To manually create a Security Incident using MITRE TTP Classifications, perform the following procedure.

Procedure

  1. Log in to your ServiceNow instance.
  2. Go to VMware Carbon Black Cloud > Alerts.
  3. Select alerts whose Alert Type is CB_ANALYTICS.
  4. View the Threat Indicator > TTPS field in the alert to check whether the alert has MITRE TTP values. If it does not, the MITRE ATT&CK Technique field in the Incident will not be populated.
  5. In the upper right corner of the page, click the Create Security Incident button.
  6. After the Security Incident is created, check its MITRE ATT&CK Technique value. This value is a comma-separated list of all the TTPs that are part of this Security Incident.
    • MITRE ATT&CK Technique displays the MITRE TTP ID and MITRE TTP name from the linked alerts.
    • These values can be visualized in the matrix under the MITRE ATT&CK tab on the Security Incident page.
    • If the Security Incident has multiple alerts, it has multiple MITRE TTP values.
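
The check in step 4 and the merged value in step 6 can be previewed offline against exported alert JSON. The script below is an added example, not part of the integration or this documentation. It assumes alert records with `id`, `type` and `threat_indicators[].ttps` fields, MITRE TTP names of the form `MITRE_T<id>_<NAME>`, and a `, ` separator. The sample alerts are constructed.

```python
import re

# Assumption: MITRE-mapped TTPs are named MITRE_T<4 digits>[_<3-digit sub-technique>]_<NAME>.
MITRE_TTP = re.compile(r"^MITRE_(T\d{4})(?:_(\d{3}))?(?:_|$)")

def mitre_ids(alert):
    """Return the ordered, de-duplicated MITRE technique IDs found in one alert."""
    ids = []
    for indicator in alert.get("threat_indicators") or []:
        for ttp in indicator.get("ttps") or []:
            match = MITRE_TTP.match(ttp)
            if not match:
                continue  # TTP without a MITRE mapping, e.g. RUN_CMD_SHELL
            tid = match.group(1) + (f".{match.group(2)}" if match.group(2) else "")
            if tid not in ids:
                ids.append(tid)
    return ids

def preview_incident(alerts):
    """Preview steps 3, 4 and 6 for a set of selected alerts."""
    eligible = [a for a in alerts if a.get("type") == "CB_ANALYTICS"]  # step 3
    merged = []
    for alert in eligible:
        for tid in mitre_ids(alert):
            if tid not in merged:
                merged.append(tid)
    return {
        # Step 6: one comma-separated value covering every linked alert.
        "technique_field": ", ".join(merged),
        # Step 4: alerts that would contribute nothing to the field.
        "alerts_without_mitre": [a["id"] for a in eligible if not mitre_ids(a)],
        "skipped_wrong_type": [a["id"] for a in alerts if a not in eligible],
    }

# Constructed sample alerts (not real data).
SAMPLE_ALERTS = [
    {"id": "A1", "type": "CB_ANALYTICS", "threat_indicators": [
        {"ttps": ["MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER", "RUN_CMD_SHELL"]}]},
    {"id": "A2", "type": "CB_ANALYTICS", "threat_indicators": [
        {"ttps": ["MITRE_T1003_OS_CREDENTIAL_DUMP"]},
        {"ttps": ["MITRE_T1059_CMD_LINE_OR_SCRIPT_INTER"]}]},
    {"id": "A3", "type": "CB_ANALYTICS", "threat_indicators": [
        {"ttps": ["POLICY_DENY"]}]},
    {"id": "A4", "type": "WATCHLIST", "threat_indicators": []},
]

if __name__ == "__main__":
    print(preview_incident(SAMPLE_ALERTS))
```

An empty `technique_field` means the MITRE ATT&CK Technique field in the resulting Security Incident would not be populated.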