splunk / security_content

Splunk Security Content

Home Page:https://research.splunk.com


[Feature Req] MITRE ATT&CK IDs are not versioned in published content

alexhaydock opened this issue · comments

Is your feature request related to a problem? Please describe.
The published security content in this repo contains tags matching MITRE ATT&CK IDs, but I'm unclear what version of MITRE ATT&CK these are mapped to, as that data is not available in the tags, or anywhere obvious in the repo (unless I'm missing it, in which case I apologise!).

An example:

I note that the MITRE ATT&CK (mitre_attack_id) tag is not actually defined by the detection schema, as it's simply treated as part of the tags, so I'm not clear on what the standard or expectation is here.

Without this info, it is a challenge to use the Splunk structured data format for storing detections for use in downstream tooling where there may be multiple tools that we want to invoke, some of which lag behind others and expect MITRE mappings to be using different versions of ATT&CK at a particular time.

The ATT&CK release cadence is fairly rapid, so I can imagine that situations where this causes an issue will arise quite commonly as time goes on.

Describe the solution you'd like
Ideally, the tags on published content should be versioned, allowing middleware and scripts to be written which will select the appropriately versioned tag for the downstream tooling in use. I'm not completely sure on the best way to do this but it strikes me that an easy method might be simply to version the key name in the tag:

mitre_attack_v13_id:
  - T1651
  - T1586
  - T1586.003
mitre_attack_v12_id:
  - T1586
  - T1586.003

I'm not sure how backwards compatibility might be dealt with best (i.e. on the basis that the ideal scenario would be removing the current non-versioned mitre_attack_id tag), but I'm open to suggestions.
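As an added illustration of the "middleware and scripts" the proposal above refers to (example code written for this page, not part of the security_content repo or its tooling), the script below assumes the hypothetical versioned key scheme proposed in the issue (`mitre_attack_v<N>_id`) next to the existing unversioned `mitre_attack_id` tag, and resolves which technique IDs a downstream tool pinned to a given ATT&CK version should receive. It also validates that every value under those keys is a well-formed technique ID, since the tag is not covered by the detection schema and nothing else checks it. The `tags` block is embedded as a Python dict (constructed sample data) so the example runs without a YAML library; a real pipeline would load the detection file with `yaml.safe_load` and pass the `tags` mapping in.

```python
"""Select ATT&CK technique IDs for a given ATT&CK version from a detection's tags.

Added example, not code from the security_content repo. It assumes the
hypothetical versioned key scheme proposed in the issue (mitre_attack_v<N>_id)
alongside the existing unversioned mitre_attack_id tag.
"""
import re

# ATT&CK technique IDs look like T1234 (technique) or T1234.001 (sub-technique).
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
# Hypothetical versioned key from the proposal, e.g. mitre_attack_v13_id.
VERSIONED_KEY = re.compile(r"^mitre_attack_v(\d+)_id$")
UNVERSIONED_KEY = "mitre_attack_id"

# Constructed sample: the `tags:` block of one detection, as a dict rather than
# YAML so the example runs without a YAML library.
SAMPLE_TAGS = {
    "analytic_story": ["Example Story"],
    "mitre_attack_v13_id": ["T1651", "T1586", "T1586.003"],
    "mitre_attack_v12_id": ["T1586", "T1586.003"],
    "mitre_attack_id": ["T1651", "T1586", "T1586.003"],
}


def available_versions(tags):
    """Return the ATT&CK versions that have a versioned tag, sorted ascending."""
    versions = []
    for key in tags:
        m = VERSIONED_KEY.match(key)
        if m:
            versions.append(int(m.group(1)))
    return sorted(versions)


def select_attack_ids(tags, wanted_version):
    """Pick the technique IDs a tool expecting `wanted_version` should be given.

    Resolution order:
      1. the exact versioned key (mitre_attack_v<wanted>_id)
      2. the newest versioned key older than `wanted_version`, so a lagging
         tool is never handed IDs that only exist in a newer ATT&CK release
      3. the unversioned mitre_attack_id tag, reported with version None
    Returns (version_used, ids); (None, []) if the detection has no mapping.
    """
    versions = available_versions(tags)
    if wanted_version in versions:
        return wanted_version, list(tags[f"mitre_attack_v{wanted_version}_id"])
    older = [v for v in versions if v < wanted_version]
    if older:
        v = max(older)
        return v, list(tags[f"mitre_attack_v{v}_id"])
    if UNVERSIONED_KEY in tags:
        return None, list(tags[UNVERSIONED_KEY])
    return None, []


def invalid_ids(tags):
    """Return (key, value) pairs whose value is not a well-formed technique ID.

    mitre_attack_id is not part of the detection schema, so a typo such as
    'T158' would otherwise reach downstream tools unnoticed.
    """
    bad = []
    for key, values in tags.items():
        if key == UNVERSIONED_KEY or VERSIONED_KEY.match(key):
            for v in values:
                if not TECHNIQUE_ID.match(str(v)):
                    bad.append((key, v))
    return bad


if __name__ == "__main__":
    for want in (13, 12, 11, 14):
        print(f"ATT&CK v{want} ->", select_attack_ids(SAMPLE_TAGS, want))
    print("invalid:", invalid_ids({**SAMPLE_TAGS, "mitre_attack_v11_id": ["T158"]}))
```

The "newest older version" fallback is a policy choice: a tool pinned to v14 gets the v13 list here because that is the closest mapping the content carries, whereas a tool pinned to v11 gets the unversioned list only because no versioned key is old enough. A stricter pipeline could instead refuse to emit anything when no exact match exists.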

My gut tells me security_content just needs to go by whatever the latest version of MITRE ATT&CK is, but of course once released there will be a delay to get all the content remapped/updated. Although not implicitly defined anywhere in code, assume mappings are following the latest MITRE ATT&CK framework version, otherwise they need to be updated. I will circle back with the team to make sure we can enforce this in code. Hope this helps!