[Security Solution][Detections] Update the MITRE ATT&CK model to v11.3 #137122
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
banderror
added
release_note:skip
|
Pinging @elastic/security-detections-response (Team:Detections and Resp) |
|
Pinging @elastic/security-solution (Team: SecuritySolution) |
banderror
commented
Jul 25, 2022
| .filter( | ||
| (obj) => | ||
| obj.type === 'attack-pattern' && | ||
| (obj.x_mitre_is_subtechnique === false || obj.x_mitre_is_subtechnique === undefined) |
There was a problem hiding this comment.
This script didn't work out of the box and I have to add this condition to it:
|| obj.x_mitre_is_subtechnique === undefined
because it looks like the official metadata has been changed since we used the script last time, and now a lot of techniques don't have x_mitre_is_subtechnique field in them.
banderror
commented
Jul 25, 2022
| const tactic = tactics.find( | ||
| (tactic) => tactic.name === startCase(camelCase(technique.tactics[0])) | ||
| ); | ||
| const tactic = tacticsData.find((tactic) => tactic.shortName === technique.tactics[0]); |
There was a problem hiding this comment.
Instead of finding the parent tactic by doing text transformations:
const tactic = tactics.find(
(tactic) => tactic.name === startCase(camelCase(technique.tactics[0]))
);we can leverage the tactic's short name that's available in the source json metadata.
I think this is a more robust way to do that.
banderror
force-pushed
the
update-mitre-attack-model
branch
from
658267f to
1bda53f
Compare
banderror
changed the title
💚 Build Succeeded
Metrics [docs]Async chunks
History
To update your PR or re-run it, just comment with: cc @banderror |
xcrzx
approved these changes
Jul 26, 2022
Comment on lines
+19
to
+21
| // Every release we should update the version of MITRE ATT&CK content and regenerate the model in our code. | ||
| // This version must correspond to the one used for prebuilt rules in https://github.com/elastic/detection-rules. | ||
| // This version is basically a tag on https://github.com/mitre/cti/tags, or can be a branch name like `master`. |
There was a problem hiding this comment.
Thanks for clarifying that 👍
vitaliidm
reviewed
Jul 26, 2022
There was a problem hiding this comment.
thanks @banderror for improving extract script
Left a couple of comments
| const tactics = mitreData | ||
| .filter((obj) => obj.type === 'x-mitre-tactic') | ||
| .reduce((acc, item) => { | ||
| const { id, reference } = getIdReference(item.external_references); |
There was a problem hiding this comment.
if id and reference are empty. Do we still want to add item in tactics array?
There was a problem hiding this comment.
No, I don't think we want it. I have a bunch of concerns about reliability of this script. But I don't want to make any further changes in this PR to not accidentally break anything. Opening a ticket for follow-up changes would be a better option IMHO.
Comment on lines
+121
to
127
| let tactics = []; | ||
| const { id, reference } = getIdReference(item.external_references); | ||
| if (item.kill_chain_phases != null && item.kill_chain_phases.length > 0) { | ||
| item.kill_chain_phases.forEach((tactic) => { | ||
| tactics = [...tactics, tactic.phase_name]; | ||
| }); | ||
| } |
There was a problem hiding this comment.
looks like can be extracted to another method, as it identical to this
There was a problem hiding this comment.
Let's address it as part of a follow-up ticket. I can create one.
Comment on lines
+88
to
+89
| .filter((obj) => obj.type === 'x-mitre-tactic') | ||
| .reduce((acc, item) => { |
There was a problem hiding this comment.
nit: by moving filter condition inside reduce, could save one traverse through tactics
There was a problem hiding this comment.
Let's address it as part of a follow-up ticket.
terrancedejesus
approved these changes
Jul 27, 2022
1 task
spong
added a commit
that referenced
this pull request
Feb 23, 2023
#151931) ## Summary Updates MITRE ATT&CK mappings to `v12.1`, see `detection-rules` repo update here: elastic/detection-rules#2422. Last update was to `v11.3` in #137122. To update, I modified https://github.com/elastic/kibana/blob/1a19148c1818b9af3b7735a0b6001bbb6bd8d7ba/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js#L22 to point to the `ATT&CK-v12.1` tag. Then ran `yarn extract-mitre-attacks` from the root `security_solution` plugin directory, and then `node scripts/i18n_check.js --fix` from Kibana root to regen the i18n files. ### Checklist - [X] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Feb 23, 2023
elastic#151931) ## Summary Updates MITRE ATT&CK mappings to `v12.1`, see `detection-rules` repo update here: elastic/detection-rules#2422. Last update was to `v11.3` in elastic#137122. To update, I modified https://github.com/elastic/kibana/blob/1a19148c1818b9af3b7735a0b6001bbb6bd8d7ba/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js#L22 to point to the `ATT&CK-v12.1` tag. Then ran `yarn extract-mitre-attacks` from the root `security_solution` plugin directory, and then `node scripts/i18n_check.js --fix` from Kibana root to regen the i18n files. ### Checklist - [X] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) (cherry picked from commit bbfa43a)
kibanamachine
pushed a commit
to kibanamachine/kibana
that referenced
this pull request
Feb 23, 2023
elastic#151931) ## Summary Updates MITRE ATT&CK mappings to `v12.1`, see `detection-rules` repo update here: elastic/detection-rules#2422. Last update was to `v11.3` in elastic#137122. To update, I modified https://github.com/elastic/kibana/blob/1a19148c1818b9af3b7735a0b6001bbb6bd8d7ba/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js#L22 to point to the `ATT&CK-v12.1` tag. Then ran `yarn extract-mitre-attacks` from the root `security_solution` plugin directory, and then `node scripts/i18n_check.js --fix` from Kibana root to regen the i18n files. ### Checklist - [X] Any text added follows [EUI's writing guidelines](https://elastic.github.io/eui/#/guidelines/writing), uses sentence case text and includes [i18n support](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md) (cherry picked from commit bbfa43a)
kibanamachine
referenced
this pull request
Feb 23, 2023
…o v12.1 (#151931) (#152006) # Backport This will backport the following commits from `main` to `8.6`: - [[Security Solution][Detections] Updates MITRE ATT&CK mappings to v12.1 (#151931)](#151931) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Garrett Spong","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-02-23T15:26:00Z","message":"[Security Solution][Detections] Updates MITRE ATT&CK mappings to v12.1 (#151931)\n\n## Summary\r\n\r\nUpdates MITRE ATT&CK mappings to `v12.1`, see `detection-rules` repo\r\nupdate here: elastic/detection-rules#2422. Last\r\nupdate was to `v11.3` in https://github.com/elastic/kibana/pull/137122.\r\n\r\nTo update, I modified \r\n\r\n\r\nhttps://github.com/elastic/kibana/blob/1a19148c1818b9af3b7735a0b6001bbb6bd8d7ba/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js#L22\r\nto point to the `ATT&CK-v12.1` tag.\r\n\r\nThen ran `yarn extract-mitre-attacks` from the root `security_solution`\r\nplugin directory, and then `node scripts/i18n_check.js --fix` from\r\nKibana root to regen the i18n files.\r\n\r\n### Checklist\r\n\r\n- [X] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)","sha":"bbfa43ae58f9d2d94a124b932a26cdd6e8167aba","branchLabelMapping":{"^v8.8.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","Feature:Detection Rules","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rules","v8.6.0","v8.7.0","v8.8.0"],"number":151931,"url":"https://github.com/elastic/kibana/pull/151931","mergeCommit":{"message":"[Security Solution][Detections] Updates MITRE ATT&CK mappings to v12.1 (#151931)\n\n## Summary\r\n\r\nUpdates MITRE ATT&CK mappings to `v12.1`, see `detection-rules` repo\r\nupdate here: elastic/detection-rules#2422. Last\r\nupdate was to `v11.3` in https://github.com/elastic/kibana/pull/137122.\r\n\r\nTo update, I modified \r\n\r\n\r\nhttps://github.com/elastic/kibana/blob/1a19148c1818b9af3b7735a0b6001bbb6bd8d7ba/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js#L22\r\nto point to the `ATT&CK-v12.1` tag.\r\n\r\nThen ran `yarn extract-mitre-attacks` from the root `security_solution`\r\nplugin directory, and then `node scripts/i18n_check.js --fix` from\r\nKibana root to regen the i18n files.\r\n\r\n### Checklist\r\n\r\n- [X] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)","sha":"bbfa43ae58f9d2d94a124b932a26cdd6e8167aba"}},"sourceBranch":"main","suggestedTargetBranches":["8.6","8.7"],"targetPullRequestStates":[{"branch":"8.6","label":"v8.6.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.7","label":"v8.7.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.8.0","labelRegex":"^v8.8.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/151931","number":151931,"mergeCommit":{"message":"[Security Solution][Detections] Updates MITRE ATT&CK mappings to v12.1 (#151931)\n\n## Summary\r\n\r\nUpdates MITRE ATT&CK mappings to `v12.1`, see `detection-rules` repo\r\nupdate here: elastic/detection-rules#2422. Last\r\nupdate was to `v11.3` in https://github.com/elastic/kibana/pull/137122.\r\n\r\nTo update, I modified \r\n\r\n\r\nhttps://github.com/elastic/kibana/blob/1a19148c1818b9af3b7735a0b6001bbb6bd8d7ba/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js#L22\r\nto point to the `ATT&CK-v12.1` tag.\r\n\r\nThen ran `yarn extract-mitre-attacks` from the root `security_solution`\r\nplugin directory, and then `node scripts/i18n_check.js --fix` from\r\nKibana root to regen the i18n files.\r\n\r\n### Checklist\r\n\r\n- [X] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)","sha":"bbfa43ae58f9d2d94a124b932a26cdd6e8167aba"}}]}] BACKPORT--> Co-authored-by: Garrett Spong <[email protected]>
kibanamachine
referenced
this pull request
Feb 23, 2023
…o v12.1 (#151931) (#152007) # Backport This will backport the following commits from `main` to `8.7`: - [[Security Solution][Detections] Updates MITRE ATT&CK mappings to v12.1 (#151931)](#151931) <!--- Backport version: 8.9.7 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Garrett Spong","email":"[email protected]"},"sourceCommit":{"committedDate":"2023-02-23T15:26:00Z","message":"[Security Solution][Detections] Updates MITRE ATT&CK mappings to v12.1 (#151931)\n\n## Summary\r\n\r\nUpdates MITRE ATT&CK mappings to `v12.1`, see `detection-rules` repo\r\nupdate here: elastic/detection-rules#2422. Last\r\nupdate was to `v11.3` in https://github.com/elastic/kibana/pull/137122.\r\n\r\nTo update, I modified \r\n\r\n\r\nhttps://github.com/elastic/kibana/blob/1a19148c1818b9af3b7735a0b6001bbb6bd8d7ba/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js#L22\r\nto point to the `ATT&CK-v12.1` tag.\r\n\r\nThen ran `yarn extract-mitre-attacks` from the root `security_solution`\r\nplugin directory, and then `node scripts/i18n_check.js --fix` from\r\nKibana root to regen the i18n files.\r\n\r\n### Checklist\r\n\r\n- [X] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)","sha":"bbfa43ae58f9d2d94a124b932a26cdd6e8167aba","branchLabelMapping":{"^v8.8.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","Feature:Detection Rules","Team:Detections and Resp","Team: SecuritySolution","Team:Detection Rules","v8.6.0","v8.7.0","v8.8.0"],"number":151931,"url":"https://github.com/elastic/kibana/pull/151931","mergeCommit":{"message":"[Security Solution][Detections] Updates MITRE ATT&CK mappings to v12.1 (#151931)\n\n## Summary\r\n\r\nUpdates MITRE ATT&CK mappings to `v12.1`, see `detection-rules` repo\r\nupdate here: elastic/detection-rules#2422. Last\r\nupdate was to `v11.3` in https://github.com/elastic/kibana/pull/137122.\r\n\r\nTo update, I modified \r\n\r\n\r\nhttps://github.com/elastic/kibana/blob/1a19148c1818b9af3b7735a0b6001bbb6bd8d7ba/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js#L22\r\nto point to the `ATT&CK-v12.1` tag.\r\n\r\nThen ran `yarn extract-mitre-attacks` from the root `security_solution`\r\nplugin directory, and then `node scripts/i18n_check.js --fix` from\r\nKibana root to regen the i18n files.\r\n\r\n### Checklist\r\n\r\n- [X] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)","sha":"bbfa43ae58f9d2d94a124b932a26cdd6e8167aba"}},"sourceBranch":"main","suggestedTargetBranches":["8.6","8.7"],"targetPullRequestStates":[{"branch":"8.6","label":"v8.6.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.7","label":"v8.7.0","labelRegex":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v8.8.0","labelRegex":"^v8.8.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/151931","number":151931,"mergeCommit":{"message":"[Security Solution][Detections] Updates MITRE ATT&CK mappings to v12.1 (#151931)\n\n## Summary\r\n\r\nUpdates MITRE ATT&CK mappings to `v12.1`, see `detection-rules` repo\r\nupdate here: elastic/detection-rules#2422. Last\r\nupdate was to `v11.3` in https://github.com/elastic/kibana/pull/137122.\r\n\r\nTo update, I modified \r\n\r\n\r\nhttps://github.com/elastic/kibana/blob/1a19148c1818b9af3b7735a0b6001bbb6bd8d7ba/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js#L22\r\nto point to the `ATT&CK-v12.1` tag.\r\n\r\nThen ran `yarn extract-mitre-attacks` from the root `security_solution`\r\nplugin directory, and then `node scripts/i18n_check.js --fix` from\r\nKibana root to regen the i18n files.\r\n\r\n### Checklist\r\n\r\n- [X] Any text added follows [EUI's writing\r\nguidelines](https://elastic.github.io/eui/#/guidelines/writing), uses\r\nsentence case text and includes [i18n\r\nsupport](https://github.com/elastic/kibana/blob/master/packages/kbn-i18n/README.md)","sha":"bbfa43ae58f9d2d94a124b932a26cdd6e8167aba"}}]}] BACKPORT--> Co-authored-by: Garrett Spong <[email protected]>
6 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related to: elastic/detection-rules#2073 (comment), #89876
Summary
Here we regenerate the MITRE ATT&CK model in the code based on the official MITRE content:
ATT&CK-v11.3(see [Rule Tuning] Missing MITRE ATT&CK Mappings detection-rules#2073 (comment))https://raw.githubusercontent.com/mitre/cti/ATT&CK-v11.3/enterprise-attack/enterprise-attack.jsoncontentAlso, this PR fixes the model regeneration script (check the comment below).