Using the Threat Intelligence plugin, TTPs from Carbon Black Cloud alerts are enriched and visualized in ServiceNow Security incident tickets using the MITRE ATT&CK framework.

The Threat Intelligence plugin and MITRE TTP Classification are only available when using the ServiceNow SecOps module.

Before you can perform a MITRE TTP classification on a Security Incident, you must install and configure the Threat Intelligence plugin. See Install the Threat Intelligence Plugin and Configure the Threat Intelligence Plugin for MITRE.

MITRE TTP classification is only compatible with alerts whose Alert Type is CB_ANALYTICS.

  • When a Security Incident is created from an alert whose Alert Type is CB_ANALYTICS, the MITRE TTPs from the alert's Threat Indicators field are mapped to the Security Incident's MITRE ATT&CK Technique field. If there are multiple TTP values, they are mapped as a comma-separated list.
  • MITRE TTP Classification works on Security Incidents that are created either manually or automatically.
  • If the Configuration Profile includes field mappings for the MITRE fields, those mappings are overridden by the MITRE TTPs present in the corresponding alerts. See Configuring a ServiceNow Configuration Profile and Configure Alert Field Mapping for ITSM and SecOps Apps.
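The following JavaScript is an added example, not the plugin's own code: it models the mapping rules above (the CB_ANALYTICS gate, technique IDs taken from the alert's Threat Indicators, comma-joining of multiple values, and the alert TTPs overriding a configured profile mapping). The incident field name, the `MITRE_T...` TTP string format, the alert object shape and the plain-comma separator are assumptions.

```javascript
// Added example (not the plugin's code). Models how a CB_ANALYTICS alert's
// MITRE TTPs populate a Security Incident's MITRE ATT&CK Technique field.
// Assumptions: TTP strings look like "MITRE_T1059_CMD_LINE_OR_SCRIPT_INTERP"
// (constructed sample values), technique IDs are the "Txxxx[.yyy]" token,
// and the incident field is named as below.

const MITRE_TECHNIQUE_FIELD = "mitre_attack_technique"; // assumed field name

// Collect distinct technique IDs from every Threat Indicator on the alert.
// Indicators without an (assumed) MITRE_ prefix are ignored.
function extractMitreTechniques(alert) {
  const seen = new Set();
  const techniques = [];
  for (const indicator of alert.threat_indicators || []) {
    for (const ttp of indicator.ttps || []) {
      const m = /^MITRE_(T\d{4}(?:\.\d{3})?)/.exec(String(ttp));
      if (m && !seen.has(m[1])) {
        seen.add(m[1]);
        techniques.push(m[1]);
      }
    }
  }
  return techniques;
}

// Build the Security Incident field values from the alert and the
// Configuration Profile mappings. Only CB_ANALYTICS alerts are classified;
// when they carry MITRE TTPs, those override the configured MITRE mapping.
function buildIncidentFields(alert, profileMappings) {
  const fields = Object.assign({}, profileMappings);
  if (alert.type !== "CB_ANALYTICS") return fields; // unsupported alert type
  const techniques = extractMitreTechniques(alert);
  if (techniques.length > 0) {
    fields[MITRE_TECHNIQUE_FIELD] = techniques.join(","); // assumed separator
  }
  return fields;
}
```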