
[Security Solution][Detection Rules] Update schema to match app Mitre ATT&CK validation #87546

Closed
dplumlee opened this issue Jan 6, 2021 · 5 comments
Labels: bug (Fixes for quality problems that affect the customer experience); Feature:Detection Rules (Security Solution rules and Detection Engine); QA:Validated (Issue has been validated by QA); Team:Detections and Resp (Security Detection Response Team); Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.); v7.12.0

Comments

@dplumlee
Contributor

dplumlee commented Jan 6, 2021

With the update of the app's Mitre ATT&CK validation in #85481, the detection engine schema wasn't updated, with the expectation that there would be more overhauled changes to the Mitre fields coming in 7.12. Those have since been reprioritized to a later release, so we need to update the Mitre schema, specifically the technique field, to be optional and update the corresponding and affected pre-built rules to match.
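As an added example (not Kibana's own schema code), the check this issue asks for: a validator for a rule's `threat` array in which `framework` and `tactic` are required and `technique` is optional. The field names, shapes and the sample entry are assumptions for illustration.

```typescript
// Added example, not Kibana's code: a hand-rolled validator for a rule's
// MITRE ATT&CK `threat` array. Assumed shape of each entry:
//   { framework: string, tactic: AttackRef, technique?: AttackRef[] }
interface AttackRef {
  id: string;
  name: string;
  reference: string;
}

function isNonEmptyString(v: unknown): v is string {
  return typeof v === "string" && v.length > 0;
}

function isAttackRef(v: unknown): v is AttackRef {
  if (typeof v !== "object" || v === null) return false;
  const o = v as Record<string, unknown>;
  return isNonEmptyString(o.id) && isNonEmptyString(o.name) && isNonEmptyString(o.reference);
}

// Returns the list of validation errors; an empty list means `input` is valid.
function validateThreat(input: unknown): string[] {
  if (!Array.isArray(input)) return ["threat must be an array"];
  const errors: string[] = [];
  input.forEach((entry, i) => {
    if (typeof entry !== "object" || entry === null) {
      errors.push(`threat[${i}] must be an object`);
      return;
    }
    const e = entry as Record<string, unknown>;
    if (!isNonEmptyString(e.framework)) errors.push(`threat[${i}].framework is required`);
    if (!isAttackRef(e.tactic)) errors.push(`threat[${i}].tactic needs id, name and reference`);
    // technique may be absent (the change this issue describes); if present it
    // must be an array of complete references
    if (e.technique !== undefined && !(Array.isArray(e.technique) && e.technique.every(isAttackRef))) {
      errors.push(`threat[${i}].technique must be an array of {id, name, reference}`);
    }
  });
  return errors;
}

// Constructed sample: a tactic with no technique, which the updated schema accepts.
const tacticOnly: unknown = [
  {
    framework: "MITRE ATT&CK",
    tactic: { id: "TA0002", name: "Execution", reference: "https://attack.mitre.org/tactics/TA0002/" },
  },
];
```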

@dplumlee dplumlee added bug Fixes for quality problems that affect the customer experience Feature:Detection Rules Security Solution rules and Detection Engine v7.12.0 Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Jan 6, 2021
@dplumlee dplumlee self-assigned this Jan 6, 2021
@MindyRS MindyRS added the Team:Detections and Resp Security Detection Response Team label Jan 7, 2021
@MadameSheema
Member

@dplumlee is there any work missing? Thanks :)

@dplumlee
Contributor Author

@MadameSheema we updated the schema to fit this ticket, but the rules themselves won't be updated from the detections side of things until after 7.13 per this ticket. We can probably close this ticket though; the work on our side is done.

@peluja1012
Contributor

PR for this work is here #92281. Closing.

@ghost

ghost commented Mar 1, 2021

Hi @MadameSheema

We have validated this ticket on 7.12.0 BC2 and found that the issue is fixed. We observed that the threat technique is optional: the user can add the tactic without threat techniques.

Build Details:

Version: 7.12.0 BC2
Build: 39000
Commit: 4f65a5a1268fa78f1af9117d12312e1cee433376
Artifacts: https://staging.elastic.co/7.12.0-37f40745/summary-7.12.0.html

Screenshots: Mitre+attack, Rule_created

Please let us know if any other scenarios need to be tested.

Thanks!!

@ghost ghost added the QA:Validated Issue has been validated by QA label Mar 1, 2021
@ghost

ghost commented Mar 30, 2021

Bug Conversion:

Created 01 test case for this ticket: https://elastic.testrail.io/index.php?/cases/view/76929

Thanks!!
