Open approksiu opened 12 months ago
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
Hi @MadameSheema
We have validated this ticket and found the expected checkpoints are working correctly on 8.10.3. Below are the observations:
New Techniques | Tactics | Tactics Availability under Advanced settings of Rule creation | Tactics Availability under MITRE ATT&CK coverage page |
---|---|---|---|
Acquire Access (v1.0) | Resource Development | ✅ | ✅ |
Acquire Infrastructure: Malvertising (v1.0) | Resource Development | ✅ | ✅ |
Cloud Administration Command (v1.0) | Execution | ✅ | ✅ |
Command and Scripting Interpreter: Cloud API (v1.0) | Execution | ✅ | ✅ |
Device Driver Discovery (v1.0) | Discovery | ✅ | ✅ |
Exfiltration Over Web Service: Exfiltration to Text Storage Sites (v1.0) | Exfiltration | ✅ | ✅ |
Impair Defenses: Spoof Security Alerting (v1.0) | Defense Evasion | ✅ | ✅ |
Masquerading: Masquerade File Type (v1.0) | Defense Evasion | ✅ | ✅ |
Modify Authentication Process: Network Provider DLL (v1.0) | Credential Access, Defense Evasion, Persistence | ✅ | ✅ |
Obfuscated Files or Information: Command Obfuscation (v1.0) | Defense Evasion | ✅ | ✅ |
Obfuscated Files or Information: Fileless Storage (v1.0) | Defense Evasion | ✅ | ✅ |
Remote Services: Cloud Services (v1.0) | Lateral Movement | ✅ | ✅ |
Unsecured Credentials: Chat Messages (v1.0) | Credential Access | ✅ | ✅ |
(Screenshot)
https://github.com/elastic/kibana/issues/171680 ticket for v14.0
Update
The MITRE ATT&CK® version that our current detection rules support is referenced in both classic/stateful and serverless docs. Whenever Elastic changes the supported version of MITRE ATT&CK, we also need to update this information in the docs:
v15.1
https://attack.mitre.org/resources/updates/updates-april-2024
Currently there are separate source files for the classic/stateful docs and serverless docs, so you’ll need to update this info in two different files:
The version number and URL are located within the note at the top of the page.
In most cases, you can open a single PR to update both classic & serverless docs. The Security Docs team will automatically be added as a reviewer for the PR, and they can take care of any additional labeling, final approval, merging, and backporting.
Related to: https://github.com/elastic/detection-rules/issues/3100
Summary
This is a recurring ticket. We take it into work every release cycle. We don't close it, instead, we update its description.
Next version to update to:
TBD
Last version updated to: v15.1
History of version updates (changelog):
Acceptance Criteria
Test Criteria