Create detection rules and map them against the tactics and techniques. With this mapping, you can see the coverage for the detection rules in your organization.

Before you begin

Role required:
  • sn_ti.admin, sn_si.admin: create, write, delete access
  • sn_ti.read: read access

About this task

Detection rule mapping enables your organization to see which detection rules are available to identify specific techniques.

The primary purpose of the mapping is to provide visibility into whether your organization has the detection rules needed to identify when an alert or event is triggered by an adversary using a specific technique.

For example, the following illustration shows a list of the detection rules mapped to various techniques. You can also view this information in the MITRE-ATT&CK navigator.

MITRE ATT&CK detection rules.

If you do not intend to use the base system SIEM auto-extraction rules, then enable the automatic rollup of MITRE-ATT&CK TTPs based on the detection rule mapping. The Alert Rule name field holds the alert or event rule that triggered the security incident; you can populate it through SIEM integration, email parsing, manual creation, and so on. For more information, see Rollup MITRE-ATT&CK information from detection rules.

Note:

The detection rules feature has been updated to include mapping a single tactic to multiple techniques. Previously, you could map a single tactic to only a single technique. If you are upgrading the Threat Intelligence plugin from version 12.0.4 to a higher version, then review the following points before using the detection rules in the MITRE-ATT&CK module.

  • Multiple records are merged into a single record when all of the following fields match: rule name, alert sensor, source, category, subcategory, and MITRE-ATT&CK tactic.
  • The old records are marked as true in the deprecated column and false in the active column.
  • The new merged records are available for use and are marked as false in the deprecated column and true in the active column.
  • After you verify the upgrade and confirm that all your detection rules were migrated successfully, you can delete the old records that are marked as true in the deprecated column.

Procedure

  1. Navigate to All > Threat Intelligence > MITRE ATT&CK Administration > Detection Rules - MITRE ATT&CK Mappings.
  2. Use one of the following methods to create your detection rule:
    Method 1: Manually create detection rules.
    1. Click New and on the form, fill in the fields.

      Detection Rules example.

    2. Click Submit.
    Method 2: Import and create detection rules.
    1. Right-click the Rule Name column header.
    2. From the list, click Import.
    3. Click Create Excel template.
    4. Click Download after the export completes. An Excel template with the filename sn_ti_alert_rules_mitre_attack_technique_mapping is downloaded to your computer.

      The following illustration shows how to export the Excel template, fill in the details in the spreadsheet, upload the file, preview the fields, and import it back to the ServiceNow AI Platform.

      MITRE download import template.
    5. Open the spreadsheet and select the second sheet tab. Fill in the fields, review what you entered, and then save your file.

      The following illustration shows the spreadsheet template. The required fields are highlighted in red: Rule Name, MITRE-ATT&CK Tactic ID, and MITRE-ATT&CK Technique ID.

      Update the mapping details in the spreadsheet template.

    6. Click Choose file and select the spreadsheet on your computer.
    7. Click Upload.
    8. Click Preview Imported Data.
    9. Preview the mappings and click Complete Import.

      The following illustration shows how to upload the spreadsheet, preview the data, review any errors, and complete the detection rule mapping import process.

      Upload the spreadsheet to complete the detection rule mapping.
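The following Python script is an added example, not ServiceNow code, that ties together the upgrade note above (records sharing rule name, alert sensor, source, category, subcategory, and tactic are merged into one record; the originals are marked deprecated) and the import procedure (rows carrying the three required template columns). The sample detection-rule records are constructed for the example; the template's exact column order, the one-row-per-technique row shape, the CSV stand-in for the downloaded Excel file, and the `TA####` / `T####.###` ID patterns are assumptions, not taken from the page. The coverage summary at the end is one way to see, per tactic, how many techniques at least one rule detects.

```python
"""Added example (not ServiceNow's code): consolidate legacy one-technique-per-record
detection-rule mappings the way the upgrade note describes, emit rows shaped like the
import template's required columns, and summarise coverage per tactic."""
import csv
import io
import re
from collections import OrderedDict

# Fields on which the upgrade merges records (from the page's note).
MERGE_KEY = ("rule_name", "alert_sensor", "source", "category", "subcategory", "tactic_id")

# Required template columns named on the page. The real import needs the downloaded
# Excel template; this CSV is only a stand-in to show the row shape (assumption).
REQUIRED_COLUMNS = ("Rule Name", "MITRE-ATT&CK Tactic ID", "MITRE-ATT&CK Technique ID")

# Assumed ATT&CK ID shapes: tactics TA0001, techniques T1059 or sub-techniques T1059.001.
TACTIC_ID = re.compile(r"^TA\d{4}$")
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed sample: legacy records, each mapping one tactic to one technique.
LEGACY_RECORDS = [
    {"rule_name": "Suspicious PowerShell", "alert_sensor": "EDR", "source": "SIEM",
     "category": "Execution", "subcategory": "Script", "tactic_id": "TA0002",
     "technique_id": "T1059.001"},
    {"rule_name": "Suspicious PowerShell", "alert_sensor": "EDR", "source": "SIEM",
     "category": "Execution", "subcategory": "Script", "tactic_id": "TA0002",
     "technique_id": "T1059.003"},
    {"rule_name": "Suspicious PowerShell", "alert_sensor": "EDR", "source": "SIEM",
     "category": "Execution", "subcategory": "Script", "tactic_id": "TA0005",
     "technique_id": "T1027"},
    {"rule_name": "New Scheduled Task", "alert_sensor": "Sysmon", "source": "SIEM",
     "category": "Persistence", "subcategory": "Task", "tactic_id": "TA0003",
     "technique_id": "T1053.005"},
]


def merge_legacy_records(records):
    """Merge records that share every MERGE_KEY field into one record holding a list
    of techniques. Returns (merged, deprecated): merged records are active and not
    deprecated; the originals come back flagged deprecated/inactive, as the note says."""
    merged = OrderedDict()
    deprecated = []
    for rec in records:
        key = tuple(rec[f] for f in MERGE_KEY)
        if key not in merged:
            merged[key] = {**{f: rec[f] for f in MERGE_KEY},
                           "technique_ids": [], "deprecated": False, "active": True}
        if rec["technique_id"] not in merged[key]["technique_ids"]:
            merged[key]["technique_ids"].append(rec["technique_id"])
        deprecated.append({**rec, "deprecated": True, "active": False})
    return list(merged.values()), deprecated


def validate_ids(record):
    """Return a list of problems with a merged record's tactic/technique IDs."""
    problems = []
    if not TACTIC_ID.match(record["tactic_id"]):
        problems.append(f"bad tactic id {record['tactic_id']!r}")
    for tid in record["technique_ids"]:
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"bad technique id {tid!r}")
    if not record["technique_ids"]:
        problems.append("no technique ids")
    return problems


def to_template_rows(merged):
    """One row per technique, carrying only the three required template columns."""
    rows = []
    for rec in merged:
        for tid in rec["technique_ids"]:
            rows.append({"Rule Name": rec["rule_name"],
                         "MITRE-ATT&CK Tactic ID": rec["tactic_id"],
                         "MITRE-ATT&CK Technique ID": tid})
    return rows


def write_template_csv(rows):
    """Render the rows as CSV text (stand-in for filling the Excel template)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=REQUIRED_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def coverage_by_tactic(merged):
    """Count distinct techniques that have at least one detection rule, per tactic."""
    cov = {}
    for rec in merged:
        cov.setdefault(rec["tactic_id"], set()).update(rec["technique_ids"])
    return {tactic: len(techs) for tactic, techs in sorted(cov.items())}


if __name__ == "__main__":
    merged, old = merge_legacy_records(LEGACY_RECORDS)
    for rec in merged:
        problems = validate_ids(rec)
        if problems:
            raise SystemExit(f"{rec['rule_name']}: {problems}")
    print(write_template_csv(to_template_rows(merged)))
    print(coverage_by_tactic(merged))
```

Running the script prints four template rows (the two PowerShell techniques under TA0002 stay one merged record but still become two rows) and the per-tactic count, which is the number you would compare against the ATT&CK navigator view to spot tactics with thin detection coverage.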