TISC Threat Intel Library does not populate MITRE ATT&CK data when Legacy Threat Intelligence TAXII collections are used - Support and Troubleshooting

TISC Threat Intel Library does not populate MITRE ATT&CK data when Legacy Threat Intelligence TAXII collections are used Issue .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The Threat Intelligence Security Center (TISC) Threat Intel Library does not display any MITRE ATT&CK data in the MITRE ATT&CK Repository section, even when the Legacy Threat Intelligence (TI) module is configured and successfully importing MITRE data into legacy TI tables.

Symptoms .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The MITRE ATT&CK Repository section in the TISC Threat Intel Library shows 0 records across Matrices, Techniques, Mitigations, Groups, and related object types Legacy TI tables (such as sn_ti_stix2_attack_pattern and sn_ti_stix2_matrix ) contain MITRE ATT&CK records imported through TAXII profiles and collections TAXII collection import jobs run to completion against the Legacy TI pipeline but data does not appear in TISC workspaces The TISC Data Migration job ("Migrate recent objects") completes with 0 MITRE records processed In environments where the TISC plugin has been reinstalled or upgraded, the TISC MITRE feed data sources ( sn_sec_tisc_feed_data_source ) may have duplicate records — typically one set with an older creation date and one with a newer creation date Release .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } All currently supported releases.

Cause .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } This behavior is by design. The Legacy Threat Intelligence module and the Threat Intelligence Security Center are separate applications with independent data pipelines:

Legacy TI uses TAXII profiles and collections to import STIX2 data into the sn_ti_stix2_* tables. TISC uses its own feed data source framework ( sn_sec_tisc_feed_data_source ) to import MITRE ATT&CK data into its own dedicated MITRE ATT&CK Repository tables. The two pipelines do not share tables for MITRE ATT&CK data. Data imported through the Legacy TI module does not automatically appear in the TISC Threat Intel Library. The TISC Data Migration utility is designed to migrate other object types (indicators, observables, cases) and does not cover MITRE ATT&CK objects.

When the TISC application is reinstalled or upgraded, duplicate sn_sec_tisc_feed_data_source records and duplicate scheduled jobs ( sys_trigger ) can be created. Running both sets concurrently can produce parsing errors and import timeouts.

Resolution .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } To populate MITRE ATT&CK data in the TISC Threat Intel Library, enable and execute the TISC-specific MITRE feed data sources. Repeat the steps below for each MITRE collection (Enterprise ATT&CK, ICS ATT&CK, Mobile ATT&CK).

In the application navigator, go to the TISC feed data source list by navigating to /sn_sec_tisc_feed_data_source_list.do on your instance. Filter the list by Name contains MITRE to display the TISC MITRE feed data sources. Identify the correct record for each collection. If duplicate records exist for the same collection, compare the Created date and select the newer record. The older duplicate can be removed after the import is confirmed working. Open the selected feed data source record. Set Status to Enabled and save the record. Alternatively, run the following background script in the Global application scope (Scripts - Background), replacing the placeholder with the sys_id of the newer duplicate record: var gr = new GlideRecord('sn_sec_tisc_feed_data_source'); gr.get(' '); if (gr.isValidRecord()) { gr.setValue('status', 'enabled'); gr.update(); gs.info('Enabled: ' + gr.getValue('name') + ' | Status: ' + gr.getValue('status')); } 6. From the feed data source record, click Execute Now to trigger the import.

7. Verify the data populates in the TISC Threat Intel Library under the MITRE ATT&CK Repository section. After a successful Enterprise ATT&CK import, the Matrices and Techniques counts should be non-zero (for example, 1 matrix and approximately 835 techniques for Enterprise ATT&CK).

8. Repeat steps 3–7 for the remaining TISC MITRE feed data sources (ICS ATT&CK and Mobile ATT&CK).

9. After confirming all three collections are populating correctly, optionally clean up the older duplicate sn_sec_tisc_feed_data_source records and any duplicate scheduled jobs.

Related Links .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Documentation