[Security][Detections] Support threat subtechniques #75771

Closed
rw-access opened this issue Aug 24, 2020 · 4 comments
Labels: Feature:Detection Rules (Security Solution rules and Detection Engine), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), Team:SIEM, v7.11.0

Comments

@rw-access (Contributor)

Related/blocked by #69166
Related to elastic/ecs#867

I'm looking at ATT&CK subtechniques.
I think the best approach for ECS and SIEM is to nest subtechnique under threat.technique. Then it'd be threat.technique.subtechnique.

Currently our schema looks like this:

"threat": [
  {
    "tactic": {
      "id": "TAXXX",
      "name": "Some Tactic",
      "reference": "https://attack.mitre.org/TAXXX"
    },
    "technique": [
      {
        "id": "TXXX",
        "name": "Some Technique",
        "reference": "https://attack.mitre.org/TXXX"
      }
    ]
  }
]

and #69166 will allow many-to-many for tactic-techniques:

"threat": [
  {
    "tactic": [
      {
        "id": "TAXXX",
        "name": "Some Tactic",
        "reference": "https://attack.mitre.org/TAXXX"
      }
    ],
    "technique": [
      {
        "id": "TXXX",
        "name": "Some Technique",
        "reference": "https://attack.mitre.org/TXXX"
      }
    ]
  }
]

We still need to add subtechniques, which should be optional. Unlike tactics and techniques, there is a strict one -> many relationship for techniques -> subtechniques. I think the most natural solution is this:

"threat": [
  {
    "tactic": [
      {
        "id": "TAXXX",
        "name": "Some Tactic",
        "reference": "https://attack.mitre.org/TAXXX"
      }
    ],
    "technique": [
      {
        "id": "TXXX",
        "name": "Some Technique",
        "reference": "https://attack.mitre.org/TXXX",
        "subtechnique": [
          {
            "id": "TXXX.YYY",
            "name": "Some subtechnique",
            "reference": "https://attack.mitre.org/TXXX/YYY"
          }
        ]
      }
    ]
  }
]

This translates very nicely to the UI, and we can add a bulleted list of subtechniques under the techniques:

  • Tactic [, Tactic]
    • Technique
      • Subtechnique
    • Technique
  • Tactic
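As an added example (not Kibana's or ECS's own code), a small TypeScript model of the proposed shape that enforces the strict one -> many technique -> subtechnique relationship described above and renders the nested bullet list sketched for the UI. The validator, its regex and the sample entry are assumptions; the ATT&CK ids and URLs in the sample are real.

```typescript
// Added example, not Kibana's or ECS's own code: the nested threat shape proposed
// in this issue, with a check that each subtechnique belongs to its parent technique.
interface AttackRef { id: string; name: string; reference: string }
interface Technique extends AttackRef { subtechnique?: AttackRef[] }
interface Threat { tactic: AttackRef[]; technique: Technique[] }

// ATT&CK subtechnique ids are the parent technique id plus a three-digit suffix (assumed format).
const SUBTECHNIQUE_ID = /^(T\d{4})\.(\d{3})$/;

// Returns one message per violation; an empty array means the entry is well-formed.
function validateThreat(threat: Threat): string[] {
  const errors: string[] = [];
  if (threat.tactic.length === 0) errors.push('threat entry has no tactic');
  if (threat.technique.length === 0) errors.push('threat entry has no technique');
  for (const tech of threat.technique) {
    for (const sub of tech.subtechnique ?? []) {
      const m = SUBTECHNIQUE_ID.exec(sub.id);
      if (m === null) {
        errors.push(`${sub.id}: malformed subtechnique id`);
      } else if (m[1] !== tech.id) {
        // Strict one -> many: a subtechnique may only sit under its own technique.
        errors.push(`${sub.id}: not a subtechnique of ${tech.id}`);
      }
    }
  }
  return errors;
}

// Renders the nested bullet list the issue sketches for the rule UI.
function renderThreat(threat: Threat): string[] {
  const lines = [`• ${threat.tactic.map((t) => t.name).join(', ')}`];
  for (const tech of threat.technique) {
    lines.push(`  • ${tech.name}`);
    for (const sub of tech.subtechnique ?? []) lines.push(`    • ${sub.name}`);
  }
  return lines;
}

// Constructed sample (Execution / Command and Scripting Interpreter / PowerShell).
const sampleThreat: Threat = {
  tactic: [{ id: 'TA0002', name: 'Execution', reference: 'https://attack.mitre.org/tactics/TA0002/' }],
  technique: [{
    id: 'T1059', name: 'Command and Scripting Interpreter',
    reference: 'https://attack.mitre.org/techniques/T1059/',
    subtechnique: [{ id: 'T1059.001', name: 'PowerShell',
      reference: 'https://attack.mitre.org/techniques/T1059/001/' }],
  }],
};
```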
@rw-access rw-access added Team:SIEM Feature:Detection Rules Security Solution rules and Detection Engine labels Aug 24, 2020
@elasticmachine (Contributor)

Pinging @elastic/siem (Team:SIEM)

@dontcallmesherryli

Created ticket for app update to support subtechniques: https://github.com/elastic/security-team/issues/279

@rw-access rw-access added v7.11.0 and removed v7.10.0 labels Sep 30, 2020
@peluja1012 peluja1012 assigned dplumlee and unassigned spong Oct 19, 2020
spong added a commit that referenced this issue Oct 21, 2020
…ues (#81270)

Fixes the `extract-mitre-attacks` script and generates `v6.3` tactics and techniques. Will move to `7.x` as part of the structural changes to support sub-technique in #75771.
spong added a commit to spong/kibana that referenced this issue Oct 21, 2020
…ues (elastic#81270)

Fixes the `extract-mitre-attacks` script and generates `v6.3` tactics and techniques. Will move to `7.x` as part of the structural changes to support sub-technique in elastic#75771.
spong added a commit that referenced this issue Oct 21, 2020
…ues (#81270) (#81358)

Fixes the `extract-mitre-attacks` script and generates `v6.3` tactics and techniques. Will move to `7.x` as part of the structural changes to support sub-technique in #75771.
spong added a commit that referenced this issue Oct 21, 2020
…ues (#81270) (#81359)

Fixes the `extract-mitre-attacks` script and generates `v6.3` tactics and techniques. Will move to `7.x` as part of the structural changes to support sub-technique in #75771.
@MindyRS MindyRS added the Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. label Oct 27, 2020
@rw-access (Contributor, Author)

@dplumlee @peluja1012 I think we can close this issue now. Is that right?

@peluja1012 (Contributor)

peluja1012 commented Dec 17, 2020

@rw-access We're good to close. Thanks. This PR implements it #83511.
