Is your feature request related to a problem? Please describe.
At the moment, TRaDE manages a local version of the MITRE ATT&CK matrix based on the available enterprise version. This is downloaded and stored locally within the repository so that rules are properly matched to the latest updates. However, this is not synced with Kibana: the Kibana ATT&CK version can diverge if an issue is not opened to update it on their end. As a result, some features may not work properly, such as references to techniques or the ATT&CK matrix coverage map.
Describe the solution you'd like
Implement a workflow where, any time a PR is opened and a file matching the etc/attack-v*.json.gz pattern is included in the diff, an issue is created in the Kibana repository asking them to update theirs as well.
Starting Point:
```yaml
name: Check MITRE ATT&CK Version Updates Are Synced

on:
  pull_request:
    paths:
      - 'detection_rules/etc/attack-v*.json.gz'

jobs:
  create_issue:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          # Full history so the base..head diff below can resolve both commits
          fetch-depth: 0

      - name: Extract version from file name
        id: extract_version
        run: |
          # github.event.before is not populated on pull_request events; diff PR base against PR head.
          # --diff-filter=AM skips the deleted old bundle so only the new version is picked up.
          FILENAME=$(git diff --name-only --diff-filter=AM \
            ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }} \
            | grep 'detection_rules/etc/attack-v.*\.json\.gz' | head -n 1)
          # attack-v13.1.json.gz -> v13.1 (keeps the minor part, which 'v[^.]*' would drop)
          VERSION=$(basename "$FILENAME" .json.gz | sed 's/^attack-//')
          # ::set-output is deprecated; write to $GITHUB_OUTPUT instead
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Create issue in elastic/kibana repository
        env:
          # Must be a token with write access to elastic/kibana; note that secrets are not
          # exposed to pull_request runs triggered from forks.
          YOUR_GITHUB_TOKEN: ${{ secrets.YOUR_GITHUB_TOKEN }}
          VERSION: ${{ steps.extract_version.outputs.version }}
        run: |
          ISSUE_TITLE="Update MITRE ATT&CK to $VERSION"
          ISSUE_BODY="The detection rules MITRE ATT&CK version has been updated to $VERSION. Please update the MITRE ATT&CK version in Kibana accordingly."
          # Build the JSON with jq so quotes in the strings cannot break the payload
          jq -n --arg title "$ISSUE_TITLE" --arg body "$ISSUE_BODY" '{title: $title, body: $body}' \
            | curl -X POST \
                -H "Authorization: token $YOUR_GITHUB_TOKEN" \
                -H "Accept: application/vnd.github.v3+json" \
                https://api.github.com/repos/elastic/kibana/issues \
                -d @-
```
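Added example (not part of this issue or the detection-rules project) for the version-extraction step: a PR that bumps the bundle usually lists both the deleted attack-v12.json.gz and the added attack-v13.1.json.gz, and `grep -o 'v[^.]*'` also drops the minor version. The function below takes `git diff --name-status` output (the sample diff is constructed) and returns only the full version of the added, modified or renamed bundle.

```shell
#!/usr/bin/env sh
# Input: lines from `git diff --name-status <base> <head>`, i.e. "<status>\t<path>"
# (A added, M modified, D deleted) or "R<score>\t<old>\t<new>" for renames.

# Print the version (e.g. "v13.1") of the added/modified/renamed ATT&CK bundle,
# or nothing if the diff does not introduce one.
attack_version_from_diff() {
  printf '%s\n' "$1" |
    awk -F'\t' '
      $1 ~ /^[AM]$/ { p = $2 }
      $1 ~ /^R/     { p = $3 }   # rename: the new path is the third field
      p ~ /detection_rules\/etc\/attack-v[0-9.]+\.json\.gz$/ { print p }
      { p = "" }
    ' |
    sed -E 's#.*/attack-(v[0-9]+(\.[0-9]+)*)\.json\.gz$#\1#' |
    head -n 1
}

# The extraction from the draft workflow, for comparison: matches the deleted
# bundle too and truncates at the first dot.
naive_versions() {
  printf '%s\n' "$1" |
    grep 'detection_rules/etc/attack-v.*.json.gz' |
    grep -o 'v[^.]*' | xargs
}

# Constructed sample: old bundle deleted, new one added, plus an unrelated rule file.
SAMPLE_DIFF="$(printf 'D\tdetection_rules/etc/attack-v12.json.gz\nA\tdetection_rules/etc/attack-v13.1.json.gz\nM\tdetection_rules/rules/linux/foo.toml')"

echo "robust: $(attack_version_from_diff "$SAMPLE_DIFF")"   # robust: v13.1
echo "naive:  $(naive_versions "$SAMPLE_DIFF")"             # naive:  v12 v13
```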