[Security Solution] Update MITRE ATT&CK mappings to the next version

[approksiu]

Related to: https://github.com/elastic/detection-rules/issues/3100

Summary

This is a recurring ticket. We take it into work every release cycle. We don't close it, instead, we update its description.

Next version to update to: TBD Last version updated to: v15.1 (changelog)

History of version updates:

• https://github.com/elastic/kibana/pull/183463
• https://github.com/elastic/kibana/pull/174120
• https://github.com/elastic/kibana/pull/166536
• https://github.com/elastic/kibana/pull/151931
• https://github.com/elastic/kibana/pull/137122

Acceptance Criteria

• [ ] User can map and use new MITRE techniques in Security Solution
• [ ] The user-facing documentation is updated with the new version (instructions)
  • [ ] MITRE ATT&CK® coverage page (classic/stateful docs)
  • [ ] MITRE ATT&CK® coverage page (serverless docs)

Test Criteria

• [ ] Verify that new techniques (see the changelog link above) are available for mapping on the Rule Creation page under "Advanced settings"
• [ ] Verify that new techniques are available on the MITRE ATT&CK coverage page

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[ghost]

Hi @MadameSheema

we have validated this ticket and found the expected checkpoint are working correctly on 8.10.3 and below are observations.

New Techniques	Tactics	Tactics Availability under Advanced settings of Rule creation	Tactics Availability under MITRE ATT&CK coverage page
Acquire Access (v1.0)	Resource Development	✅	✅
Acquire Infrastructure: Malvertising (v1.0)	Resource Development	✅	✅
Cloud Administration Command (v1.0)	Execution	✅	✅
Command and Scripting Interpreter: Cloud API (v1.0)	Execution	✅	✅
Device Driver Discovery (v1.0)	Discovery	✅	✅
Exfiltration Over Web Service: Exfiltration to Text Storage Sites (v1.0)	Exfiltration	✅	✅
Impair Defenses: Spoof Security Alerting (v1.0)	Defense Evasion	✅	✅
Masquerading: Masquerade File Type (v1.0)	Defense Evasion	✅	✅
Modify Authentication Process: Network Provider DLL (v1.0)	Credential Access, Defense Evasion, Persistence	✅	✅
Obfuscated Files or Information: Command Obfuscation (v1.0)	Defense Evasion	✅	✅
Obfuscated Files or Information: Fileless Storage (v1.0)	Defense Evasion	✅	✅
Remote Services: Cloud Services (v1.0)	Lateral Movement	✅	✅
Unsecured Credentials: Chat Messages (v1.0)	Credential Access	✅	✅

Screen-Shoot

[dplumlee]

https://github.com/elastic/kibana/issues/171680 ticket for v14.0 update

[joepeeples]

Updating the docs 📚

The MITRE ATT&CK® version that our current detection rules support is referenced in both classic/stateful and serverless docs. Whenever Elastic changes the supported version of MITRE ATT&CK, we also need to update this information in the docs:

• The MITRE ATT&CK version number (for example, v15.1)
• URL link to MITRE’s release notes (for example, https://attack.mitre.org/resources/updates/updates-april-2024)

Currently there are separate source files for the classic/stateful docs and serverless docs, so you’ll need to update this info in two different files:

• Classic docs: security-docs/docs/detections/rules-coverage.asciidoc
• Serverless docs: security-docs/docs/serverless/rules/rules-coverage.mdx

The version number and URL are located within the note at the top of the page.

In most cases, you can open a single PR to update both classic & serverless docs. The Security Docs team will automatically be added as a reviewer for the PR, and they can take care of any additional labeling, final approval, merging, and backporting.