Fix some ATT&CK verbiage and trademark (elastic#866)

* Fix some MITRE verbiage and trademark * Add note to CHANGELOG * Consistency with 'a MITRE ATT&CK tactic' * Remove Matrix since that refers to the visualization
kgeller · Jun 9, 2020 · cfc53cb · cfc53cb
1 parent 994f777
commit cfc53cb
Show file tree

Hide file tree

Showing 8 changed files with 103 additions and 119 deletions.
diff --git a/CHANGELOG.next.md b/CHANGELOG.next.md
@@ -30,6 +30,7 @@ Thanks, you're awesome :-) -->
 * Remove misleading pluralization in the description of `user.id`, it should
   contain one ID, not many. #801
 * Clarified misleading wording about multiple IPs in src/dst or cli/srv. #804
+* Improved verbiage about the MITRE ATT&CK® framework. #866
 
 #### Deprecated
 

diff --git a/code/go/ecs/threat.go b/code/go/ecs/threat.go
diff --git a/docs/field-details.asciidoc b/docs/field-details.asciidoc
@@ -5621,7 +5621,7 @@ example: `co.uk`
 [[ecs-threat]]
 === Threat Fields
 
-Fields to classify events and alerts according to a threat taxonomy such as the Mitre ATT&CK framework.
+Fields to classify events and alerts according to a threat taxonomy such as the MITRE ATT&CK® framework.
 
 These fields are for users to classify alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to capture the high level category of the threat (e.g. "impact"). The threat.technique.* fields are meant to capture which kind of approach is used by this detected threat, to accomplish the goal (e.g. "endpoint denial of service").
 
@@ -5647,7 +5647,7 @@ example: `MITRE ATT&CK`
 // ===============================================================
 
 | threat.tactic.id
-| The id of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
+| The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
 
 type: keyword
 
@@ -5663,7 +5663,7 @@ example: `TA0040`
 // ===============================================================
 
 | threat.tactic.name
-| Name of the type of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
+| Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)
 
 type: keyword
 
@@ -5679,7 +5679,7 @@ example: `impact`
 // ===============================================================
 
 | threat.tactic.reference
-| The reference url of tactic used by this threat. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
+| The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
 
 type: keyword
 
@@ -5695,7 +5695,7 @@ example: `https://attack.mitre.org/tactics/TA0040/`
 // ===============================================================
 
 | threat.technique.id
-| The id of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ )
+| The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)
 
 type: keyword
 
@@ -5711,7 +5711,7 @@ example: `T1499`
 // ===============================================================
 
 | threat.technique.name
-| The name of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ )
+| The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)
 
 type: keyword
 
@@ -5726,14 +5726,14 @@ Note: this field should contain an array of values.
 
 
 
-example: `endpoint denial of service`
+example: `Endpoint Denial of Service`
 
 | extended
 
 // ===============================================================
 
 | threat.technique.reference
-| The reference url of technique used by this tactic. You can use the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/ )
+| The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ )
 
 type: keyword
 

diff --git a/generated/beats/fields.ecs.yml b/generated/beats/fields.ecs.yml
@@ -4383,14 +4383,13 @@
   - name: threat
     title: Threat
     group: 2
-    description: 'Fields to classify events and alerts according to a threat taxonomy
-      such as the Mitre ATT&CK framework.
-
-      These fields are for users to classify alerts from all of their sources (e.g.
-      IDS, NGFW, etc.) within a common taxonomy. The threat.tactic.* are meant to
-      capture the high level category of the threat (e.g. "impact"). The threat.technique.*
-      fields are meant to capture which kind of approach is used by this detected
-      threat, to accomplish the goal (e.g. "endpoint denial of service").'
+    description: "Fields to classify events and alerts according to a threat taxonomy\
+      \ such as the MITRE ATT&CK\xAE framework.\nThese fields are for users to classify\
+      \ alerts from all of their sources (e.g. IDS, NGFW, etc.) within a common taxonomy.\
+      \ The threat.tactic.* are meant to capture the high level category of the threat\
+      \ (e.g. \"impact\"). The threat.technique.* fields are meant to capture which\
+      \ kind of approach is used by this detected threat, to accomplish the goal (e.g.\
+      \ \"endpoint denial of service\")."
     type: group
     fields:
     - name: framework
@@ -4406,33 +4405,30 @@
       level: extended
       type: keyword
       ignore_above: 1024
-      description: The id of tactic used by this threat. You can use the Mitre ATT&CK
-        Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/
-        )
+      description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
+        \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )"
       example: TA0040
     - name: tactic.name
       level: extended
       type: keyword
       ignore_above: 1024
-      description: Name of the type of tactic used by this threat. You can use the
-        Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/
-        )
+      description: "Name of the type of tactic used by this threat. You can use a\
+        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)"
       example: impact
     - name: tactic.reference
       level: extended
       type: keyword
       ignore_above: 1024
-      description: The reference url of tactic used by this threat. You can use the
-        Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/
-        )
+      description: "The reference url of tactic used by this threat. You can use a\
+        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/\
+        \ )"
       example: https://attack.mitre.org/tactics/TA0040/
     - name: technique.id
       level: extended
       type: keyword
       ignore_above: 1024
-      description: The id of technique used by this tactic. You can use the Mitre
-        ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/
-        )
+      description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
+        \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)"
       example: T1499
     - name: technique.name
       level: extended
@@ -4443,17 +4439,16 @@
         type: text
         norms: false
         default_field: false
-      description: The name of technique used by this tactic. You can use the Mitre
-        ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/
-        )
-      example: endpoint denial of service
+      description: "The name of technique used by this threat. You can use a MITRE\
+        \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)"
+      example: Endpoint Denial of Service
     - name: technique.reference
       level: extended
       type: keyword
       ignore_above: 1024
-      description: The reference url of technique used by this tactic. You can use
-        the Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/
-        )
+      description: "The reference url of technique used by this threat. You can use\
+        \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/\
+        \ )"
       example: https://attack.mitre.org/techniques/T1499/
   - name: tls
     title: TLS

diff --git a/generated/csv/fields.csv b/generated/csv/fields.csv
@@ -519,11 +519,11 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.6.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
 1.6.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0040,Threat tactic id.
 1.6.0-dev,true,threat,threat.tactic.name,keyword,extended,array,impact,Threat tactic.
-1.6.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0040/,Threat tactic url reference.
+1.6.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0040/,Threat tactic URL reference.
 1.6.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1499,Threat technique id.
-1.6.0-dev,true,threat,threat.technique.name,keyword,extended,array,endpoint denial of service,Threat technique name.
-1.6.0-dev,true,threat,threat.technique.name.text,text,extended,,endpoint denial of service,Threat technique name.
-1.6.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1499/,Threat technique reference.
+1.6.0-dev,true,threat,threat.technique.name,keyword,extended,array,Endpoint Denial of Service,Threat technique name.
+1.6.0-dev,true,threat,threat.technique.name.text,text,extended,,Endpoint Denial of Service,Threat technique name.
+1.6.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1499/,Threat technique URL reference.
 1.6.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
 1.6.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client. This is usually mutually-exclusive of `client.certificate_chain` since this value also exists in that list.
 1.6.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client. This is usually mutually-exclusive of `client.certificate` since that value should be the first certificate in the chain.

diff --git a/generated/ecs/ecs_flat.yml b/generated/ecs/ecs_flat.yml
@@ -6697,9 +6697,8 @@ threat.framework:
   type: keyword
 threat.tactic.id:
   dashed_name: threat-tactic-id
-  description: The id of tactic used by this threat. You can use the Mitre ATT&CK
-    Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/
-    )
+  description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
+    \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )"
   example: TA0040
   flat_name: threat.tactic.id
   ignore_above: 1024
@@ -6711,9 +6710,8 @@ threat.tactic.id:
   type: keyword
 threat.tactic.name:
   dashed_name: threat-tactic-name
-  description: Name of the type of tactic used by this threat. You can use the Mitre
-    ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/
-    )
+  description: "Name of the type of tactic used by this threat. You can use a MITRE\
+    \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)"
   example: impact
   flat_name: threat.tactic.name
   ignore_above: 1024
@@ -6725,23 +6723,22 @@ threat.tactic.name:
   type: keyword
 threat.tactic.reference:
   dashed_name: threat-tactic-reference
-  description: The reference url of tactic used by this threat. You can use the Mitre
-    ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/tactics/TA0040/
-    )
+  description: "The reference url of tactic used by this threat. You can use a MITRE\
+    \ ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/\
+    \ )"
   example: https://attack.mitre.org/tactics/TA0040/
   flat_name: threat.tactic.reference
   ignore_above: 1024
   level: extended
   name: tactic.reference
   normalize:
   - array
-  short: Threat tactic url reference.
+  short: Threat tactic URL reference.
   type: keyword
 threat.technique.id:
   dashed_name: threat-technique-id
-  description: The id of technique used by this tactic. You can use the Mitre ATT&CK
-    Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/
-    )
+  description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
+    \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)"
   example: T1499
   flat_name: threat.technique.id
   ignore_above: 1024
@@ -6753,10 +6750,9 @@ threat.technique.id:
   type: keyword
 threat.technique.name:
   dashed_name: threat-technique-name
-  description: The name of technique used by this tactic. You can use the Mitre ATT&CK
-    Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/
-    )
-  example: endpoint denial of service
+  description: "The name of technique used by this threat. You can use a MITRE ATT&CK\xAE\
+    \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)"
+  example: Endpoint Denial of Service
   flat_name: threat.technique.name
   ignore_above: 1024
   level: extended
@@ -6772,17 +6768,17 @@ threat.technique.name:
   type: keyword
 threat.technique.reference:
   dashed_name: threat-technique-reference
-  description: The reference url of technique used by this tactic. You can use the
-    Mitre ATT&CK Matrix Tactic categorization, for example. (ex. https://attack.mitre.org/techniques/T1499/
-    )
+  description: "The reference url of technique used by this threat. You can use a\
+    \ MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/\
+    \ )"
   example: https://attack.mitre.org/techniques/T1499/
   flat_name: threat.technique.reference
   ignore_above: 1024
   level: extended
   name: technique.reference
   normalize:
   - array
-  short: Threat technique reference.
+  short: Threat technique URL reference.
   type: keyword
 tls.cipher:
   dashed_name: tls-cipher