[Security Solution] Updates MITRE ATT&CK framework to v14.1 (#174120)

**Resolves: https://github.com/elastic/kibana/issues/171680** ## Summary Addresses: https://github.com/elastic/kibana/issues/166152 for `8.14.0` and https://github.com/elastic/kibana/issues/171680 [Flaky test runner result (internal)](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/5147) Updates MITRE ATT&CK mappings to `v14.1`. Last update was to `v13.1` in https://github.com/elastic/kibana/pull/166536. To update, I modified b0c6cc9777/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js (L22) to point to the `ATT&CK-v14.1` tag. Then ran `yarn extract-mitre-attacks` from the root `security_solution` plugin directory, and then `node scripts/i18n_check.js --fix` from Kibana root to regen the i18n files. ## Acceptance Criteria - [x] User can map and use new MITRE techniques in Security Solution - [ ] The user-facing documentation is updated with the new version - Ticket [here](https://github.com/elastic/security-docs/issues/4550) - [ ] [MITRE ATT&CK® coverage](https://www.elastic.co/guide/en/security/master/rules-coverage.html) page ## Test Criteria - [x] Verify that new techniques (see the changelog link above) are available for mapping on the Rule Creation page under "Advanced settings" - [x] Verify that new techniques are available on the MITRE ATT&CK coverage page ### For maintainers - [ ] This was checked for breaking API changes and was [labeled appropriately](https://www.elastic.co/guide/en/kibana/master/contributing.html#kibana-release-notes-process) --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2025-04-24 09:48:58 -04:00 · 2024-04-05 14:16:41 -04:00 · 2024-04-05 14:16:41 -04:00 · 1f2a3f01ed
commit 1f2a3f01ed
parent 392ef7b6a2
6 changed files with 269 additions and 61 deletions
--- a/x-pack/plugins/security_solution/public/detections/mitre/mitre_tactics_techniques.ts
+++ b/x-pack/plugins/security_solution/public/detections/mitre/mitre_tactics_techniques.ts
@ -209,7 +209,7 @@ export const techniques: MitreTechnique[] = [
    id: 'T1098',
    name: 'Account Manipulation',
    reference: 'https://attack.mitre.org/techniques/T1098',
-    tactics: ['persistence'],
+    tactics: ['persistence', 'privilege-escalation'],
    value: 'accountManipulation',
  },
  {
@ -553,6 +553,17 @@ export const techniques: MitreTechnique[] = [
    tactics: ['discovery'],
    value: 'containerAndResourceDiscovery',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackTechniques.contentInjectionDescription',
+      { defaultMessage: 'Content Injection (T1659)' }
+    ),
+    id: 'T1659',
+    name: 'Content Injection',
+    reference: 'https://attack.mitre.org/techniques/T1659',
+    tactics: ['initial-access', 'command-and-control'],
+    value: 'contentInjection',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackTechniques.createAccountDescription',
@ -1103,6 +1114,17 @@ export const techniques: MitreTechnique[] = [
    tactics: ['defense-evasion'],
    value: 'fileAndDirectoryPermissionsModification',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackTechniques.financialTheftDescription',
+      { defaultMessage: 'Financial Theft (T1657)' }
+    ),
+    id: 'T1657',
+    name: 'Financial Theft',
+    reference: 'https://attack.mitre.org/techniques/T1657',
+    tactics: ['impact'],
+    value: 'financialTheft',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackTechniques.firmwareCorruptionDescription',
@ -1235,6 +1257,17 @@ export const techniques: MitreTechnique[] = [
    tactics: ['defense-evasion'],
    value: 'impairDefenses',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackTechniques.impersonationDescription',
+      { defaultMessage: 'Impersonation (T1656)' }
+    ),
+    id: 'T1656',
+    name: 'Impersonation',
+    reference: 'https://attack.mitre.org/techniques/T1656',
+    tactics: ['defense-evasion'],
+    value: 'impersonation',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackTechniques.implantInternalImageDescription',
@ -1334,6 +1367,17 @@ export const techniques: MitreTechnique[] = [
    tactics: ['lateral-movement'],
    value: 'lateralToolTransfer',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackTechniques.logEnumerationDescription',
+      { defaultMessage: 'Log Enumeration (T1654)' }
+    ),
+    id: 'T1654',
+    name: 'Log Enumeration',
+    reference: 'https://attack.mitre.org/techniques/T1654',
+    tactics: ['discovery'],
+    value: 'logEnumeration',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackTechniques.masqueradingDescription',
@ -1620,6 +1664,17 @@ export const techniques: MitreTechnique[] = [
    tactics: ['defense-evasion'],
    value: 'plistFileModification',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackTechniques.powerSettingsDescription',
+      { defaultMessage: 'Power Settings (T1653)' }
+    ),
+    id: 'T1653',
+    name: 'Power Settings',
+    reference: 'https://attack.mitre.org/techniques/T1653',
+    tactics: ['persistence'],
+    value: 'powerSettings',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackTechniques.preOsBootDescription',
@ -2396,7 +2451,7 @@ export const subtechniques: MitreSubTechnique[] = [
    id: 'T1098.001',
    name: 'Additional Cloud Credentials',
    reference: 'https://attack.mitre.org/techniques/T1098/001',
-    tactics: ['persistence'],
+    tactics: ['persistence', 'privilege-escalation'],
    techniqueId: 'T1098',
    value: 'additionalCloudCredentials',
  },
@ -2408,10 +2463,22 @@ export const subtechniques: MitreSubTechnique[] = [
    id: 'T1098.003',
    name: 'Additional Cloud Roles',
    reference: 'https://attack.mitre.org/techniques/T1098/003',
-    tactics: ['persistence'],
+    tactics: ['persistence', 'privilege-escalation'],
    techniqueId: 'T1098',
    value: 'additionalCloudRoles',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.additionalContainerClusterRolesT1098Description',
+      { defaultMessage: 'Additional Container Cluster Roles (T1098.006)' }
+    ),
+    id: 'T1098.006',
+    name: 'Additional Container Cluster Roles',
+    reference: 'https://attack.mitre.org/techniques/T1098/006',
+    tactics: ['persistence', 'privilege-escalation'],
+    techniqueId: 'T1098',
+    value: 'additionalContainerClusterRoles',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.additionalEmailDelegatePermissionsT1098Description',
@ -2420,7 +2487,7 @@ export const subtechniques: MitreSubTechnique[] = [
    id: 'T1098.002',
    name: 'Additional Email Delegate Permissions',
    reference: 'https://attack.mitre.org/techniques/T1098/002',
-    tactics: ['persistence'],
+    tactics: ['persistence', 'privilege-escalation'],
    techniqueId: 'T1098',
    value: 'additionalEmailDelegatePermissions',
  },
@ -2664,6 +2731,18 @@ export const subtechniques: MitreSubTechnique[] = [
    techniqueId: 'T1584',
    value: 'botnet',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.breakProcessTreesT1036Description',
+      { defaultMessage: 'Break Process Trees (T1036.009)' }
+    ),
+    id: 'T1036.009',
+    name: 'Break Process Trees',
+    reference: 'https://attack.mitre.org/techniques/T1036/009',
+    tactics: ['defense-evasion'],
+    techniqueId: 'T1036',
+    value: 'breakProcessTrees',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.businessRelationshipsT1591Description',
@ -2940,6 +3019,18 @@ export const subtechniques: MitreSubTechnique[] = [
    techniqueId: 'T1552',
    value: 'cloudInstanceMetadataApi',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.cloudSecretsManagementStoresT1555Description',
+      { defaultMessage: 'Cloud Secrets Management Stores (T1555.006)' }
+    ),
+    id: 'T1555.006',
+    name: 'Cloud Secrets Management Stores',
+    reference: 'https://attack.mitre.org/techniques/T1555/006',
+    tactics: ['credential-access'],
+    techniqueId: 'T1555',
+    value: 'cloudSecretsManagementStores',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.cloudServicesT1021Description',
@ -3476,7 +3567,7 @@ export const subtechniques: MitreSubTechnique[] = [
    id: 'T1098.005',
    name: 'Device Registration',
    reference: 'https://attack.mitre.org/techniques/T1098/005',
-    tactics: ['persistence'],
+    tactics: ['persistence', 'privilege-escalation'],
    techniqueId: 'T1098',
    value: 'deviceRegistration',
  },
@ -3516,6 +3607,18 @@ export const subtechniques: MitreSubTechnique[] = [
    techniqueId: 'T1587',
    value: 'digitalCertificates',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.directCloudVmConnectionsT1021Description',
+      { defaultMessage: 'Direct Cloud VM Connections (T1021.008)' }
+    ),
+    id: 'T1021.008',
+    name: 'Direct Cloud VM Connections',
+    reference: 'https://attack.mitre.org/techniques/T1021/008',
+    tactics: ['lateral-movement'],
+    techniqueId: 'T1021',
+    value: 'directCloudVmConnections',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.directNetworkFloodT1498Description',
@ -3528,18 +3631,6 @@ export const subtechniques: MitreSubTechnique[] = [
    techniqueId: 'T1498',
    value: 'directNetworkFlood',
  },
-  {
-    label: i18n.translate(
-      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableCloudLogsT1562Description',
-      { defaultMessage: 'Disable Cloud Logs (T1562.008)' }
-    ),
-    id: 'T1562.008',
-    name: 'Disable Cloud Logs',
-    reference: 'https://attack.mitre.org/techniques/T1562/008',
-    tactics: ['defense-evasion'],
-    techniqueId: 'T1562',
-    value: 'disableCloudLogs',
-  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableCryptoHardwareT1600Description',
@ -3576,6 +3667,30 @@ export const subtechniques: MitreSubTechnique[] = [
    techniqueId: 'T1562',
    value: 'disableOrModifyCloudFirewall',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableOrModifyCloudLogsT1562Description',
+      { defaultMessage: 'Disable or Modify Cloud Logs (T1562.008)' }
+    ),
+    id: 'T1562.008',
+    name: 'Disable or Modify Cloud Logs',
+    reference: 'https://attack.mitre.org/techniques/T1562/008',
+    tactics: ['defense-evasion'],
+    techniqueId: 'T1562',
+    value: 'disableOrModifyCloudLogs',
+  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableOrModifyLinuxAuditSystemT1562Description',
+      { defaultMessage: 'Disable or Modify Linux Audit System (T1562.012)' }
+    ),
+    id: 'T1562.012',
+    name: 'Disable or Modify Linux Audit System',
+    reference: 'https://attack.mitre.org/techniques/T1562/012',
+    tactics: ['defense-evasion'],
+    techniqueId: 'T1562',
+    value: 'disableOrModifyLinuxAuditSystem',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableOrModifySystemFirewallT1562Description',
@ -4068,6 +4183,18 @@ export const subtechniques: MitreSubTechnique[] = [
    techniqueId: 'T1048',
    value: 'exfiltrationOverUnencryptedNonC2Protocol',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverWebhookT1567Description',
+      { defaultMessage: 'Exfiltration Over Webhook (T1567.004)' }
+    ),
+    id: 'T1567.004',
+    name: 'Exfiltration Over Webhook',
+    reference: 'https://attack.mitre.org/techniques/T1567/004',
+    tactics: ['exfiltration'],
+    techniqueId: 'T1567',
+    value: 'exfiltrationOverWebhook',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.exfiltrationOverUsbT1052Description',
@ -4428,6 +4555,18 @@ export const subtechniques: MitreSubTechnique[] = [
    techniqueId: 'T1591',
    value: 'identifyRoles',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.ignoreProcessInterruptsT1564Description',
+      { defaultMessage: 'Ignore Process Interrupts (T1564.011)' }
+    ),
+    id: 'T1564.011',
+    name: 'Ignore Process Interrupts',
+    reference: 'https://attack.mitre.org/techniques/T1564/011',
+    tactics: ['defense-evasion'],
+    techniqueId: 'T1564',
+    value: 'ignoreProcessInterrupts',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.imageFileExecutionOptionsInjectionT1546Description',
@ -4680,6 +4819,18 @@ export const subtechniques: MitreSubTechnique[] = [
    techniqueId: 'T1557',
    value: 'llmnrNbtNsPoisoningAndSmbRelay',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.lnkIconSmugglingT1027Description',
+      { defaultMessage: 'LNK Icon Smuggling (T1027.012)' }
+    ),
+    id: 'T1027.012',
+    name: 'LNK Icon Smuggling',
+    reference: 'https://attack.mitre.org/techniques/T1027/012',
+    tactics: ['defense-evasion'],
+    techniqueId: 'T1027',
+    value: 'lnkIconSmuggling',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.lsaSecretsT1003Description',
@ -5076,6 +5227,18 @@ export const subtechniques: MitreSubTechnique[] = [
    techniqueId: 'T1218',
    value: 'mavinject',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.modifyCloudComputeConfigurationsT1578Description',
+      { defaultMessage: 'Modify Cloud Compute Configurations (T1578.005)' }
+    ),
+    id: 'T1578.005',
+    name: 'Modify Cloud Compute Configurations',
+    reference: 'https://attack.mitre.org/techniques/T1578/005',
+    tactics: ['defense-evasion'],
+    techniqueId: 'T1578',
+    value: 'modifyCloudComputeConfigurations',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.mshtaT1218Description',
@ -6092,7 +6255,7 @@ export const subtechniques: MitreSubTechnique[] = [
    id: 'T1098.004',
    name: 'SSH Authorized Keys',
    reference: 'https://attack.mitre.org/techniques/T1098/004',
-    tactics: ['persistence'],
+    tactics: ['persistence', 'privilege-escalation'],
    techniqueId: 'T1098',
    value: 'sshAuthorizedKeys',
  },
@ -6516,6 +6679,30 @@ export const subtechniques: MitreSubTechnique[] = [
    techniqueId: 'T1598',
    value: 'spearphishingService',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.spearphishingVoiceT1598Description',
+      { defaultMessage: 'Spearphishing Voice (T1598.004)' }
+    ),
+    id: 'T1598.004',
+    name: 'Spearphishing Voice',
+    reference: 'https://attack.mitre.org/techniques/T1598/004',
+    tactics: ['reconnaissance'],
+    techniqueId: 'T1598',
+    value: 'spearphishingVoice',
+  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.spearphishingVoiceT1566Description',
+      { defaultMessage: 'Spearphishing Voice (T1566.004)' }
+    ),
+    id: 'T1566.004',
+    name: 'Spearphishing Voice',
+    reference: 'https://attack.mitre.org/techniques/T1566/004',
+    tactics: ['initial-access'],
+    techniqueId: 'T1566',
+    value: 'spearphishingVoice',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.spearphishingViaServiceT1566Description',
@ -6708,6 +6895,18 @@ export const subtechniques: MitreSubTechnique[] = [
    techniqueId: 'T1542',
    value: 'tftpBoot',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.temporaryElevatedCloudAccessT1548Description',
+      { defaultMessage: 'Temporary Elevated Cloud Access (T1548.005)' }
+    ),
+    id: 'T1548.005',
+    name: 'Temporary Elevated Cloud Access',
+    reference: 'https://attack.mitre.org/techniques/T1548/005',
+    tactics: ['privilege-escalation', 'defense-evasion'],
+    techniqueId: 'T1548',
+    value: 'temporaryElevatedCloudAccess',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.terminalServicesDllT1505Description',
@ -7128,6 +7327,18 @@ export const subtechniques: MitreSubTechnique[] = [
    techniqueId: 'T1505',
    value: 'webShell',
  },
+  {
+    label: i18n.translate(
+      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.wiFiDiscoveryT1016Description',
+      { defaultMessage: 'Wi-Fi Discovery (T1016.002)' }
+    ),
+    id: 'T1016.002',
+    name: 'Wi-Fi Discovery',
+    reference: 'https://attack.mitre.org/techniques/T1016/002',
+    tactics: ['discovery'],
+    techniqueId: 'T1016',
+    value: 'wiFiDiscovery',
+  },
  {
    label: i18n.translate(
      'xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.windowsCommandShellT1059Description',
@ -7278,62 +7489,62 @@ export const getMockThreatData = () => [
  },
  {
    tactic: {
-      name: 'Credential Access',
-      id: 'TA0006',
-      reference: 'https://attack.mitre.org/tactics/TA0006',
+      name: 'Command and Control',
+      id: 'TA0011',
+      reference: 'https://attack.mitre.org/tactics/TA0011',
    },
    technique: {
-      name: 'Steal or Forge Kerberos Tickets',
-      id: 'T1558',
-      reference: 'https://attack.mitre.org/techniques/T1558',
-      tactics: ['credential-access'],
+      name: 'Encrypted Channel',
+      id: 'T1573',
+      reference: 'https://attack.mitre.org/techniques/T1573',
+      tactics: ['command-and-control'],
    },
    subtechnique: {
-      name: 'AS-REP Roasting',
-      id: 'T1558.004',
-      reference: 'https://attack.mitre.org/techniques/T1558/004',
-      tactics: ['credential-access'],
-      techniqueId: 'T1558',
+      name: 'Asymmetric Cryptography',
+      id: 'T1573.002',
+      reference: 'https://attack.mitre.org/techniques/T1573/002',
+      tactics: ['command-and-control'],
+      techniqueId: 'T1573',
    },
  },
  {
    tactic: {
-      name: 'Persistence',
-      id: 'TA0003',
-      reference: 'https://attack.mitre.org/tactics/TA0003',
+      name: 'Defense Evasion',
+      id: 'TA0005',
+      reference: 'https://attack.mitre.org/tactics/TA0005',
    },
    technique: {
-      name: 'Boot or Logon Autostart Execution',
-      id: 'T1547',
-      reference: 'https://attack.mitre.org/techniques/T1547',
-      tactics: ['persistence', 'privilege-escalation'],
+      name: 'Indicator Removal',
+      id: 'T1070',
+      reference: 'https://attack.mitre.org/techniques/T1070',
+      tactics: ['defense-evasion'],
    },
    subtechnique: {
-      name: 'Active Setup',
-      id: 'T1547.014',
-      reference: 'https://attack.mitre.org/techniques/T1547/014',
-      tactics: ['persistence', 'privilege-escalation'],
-      techniqueId: 'T1547',
+      name: 'Clear Linux or Mac System Logs',
+      id: 'T1070.002',
+      reference: 'https://attack.mitre.org/techniques/T1070/002',
+      tactics: ['defense-evasion'],
+      techniqueId: 'T1070',
    },
  },
  {
    tactic: {
-      name: 'Persistence',
-      id: 'TA0003',
-      reference: 'https://attack.mitre.org/tactics/TA0003',
+      name: 'Resource Development',
+      id: 'TA0042',
+      reference: 'https://attack.mitre.org/tactics/TA0042',
    },
    technique: {
-      name: 'Account Manipulation',
-      id: 'T1098',
-      reference: 'https://attack.mitre.org/techniques/T1098',
-      tactics: ['persistence'],
+      name: 'Obtain Capabilities',
+      id: 'T1588',
+      reference: 'https://attack.mitre.org/techniques/T1588',
+      tactics: ['resource-development'],
    },
    subtechnique: {
-      name: 'Additional Cloud Credentials',
-      id: 'T1098.001',
-      reference: 'https://attack.mitre.org/techniques/T1098/001',
-      tactics: ['persistence'],
-      techniqueId: 'T1098',
+      name: 'Code Signing Certificates',
+      id: 'T1588.003',
+      reference: 'https://attack.mitre.org/techniques/T1588/003',
+      tactics: ['resource-development'],
+      techniqueId: 'T1588',
    },
  },
 ];
--- a/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js
+++ b/x-pack/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js
@ -19,7 +19,7 @@ const OUTPUT_DIRECTORY = resolve('public', 'detections', 'mitre');
 // Every release we should update the version of MITRE ATT&CK content and regenerate the model in our code.
 // This version must correspond to the one used for prebuilt rules in https://github.com/elastic/detection-rules.
 // This version is basically a tag on https://github.com/mitre/cti/tags, or can be a branch name like `master`.
-const MITRE_CONTENT_VERSION = 'ATT&CK-v13.1'; // last updated when preparing for 8.10.3 release
+const MITRE_CONTENT_VERSION = 'ATT&CK-v14.1'; // last updated when preparing for 8.14.0 release
 const MITRE_CONTENT_URL = `https://raw.githubusercontent.com/mitre/cti/${MITRE_CONTENT_VERSION}/enterprise-attack/enterprise-attack.json`;

 /**
@ -184,7 +184,7 @@ const buildMockThreatData = (tacticsData, techniques, subtechniques) => {
  const numberOfThreatsToGenerate = 4;
  const mockThreatData = [];
  for (let i = 0; i < numberOfThreatsToGenerate; i++) {
-    const subtechnique = subtechniques[i * 2]; // Double our interval to broaden the subtechnique types we're pulling data from a bit
+    const subtechnique = subtechniques[i * 20]; // Double our interval to broaden the subtechnique types we're pulling data from a bit
    const technique = techniques.find((technique) => technique.id === subtechnique.techniqueId);
    const tactic = tacticsData.find((tactic) => tactic.shortName === technique.tactics[0]);

--- a/x-pack/plugins/translations/translations/fr-FR.json
+++ b/x-pack/plugins/translations/translations/fr-FR.json
@ -34399,7 +34399,6 @@
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.digitalCertificatesT1588Description": "Certificats numériques (T1588.004)",
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.digitalCertificatesT1596Description": "Certificats numériques (T1596.003)",
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.directNetworkFloodT1498Description": "Flux de réseau direct (T1498.001)",
-    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableCloudLogsT1562Description": "Désactivation des logs de cloud (T1562.008)",
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableCryptoHardwareT1600Description": "Désactivation du matériel de crypto (T1600.002)",
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableOrModifyCloudFirewallT1562Description": "Désactivation ou modification du pare-feu du cloud (T1562.007)",
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableOrModifySystemFirewallT1562Description": "Désactivation ou modification du pare-feu du système (T1562.004)",
--- a/x-pack/plugins/translations/translations/ja-JP.json
+++ b/x-pack/plugins/translations/translations/ja-JP.json
@ -34368,7 +34368,6 @@
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.digitalCertificatesT1588Description": "デジタル証明書（T1588.004）",
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.digitalCertificatesT1596Description": "デジタル証明書（T1596.003）",
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.directNetworkFloodT1498Description": "ダイレクトネットワークフラッド（T1498.001）",
-    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableCloudLogsT1562Description": "クラウドログの無効化（T1562.008）",
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableCryptoHardwareT1600Description": "暗号ハードウェアの無効化（T1600.002）",
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableOrModifyCloudFirewallT1562Description": "クラウドファイアウォールの無効化または修正（T1562.007）",
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableOrModifySystemFirewallT1562Description": "システムファイアウォールの無効化または修正（T1562.004）",
--- a/x-pack/plugins/translations/translations/zh-CN.json
+++ b/x-pack/plugins/translations/translations/zh-CN.json
@ -34411,7 +34411,6 @@
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.digitalCertificatesT1588Description": "Digital Certificates (T1588.004)",
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.digitalCertificatesT1596Description": "Digital Certificates (T1596.003)",
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.directNetworkFloodT1498Description": "Direct Network Flood (T1498.001)",
-    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableCloudLogsT1562Description": "Disable Cloud Logs (T1562.008)",
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableCryptoHardwareT1600Description": "Disable Crypto Hardware (T1600.002)",
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableOrModifyCloudFirewallT1562Description": "Disable or Modify Cloud Firewall (T1562.007)",
    "xpack.securitySolution.detectionEngine.mitreAttackSubtechniques.disableOrModifySystemFirewallT1562Description": "Disable or Modify System Firewall (T1562.004)",
--- a/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/coverage_overview/coverage_overview.cy.ts
+++ b/x-pack/test/security_solution_cypress/cypress/e2e/detection_response/rule_management/coverage_overview/coverage_overview.cy.ts
@ -48,8 +48,8 @@ const EnabledCustomRuleMitreData = getMockThreatData()[2];
 const DisabledCustomRuleMitreData = getMockThreatData()[3];

 // Mitre data used for duplicate technique tests
-const DuplicateTechniqueMitreData1 = getDuplicateTechniqueThreatData()[1];
-const DuplicateTechniqueMitreData2 = getDuplicateTechniqueThreatData()[0];
+const DuplicateTechniqueMitreData1 = getDuplicateTechniqueThreatData()[0];
+const DuplicateTechniqueMitreData2 = getDuplicateTechniqueThreatData()[1];

 const MockEnabledPrebuiltRuleThreat: Threat = {
  framework: 'MITRE ATT&CK',