
[SIEM] [DETECTION ENG] Add MITRE ATT&CK #52398

Merged
merged 6 commits into from Dec 10, 2019


@XavierM XavierM commented Dec 6, 2019

Summary

Create a script to get all the values of Tactics and Techniques from the Mitre JSON file and create the internationalization from it.

To run the script, go to the SIEM plugin folder and run yarn extract-mitre-attacks

Add a component to add tactics and techniques from MITRE ATT&CK Enterprise on the rule.

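As an added example (not the PR's own extract_tactics_techniques_mitre.js), this is the shape of the extraction the description outlines: read tactics and techniques out of a MITRE ATT&CK Enterprise STIX bundle, drop revoked entries, and keep the output order deterministic so the generated file diffs cleanly. The bundle below is a constructed, trimmed stand-in for enterprise-attack.json; the object types and fields follow the published ATT&CK STIX format.

```javascript
// Added example, not the PR's own script: pull tactics and techniques out of a
// MITRE ATT&CK Enterprise STIX bundle, as the description outlines. Object types
// and fields follow the published ATT&CK STIX format; the bundle is constructed.
const ref = (id) => [{ source_name: 'mitre-attack', external_id: id }];
const phase = (name) => ({ kill_chain_name: 'mitre-attack', phase_name: name });

const SAMPLE_BUNDLE = { // constructed, trimmed stand-in for enterprise-attack.json
  type: 'bundle',
  objects: [
    { type: 'x-mitre-tactic', name: 'Persistence', x_mitre_shortname: 'persistence', external_references: ref('TA0003') },
    { type: 'x-mitre-tactic', name: 'Initial Access', x_mitre_shortname: 'initial-access', external_references: ref('TA0001') },
    { type: 'attack-pattern', name: 'Valid Accounts', external_references: ref('T1078'),
      kill_chain_phases: [phase('initial-access'), phase('persistence')] },
    { type: 'attack-pattern', name: 'Phishing', external_references: ref('T1566'),
      kill_chain_phases: [phase('initial-access')] },
    // Revoked entries stay in the bundle but must not be offered on the rule form.
    { type: 'attack-pattern', name: 'Spearphishing Link', revoked: true, external_references: ref('T1192'),
      kill_chain_phases: [phase('initial-access')] },
  ],
};

// The ATT&CK id (TAxxxx / Txxxx) is the external reference whose source is mitre-attack.
function attackId(obj) {
  const r = (obj.external_references || []).find((x) => x.source_name === 'mitre-attack');
  return r ? r.external_id : undefined;
}

function extractMitre(bundle) {
  const byId = (a, b) => a.id.localeCompare(b.id); // deterministic order for a checked-in file
  const tactics = bundle.objects
    .filter((o) => o.type === 'x-mitre-tactic')
    .map((o) => ({ id: attackId(o), name: o.name, shortname: o.x_mitre_shortname }))
    .sort(byId);
  const techniques = bundle.objects
    .filter((o) => o.type === 'attack-pattern' && !o.revoked && !o.x_mitre_deprecated)
    .map((o) => ({
      id: attackId(o),
      name: o.name,
      tactics: (o.kill_chain_phases || []) // a technique may belong to several tactics
        .filter((p) => p.kill_chain_name === 'mitre-attack')
        .map((p) => p.phase_name),
    }))
    .sort(byId);
  return { tactics, techniques };
}

// Techniques selectable once a tactic is chosen on the form (by tactic shortname).
function techniquesForTactic({ techniques }, shortname) {
  return techniques.filter((t) => t.tactics.includes(shortname)).map((t) => t.id);
}
```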

@elasticmachine

Pinging @elastic/siem (Team:SIEM)


spong commented Dec 9, 2019

Grabbed the latest and looped through again -- noticing the following things:

  • ✅ Still seeing backend.js:6 Warning: Each child in a list should have a unique "key" prop in the console after submitting all fields for step 1 (left comment in code)
  • ✅ Selecting a tactic and then re-selecting Select Tactic ... is an invalid state and you have to delete the whole MITRE line to pass validation
  • ✅ An Empty MITRE Attack shows up in About Rule rollup if not selected (if deleted with trashcan, doesn't show up at all, which feels like the expected behavior)
  • ✅ Inputting a Reference/FP, then adding another but leaving it blank will result in empty tags on the rollup, and then going back to edit will not have the original values till the second empty one is deleted
  • ✅ Inputting a Reference/FP, then clicking to add another twice will remove the value in the first field

Let me know if you have any questions around the specifics -- I'll update this comment when I test again.

@@ -5,6 +5,7 @@
"private": true,
"license": "Elastic-License",
"scripts": {
"extract-mitre-attacks": "node scripts/extract_tactics_techniques_mitre.js & node ../../../../scripts/eslint ./public/pages/detection_engine/mitre/mitre_tactics_techniques.ts --fix",
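Review bot: the single `&` in the `extract-mitre-attacks` script backgrounds the generator and starts eslint immediately, so the lint pass can run before (or without) `mitre_tactics_techniques.ts` having been written, which is consistent with the "no matching pattern" lint error reported below when the file is absent. Use `&&` instead so eslint runs only after `node scripts/extract_tactics_techniques_mitre.js` exits successfully, i.e. `node scripts/extract_tactics_techniques_mitre.js && node ../../../../scripts/eslint ./public/pages/detection_engine/mitre/mitre_tactics_techniques.ts --fix`; a non-zero exit from the generator then also fails the yarn script instead of being silently ignored.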

This is absolutely awesome @XavierM! Thanks for taking the time to make a re-usable script for updating these -- our future selves are thanking you graciously! 😅 I tested this with both removing some fields from the current and deleting the file altogether and looks good! When deleting the file for a clean re-gen it'll give a no matching pattern error when trying to lint (and you'll have to lint manually), but it still generates fine. (Not a big deal since we'll be generating with the file intact.)

@spong spong left a comment


Checked out locally, tested thoroughly, and performed code review. LGTM! 👍

As commented, thanks for not only taking the time to write a script to automate the generation of these rules, but for also looping back around to improve/fix the lingering usability quirks. Really appreciate it @XavierM! 🙂

@elasticmachine

💚 Build Succeeded

History

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

@XavierM XavierM merged commit 8115e50 into elastic:master Dec 10, 2019
XavierM added a commit to XavierM/kibana that referenced this pull request Dec 10, 2019
* add mitre attack enterprise

* Add Mitre Att&ck on the about rule

* review

* fix internationalization

* bugs review

* fix ux with add reference
XavierM added a commit that referenced this pull request Dec 10, 2019
timductive pushed a commit to timductive/kibana that referenced this pull request Dec 16, 2019
@XavierM XavierM deleted the siem-detection-engine-mitre branch June 4, 2020 16:06