Investigation canvas and MITRE ATT&CK

  • Release version: Xanadu
  • Updated November 5, 2024
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Investigation Canvas and MITRE ATT&CK

    The investigation canvas provides a visual representation of MITRE ATT&CK techniques and sub-techniques associated with nodes in the canvas, allowing security analysts to effectively assess threats. This functionality is available to users with the sn_sec_tisc.analyst role.

    Key Features

    • Access the investigation canvas via Workspaces > Threat Intelligence Security Center and navigate to Case Management > All Cases.
    • Select a case and utilize the Investigation Canvas tab to explore the MITRE ATT&CK framework.
    • Resize panels to view the MITRE ATT&CK matrix and select the desired matrix from the drop-down list.
    • View tactics, techniques, and sub-techniques associated with each node by clicking on specific nodes within the canvas.
    • Utilize View Controls to display MITRE IDs, sub-techniques, or only associated techniques for selected nodes.
    • The framework refreshes automatically when nodes are added or removed, or can be manually refreshed using the refresh icon.
    • Create and save filters for Tactics, Techniques, and Procedures (TTPs) related to specific adversaries with MITRE filters.

    Key Outcomes

    By leveraging the investigation canvas and MITRE ATT&CK framework, ServiceNow customers can:

    • Gain a comprehensive overview of threat tactics and techniques relevant to ongoing investigations.
    • Quickly identify and analyze associated techniques, enhancing the ability to respond to security incidents.
    • Utilize filtering options to streamline investigations and focus on specific adversary tactics.

    In the investigation canvas, view the MITRE ATT&CK techniques and sub-techniques that are associated with all the nodes in the canvas.

    Important:
    In the framework, the techniques and sub-techniques that are associated with the nodes in the canvas are highlighted.

    Role required: sn_sec_tisc.analyst

    1. Navigate to Workspaces > Threat Intelligence Security Center.
    2. Click the Threat Analyst Workbench icon.
    3. Go to Case Management > All Cases. All the cases are displayed.
    4. Select any case.
    5. Go to the Investigation Canvas tab.
    6. On the investigation canvas, drag the Resizeable panels divider handle to view the MITRE ATT&CK framework.
    7. Select the required MITRE ATT&CK matrix from the Matrix drop-down list. The MITRE ATT&CK Framework shows different levels of tactics and techniques association.
      • The top row displays all the tactics that are present in the selected matrix. By default, each tactic displays the total count of techniques and sub-techniques present for that tactic. You can use the Refresh icon to reload the MITRE ATT&CK framework and view the latest associations.
      • Under each tactic, the framework displays all the techniques that are present as a relationship to that corresponding tactic.
      • The framework displays the sub-techniques that are present under each technique. Expand each technique to view the sub-techniques.
    8. View the MITRE ATT&CK techniques and sub-techniques related to all the nodes (entities) in the canvas.
    9. Click one or more nodes to view the MITRE ATT&CK techniques and sub-techniques associated with the selected nodes in the canvas.
    10. Use View Controls to view the associated MITRE ATT&CK techniques and sub-techniques of the selected node(s). From the controls lists:
      • Select Show ID to view the MITRE IDs of the techniques and sub-techniques.
      • Select Show Sub Techniques to view all the sub-techniques. When you select this option, all the techniques are shown in the expanded view. The expanded view of a technique shows all the sub-techniques that are present for that technique.
      • Select Show Only Associated Techniques to view only the MITRE techniques that are associated with the nodes in the canvas. When you select this option, each tactic shows the total number of associated techniques and sub-techniques.
    11. Click the pop out icon to view the MITRE ATT&CK Framework in a larger space.
    Important:
    • Whenever you add or remove a node, the MITRE ATT&CK framework refreshes automatically. You can also use the refresh icon to refresh it manually.
    • The MITRE ATT&CK framework also refreshes whenever you filter specific types of nodes.