[Security Solution][Detections] Update the MITRE ATT&CK model to v11.3#137122
banderror merged 3 commits into elastic:main from
Conversation
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
This script didn't work out of the box and I had to add this condition to it:

```js
|| obj.x_mitre_is_subtechnique === undefined
```

because it looks like the official metadata has been changed since we used the script last time, and now a lot of techniques don't have the `x_mitre_is_subtechnique` field in them.
Instead of finding the parent tactic by doing text transformations:

```js
const tactic = tactics.find(
  (tactic) => tactic.name === startCase(camelCase(technique.tactics[0]))
);
```

we can leverage the tactic's short name that's available in the source json metadata.
I think this is a more robust way to do that.
💚 Build Succeeded
```js
// Every release we should update the version of MITRE ATT&CK content and regenerate the model in our code.
// This version must correspond to the one used for prebuilt rules in https://github.com/elastic/detection-rules.
// This version is basically a tag on https://github.com/mitre/cti/tags, or can be a branch name like `master`.
```
Thanks for clarifying that 👍
vitaliidm left a comment
Thanks @banderror for improving the extract script.
Left a couple of comments.
```js
const tactics = mitreData
.filter((obj) => obj.type === 'x-mitre-tactic')
.reduce((acc, item) => {
const { id, reference } = getIdReference(item.external_references);
```
If id and reference are empty, do we still want to add the item to the tactics array?
No, I don't think we want it. I have a bunch of concerns about the reliability of this script. But I don't want to make any further changes in this PR to not accidentally break anything. Opening a ticket for follow-up changes would be a better option IMHO.
```js
let tactics = [];
const { id, reference } = getIdReference(item.external_references);
if (item.kill_chain_phases != null && item.kill_chain_phases.length > 0) {
item.kill_chain_phases.forEach((tactic) => {
tactics = [...tactics, tactic.phase_name];
});
}
```
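Review bot: the `forEach` over `item.kill_chain_phases` rebuilds the `tactics` array with a spread on every iteration, and the `let` plus the `!= null && length > 0` guard exist only to support that pattern; `const tactics = (item.kill_chain_phases ?? []).map((phase) => phase.phase_name);` produces the same array in one line with no mutable binding and no length check, and is the natural shape for a shared helper if this block is factored out.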
Looks like this can be extracted to another method, as it is identical to this.
Let's address it as part of a follow-up ticket. I can create one.
```js
.filter((obj) => obj.type === 'x-mitre-tactic')
.reduce((acc, item) => {
```
nit: by moving the filter condition inside reduce, we could save one traversal through tactics.
Let's address it as part of a follow-up ticket.
terrancedejesus left a comment
Great work and thank you for being so swift!
#151931)

## Summary

Updates MITRE ATT&CK mappings to `v12.1`, see `detection-rules` repo update here: elastic/detection-rules#2422. Last update was to `v11.3` in #137122.

To update, I modified https://github.com/elastic/kibana/blob/1a19148c1818b9af3b7735a0b6001bbb6bd8d7ba/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js#L22 to point to the `ATT&CK-v12.1` tag. Then ran `yarn extract-mitre-attacks` from the root `security_solution` plugin directory, and then `node scripts/i18n_check.js --fix` from Kibana root to regen the i18n files.

### Checklist

- [X] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
…o v12.1 (#151931) (#152006)

# Backport

This will backport the following commits from `main` to `8.6`:

- [[Security Solution][Detections] Updates MITRE ATT&CK mappings to v12.1 (#151931)](#151931)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
…o v12.1 (#151931) (#152007)

# Backport

This will backport the following commits from `main` to `8.7`:

- [[Security Solution][Detections] Updates MITRE ATT&CK mappings to v12.1 (#151931)](#151931)

### Questions ?

Please refer to the [Backport tool documentation](https://github.com/sqren/backport)

Co-authored-by: Garrett Spong <spong@users.noreply.github.com>
Related to: elastic/detection-rules#2073 (comment), #89876
## Summary

Here we regenerate the MITRE ATT&CK model in the code based on the official MITRE content:

- ATT&CK-v11.3 (see [Rule Tuning] Missing MITRE ATT&CK Mappings detection-rules#2073 (comment))
- https://raw.githubusercontent.com/mitre/cti/ATT&CK-v11.3/enterprise-attack/enterprise-attack.json content

Also, this PR fixes the model regeneration script (check the comment below).