component mapping.
Revoked	Identifies if the data component to technique mapping is revoked by MITRE-ATT&CK.

Review the listed data sources and data components and modify the values based on your environment.
Follow these steps to add a data component.
1. Navigate to Threat Intelligence > MITRE ATT&CK Administration > Techniques.
2. Click a technique that you want to modify the data source: data component information.
3. Unlock Data Source: Data Component.
4. Use the lookup list to select MITRE-ATT&CK data components.
5. Lock Data Source: Data Component.
6. Click Update.
In the following illustration, you see how to add data components.

Related Content

Get started with MITRE-ATT&CK framework
Review the following information before you start setting up your MITRE-ATT&CK framework.
Understand the MITRE to STIX data model
Review the terminology used by MITRE and STIX to efficiently use and understand the MITRE-ATT&CK framework in the ServiceNow AI Platform.
Domain separation and MITRE-ATT&CK
This domain separation overview pertains to MITRE-ATT&CK. Domain separation allows you to separate data, processes, and administrative tasks into logical groupings called domains. You can then control several aspects of this separation, including which users can see and access data.
Set up the MITRE-ATT&CK framework
Activate the MITRE-ATT&CK profile, and set up a scheduled job so that you can set up MITRE-ATT&CK collections for threat detection in your organization.
Manage matrices
Manage the matrices that have been imported from the MITRE TAXII collections. Matrices are a collection of tactics and techniques. You can view the matrices to review if your collections are available in the MITRE-ATT&CK repository.
Manage techniques
Manage the techniques that have been imported from the MITRE TAXII collections. The techniques contain various ways attackers have developed to employ a given tactic. You can review and deactivate techniques that are not relevant to your organization. In STIX, techniques are known as attack patterns.
Manage mitigations
Manage the mitigations that have been imported from the MITRE TAXII collections. Mitigations enable you to prevent an adversary from successfully executing techniques or sub-techniques against your organization. In STIX, mitigations are known as course of actions.
Manage groups
Manage the groups that have been imported from the MITRE TAXII collections. Groups are sets of related intrusion activity that are tracked by a common name in the security community. Analysts track clusters of activities using various terms such as threat groups, activity groups, threat actors, intrusion sets, and campaigns. In STIX, groups are known as intrusion sets.
Manage malware
Manage the malware information that you imported from the MITRE TAXII collections. Malware is a type of TTP that represents malicious code. It refers to a program that is covertly inserted into a system. The intent of a malware is to compromise the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS).
Manage tools
Manage the tools information that you imported from the MITRE TAXII collections. Tools are legitimate software that are used by threat actors to perform attacks.
Manage MITRE relationships
Manage the MITRE relationships information that you imported from the MITRE TAXII collections.
Manage CVE and technique mapping
Manage the CVE and technique information that is mapped after you import the MITRE TAXII collections.
Extend the MITRE-ATT&CK data
Extend the MITRE-ATT&CK repository data in the ServiceNow AI Platform by enriching it.
Define the data source and detection tool mapping
Define the data source and detection tool mapping for MITRE-ATT&CK tactics and techniques. The data source mapping provides you with insight into the relevance and availability of the data sources and the detection tools for monitoring the data sources in your environment.
Define the technique detection coverage
Define the technique detection coverage that your organization must measure and detect specific adversary techniques.
Map your technique detection coverage to a technique
Map your overall technique detection coverage with the technique that enables your organization to detect specific adversary techniques.
Define the mitigation coverage
Define the mitigation coverage for each mitigation that is associated with a technique so that you gain visibility into how well your organization can prevent the attacks that happen due to a particular technique.
Map your mitigation coverage to a technique
Map your mitigation coverage with the technique that enables you to detect your organization's overall mitigation strategy.
Create and map detection rules
Create detection rules and map them against the tactics and techniques. With this mapping, you can see the coverage for the detection rules in your organization.
Auto-extract technique rules for importing MITRE-ATT&CK information
Use the base system auto-extraction rules to import the MITRE-ATT&CK information from any existing third-party integrations.
Review threat group and MITRE-ATT&CK techniques mapping
Review the threat group and techniques object to object relationship mapping information that is imported from the MITRE TAXII collections. This mapping enables you to view the technique group and the corresponding technique mapping.
Threat group to technique heatmap definition
Define the threat group to technique heatmap definition so that on the heatmap you can measure and detect the attack patterns that threat groups are using to attack your organization. The probability of an attack using a particular technique increases when you have a high number of attackers.
Review the MITRE-ATT&CK system properties
Review the MITRE-ATT&CK system property values.

Was this topic helpful?

Yes No

Yokohama Security Management

Filters

Versions

Products