Create and map detection rules
- Updated Feb 1, 2024
- Washington DC
- Threat Intelligence
Create detection rules and map them to MITRE-ATT&CK tactics and techniques. The mapping shows which techniques your organization's detection rules cover.
Before you begin
- sn_ti.admin, sn_si.admin: create, write, and delete access
- sn_ti.read: read-only access
About this task
Detection rule mapping shows which detection rules are available to identify specific techniques.
The primary purpose of the mapping is to show whether your organization has the detection rules needed to identify an alert or event that an adversary triggered by using a specific technique.
For example, the following illustration shows a list of detection rules mapped to various techniques. You can also view this information in the MITRE-ATT&CK Navigator.
If you do not intend to use the base system SIEM auto-extraction rules, enable the automatic rollup of MITRE-ATT&CK TTPs based on the detection rule mapping. The rollup matches on the Alert Rule name field of the security incident, so populate that field with the name of the alert or event rule that triggered the incident. The field can be populated by SIEM integration, email parsing, manual creation, and so on. For more information, see Rollup MITRE-ATT&CK information from detection rules.
Detection rules now support mapping a single tactic to multiple techniques. Previously, a detection rule mapped one tactic to one technique. If you are upgrading the Threat Intelligence plugin from version 12.0.4 to a later version, review the following points before using detection rules in the MITRE-ATT&CK module.
- Multiple records are merged into a single record when their Rule name, Alert sensor, Source, Category, Subcategory, and MITRE-ATT&CK tactic fields all match.
- The old records are marked Deprecated = true and Active = false.
- The new merged records are marked Deprecated = false and Active = true and are available for use.
- After you verify the upgrade and confirm that all your detection rules migrated successfully, you can delete the old records that are marked Deprecated = true.
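The following script is an added example, not code from ServiceNow or from this page. It models detection rule records as plain objects with the field names listed above and walks through the three behaviours the page describes: the upgrade merge (one-technique records that share the key fields become one multi-technique record, with the old records flagged deprecated and the merged records flagged active), the per-technique coverage that the MITRE-ATT&CK Navigator view is built from, and the rollup that looks up TTPs by the Alert Rule name of a security incident. All sample records, sys_id values, the `merged_from` lineage field and the Navigator version numbers are constructed assumptions; the platform's own tables and APIs are not used.

```javascript
// Added example (not ServiceNow code): detection-rule records as plain objects with the
// field names this page lists. Every sample value below is constructed for illustration.
const MERGE_KEY_FIELDS = ['rule_name', 'alert_sensor', 'source', 'category', 'subcategory', 'tactic'];

// Constructed legacy records (pre-upgrade shape): one tactic and ONE technique per record.
const LEGACY_RULES = [
  { sys_id: 'r1', rule_name: 'Suspicious PowerShell', alert_sensor: 'EDR', source: 'Splunk',
    category: 'Endpoint', subcategory: 'Script', tactic: 'TA0002', technique: 'T1059.001' },
  { sys_id: 'r2', rule_name: 'Suspicious PowerShell', alert_sensor: 'EDR', source: 'Splunk',
    category: 'Endpoint', subcategory: 'Script', tactic: 'TA0002', technique: 'T1059.003' },
  { sys_id: 'r3', rule_name: 'Suspicious PowerShell', alert_sensor: 'EDR', source: 'Splunk',
    category: 'Endpoint', subcategory: 'Script', tactic: 'TA0005', technique: 'T1027' },
  { sys_id: 'r4', rule_name: 'New Scheduled Task', alert_sensor: 'EDR', source: 'Splunk',
    category: 'Endpoint', subcategory: 'Persistence', tactic: 'TA0003', technique: 'T1053.005' },
];

function mergeKey(rule) {
  // Records merge only when every key field matches; NUL separates fields to avoid collisions.
  return MERGE_KEY_FIELDS.map((f) => rule[f]).join('\u0000');
}

// Upgrade migration: merge legacy one-technique records that share the key fields into one
// multi-technique record. Old records get deprecated=true/active=false, merged records get
// deprecated=false/active=true, as the page describes. Returns { merged, deprecated }.
function migrateLegacyRules(legacyRules) {
  const groups = new Map();
  for (const rule of legacyRules) {
    const key = mergeKey(rule);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(rule);
  }
  const merged = [];
  let n = 0;
  for (const group of groups.values()) {
    const rec = { sys_id: `merged_${++n}` };           // hypothetical sys_id scheme
    for (const f of MERGE_KEY_FIELDS) rec[f] = group[0][f];
    rec.techniques = [...new Set(group.map((r) => r.technique))].sort();
    rec.merged_from = group.map((r) => r.sys_id);      // lineage, useful when verifying the upgrade
    rec.deprecated = false;
    rec.active = true;
    merged.push(rec);
  }
  const deprecated = legacyRules.map((r) => ({ ...r, deprecated: true, active: false }));
  return { merged, deprecated };
}

// Coverage: number of live (active, not deprecated) rules per technique. Accepts both record
// shapes so a table that still holds not-yet-deleted old records is counted correctly.
function techniqueCoverage(rules) {
  const coverage = new Map();
  for (const rule of rules) {
    if (rule.deprecated || !rule.active) continue;
    const techniques = rule.techniques || [rule.technique];
    for (const t of techniques) coverage.set(t, (coverage.get(t) || 0) + 1);
  }
  return coverage;
}

// Emit an ATT&CK Navigator layer (layer format 4.5; the version strings are assumptions)
// that scores each technique by its rule count, so uncovered techniques stay unscored.
function navigatorLayer(coverage, name) {
  const techniques = [...coverage.entries()]
    .sort((a, b) => a[0].localeCompare(b[0]))
    .map(([techniqueID, score]) => ({ techniqueID, score, comment: `${score} detection rule(s)` }));
  return {
    name,
    domain: 'enterprise-attack',
    versions: { layer: '4.5', navigator: '4.9.1', attack: '14' },
    techniques,
    gradient: { colors: ['#ffffff', '#66b1ff'], minValue: 0, maxValue: Math.max(0, ...coverage.values()) },
  };
}

// Rollup: given the Alert Rule name on a security incident, collect the tactics and techniques
// of every live rule with that name. An empty result means the incident cannot be enriched.
function rollupTtps(alertRuleName, rules) {
  const tactics = new Set();
  const techniques = new Set();
  for (const rule of rules) {
    if (rule.deprecated || !rule.active || rule.rule_name !== alertRuleName) continue;
    tactics.add(rule.tactic);
    for (const t of rule.techniques || [rule.technique]) techniques.add(t);
  }
  return { tactics: [...tactics].sort(), techniques: [...techniques].sort() };
}

const migration = migrateLegacyRules(LEGACY_RULES);
console.log(JSON.stringify(navigatorLayer(techniqueCoverage(migration.merged), 'Detection rule coverage'), null, 2));
console.log(rollupTtps('Suspicious PowerShell', migration.merged));
```

Run it with Node. The four legacy records collapse to three merged records: the two `Suspicious PowerShell` records with tactic TA0002 become one record with both T1059 sub-techniques, while the record with tactic TA0005 stays separate because the tactic is part of the merge key. The coverage pass skips the deprecated copies, so counting over the merged and old records together gives one rule per technique rather than two, which is the check to run before deleting the old records.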
Procedure
Related Content
- Get started with MITRE-ATT&CK framework
Review the following information before you start setting up your MITRE-ATT&CK framework.
- Understand the MITRE to STIX data model
Review the terminology used by MITRE and STIX to efficiently use and understand the MITRE-ATT&CK framework in the ServiceNow AI Platform.
- Domain separation and MITRE-ATT&CK
This domain separation overview pertains to MITRE-ATT&CK. Domain separation allows you to separate data, processes, and administrative tasks into logical groupings called domains. You can then control several aspects of this separation, including which users can see and access data.
- Set up the MITRE-ATT&CK framework
Activate the MITRE-ATT&CK profile, and set up a scheduled job so that you can set up MITRE-ATT&CK collections for threat detection in your organization.
- Manage matrices
Manage the matrices that have been imported from the MITRE TAXII collections. Matrices are a collection of tactics and techniques. You can view the matrices to review if your collections are available in the MITRE-ATT&CK repository.
- Manage techniques
Manage the techniques that have been imported from the MITRE TAXII collections. Techniques describe the various ways attackers have developed to accomplish a given tactic. You can review and deactivate techniques that are not relevant to your organization. In STIX, techniques are known as attack patterns.
- Manage mitigations
Manage the mitigations that have been imported from the MITRE TAXII collections. Mitigations enable you to prevent an adversary from successfully executing techniques or sub-techniques against your organization. In STIX, mitigations are known as courses of action.
- Manage groups
Manage the groups that have been imported from the MITRE TAXII collections. Groups are sets of related intrusion activity that are tracked by a common name in the security community. Analysts track clusters of activities using various terms such as threat groups, activity groups, threat actors, intrusion sets, and campaigns. In STIX, groups are known as intrusion sets.
- Manage malware
Manage the malware information that you imported from the MITRE TAXII collections. Malware is a type of TTP that represents malicious code: a program that is covertly inserted into a system with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system (OS).
- Manage tools
Manage the tools information that you imported from the MITRE TAXII collections. Tools are legitimate software that threat actors use to perform attacks.
- Manage MITRE relationships
Manage the MITRE relationships information that you imported from the MITRE TAXII collections.
- Manage CVE and technique mapping
Manage the CVE and technique information that is mapped after you import the MITRE TAXII collections.
- Extend the MITRE-ATT&CK data
Extend the MITRE-ATT&CK repository data in the ServiceNow AI Platform by enriching it.
- Define the data source and detection tool mapping
Define the data source and detection tool mapping for MITRE-ATT&CK tactics and techniques. The data source mapping provides you with insight into the relevance and availability of the data sources and the detection tools for monitoring the data sources in your environment.
- Define the data source and data component mapping
Use the Data Component Mapping if you are using the latest TAXII collections and want to maintain a relationship between data sources, data components, and techniques. Data components add a sublayer of context to data sources that helps you better understand adversary behaviors in MITRE-ATT&CK.
- Define the technique detection coverage
Define the technique detection coverage so that your organization can measure how well it detects specific adversary techniques.
- Map your technique detection coverage to a technique
Map your overall technique detection coverage to each technique so that you can see how well your organization detects specific adversary techniques.
- Define the mitigation coverage
Define the mitigation coverage for each mitigation that is associated with a technique so that you gain visibility into how well your organization can prevent attacks that use a particular technique.
- Map your mitigation coverage to a technique
Map your mitigation coverage to each technique to view your organization's overall mitigation strategy.
- Auto-extract technique rules for importing MITRE-ATT&CK information
Use the base system auto-extraction rules to import the MITRE-ATT&CK information from any existing third-party integrations.
- Review threat group and MITRE-ATT&CK techniques mapping
Review the object-to-object relationship mapping between threat groups and techniques that is imported from the MITRE TAXII collections. This mapping enables you to view each threat group and the techniques mapped to it.
- Threat group to technique heatmap definition
Define the threat group to technique heatmap so that you can measure and detect, on the heatmap, the attack patterns that threat groups are using to attack your organization. The more threat groups that use a particular technique, the higher the probability of an attack that uses that technique.
- Review the MITRE-ATT&CK system properties
Review the MITRE-ATT&CK system property values.