Detection Rules - MITRE ATT&CK Mappings - Manually Created SIR - Support and Troubleshooting

Detection Rules - MITRE ATT&CK Mappings - Manually Created SIR Issue Rules that have been defined in " Detection Rules - MITRE ATT&CK Mappings" are not mapping the MITRE tactic/technique to manually created security incident records.

Steps to reproduce:

1. In the filter navigator search on Detection Rules - MITRE ATT&CK Mappings > Create a new rule

2. Navigate to sn_si_incident and create a new security incident record, using the category/subcategory defined in the rule

Resolution The MITRE ATT&CK detection rule mappings are designed to apply to SIR records that are ingested by SIEM auto-extraction. Manually created SIR records will need to be mapped to the MITRE tactic/technique manually using the related link on the SIR record.

https://docs.servicenow.com/bundle/quebec-security-management/page/product/threat-intelligence/task/create-detection-rules.html

The documentation has a visualization of the use case for the detection rules here: https://docs.servicenow.com/bundle/quebec-security-management/page/product/threat-intelligence/concept/mitre-att-ck-heatmap-and-navigator.html#mitre-att-ck-heatmap-and-navigator