[Security][Detections] Support many -> many threat techniques #69166
Labels: Feature:Detection Rules, Team:Detections and Resp, Team: SecuritySolution, Team:SIEM
Right now, tactics and techniques are related as parent-child: for each tactic, list all of its techniques.
This doesn't exactly map to how MITRE ATT&CK approaches it, since a single technique can be used in multiple tactics. If we line up a little better with ATT&CK, we can make the mappings clearer and more concise.
I&A would love to map this way. Also, there are use cases for linking to an ATT&CK tactic, without having any particular techniques. We don't have any practical cases for referencing a technique without a tactic, so it's not a full decoupling.
Ideally, we would be able to build a mapping like this (verbose example to cover many use cases):

This would correspond to a `threat` like this:

cc @elastic/security-intelligence-analytics
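As an added illustration of the many-to-many shape the issue asks for (this is example code, not the issue author's or Kibana's own), the function below takes technique-centric mappings, where one technique lists every tactic it appears under, and builds the per-tactic `threat` array. It assumes the rule schema fields `framework`, `tactic {id, name, reference}` and `technique[] {id, name, reference}`, and uses constructed sample data: Valid Accounts (T1078) really does sit under several ATT&CK tactics.

```typescript
// Added example, not code from the issue. Field names follow the assumed
// Kibana rule `threat` schema: framework, tactic{id,name,reference},
// technique[]{id,name,reference}.
interface Tactic { id: string; name: string; reference: string; }
interface Technique { id: string; name: string; reference: string; }

// Technique-centric view: one technique, all tactics it is used under.
interface TechniqueMapping { technique: Technique; tacticIds: string[]; }

// Tactic-centric view as stored on a rule: one entry per tactic.
interface ThreatEntry { framework: string; tactic: Tactic; technique: Technique[]; }

// Sample ATT&CK tactics (constructed for this example).
const TACTICS: Tactic[] = [
  { id: "TA0001", name: "Initial Access", reference: "https://attack.mitre.org/tactics/TA0001/" },
  { id: "TA0003", name: "Persistence", reference: "https://attack.mitre.org/tactics/TA0003/" },
  { id: "TA0004", name: "Privilege Escalation", reference: "https://attack.mitre.org/tactics/TA0004/" },
];

// Sample mapping (constructed): T1078 is legitimately multi-tactic in ATT&CK.
const MAPPINGS: TechniqueMapping[] = [
  {
    technique: { id: "T1078", name: "Valid Accounts", reference: "https://attack.mitre.org/techniques/T1078/" },
    tacticIds: ["TA0001", "TA0003", "TA0004"],
  },
];

// Build the `threat` array for a rule. Every selected tactic gets an entry,
// even with no techniques (the tactic-only use case from the issue), and a
// technique mapped to several tactics is repeated under each of them.
// Techniques whose tactic is not selected are dropped, since the issue does
// not want a technique referenced without a tactic.
function buildThreat(selectedTacticIds: string[], mappings: TechniqueMapping[]): ThreatEntry[] {
  const tacticsById = new Map<string, Tactic>(TACTICS.map((t) => [t.id, t]));
  return selectedTacticIds.map((tacticId) => {
    const tactic = tacticsById.get(tacticId);
    if (!tactic) throw new Error(`unknown tactic ${tacticId}`);
    return {
      framework: "MITRE ATT&CK",
      tactic,
      technique: mappings
        .filter((m) => m.tacticIds.includes(tacticId))
        .map((m) => m.technique),
    };
  });
}
```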