MITRE attack and defend technique graph
The MITRE attack and defend technique graph provides security analysts with an interactive, node-based visualization of attack techniques, defense techniques, and associated artifacts for a security incident.
MITRE attack and defend technique graph Overview
The MITRE attack and defend technique graph enables analysts to explore relationships between security threats and defensive measures, helping them understand the complete attack and defense landscape for an incident. The graph uses a hierarchical structure with the SIR record as the root node, branching out to display attack techniques, defend techniques, and their associated artifacts.
Analysts can interact with nodes to view details, establish associations, and manage the visibility of information based on their investigation needs. The visualization only appears when MITRE attack and defend technique data has been ingested into the system. Without ingested data, the MITRE attack and defend technique tab remains hidden from the SIR workspace.
Graph structure
The graph consists of the following node types arranged in a hierarchical structure:
- SIR node (root): The central node representing the Security Incident Response record.
- Attack technique nodes: First- or second-level nodes representing specific attack methods.
- Defend technique nodes: First- or second-level nodes representing defensive measures.
- Artifact nodes: Second- or third-level nodes representing specific artifacts related to defend techniques.
Nodes at the same hierarchical level can have cross-references, creating connecting edges when the same node relates to multiple parent nodes.
Available actions
The graph provides different actions depending on the node type being interacted with.
SIR node actions
- Show attack technique: Display all attack techniques associated with the SIR.
- Show defend technique: Display all defend techniques associated with the SIR.
- Associate attack technique: Open a modal window to associate new attack techniques with the SIR.
- Associate defend technique: Open a modal window to associate new defend techniques with the SIR.
Attack technique node actions
- Show details: Open a panel displaying the details of the selected node.
- Show defend techniques: Display all defend techniques associated with this specific attack technique.
- Hide node: Temporarily remove the attack technique node from the graph view. A Show hidden nodes option becomes available to restore hidden nodes.
Defend technique node actions
- Show details: Open a panel displaying the details of the selected node.
- Show defend artifacts: Display all artifacts associated with the selected defend technique. Artifacts shared across multiple defend techniques appear as a single node with multiple connecting edges. Edge labels indicate the relationship between the defend technique and the artifact.
- Hide node: Temporarily remove the defend technique node from the graph view. A Show hidden nodes option becomes available to restore hidden nodes.
Graph actions
- Save: Preserve the current graph view state, including node visibility, expanded sections, and layout preferences. Saved views persist when users return to the tab.
- Refresh: Update the graph with the latest data from the backend. Updates node labels if names have changed, removes associations that have been deleted from the backend, and displays newly associated techniques not currently visible in the graph. Maintains the saved view structure while refreshing the data.
- Find on map: Search for specific nodes by name. Highlights and centers the selected node in the graph. Useful for locating nodes in complex graphs with many techniques.
- Show hidden nodes: Restore all nodes that have been hidden from view.
Association actions
When associating attack or defend techniques:
- Select technique: Choose from available techniques in the modal window.
- Save association: Confirm and create the association. Newly associated nodes appear at the end of the graph. Use the Find on map function to locate newly added nodes.
- Cancel: Close the modal without creating an association.
The association modal uses the same interface experience as the MITRE-ATT&CK technique functionality.
Node relationships and edges
The graph displays relationships between nodes using connecting lines (edges):
- Direct associations: Lines connect parent nodes to their directly associated child nodes.
- Shared relationships: When a defend artifact relates to multiple defend techniques, a single artifact node connects to multiple parent nodes via separate edges.
- Cross-level references: When nodes at the same hierarchical level share relationships, connecting lines appear between them.
- Edge labels: Labels on the edges between defend techniques and artifacts indicate the relationship type (sourced from MITRE-ATT&CK data).
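The graph structure and view actions described above (a shared artifact kept as one node with an edge per parent technique, cross-referenced nodes with more than one parent, Hide node and Show hidden nodes, Find on map, and Refresh keeping the saved view while picking up renamed, deleted and newly associated techniques) modelled in Python as an added example. This is constructed illustration code, not ServiceNow's implementation; the backend record format, the placeholder ids and the edge labels are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class TechniqueGraph:  # hypothetical in-memory model of the SIR graph; constructed here, not ServiceNow's
    sir: str                                    # root node id (the SIR record)
    labels: dict = field(default_factory=dict)  # node id -> display label
    edges: set = field(default_factory=set)     # (parent id, child id, edge label)
    hidden: set = field(default_factory=set)    # view state, kept across Refresh like a saved view

    def load(self, backend):  # (re)build nodes and edges from backend records; the hidden set is kept
        self.labels, self.edges = {self.sir: self.sir}, set()
        for tid, rec in backend["attack"].items():
            self.labels[tid] = rec["name"]
            self.edges.add((self.sir, tid, ""))
            for did in rec.get("defends", []):       # "Show defend techniques" on an attack node
                self.edges.add((tid, did, ""))
        for did, rec in backend["defend"].items():
            self.labels[did] = rec["name"]
            self.edges.add((self.sir, did, ""))
            for aid, rel in rec.get("artifacts", {}).items():
                # a shared artifact keeps one node id, so it gets one edge per parent technique
                self.labels[aid] = backend["artifacts"].get(aid, aid)
                self.edges.add((did, aid, rel))      # edge label = relationship type
        self.hidden &= set(self.labels)              # forget hidden nodes deleted upstream (assumption)
        return self

    def hide(self, node):
        self.hidden.add(node)
    def show_hidden(self):
        self.hidden.clear()
    def visible_edges(self):
        return {e for e in self.edges if e[0] not in self.hidden and e[1] not in self.hidden}
    def parents_of(self, node):  # cross-referenced nodes have more than one parent
        return sorted(p for p, c, _ in self.edges if c == node)
    def find_on_map(self, text):
        return sorted(n for n, lbl in self.labels.items() if text.lower() in lbl.lower())

# Constructed sample records with placeholder ids (not real ATT&CK or D3FEND identifiers)
BACKEND_V1 = {
    "attack": {"ATK-1": {"name": "Attack technique one", "defends": ["DEF-1"]}},
    "defend": {"DEF-1": {"name": "Defend technique one", "artifacts": {"ART-1": "analyzes"}},
               "DEF-2": {"name": "Defend technique two", "artifacts": {"ART-1": "analyzes", "ART-2": "filters"}}},
    "artifacts": {"ART-1": "Shared artifact", "ART-2": "Second artifact"},
}
BACKEND_V2 = {  # same incident later: DEF-1 renamed, DEF-2 association deleted, ATK-2 added
    "attack": {"ATK-1": {"name": "Attack technique one", "defends": ["DEF-1"]}, "ATK-2": {"name": "Attack technique two"}},
    "defend": {"DEF-1": {"name": "Defend technique one (renamed)", "artifacts": {"ART-1": "analyzes"}}},
    "artifacts": {"ART-1": "Shared artifact"},
}
```

Calling `load` a second time with newer backend records plays the role of Refresh: labels and edges are rebuilt while the hidden set, the saved view state, survives.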