elastic / endpoint


[Defend] Map Elastic Defend events directly to MITRE ATT&CK #82

Open nicpenning opened 3 days ago

nicpenning commented 3 days ago

Today many EDRs will tag or map an event to MITRE when possible, not just alerts. A basic example of such mapping can be found here (https://github.com/olafhartong/sysmon-modular/blob/master/1_process_creation/include_bitsadmin.xml, https://github.com/olafhartong/sysmon-modular?tab=readme-ov-file#mitre-attack) in a community Sysmon repository that does this very well. Elastic does not do this with the events and I think it should. An alert for every MITRE technique doesn't make much sense; it should live at the event level if possible.

brokensound77 commented 19 hours ago

Hey @nicpenning, it is definitely an interesting idea and one that we have discussed several times internally. At this time, based on the structure of the events and concerns around event volume, I don't think that it would make sense to do it as a built in feature.

However, one way to achieve this in a similar fashion would be to leverage an enrich process within an ingest pipeline. Then you could either add it to the existing pipeline for Defend or even leverage the reindex API for more granular control (say when ingest volumes are lower).

I like the idea of having a community-maintained policy defining the criteria for enriching around ATT&CK. I will pass the idea along to see if there is any interest for starting this, otherwise if you want to give it a start, we can help share it.
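The enrich-based approach described in the comment above, written out as an added example in Kibana Dev Tools console syntax (this is not code from the issue or from Elastic; the index, policy and pipeline names and the choice of `process.name` as the match criterion are assumptions):

```console
# Constructed lookup table: process name -> ATT&CK technique. The two rows mirror the
# sysmon-modular tagging referenced above; the index, policy and pipeline names are assumed.
PUT mitre-attack-lookup
{ "mappings": { "properties": {
    "process":   { "properties": { "name": { "type": "keyword" } } },
    "framework": { "type": "keyword" },
    "technique": { "properties": { "id": { "type": "keyword" }, "name": { "type": "keyword" } } }
} } }

PUT mitre-attack-lookup/_doc/1
{ "process": { "name": "bitsadmin.exe" }, "framework": "MITRE ATT&CK",
  "technique": { "id": "T1197", "name": "BITS Jobs" } }

PUT mitre-attack-lookup/_doc/2
{ "process": { "name": "regsvr32.exe" }, "framework": "MITRE ATT&CK",
  "technique": { "id": "T1218.010", "name": "System Binary Proxy Execution: Regsvr32" } }

# Enrich policy: exact match on process.name, copying the ATT&CK fields into the event
PUT _enrich/policy/mitre-attack-by-process-name
{ "match": { "indices": "mitre-attack-lookup", "match_field": "process.name",
             "enrich_fields": [ "framework", "technique" ] } }

# Build the enrich index (must be re-run after every change to the lookup index)
POST _enrich/policy/mitre-attack-by-process-name/_execute

# Pipeline: only documents carrying process.name are looked up; unmatched events pass
# through untouched, and an existing threat object is never overwritten
PUT _ingest/pipeline/mitre-attack-enrich
{ "description": "Tag Elastic Defend process events with their ATT&CK technique",
  "processors": [ { "enrich": {
      "if": "ctx.process?.name != null",
      "policy_name": "mitre-attack-by-process-name",
      "field": "process.name",
      "target_field": "threat",
      "override": false,
      "ignore_missing": true } } ] }

# Dry run on two constructed events: the first comes back with threat.technique.id = T1197,
# the second is returned without a threat field
POST _ingest/pipeline/mitre-attack-enrich/_simulate
{ "docs": [
    { "_source": { "event": { "category": [ "process" ] }, "process": { "name": "bitsadmin.exe" } } },
    { "_source": { "event": { "category": [ "process" ] }, "process": { "name": "notepad.exe" } } } ] }
```

To hook this into the existing Defend pipeline as suggested, the usual integration entry point is the data stream's `@custom` pipeline (assumed here to be `logs-endpoint.events.process@custom`) with a `pipeline` processor that calls `mitre-attack-enrich`. Since every enriched event carries the extra `threat` fields, check the storage and ingest-volume cost on the process data stream before enabling it broadly.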

nicpenning commented 18 hours ago

Sounds great - I was thinking about this as an ingest pipeline to do the enrichments for specific event data, just not sure how workable that is over time. Perhaps this could be a MITRE ATT&CK Elastic Integration for Ingest Pipeline / Dashboards and a guide to create and use an enrich policy that provides both seeing the framework out of the box and searchable, but then enrich directly to it when certain criteria match for registry/process/etc. events. There are many ways this can be accomplished. I will think about this and see what we can come up with.