[FR] Add additional platforms for MITRE Attack Navigator Filter

elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

Other

1.92k stars 492 forks source link

[FR] Add additional platforms for MITRE Attack Navigator Filter #3973

Closed shashank-elastic closed 1 month ago

shashank-elastic commented 2 months ago

Repository Feature

Core Repo - (rule management, validation, testing, lib, cicd, etc.)

Problem Description

Currently on the MITRE Attack Navigator we are able to filter from the default platform list such as

_DEFAULT_PLATFORMS = [
    "Azure AD",
    "Containers",
    "Google Workspace",
    "IaaS",
    "Linux",
    "macOS",
    "Network",
    "Office 365",
    "PRE",
    "SaaS",
    "Windows"
]

Referenced in Code here

Expand the list, to have additional platforms such as AWS, OKTA and others

Desired Solution

Stat check all supported platforms
Add them as part of _DEFAULT_PLATFORMS to support filtering

Considered Alternatives

As a workaround for platforms that are not part of _DEFAULT_PLATFORMS one can always filter using SaaS platform filter

Additional Context

Request from @approksiu

Hey team, is it possible to generate MITRE Navigator layer for example just for OKTA rules?

shashank-elastic commented 2 months ago

I think this is directly tied to the platforms supported in MITRE https://attack.mitre.org/matrices/enterprise/

We could check if adding our own filters would make sense @approksiu

shashank-elastic commented 1 month ago

This was tested

Draft PR to add a platform i.e OKTA https://github.com/elastic/detection-rules/pull/3979
We issued Generate navigator file and updated gist Refer Job Run

As expected the Platform Filter never appeared on the MITRE URL
- https://github.com/elastic/detection-rules/tree/issue-3973?tab=readme-ov-file
- Click on the Navigator File
- Check for platform

However, locally when we build the files, I was able to locate a file dedicated to tags such as okta

I used the site https://mitre-attack.github.io/attack-navigator/ to upload this file
You could see only OKTA related rules
So currently all these are gnerated for main and stored in GIST - https://gist.github.com/brokensound77/1a3f65224822a30a8228a8ed20289a89

So the steps to get the OKTA related MITRE details are

Go to https://mitre-attack.github.io/attack-navigator/
Use Open Existing Layer

Either upload the file locally if you have a dev setup or use the GIST link to open
This will get the required view and no additionaly fix is required.

cc @Mikaayenson @approksiu

shashank-elastic commented 1 month ago

The steps have been shared , and we can always do a KT if these are not clear. So closing this issue