Investigation canvas and MITRE ATT&CK

  • Release version: Yokohama
  • Updated January 30, 2025
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Investigation canvas and MITRE ATT&CK

    The Investigation Canvas in ServiceNow’s Threat Intelligence Security Center integrates the MITRE ATT&CK framework, enabling security analysts to view tactics, techniques, and sub-techniques associated with entities (nodes) in an investigation case. This feature helps analysts understand adversary behaviors and map investigation data to standardized threat intelligence patterns.


    Access to this feature requires the sn_sec_tisc.analyst role. Analysts navigate through Workspaces > Threat Intelligence Security Center, open the Threat Analyst Workbench, and select a case under Case Management to access the Investigation Canvas tab.

    Key Features

    • Dynamic MITRE ATT&CK Framework View: The canvas displays the selected MITRE ATT&CK matrix with tactics shown across the top and associated techniques and sub-techniques listed beneath each tactic.
    • Interactive Node Association: Clicking on one or more nodes in the canvas highlights the specific MITRE techniques and sub-techniques linked to those entities, allowing focused threat analysis.
    • Resizable Panels and Pop-Out View: Users can adjust the view size for better visibility or open the MITRE framework in a larger pop-out window for detailed examination.
    • View Controls: Analysts can toggle options to show technique IDs, expand all sub-techniques, or filter to display only techniques associated with the selected nodes, enhancing customization and clarity.
    • Automatic and Manual Refresh: The framework auto-refreshes when nodes are added, removed, or filtered, with an option for manual refresh ensuring the latest associations are displayed.
    • Investigation Canvas MITRE Filters: Users can create and save filters based on Tactics, Techniques, and Procedures (TTPs), tailored to specific adversaries or MITRE technique attributes, facilitating targeted investigations.

    Practical Benefits for ServiceNow Customers

    • Quickly map investigation elements to the MITRE ATT&CK framework, improving threat understanding and prioritization.
    • Identify relevant adversary behaviors and techniques linked to investigation nodes, streamlining analysis and response.
    • Customize views and filters to focus on the most pertinent threat intelligence data for cases.
    • Leverage up-to-date, automatically refreshed MITRE associations to maintain current situational awareness.

    In the investigation canvas, view the MITRE ATT&CK techniques and sub-techniques that are associated with all the nodes in the canvas.

    Important:
    In the framework, the techniques and sub-techniques that are associated with the nodes in the canvas are highlighted.

    Role required: sn_sec_tisc.analyst

    1. Navigate to Workspaces > Threat Intelligence Security Center.
    2. Click the Threat Analyst Workbench icon.
    3. Go to Case Management > All Cases. All the cases are displayed.
    4. Select any case.
    5. Go to the Investigation Canvas tab.
    6. On the investigation canvas, drag the Resizeable panels divider handle to bring the MITRE ATT&CK framework into view.
    7. Select the required MITRE ATT&CK matrix from the Matrix drop-down list. The MITRE ATT&CK Framework shows tactic and technique associations at different levels.
      • The top row displays all the tactics that are present in the selected matrix. By default, each tactic displays the total count of techniques and sub-techniques present for that tactic. You can use the Refresh icon to reload the MITRE ATT&CK framework and view the latest associations.
      • Under each tactic, the framework displays all the techniques that are present as a relationship to that corresponding tactic.
      • The framework displays the sub-techniques that are present under each technique. Expand each technique to view the sub-techniques.
    8. View the MITRE ATT&CK techniques and sub-techniques related to all the nodes (entities) in the canvas.
    9. Click on one or more node(s) to view the associated MITRE ATT&CK techniques and sub-techniques related to those selected node(s) in the canvas.
    10. Use View Controls to view the associated MITRE ATT&CK techniques and sub-techniques of the selected node(s). From the controls lists:
      • Select Show ID to view the MITRE IDs of the techniques and sub-techniques.
      • Select Show Sub Techniques to view all the sub-techniques. When you select this option, all the techniques are shown in the expanded view. The expanded view of the technique shows all the sub-techniques that are present for that corresponding technique.
      • Select Show Only Associated Techniques to view only the MITRE techniques that are associated with the nodes in the canvas. When you select this option, each tactic shows the total number of associated techniques and sub-techniques.
    11. Click the pop-out icon to view the MITRE ATT&CK Framework in a larger space.
    Important:
    • Whenever you add or remove a node, the MITRE ATT&CK framework refreshes automatically. You can also use the refresh icon to refresh it manually.
    • The MITRE ATT&CK framework also refreshes whenever you filter for specific types of nodes.
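
The following added example (not ServiceNow code and not taken from the product) models the behavior described in steps 7 to 10: how node selection decides which techniques are highlighted, and how Show Only Associated Techniques changes the per-tactic count. The matrix slice, node names, and node-to-technique associations are constructed for illustration; the ATT&CK IDs are real and `T1078` is deliberately listed under two tactics.

```python
# Constructed slice of a matrix: tactic -> technique -> sub-techniques.
MATRIX = {
    "Initial Access": {"T1566": ["T1566.001", "T1566.002"], "T1078": ["T1078.002"]},
    "Execution": {"T1059": ["T1059.001", "T1059.003"]},
    "Persistence": {"T1078": ["T1078.002"], "T1547": ["T1547.001"]},
}

# Constructed canvas nodes and the technique IDs associated with each (hypothetical).
NODE_TTPS = {
    "email:invoice.eml": {"T1566.001"},
    "file:loader.ps1": {"T1059.001"},
    "account:svc-backup": {"T1078.002"},
}


def associated_ids(selected=None):
    """IDs tied to the selected nodes, or to every node when none is selected."""
    nodes = selected if selected else list(NODE_TTPS)
    return set().union(*(NODE_TTPS[n] for n in nodes))


def tactic_view(selected=None, only_associated=False):
    """Per tactic: the count shown in the top row and the highlighted IDs."""
    hits = associated_ids(selected)
    view = {}
    for tactic, techniques in MATRIX.items():
        # Every technique and sub-technique listed under this tactic.
        ids = [i for tech, subs in techniques.items() for i in (tech, *subs)]
        marked = sorted(i for i in ids if i in hits)
        view[tactic] = {
            # Default: total entries; filtered: only the associated entries.
            "count": len(marked) if only_associated else len(ids),
            "highlighted": marked,
        }
    return view


if __name__ == "__main__":
    # One selected node, filtered view: the ID appears under both of its tactics.
    for tactic, cell in tactic_view(["account:svc-backup"], True).items():
        print(tactic, cell)
```

Because a technique can sit under several tactics, a single node association can raise the associated count in more than one column.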