[Security Solution] Updates MITRE ATT&CK framework to v13.1 (#166536)

This commit is contained in:
Davis Plumlee 2023-09-20 16:27:13 -04:00 committed by GitHub
parent cd68eb7266
commit b9448d0310
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
13 changed files with 965 additions and 5747 deletions


@ -30,7 +30,7 @@ export async function buildCoverageOverviewDashboardModel(
apiResponse: CoverageOverviewResponse
): Promise<CoverageOverviewDashboard> {
const mitreConfig = await lazyMitreConfiguration();
const { tactics, technique: techniques, subtechniques } = mitreConfig;
const { tactics, techniques, subtechniques } = mitreConfig;
const mitreTactics = buildCoverageOverviewMitreGraph(tactics, techniques, subtechniques);
for (const tactic of mitreTactics) {


@ -14,11 +14,15 @@ describe('buildCoverageOverviewModel', () => {
name: 'Tactic 1',
id: 'TA001',
reference: 'https://some-link/TA001',
label: 'Tactic 1',
value: 'tactic1',
},
{
name: 'Tactic 2',
id: 'TA002',
reference: 'https://some-link/TA002',
label: 'Tactic 2',
value: 'tactic2',
},
];
const techniques = [
@ -27,12 +31,16 @@ describe('buildCoverageOverviewModel', () => {
id: 'T001',
reference: 'https://some-link/T001',
tactics: ['tactic-1'],
label: 'Technique 1',
value: 'technique1',
},
{
name: 'Technique 2',
id: 'T002',
reference: 'https://some-link/T002',
tactics: ['tactic-1', 'tactic-2'],
label: 'Technique 2',
value: 'technique2',
},
];
const subtechniques = [
@ -42,6 +50,8 @@ describe('buildCoverageOverviewModel', () => {
reference: 'https://some-link/T001/001',
tactics: ['tactic-1'],
techniqueId: 'T001',
label: 'Subtechnique 1',
value: 'subtechnique1',
},
{
name: 'Subtechnique 2',
@ -49,6 +59,8 @@ describe('buildCoverageOverviewModel', () => {
reference: 'https://some-link/T001/002',
tactics: ['tactic-1'],
techniqueId: 'T001',
label: 'Subtechnique 2',
value: 'subtechnique2',
},
];


@ -8,11 +8,7 @@ import { EuiFlexItem, EuiLink, EuiFlexGroup, EuiButtonEmpty } from '@elastic/eui
import React, { useEffect, useState } from 'react';
import styled from 'styled-components';
import type { BuildThreatDescription } from './types';
import type {
MitreSubtechniquesOptions,
MitreTacticsOptions,
MitreTechniquesOptions,
} from '../../../mitre/types';
import type { MitreSubTechnique, MitreTactic, MitreTechnique } from '../../../mitre/types';
import ListTreeIcon from './assets/list_tree_icon.svg';
const lazyMitreConfiguration = () => {
@ -45,16 +41,16 @@ const TechniqueLinkItem = styled(EuiButtonEmpty)`
`;
export const ThreatEuiFlexGroup = ({ label, threat }: BuildThreatDescription) => {
const [techniquesOptions, setTechniquesOptions] = useState<MitreTechniquesOptions[]>([]);
const [tacticsOptions, setTacticsOptions] = useState<MitreTacticsOptions[]>([]);
const [subtechniquesOptions, setSubtechniquesOptions] = useState<MitreSubtechniquesOptions[]>([]);
const [techniquesOptions, setTechniquesOptions] = useState<MitreTechnique[]>([]);
const [tacticsOptions, setTacticsOptions] = useState<MitreTactic[]>([]);
const [subtechniquesOptions, setSubtechniquesOptions] = useState<MitreSubTechnique[]>([]);
useEffect(() => {
async function getMitre() {
const mitreConfig = await lazyMitreConfiguration();
setSubtechniquesOptions(mitreConfig.subtechniquesOptions);
setTechniquesOptions(mitreConfig.techniquesOptions);
setTacticsOptions(mitreConfig.tacticsOptions);
setSubtechniquesOptions(mitreConfig.subtechniques);
setTechniquesOptions(mitreConfig.techniques);
setTacticsOptions(mitreConfig.tactics);
}
getMitre();
}, []);
@ -70,7 +66,7 @@ export const ThreatEuiFlexGroup = ({ label, threat }: BuildThreatDescription) =>
target="_blank"
>
{tactic != null
? tactic.text
? tactic.label
: `${singleThreat.tactic.name} (${singleThreat.tactic.id})`}
</EuiLink>
<EuiFlexGroup gutterSize="none" alignItems="flexStart" direction="column">
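Review bot: The renamed `setSubtechniquesOptions(mitreConfig.subtechniques)`, `setTechniquesOptions(mitreConfig.techniques)` and `setTacticsOptions(mitreConfig.tactics)` calls run after an `await` inside an effect that neither awaits nor catches `getMitre()`, so a failed dynamic import surfaces as an unhandled rejection and a component unmounted during the import still receives three state updates. Since these lines are being touched anyway, a cancellation flag would cover the unmount case: `let active = true;` before `getMitre()`, `if (active) { ...setters... }` around the three calls, and `return () => { active = false; };` from the effect, plus a `.catch` on the `getMitre()` call to log the import failure. The same pattern is repeated in the AddMitreAttackThreat, MitreAttackSubtechniqueFields and MitreAttackTechniqueFields sections below. The body of `ThreatEuiFlexGroup` continues outside this hunk.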


@ -22,7 +22,7 @@ const lazyMitreConfiguration = () => {
* Returns true if the given mitre technique has any subtechniques
*/
export const hasSubtechniqueOptions = async (technique: ThreatTechnique) => {
return (await lazyMitreConfiguration()).subtechniquesOptions.some(
return (await lazyMitreConfiguration()).subtechniques.some(
(subtechnique) => subtechnique.techniqueId === technique.id
);
};


@ -18,7 +18,7 @@ import { threatDefault } from '../step_about_rule/default_value';
import { MyAddItemButton } from '../add_item_form';
import * as i18n from './translations';
import { MitreAttackTechniqueFields } from './technique_fields';
import type { MitreTacticsOptions } from '../../../mitre/types';
import type { MitreTactic } from '../../../mitre/types';
const lazyMitreConfiguration = () => {
/**
@ -77,12 +77,12 @@ export const AddMitreAttackThreat = memo(({ field, idAria, isDisabled }: AddItem
}
}, [field]);
const [tacticsOptions, setTacticsOptions] = useState<MitreTacticsOptions[]>([]);
const [tacticsOptions, setTacticsOptions] = useState<MitreTactic[]>([]);
useEffect(() => {
async function getMitre() {
const mitreConfig = await lazyMitreConfiguration();
setTacticsOptions(mitreConfig.tacticsOptions);
setTacticsOptions(mitreConfig.tactics);
}
getMitre();
}, []);
@ -128,7 +128,7 @@ export const AddMitreAttackThreat = memo(({ field, idAria, isDisabled }: AddItem
]
: []),
...tacticsOptions.map((t) => ({
inputDisplay: <>{t.text}</>,
inputDisplay: <>{t.label}</>,
value: t.value,
disabled,
})),


@ -22,7 +22,7 @@ import * as Rulei18n from '../../../pages/detection_engine/rules/translations';
import type { FieldHook } from '../../../../shared_imports';
import { MyAddItemButton } from '../add_item_form';
import * as i18n from './translations';
import type { MitreSubtechniquesOptions } from '../../../mitre/types';
import type { MitreSubTechnique } from '../../../mitre/types';
const lazyMitreConfiguration = () => {
/**
@ -57,12 +57,12 @@ export const MitreAttackSubtechniqueFields: React.FC<AddSubtechniqueProps> = ({
onFieldChange,
}): JSX.Element => {
const values = field.value as Threats;
const [subtechniquesOptions, setSubtechniquesOptions] = useState<MitreSubtechniquesOptions[]>([]);
const [subtechniquesOptions, setSubtechniquesOptions] = useState<MitreSubTechnique[]>([]);
useEffect(() => {
async function getMitre() {
const mitreConfig = await lazyMitreConfiguration();
setSubtechniquesOptions(mitreConfig.subtechniquesOptions);
setSubtechniquesOptions(mitreConfig.subtechniques);
}
getMitre();
}, []);


@ -23,7 +23,7 @@ import type { FieldHook } from '../../../../shared_imports';
import { MyAddItemButton } from '../add_item_form';
import * as i18n from './translations';
import { MitreAttackSubtechniqueFields } from './subtechnique_fields';
import type { MitreSubtechniquesOptions, MitreTechniquesOptions } from '../../../mitre/types';
import type { MitreTechnique, MitreSubTechnique } from '../../../mitre/types';
const lazyMitreConfiguration = () => {
/**
@ -37,7 +37,7 @@ const lazyMitreConfiguration = () => {
};
const hasSubtechniqueOptions = (
subtechniquesOptions: MitreSubtechniquesOptions[],
subtechniquesOptions: MitreSubTechnique[],
technique: ThreatTechnique
) => subtechniquesOptions.some((subtechnique) => subtechnique.techniqueId === technique.id);
@ -66,14 +66,14 @@ export const MitreAttackTechniqueFields: React.FC<AddTechniqueProps> = ({
}): JSX.Element => {
const values = field.value as Threats;
const [techniquesOptions, setTechniquesOptions] = useState<MitreTechniquesOptions[]>([]);
const [subtechniquesOptions, setSubtechniquesOptions] = useState<MitreSubtechniquesOptions[]>([]);
const [techniquesOptions, setTechniquesOptions] = useState<MitreTechnique[]>([]);
const [subtechniquesOptions, setSubtechniquesOptions] = useState<MitreSubTechnique[]>([]);
useEffect(() => {
async function getMitre() {
const mitreConfig = await lazyMitreConfiguration();
setTechniquesOptions(mitreConfig.techniquesOptions);
setSubtechniquesOptions(mitreConfig.subtechniquesOptions);
setTechniquesOptions(mitreConfig.techniques);
setSubtechniquesOptions(mitreConfig.subtechniques);
}
getMitre();
}, []);


@ -5,43 +5,18 @@
* 2.0.
*/
export interface MitreOptions {
id: string;
name: string;
reference: string;
value: string;
}
export interface MitreTacticsOptions extends MitreOptions {
text: string;
}
export interface MitreTechniquesOptions extends MitreOptions {
label: string;
tactics: string;
}
export interface MitreSubtechniquesOptions extends MitreTechniquesOptions {
techniqueId: string;
}
export interface MitreTactic {
id: string;
name: string;
reference: string; // A link to the tactic's page
value: string; // A camelCased version of the name we use to reference the tactic
label: string; // An i18n internationalized version of the name we use for rendering
}
export interface MitreTechnique {
id: string;
name: string;
reference: string; // A link to the technique's page
export interface MitreTechnique extends MitreTactic {
tactics: string[]; // Tactics this technique assigned to (lowercase dash separated)
}
export interface MitreSubTechnique {
id: string;
name: string;
reference: string; // A link to the subtechnique's page
tactics: string[]; // Tactics this technique assigned to (lowercase dash separated)
export interface MitreSubTechnique extends MitreTechnique {
techniqueId: string; // A technique id this subtechnique assigned to
}
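Review bot: `export interface MitreTechnique extends MitreTactic` and `MitreSubTechnique extends MitreTechnique` model a technique as a kind of tactic purely to reuse fields, and the inherited comments (`// A link to the tactic's page`, `// ... we use to reference the tactic`) now describe techniques and subtechniques as well. A shared base interface for the common fields keeps the reuse while letting each exported name carry accurate documentation; because TypeScript types are structural, assignability at existing call sites should be unchanged. Something like the following, with `MitreTactic` reduced to that base and the other two extending it, would read more accurately.
```typescript
/** Fields shared by every ATT&CK tactic, technique and subtechnique we render. */
export interface MitreEntity {
  id: string;
  name: string;
  reference: string; // A link to the entity's page
  value: string; // A camelCased version of the name we use to reference the entity
  label: string; // An i18n internationalized version of the name we use for rendering
}

export type MitreTactic = MitreEntity;

export interface MitreTechnique extends MitreEntity {
  tactics: string[]; // Tactics this technique is assigned to (lowercase dash separated)
}

// … unchanged: MitreSubTechnique extends MitreTechnique …
```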


@ -19,7 +19,7 @@ const OUTPUT_DIRECTORY = resolve('public', 'detections', 'mitre');
// Every release we should update the version of MITRE ATT&CK content and regenerate the model in our code.
// This version must correspond to the one used for prebuilt rules in https://github.com/elastic/detection-rules.
// This version is basically a tag on https://github.com/mitre/cti/tags, or can be a branch name like `master`.
const MITRE_CONTENT_VERSION = 'ATT&CK-v12.1'; // last updated when preparing for 8.7.0 release
const MITRE_CONTENT_VERSION = 'ATT&CK-v13.1'; // last updated when preparing for 8.10.3 release
const MITRE_CONTENT_URL = `https://raw.githubusercontent.com/mitre/cti/${MITRE_CONTENT_VERSION}/enterprise-attack/enterprise-attack.json`;
const getTacticsOptions = (tactics) =>
@ -28,7 +28,7 @@ const getTacticsOptions = (tactics) =>
id: '${t.id}',
name: '${t.name}',
reference: '${t.reference}',
text: i18n.translate(
label: i18n.translate(
'xpack.securitySolution.detectionEngine.mitreAttackTactics.${camelCase(t.name)}Description', {
defaultMessage: '${t.name} (${t.id})'
}),
@ -48,7 +48,7 @@ const getTechniquesOptions = (techniques) =>
id: '${t.id}',
name: '${t.name}',
reference: '${t.reference}',
tactics: '${t.tactics.join()}',
tactics: [${t.tactics.map((tactic) => `'${tactic.trim()}'`)}],
value: '${camelCase(t.name)}'
}`.replace(/(\r\n|\n|\r)/gm, ' ')
);
@ -65,7 +65,7 @@ const getSubtechniquesOptions = (subtechniques) =>
id: '${t.id}',
name: '${t.name}',
reference: '${t.reference}',
tactics: '${t.tactics.join()}',
tactics: [${t.tactics.map((tactic) => `'${tactic.trim()}'`)}],
techniqueId: '${t.techniqueId}',
value: '${camelCase(t.name)}'
}`.replace(/(\r\n|\n|\r)/gm, ' ')
@ -203,25 +203,19 @@ async function main() {
import { i18n } from '@kbn/i18n';
import { MitreTacticsOptions, MitreTechniquesOptions, MitreSubtechniquesOptions } from './types';
import { MitreTactic, MitreTechnique, MitreSubTechnique } from './types';
export const tactics = ${JSON.stringify(tactics, null, 2)};
export const tacticsOptions: MitreTacticsOptions[] =
export const tactics: MitreTactic[] =
${JSON.stringify(getTacticsOptions(tactics), null, 2)
.replace(/}"/g, '}')
.replace(/"{/g, '{')};
export const technique = ${JSON.stringify(techniques, null, 2)};
export const techniquesOptions: MitreTechniquesOptions[] =
export const techniques: MitreTechnique[] =
${JSON.stringify(getTechniquesOptions(techniques), null, 2)
.replace(/}"/g, '}')
.replace(/"{/g, '{')};
export const subtechniques = ${JSON.stringify(subtechniques, null, 2)};
export const subtechniquesOptions: MitreSubtechniquesOptions[] =
export const subtechniques: MitreSubTechnique[] =
${JSON.stringify(getSubtechniquesOptions(subtechniques), null, 2)
.replace(/}"/g, '}')
.replace(/"{/g, '{')};
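Review bot: The two new `tactics: [${t.tactics.map((tactic) => `'${tactic.trim()}'`)}]` lines rely on the template literal's implicit `Array.prototype.toString` to comma-join the mapped array; an explicit `.join(', ')` states the intent and keeps the generated output independent of that stringification. The interpolated values come from the downloaded enterprise-attack.json and are written into generated source as bare single-quoted literals (as `id`, `name` and `reference` already were), so a quote or backslash in a tactic shortname would yield invalid TypeScript at build time rather than a wrong value; a small quoting helper such as `const lit = (s) => JSON.stringify(String(s));` applied to every interpolated field would remove that class of breakage. `MITRE_CONTENT_VERSION` is a git tag and tags can be moved, so the committed generated files and the review of their diff remain the real integrity control for this content; pinning a commit hash would be stronger if that is wanted. The `getTacticsOptions`/`getTechniquesOptions`/`getSubtechniquesOptions` bodies and `main()` extend outside these hunks.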


@ -31388,7 +31388,6 @@
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.bootkitDescription": "Bootkit (T1067)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.bootOrLogonAutostartExecutionDescription": "Exécution de démarrage ou de démarrage automatique de connexion (T1547)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.bootOrLogonInitializationScriptsDescription": "Scripts de démarrage ou d'initialisation de connexion (T1037)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.browserBookmarkDiscoveryDescription": "Découverte de favoris de navigateur (T1217)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.browserExtensionsDescription": "Extensions de navigateur (T1176)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.browserSessionHijackingDescription": "Détournement de session de navigateur (T1185)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.bruteForceDescription": "Force brute (T1110)",


@ -31387,7 +31387,6 @@
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.bootkitDescription": "Bootkit (T1067)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.bootOrLogonAutostartExecutionDescription": "ブートまたはログオン自動起動実行T1547",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.bootOrLogonInitializationScriptsDescription": "ブートまたはログオン初期化スクリプトT1037",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.browserBookmarkDiscoveryDescription": "ブラウザーブックマーク検出T1217",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.browserExtensionsDescription": "ブラウザー拡張T1176",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.browserSessionHijackingDescription": "ブラウザーセッションハイジャックT1185",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.bruteForceDescription": "Brute ForceT1110",


@ -31383,7 +31383,6 @@
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.bootkitDescription": "Bootkit (T1067)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.bootOrLogonAutostartExecutionDescription": "Boot or Logon Autostart Execution (T1547)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.bootOrLogonInitializationScriptsDescription": "Boot or Logon Initialization Scripts (T1037)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.browserBookmarkDiscoveryDescription": "Browser Bookmark Discovery (T1217)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.browserExtensionsDescription": "Browser Extensions (T1176)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.browserSessionHijackingDescription": "Browser Session Hijacking (T1185)",
"xpack.securitySolution.detectionEngine.mitreAttackTechniques.bruteForceDescription": "Brute Force (T1110)",