Investigation canvas and MITRE ATT&CK

  • Release version: Australia
  • Updated March 12, 2026
  • 2 minutes to read

    • In the Investigation Canvas, you can view the MITRE ATT&CK techniques and sub-techniques associated with all nodes currently present on the canvas.

    Before you begin

    Role required: sn_sec_tisc.analyst

    Procedure

    1. Navigate to Workspaces > Threat Intelligence Security Center.
    2. Select the Threat Analyst Workbench icon.
    3. Go to Case Management > All Cases.
    4. Open any case.
    5. Go to Investigation Canvas tab.
    6. On the investigation canvas, use the Resizeable panels divider handle to drag to view the MITRE ATT&CK framework.
    7. Select the required MITRE ATT&CK matrix from the Matrix drop-down list.

      Investigation Canvas MITRE Framework.

      The MITRE ATT&CK Framework shows different levels of tactics and techniques association.
      1. The top row displays all the tactics present in the selected MITRE ATT&CK matrix.
      2. By default, each tactic shows the count of total techniques and sub-techniques associated with it.
      3. Use the Refresh icon to reload the MITRE ATT&CK framework and view the latest technique-tactic associations.
      4. View the MITRE ATT&CK techniques and sub-techniques related to all the nodes (entities) in the canvas.
      5. Click on one or more node(s) to view the associated MITRE ATT&CK techniques and sub-techniques related to those selected node(s) in the canvas.
        Important:
        In the framework, the techniques and sub-techniques that are associated with the nodes in the canvas are highlighted.
    8. Select Filters to enable you to create and save filters for TTPs associated with specific adversaries and other MITRE technique attributes.
      For more information on the MITRE Filtering options, see Investigation Canvas MITRE Filters.
    9. Use View Controls for advanced filtering options.
      Once you select the appropriate filter, it will display only the MITRE ATT&CK techniques and sub-techniques associated with the selected node(s). The options in the View Controls list are:
      • Show ID: Displays the unique technique ID (for example T1059) on each card for easy reference.
      • Show Sub Techniques: Displays the sub-techniques. This option automatically expands the parent technique cards to display their sub-techniques, without requiring manual expansion.
      • Select Show Only Associated Techniques: Displays only the techniques that are currently linked to nodes on the investigation canvas, hiding any irrelevant techniques even if they meet the filter criteria. When this option is selected, each tactic displays the total count of associated techniques and sub-techniques currently linked to the canvas.
    10. Click on the pop out icon to view the MITRE ATT&CK Framework in a larger space.
      Important:
      • Whenever you add or remove a node, the MITRE ATT&CK framework refreshes automatically. You can also use the refresh icon to perform a manual refresh at any time.
      • Whenever you filter specific types of nodes, the MITRE ATT&CK framework refreshes automatically to reflect the changes.