[FR] Update ATT&CK Package to v12.1#2422
Conversation
| @attack_group.command('update-rules') | ||
| @multi_collection |
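Review bot: with `@multi_collection` removed from `update-rules`, the command no longer takes the file, directory or rule-ID selection that decorator provided and always walks the whole default collection; the command's help text should state that, so users of the old per-rule invocation are not surprised when every rule is checked.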
We load and loop over all rules and check for necessary updates, starting at L1236, so this is not necessary.
I see you added the ability to get the rule collection, but I think the purpose of the decorator was to get a RuleCollection by file, directory or a list of IDs, whereas the logic now just gets all the rules within our collection. I agree with this decision, but just wanted to be clear that the multi_collection did serve a different purpose/feature.
| new_data = dataclasses.replace(rule.contents.data, threat=valid_threat) | ||
| new_contents = dataclasses.replace(rule.contents, data=new_data, metadata=new_meta) | ||
| new_rule = TOMLRule(contents=new_contents) | ||
| new_rule = TOMLRule(contents=new_contents, path=rule.path) |
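Review bot: passing `path=rule.path` is the right fix here, since `TOMLRule(contents=new_contents)` alone leaves the new object without a destination and the overwrite cannot land on the original file; consider also guarding the case where `rule.path` is unset before the save call, so a rule is never written to a blank path silently.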
If path is not given, the variable will be blank in the new TOMLRule object, so we must pass the path of the original rule to overwrite.
TBD, I'm not sure how this worked prior to this addition. I too saw it error during testing without the path specified.
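To make the flow behind this hunk and the `update-rules` command concrete (compare each rule's threat mapping with the refreshed ATT&CK data, rebuild the contents with `dataclasses.replace`, and carry the original path into the new `TOMLRule`), here is an added stand-alone example; it is not detection-rules code, and its dataclasses, technique table, redirect map, date and sample rule are constructed stand-ins.

```python
"""Added example (not detection-rules code): the update-rules flow from this PR,
refreshing a rule's ATT&CK threat mapping against an updated technique table."""
from dataclasses import dataclass, replace
from typing import Optional

# Constructed stand-ins for the project's TOML rule dataclasses.
@dataclass(frozen=True)
class Technique:
    id: str
    name: str

@dataclass(frozen=True)
class Threat:
    tactic_id: str
    technique: tuple  # of Technique

@dataclass(frozen=True)
class RuleData:
    name: str
    threat: tuple  # of Threat

@dataclass(frozen=True)
class Contents:
    data: RuleData
    metadata: dict

@dataclass(frozen=True)
class TOMLRule:
    contents: Contents
    path: Optional[str] = None  # stays unset unless passed, as the hunk shows

# Constructed refreshed-package sample: current name per ID, plus redirects for
# retired IDs (T9999.001 is a placeholder, not a real technique).
CURRENT_NAMES = {"T1070": "Indicator Removal", "T1562.001": "Disable or Modify Tools"}
REDIRECTS = {"T9999.001": "T1562.001"}

def refresh_threat(threat: Threat) -> tuple:
    """Apply ID redirects and name refreshes; return (threat, change notes)."""
    notes, techniques = [], []
    for tech in threat.technique:
        new_id = REDIRECTS.get(tech.id, tech.id)
        if new_id != tech.id:
            notes.append(f"technique ID change {tech.id} -> {new_id}")
        new_name = CURRENT_NAMES.get(new_id)
        if new_name is None:  # unknown to the package: leave it, never guess
            notes.append(f"unknown technique {new_id} left untouched")
            techniques.append(tech)
            continue
        if new_name != tech.name:
            notes.append(f"technique name change {tech.name!r} -> {new_name!r}")
        techniques.append(replace(tech, id=new_id, name=new_name))
    return replace(threat, technique=tuple(techniques)), notes

def update_rule(rule: TOMLRule, today: str) -> tuple:
    """Mirror of the update-rules step: (new rule, notes), or (None, notes) if unchanged."""
    if rule.path is None:
        raise ValueError(f"{rule.contents.data.name!r} has no path; refusing to save")
    notes, threats = [], []
    for threat in rule.contents.data.threat:
        new_threat, threat_notes = refresh_threat(threat)
        notes.extend(threat_notes)
        threats.append(new_threat)
    if tuple(threats) == rule.contents.data.threat:
        return None, notes
    new_data = replace(rule.contents.data, threat=tuple(threats))
    new_meta = {**rule.contents.metadata, "updated_date": today}
    new_contents = replace(rule.contents, data=new_data, metadata=new_meta)
    return TOMLRule(contents=new_contents, path=rule.path), notes  # keep original path

# Constructed rule resembling 'Clearing Windows Event Logs' before the refresh.
SAMPLE_RULE = TOMLRule(
    contents=Contents(RuleData("Clearing Windows Event Logs", (Threat("TA0005", (
        Technique("T1070", "Indicator Removal on Host"),)),)), {"updated_date": "2022/10/01"}),
    path="rules/windows/defense_evasion_clearing_windows_event_logs.toml")
```

Calling `update_rule(SAMPLE_RULE, "2023/02/23")` returns the rebuilt rule with the same path and a single "technique name change" note, which is the line shape the command prints per rule.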
Mikaayenson left a comment
Great work 🎊
I checked out 9cf62d69 and ran the command python -m detection_rules dev attack update-rules and the rules updated as expected.
Output:

```text
(detection_dev) ➜ detection-rules git:(9cf62d69) ✗ python -m detection_rules dev attack update-rules
Loaded config file: /Users/stryker/workspace/Elastic/detection-rules/.detection-rules-cfg.json
█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄
█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄
█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
'WebServer Access Logs Deleted' requires update - technique name change
'Tampering of Bash Command-Line History' requires update - technique name change
'Timestomping using Touch Command' requires update - technique name change
'AWS CloudTrail Log Created' requires update - technique name change
'AWS S3 Bucket Configuration Deletion' requires update - technique name change
'AWS CloudTrail Log Updated' requires update - technique name change
'Azure Event Hub Authorization Rule Created or Updated' requires update - technique name change
'GCP Pub/Sub Subscription Creation' requires update - technique name change
'GCP Pub/Sub Topic Creation' requires update - technique name change
'File Deletion via Shred' requires update - technique name change
'System Log File Deletion' requires update - technique name change
'Clearing Windows Console History' requires update - technique name change
'Clearing Windows Event Logs' requires update - technique name change
'Windows Event Logs Cleared' requires update - technique name change
'Delete Volume USN Journal with Fsutil' requires update - technique name change
'Disable Windows Event and Security Logs Using Built-in Tools' requires update - technique name change
'Process Termination followed by Deletion' requires update - technique name change
'Potential Secure File Deletion via SDelete Utility' requires update - technique name change
Finished - 18 rules updated!
```
- I agree with the decision to default the rules collection instead of the multi_collection given the utility of these attack commands. 👍
- A couple nits/questions, not worth blocking.
| tags = [ | ||
| "Elastic", | ||
| "Host", | ||
| "Windows", | ||
| "Threat Detection", | ||
| "Defense Evasion", | ||
| "Investigation Guide", | ||
| "Elastic Endgame", | ||
| ] |
Nit: I wish the toml_save didn't update other things like tags and references. 🤷
Just as a note, the output for me on the commit test only has 18 rule updates vs the 19 rule updates shown. However, I do not think this is an issue with the code as the missing rule from the output,
* initial update to v12.1 attack package
* added additional click echo output
* addressed flake errors
* updated rules with refreshed att&ck data
* Update detection_rules/devtools.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

Removed changes from:
- rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
- rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
- rules/cross-platform/defense_evasion_timestomp_touch.toml
- rules/integrations/aws/collection_cloudtrail_logging_created.toml
- rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
- rules/integrations/aws/impact_cloudtrail_logging_updated.toml
- rules/integrations/azure/collection_update_event_hub_auth_rule.toml
- rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
- rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
- rules/linux/defense_evasion_file_deletion_via_shred.toml
- rules/linux/defense_evasion_log_files_deleted.toml
- rules/windows/defense_evasion_clearing_windows_console_history.toml
- rules/windows/defense_evasion_clearing_windows_event_logs.toml
- rules/windows/defense_evasion_clearing_windows_security_logs.toml
- rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
- rules/windows/defense_evasion_disabling_windows_logs.toml
- rules/windows/defense_evasion_persistence_temp_scheduled_task.toml
- rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
- rules/windows/defense_evasion_sdelete_like_filename_rename.toml

(selectively cherry picked from commit ae4e59e)
* initial update to v12.1 attack package
* added additional click echo output
* addressed flake errors
* updated rules with refreshed att&ck data
* Update detection_rules/devtools.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit ae4e59e)
#151931)

## Summary
Updates MITRE ATT&CK mappings to `v12.1`, see `detection-rules` repo update here: elastic/detection-rules#2422. Last update was to `v11.3` in #137122.

To update, I modified https://github.com/elastic/kibana/blob/1a19148c1818b9af3b7735a0b6001bbb6bd8d7ba/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js#L22 to point to the `ATT&CK-v12.1` tag.

Then ran `yarn extract-mitre-attacks` from the root `security_solution` plugin directory, and then `node scripts/i18n_check.js --fix` from Kibana root to regen the i18n files.

### Checklist
- [X] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
…o v12.1 (#151931) (#152006)

# Backport
This will backport the following commits from `main` to `8.6`:
- [[Security Solution][Detections] Updates MITRE ATT&CK mappings to v12.1 (#151931)](#151931)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
…o v12.1 (#151931) (#152007)

# Backport
This will backport the following commits from `main` to `8.7`:
- [[Security Solution][Detections] Updates MITRE ATT&CK mappings to v12.1 (#151931)](#151931)

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
Summary

Latest release of ATT&CK is v12.1, whereas our current package is v11.3.
Reference: https://github.com/mitre/cti/tags

This PR also makes adjustments to code relied on by the CLI commands in the `attack` click group of `devtools.py`:
- Removed the `@multi_collection` decorator from the `update-rules` command (logic updates all rules, no need to specify rule specifics)

Testing

- `refresh-data` - Should pull v12.1 package and remove 11.3 (already done)
- `refresh-redirect-mappings` - Should update custom technique changes mapping file
- `update-rules` - iterates all rules and checks for technique ID or name changes, adjusts and overwrites path to existing rule

Output from `update-rules` (should be able to replicate by checking out commit 9cf62d6 and running the command):