WIP - Initial MITRE v19 Support#6367
Draft
eric-forte-elastic wants to merge 14 commits into
Draft
Conversation
Contributor
Enhancement - GuidelinesThese guidelines serve as a reminder set of considerations when addressing adding a feature to the code. Documentation and Context
Code Standards and Practices
Testing
Additional Checks
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull Request
Issue link(s):
Resolves #6366
Related to #6035
Summary - What I changed
Adds a dev command to generate a first pass at v19 mappings, and adds general support for v19 mappings in rule toml files. Also allows one to specify which framework version to use for outputting rules. Adds scaffolding to support other mapping frameworks in the future.
For much more context see issue: #6366
How To Test
Step 1: write the v19 block into the rule TOML
dev attack convert-threat-mappingsreads the rule's existing v18threatfield, remaps itthrough
attack_v18_to_v19.yaml, and writes a[[rule.threat_mappings]]block (version = "19")back into the TOML. Any IDs not present in the config are dropped and reported.
Step 2: export with v19 as the output
threatexport-rules-from-repohas no--threat-versionflag. Version selection is controlled by theDR_THREAT_MAPPING_VERSIONenvironment variable (orthreat_mapping_versionin_config.yaml).Pass it inline to select v19 for a single export:
The build selects the v19
threat_mappingsblock and emits it asthreat;threat_mappingsisalways stripped from the exported artifact. Rules that have no v19 block fall back to their v18
threatwith a warning logged.Setting v19 as the persistent default
To avoid passing the env var on every command, set it in
detection_rules/etc/_config.yaml:All commands (including
export-rules-from-repo) will use v19 until the value is reverted.The env var
DR_THREAT_MAPPING_VERSIONtakes precedence over the config file if both are set.Should be able to select which mapping to use which would result in rendering like this (left v18 right v19):

Checklist
bug,enhancement,schema,maintenance,Rule: New,Rule: Deprecation,Rule: Tuning,Hunt: New, orHunt: Tuningso guidelines can be generatedmeta:rapid-mergelabel if planning to merge within 24 hoursContributor checklist