
[Security Solution] Update MITRE ATT&CK mappings to the next version #166152

Open
6 tasks
approksiu opened this issue Sep 11, 2023 · 5 comments
Labels
8.18 candidate enhancement New value added to drive a business result Feature:Rule Management Security Solution Detection Rule Management area Feature:Rule MITRE ATT&CK® Security Solution Detection Rules MITRE ATT&CK® features Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. v8.10.3 v8.11.0 v8.14.0 v8.15.0

Comments

@approksiu

approksiu commented Sep 11, 2023

Related to: elastic/detection-rules#3100

Summary

This is a recurring ticket. We take it into work every release cycle. We don't close it, instead, we update its description.

Next version to update to: TBD
Last version updated to: v15.1 (changelog)

History of version updates:

Acceptance Criteria

Test Criteria

  • Verify that new techniques (see the changelog link above) are available for mapping on the Rule Creation page under "Advanced settings"
  • Verify that new techniques are available on the MITRE ATT&CK coverage page
@botelastic botelastic bot added the needs-team Issues missing a team label label Sep 11, 2023
@banderror banderror changed the title [Security Solution][Detections] Update MITRE ATT&CK mappings to v13.1 [Security Solution] Update MITRE ATT&CK model to the next version Sep 12, 2023
@banderror banderror changed the title [Security Solution] Update MITRE ATT&CK model to the next version [Security Solution] Update MITRE ATT&CK mappings to the next version Sep 12, 2023
@banderror banderror added enhancement New value added to drive a business result Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Feature:Rule Management Security Solution Detection Rule Management area Team:Detection Rule Management Security Detection Rule Management Team 8.11 candidate v8.11.0 and removed needs-team Issues missing a team label labels Sep 12, 2023
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@ghost

ghost commented Oct 6, 2023

Hi @MadameSheema

We have validated this ticket and found that the expected checkpoints are working correctly on 8.10.3; the observations are below.

| New technique | Tactic(s) | Available under "Advanced settings" of rule creation | Available on MITRE ATT&CK coverage page |
|---|---|---|---|
| Acquire Access (v1.0) | Resource Development | ✅ | ✅ |
| Acquire Infrastructure: Malvertising (v1.0) | Resource Development | ✅ | ✅ |
| Cloud Administration Command (v1.0) | Execution | ✅ | ✅ |
| Command and Scripting Interpreter: Cloud API (v1.0) | Execution | ✅ | ✅ |
| Device Driver Discovery (v1.0) | Discovery | ✅ | ✅ |
| Exfiltration Over Web Service: Exfiltration to Text Storage Sites (v1.0) | Exfiltration | ✅ | ✅ |
| Impair Defenses: Spoof Security Alerting (v1.0) | Defense Evasion | ✅ | ✅ |
| Masquerading: Masquerade File Type (v1.0) | Defense Evasion | ✅ | ✅ |
| Modify Authentication Process: Network Provider DLL (v1.0) | Credential Access, Defense Evasion, Persistence | ✅ | ✅ |
| Obfuscated Files or Information: Command Obfuscation (v1.0) | Defense Evasion | ✅ | ✅ |
| Obfuscated Files or Information: Fileless Storage (v1.0) | Defense Evasion | ✅ | ✅ |
| Remote Services: Cloud Services (v1.0) | Lateral Movement | ✅ | ✅ |
| Unsecured Credentials: Chat Messages (v1.0) | Credential Access | ✅ | ✅ |

Screenshot

@dplumlee
Contributor

dplumlee commented Dec 7, 2023

#171680 ticket for v14.0 update

dplumlee added a commit that referenced this issue Apr 5, 2024
Resolves: #171680

## Summary

Addresses: #166152 for `8.14.0`
and #171680

[Flaky test runner result
(internal)](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5147)

Updates MITRE ATT&CK mappings to `v14.1`. Last update was to `v13.1` in
#166536.

To update, I modified

https://github.com/elastic/kibana/blob/b0c6cc9777d220b3823ab9b1bbe08c5056f7016e/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js#L22

to point to the `ATT&CK-v14.1` tag.

Then ran `yarn extract-mitre-attacks` from the root `security_solution`
plugin directory, and then `node scripts/i18n_check.js --fix` from
Kibana root to regen the i18n files.

## Acceptance Criteria

- [x] User can map and use new MITRE techniques in Security Solution
- [ ] The user-facing documentation is updated with the new version -
Ticket [here](elastic/security-docs#4550)
- [ ] [MITRE ATT&CK®
coverage](https://www.elastic.co/guide/en/security/master/rules-coverage.html)
page

## Test Criteria

- [x] Verify that new techniques (see the changelog link above) are
available for mapping on the Rule Creation page under "Advanced
settings"
- [x] Verify that new techniques are available on the MITRE ATT&CK
coverage page


### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: Kibana Machine <[email protected]>
dplumlee added a commit that referenced this issue May 30, 2024
## Summary

Addresses: #166152 for `8.15.0`

[Flaky test runner result
(internal)](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5996)

Updates MITRE ATT&CK mappings to `v15.1`. Last update was to `v14.1` in
#174120.

To update, I modified

https://github.com/elastic/kibana/blob/44e38acd71a7a64fb0df08f01ff9abfada1fec1c/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js#L22

to point to the `ATT&CK-v15.1` tag.

Then ran `yarn extract-mitre-attacks` from the root `security_solution`
plugin directory, and then `node scripts/i18n_check.js --fix` from
Kibana root to regen the i18n files.

## Acceptance Criteria

- [x] User can map and use new MITRE techniques in Security Solution
- [ ] The user-facing documentation is updated with the new version
(elastic/security-docs#5222)
- [ ] [MITRE ATT&CK®
coverage](https://www.elastic.co/guide/en/security/master/rules-coverage.html)
page

## Test Criteria

- [x] Verify that new techniques (see the changelog link above) are
available for mapping on the Rule Creation page under "Advanced
settings"
- [x] Verify that new techniques are available on the MITRE ATT&CK
coverage page


### For maintainers

- [ ] This was checked for breaking API changes and was [labeled
appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process)

---------

Co-authored-by: Kibana Machine <[email protected]>
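Both commit messages above describe the same procedure: point the extraction script at a new ATT&CK release tag, regenerate the mapping, then verify that the techniques listed in the changelog show up in the rule editor. The following is an added example, not Kibana's `extract_tactics_techniques_mitre.js`: it reads an ATT&CK STIX bundle (the `attack-pattern` / `x-mitre-tactic` object shapes are those of the public ATT&CK STIX data), drops revoked and deprecated techniques, resolves each technique's tactics, and diffs two releases to produce the "new techniques" list a reviewer checks against. The bundles are constructed miniatures; the technique ids come from the public ATT&CK catalog.

```javascript
// Added example (not Kibana's script): extract active techniques from an
// ATT&CK STIX bundle and list those that are new relative to a prior release.

function extractTechniques(bundle) {
  // kill_chain_phases.phase_name is the tactic shortname; map it to the display name.
  const tacticNames = new Map(
    bundle.objects
      .filter((o) => o.type === 'x-mitre-tactic')
      .map((o) => [o.x_mitre_shortname, o.name])
  );
  return bundle.objects
    .filter((o) => o.type === 'attack-pattern' && !o.revoked && !o.x_mitre_deprecated)
    .map((o) => {
      const ref = o.external_references.find((r) => r.source_name === 'mitre-attack');
      return {
        id: ref.external_id,
        name: o.name,
        version: o.x_mitre_version,
        tactics: (o.kill_chain_phases || [])
          .filter((p) => p.kill_chain_name === 'mitre-attack')
          .map((p) => tacticNames.get(p.phase_name) || p.phase_name),
      };
    })
    .sort((a, b) => a.id.localeCompare(b.id));
}

// Techniques whose ATT&CK id exists in `next` but not in `prev` (the changelog's "new techniques").
function newTechniques(prev, next) {
  const seen = new Set(extractTechniques(prev).map((t) => t.id));
  return extractTechniques(next).filter((t) => !seen.has(t.id));
}

// Constructed sample bundles: a tiny "before" release and the same release plus two
// additions from the v13 changelog and one revoked object that must be filtered out.
const tactic = (shortname, name) => ({ type: 'x-mitre-tactic', x_mitre_shortname: shortname, name });
const technique = (id, name, phases, extra = {}) => ({
  type: 'attack-pattern', name, x_mitre_version: '1.0',
  external_references: [{ source_name: 'mitre-attack', external_id: id }],
  kill_chain_phases: phases.map((p) => ({ kill_chain_name: 'mitre-attack', phase_name: p })),
  ...extra,
});
const PREV = { objects: [
  tactic('discovery', 'Discovery'), tactic('resource-development', 'Resource Development'),
  technique('T1082', 'System Information Discovery', ['discovery']),
] };
const NEXT = { objects: [
  ...PREV.objects,
  technique('T1652', 'Device Driver Discovery', ['discovery']),
  technique('T1650', 'Acquire Access', ['resource-development']),
  technique('T0000', 'Revoked Placeholder', ['discovery'], { revoked: true }),
] };
```

Running `newTechniques(PREV, NEXT)` against the real `enterprise-attack.json` of two tags gives the list to tick off on the rule creation page and the coverage page.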
@joepeeples
Contributor

joepeeples commented Jun 3, 2024

Updating the docs 📚

The MITRE ATT&CK® version that our current detection rules support is referenced in both classic/stateful and serverless docs. Whenever Elastic changes the supported version of MITRE ATT&CK, we also need to update this information in the docs:

Currently there are separate source files for the classic/stateful docs and serverless docs, so you’ll need to update this info in two different files:

The version number and URL are located within the note at the top of the page.

In most cases, you can open a single PR to update both classic & serverless docs. The Security Docs team will automatically be added as a reviewer for the PR, and they can take care of any additional labeling, final approval, merging, and backporting.
