From ab9d6cbfb654cc1f5e7753bebd9888759237da86 Mon Sep 17 00:00:00 2001 From: Davis Plumlee Date: Mon, 11 Aug 2025 18:36:52 -0400 Subject: [PATCH 1/7] updates docs --- solutions/security/detect-and-alert/mitre-attandckr-coverage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/detect-and-alert/mitre-attandckr-coverage.md b/solutions/security/detect-and-alert/mitre-attandckr-coverage.md index 620a1eae42..f2ecd31ea7 100644 --- a/solutions/security/detect-and-alert/mitre-attandckr-coverage.md +++ b/solutions/security/detect-and-alert/mitre-attandckr-coverage.md 
@@ -20,7 +20,7 @@ Mirroring the MITRE ATT&CK® framework, columns represent major tactics, and cel To access the **MITRE ATT&CK® coverage** page, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then go to **MITRE ATT&CK® coverage**. ::::{note} -This page only includes the detection rules you currently have installed, and only rules that are mapped to MITRE ATT&CK®. The coverage page maps detections to the following [MITRE ATT&CK® version](https://attack.mitre.org/resources/updates/updates-april-2024) used by {{elastic-sec}}: `v16.1`. Elastic prebuilt rules that aren’t installed and custom rules that are either unmapped or mapped to a deprecated tactic or technique will not appear on the coverage map. +This page only includes the detection rules you currently have installed, and only rules that are mapped to MITRE ATT&CK®. The coverage page maps detections to the following [MITRE ATT&CK® version](https://attack.mitre.org/resources/updates/updates-april-2025) used by {{elastic-sec}}: `v17.1`. Elastic prebuilt rules that aren’t installed and custom rules that are either unmapped or mapped to a deprecated tactic or technique will not appear on the coverage map. You can map custom rules to tactics in **Advanced settings** when creating or editing a rule. From eed605a2e95ce4ef9c65575ecff5eec11eb4542e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Wed, 13 Aug 2025 14:47:33 -0400 Subject: [PATCH 2/7] Adds version table --- .../detect-and-alert/mitre-attandckr-coverage.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/solutions/security/detect-and-alert/mitre-attandckr-coverage.md b/solutions/security/detect-and-alert/mitre-attandckr-coverage.md index f2ecd31ea7..ac9dd93b86 100644 --- a/solutions/security/detect-and-alert/mitre-attandckr-coverage.md 
+++ b/solutions/security/detect-and-alert/mitre-attandckr-coverage.md @@ -20,10 +20,10 @@ Mirroring the MITRE ATT&CK® framework, columns represent major tactics, and cel To access the **MITRE ATT&CK® coverage** page, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then go to **MITRE ATT&CK® coverage**. ::::{note} -This page only includes the detection rules you currently have installed, and only rules that are mapped to MITRE ATT&CK®. The coverage page maps detections to the following [MITRE ATT&CK® version](https://attack.mitre.org/resources/updates/updates-april-2025) used by {{elastic-sec}}: `v17.1`. Elastic prebuilt rules that aren’t installed and custom rules that are either unmapped or mapped to a deprecated tactic or technique will not appear on the coverage map. +This page only includes the detection rules you currently have installed, and only rules that are mapped to MITRE ATT&CK®. The coverage page maps detections to [MITRE ATT&CK® versions](https://attack.mitre.org/resources/updates/) used by {{elastic-sec}}. -You can map custom rules to tactics in **Advanced settings** when creating or editing a rule. +Elastic prebuilt rules that aren’t installed and custom rules that are either unmapped or mapped to a deprecated tactic or technique will not appear on the coverage map. You can map custom rules to tactics in **Advanced settings** when creating or editing a rule. :::: 
@@ -32,6 +32,16 @@ You can map custom rules to tactics in **Advanced settings** when creating or ed :screenshot: ::: +Refer to the following table to find the MITRE ATT&CK® version that's mapped to your version of {{elastic-sec}}. + +| MITRE ATT\&CK® version | {{elastic-sec}} version | +| :---- | :---- | +| [**v16.1**](https://attack.mitre.org/resources/updates/updates-october-2024/) | **9.0.0, 9.1.0** | +| [**v17.1**](https://attack.mitre.org/resources/updates/updates-april-2025/) | **9.2.0** | + +::::{note} +{{serverless-short}} always uses the latest MITRE ATT&CK® versions that's been mapped to {{elastic-sec}}. +:::: ## Filter rules [security-rules-coverage-filter-rules] From f7477829fedcc9bacea67936ff00002b53007c32 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 2 Sep 2025 13:52:52 -0400 Subject: [PATCH 3/7] Update solutions/security/detect-and-alert/mitre-attandckr-coverage.md --- solutions/security/detect-and-alert/mitre-attandckr-coverage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/detect-and-alert/mitre-attandckr-coverage.md b/solutions/security/detect-and-alert/mitre-attandckr-coverage.md index ac9dd93b86..c6837a9920 100644 --- a/solutions/security/detect-and-alert/mitre-attandckr-coverage.md +++ b/solutions/security/detect-and-alert/mitre-attandckr-coverage.md @@ -36,7 +36,7 @@ Refer to the following table to find the MITRE ATT&CK® version that's mapped to | MITRE ATT\&CK® version | {{elastic-sec}} version | | :---- | :---- | -| [**v16.1**](https://attack.mitre.org/resources/updates/updates-october-2024/) | **9.0.0, 9.1.0** | +| [**v16.1**](https://attack.mitre.org/resources/updates/updates-october-2024/) | **9.0.0-9.0.6**, **9.1.0-9.1.2** | | [**v17.1**](https://attack.mitre.org/resources/updates/updates-april-2025/) | **9.2.0** | ::::{note} From ef89970f9c1fa2b53fd5b6fe07b678b2e67897cb Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 2 Sep 2025 13:52:59 -0400 Subject: [PATCH 4/7] Update solutions/security/detect-and-alert/mitre-attandckr-coverage.md --- solutions/security/detect-and-alert/mitre-attandckr-coverage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/detect-and-alert/mitre-attandckr-coverage.md b/solutions/security/detect-and-alert/mitre-attandckr-coverage.md index c6837a9920..4398749001 100644 --- a/solutions/security/detect-and-alert/mitre-attandckr-coverage.md +++ b/solutions/security/detect-and-alert/mitre-attandckr-coverage.md @@ -37,7 +37,7 @@ Refer to the following table to find the MITRE ATT&CK® version that's mapped to | MITRE ATT\&CK® version | {{elastic-sec}} version | | :---- | :---- | | [**v16.1**](https://attack.mitre.org/resources/updates/updates-october-2024/) | **9.0.0-9.0.6**, **9.1.0-9.1.2** | -| [**v17.1**](https://attack.mitre.org/resources/updates/updates-april-2025/) | **9.2.0** | +| [**v17.1**](https://attack.mitre.org/resources/updates/updates-april-2025/) | **9.1.3+** | ::::{note} {{serverless-short}} always uses the latest MITRE ATT&CK® versions that's been mapped to {{elastic-sec}}. From 48cf9c49e0551044c6a3940d0dca1025aa6c9541 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 2 Sep 2025 14:15:47 -0400 Subject: [PATCH 5/7] Another version --- .../security/detect-and-alert/mitre-attandckr-coverage.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/solutions/security/detect-and-alert/mitre-attandckr-coverage.md b/solutions/security/detect-and-alert/mitre-attandckr-coverage.md index 4398749001..93dd6baf69 100644 --- a/solutions/security/detect-and-alert/mitre-attandckr-coverage.md +++ b/solutions/security/detect-and-alert/mitre-attandckr-coverage.md 
@@ -36,8 +36,8 @@ Refer to the following table to find the MITRE ATT&CK® version that's mapped to | MITRE ATT\&CK® version | {{elastic-sec}} version | | :---- | :---- | -| [**v16.1**](https://attack.mitre.org/resources/updates/updates-october-2024/) | **9.0.0-9.0.6**, **9.1.0-9.1.2** | -| [**v17.1**](https://attack.mitre.org/resources/updates/updates-april-2025/) | **9.1.3+** | +| [v16.1](https://attack.mitre.org/resources/updates/updates-october-2024/) | • {applies_to}`stack: ga 9.0.0-9.0.6`
• {applies_to}`stack: ga 9.1.0-9.1.3`| +| [v17.1](https://attack.mitre.org/resources/updates/updates-april-2025/) | • {applies_to}`stack: ga 9.2.0`
• {applies_to}`serverless: `| ::::{note} {{serverless-short}} always uses the latest MITRE ATT&CK® versions that's been mapped to {{elastic-sec}}. From 8d756412a022aba1e7a955ac8d7b484cff6d172b Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 2 Sep 2025 15:35:35 -0400 Subject: [PATCH 6/7] Input from shaina --- .../security/detect-and-alert/mitre-attandckr-coverage.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/solutions/security/detect-and-alert/mitre-attandckr-coverage.md b/solutions/security/detect-and-alert/mitre-attandckr-coverage.md index 93dd6baf69..728fdabd9b 100644 --- a/solutions/security/detect-and-alert/mitre-attandckr-coverage.md +++ b/solutions/security/detect-and-alert/mitre-attandckr-coverage.md @@ -36,12 +36,9 @@ Refer to the following table to find the MITRE ATT&CK® version that's mapped to | MITRE ATT\&CK® version | {{elastic-sec}} version | | :---- | :---- | -| [v16.1](https://attack.mitre.org/resources/updates/updates-october-2024/) | • {applies_to}`stack: ga 9.0.0-9.0.6`
• {applies_to}`stack: ga 9.1.0-9.1.3`| -| [v17.1](https://attack.mitre.org/resources/updates/updates-april-2025/) | • {applies_to}`stack: ga 9.2.0`
• {applies_to}`serverless: `| +| [v16.1](https://attack.mitre.org/resources/updates/updates-october-2024/) | • {{stack}} 9.0.0-9.0.6
• {{stack}} 9.1.0-9.1.3| +| [v17.1](https://attack.mitre.org/resources/updates/updates-april-2025/) | • {applies_to}`stack: ga 9.2.0`
• {{serverless-short}} | -::::{note} -{{serverless-short}} always uses the latest MITRE ATT&CK® versions that's been mapped to {{elastic-sec}}. -:::: ## Filter rules [security-rules-coverage-filter-rules] From 26971069e5ef4b72451c0e27ecf70779731e8966 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Tue, 2 Sep 2025 15:44:44 -0400 Subject: [PATCH 7/7] removing var --- solutions/security/detect-and-alert/mitre-attandckr-coverage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solutions/security/detect-and-alert/mitre-attandckr-coverage.md b/solutions/security/detect-and-alert/mitre-attandckr-coverage.md index 728fdabd9b..e5233a18ac 100644 --- a/solutions/security/detect-and-alert/mitre-attandckr-coverage.md +++ b/solutions/security/detect-and-alert/mitre-attandckr-coverage.md @@ -36,7 +36,7 @@ Refer to the following table to find the MITRE ATT&CK® version that's mapped to | MITRE ATT\&CK® version | {{elastic-sec}} version | | :---- | :---- | -| [v16.1](https://attack.mitre.org/resources/updates/updates-october-2024/) | • {{stack}} 9.0.0-9.0.6
• {{stack}} 9.1.0-9.1.3| +| [v16.1](https://attack.mitre.org/resources/updates/updates-october-2024/) | • 9.0.0-9.0.6
• 9.1.0-9.1.3| | [v17.1](https://attack.mitre.org/resources/updates/updates-april-2025/) | • {applies_to}`stack: ga 9.2.0`
• {{serverless-short}} |
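Review bot: in PATCH 1/7 (hunk `@@ -20,7 +20,7 @@`), the removed line links `v16.1` to `updates-april-2024`, while the table added in PATCH 2/7 links the same `v16.1` to `updates-october-2024`; the October 2024 release notes are the correct target for ATT&CK v16, so the old note was mislinked, and it is worth checking that no other page in the docs still carries the april-2024 link for v16.1. The new `updates-april-2025` link for `v17.1` is correct.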
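Review bot: in PATCH 2/7 (hunk `@@ -32,6 +32,16 @@`), the added note `{{serverless-short}} always uses the latest MITRE ATT&CK® versions that's been mapped to {{elastic-sec}}.` has a number-agreement error and should read `the latest MITRE ATT&CK® version that's been mapped`. In the same hunk the table header writes `MITRE ATT\&CK® version` with an escaped ampersand while every surrounding sentence writes `ATT&CK®` unescaped; use one form, and confirm the escape is actually required inside a table cell, otherwise the backslash may render literally.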
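Review bot: PATCH 4/7 assigns `9.1.3+` to v17.1, but PATCH 5/7 (hunk `@@ -36,8 +36,8 @@`) moves 9.1.3 into the v16.1 range (`stack: ga 9.1.0-9.1.3`) and narrows v17.1 to `stack: ga 9.2.0`; the two hunks disagree on which ATT&CK version 9.1.3 ships with, and the commit messages ("Update ...", "Another version") do not say which is authoritative, so please confirm the 9.1.3 boundary before merge. As written, the final table also leaves 9.1.4 and later 9.1.x and 9.2.x patch releases unmapped; either state that a range covers all later patch releases of that minor or pin the upper bounds explicitly. The same hunk adds `{applies_to}`serverless: `` with nothing after the colon, which is an incomplete badge value (PATCH 6/7 replaces it, but it should not have been introduced).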
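Review bot: PATCH 6/7 (hunk `@@ -36,12 +36,9 @@`) removes the only general statement of the serverless rule (`{{serverless-short}} always uses the latest MITRE ATT&CK® version ...`) and replaces it with a `• {{serverless-short}}` bullet pinned to the v17.1 row; that bullet goes stale as soon as a newer ATT&CK version is mapped, whereas the rule does not. Suggest keeping a one-line statement of the rule below the table (with the grammar fixed) alongside the bullet. The hunk also leaves the two rows in different markup, plain `• {{stack}} 9.0.0-9.0.6` text in the v16.1 row versus the `{applies_to}`stack: ga 9.2.0`` badge in the v17.1 row, so one column renders partly as badges and partly as text; pick one form for both rows.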
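Review bot: PATCH 7/7 (hunk `@@ -36,7 +36,7 @@`, diffstat `1 insertion(+), 1 deletion(-)`) strips `{{stack}}` from the v16.1 bullets only, so the v16.1 row ends as bare `• 9.0.0-9.0.6` / `• 9.1.0-9.1.3` while the v17.1 row still reads `• {applies_to}`stack: ga 9.2.0`` / `• {{serverless-short}}`; after this commit a reader cannot tell from the v16.1 row whether those ranges apply to the stack, serverless, or both, and the two rows still use different markup. Either drop the badge from the v17.1 row too and label the deployment type in the column header, or apply the badge form to both rows. Each cell also holds two bullets on separate lines; standard Markdown tables do not allow line breaks inside a cell, so check the rendered preview to confirm the bullets do not collapse onto one line.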