diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/types.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/types.ts
index c17e01f056f81b..843ba4b1167795 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/types.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/types.ts
@@ -21,18 +21,15 @@ import { esFilters } from '../../../../../../../../src/plugins/data/server';
 export type PartialFilter = Partial;
+export interface IMitreAttack {
+ id: string;
+ name: string;
+ reference: string;
+}
 export interface ThreatParams {
 framework: string;
- tactic: {
- id: string;
- name: string;
- reference: string;
- };
- technique: {
- id: string;
- name: string;
- reference: string;
- };
+ tactic: IMitreAttack;
+ techniques: IMitreAttack[];
 }
 export interface RuleAlertParams {
 description: string;
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts
index 3eaa7a6cddcc81..e64153e81fe4aa 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts
@@ -30,7 +30,7 @@ export const typicalPayload = (): Partial> = {
 framework: 'fake',
 tactic: { id: 'fakeId', name: 'fakeName', reference: 'fakeRef' },
- technique: { id: 'techniqueId', name: 'techniqueName', reference: 'techniqueRef' },
+ techniques: [{ id: 'techniqueId', name: 'techniqueName', reference: 'techniqueRef' }],
 },
 ],
 });
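Review bot: `IMitreAttack` and the renamed `techniques` field carry no documentation, and the `I` prefix breaks with the other interfaces in this file (`ThreatParams`, `RuleAlertParams`), so `MitreAttack` with a TSDoc line such as `/** One ATT&CK tactic or technique entry: its id, display name and reference link. */` would fit the file's convention. The rename also changes the `RuleAlertParams` shape from a single `technique` object to a `techniques` array, and nothing in this diff migrates rules that may already have been saved with the old key; if such rules can exist, confirm how they are handled when read back. Since `framework` stays a free-form string, naming the entry type after MITRE bakes one framework into a field that is not constrained to it.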
@@ -154,11 +154,13 @@ export const getResult = (): RuleAlertType => ({
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- technique: {
- id: 'T1499',
- name: 'endpoint denial of service',
- reference: 'https://attack.mitre.org/techniques/T1499/',
- },
+ techniques: [
+ {
+ id: 'T1499',
+ name: 'endpoint denial of service',
+ reference: 'https://attack.mitre.org/techniques/T1499/',
+ },
+ ],
 },
 ],
 references: ['http://www.example.com', 'https://ww.example.com'],
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.test.ts
index 3c85618452d8cd..690d9b11b14552 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.test.ts
@@ -290,11 +290,13 @@ describe('schemas', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- technique: {
- id: 'techniqueId',
- name: 'techniqueName',
- reference: 'techniqueRef',
- },
+ techniques: [
+ {
+ id: 'techniqueId',
+ name: 'techniqueName',
+ reference: 'techniqueRef',
+ },
+ ],
 },
 ],
 }).error
@@ -825,11 +827,13 @@ describe('schemas', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- technique: {
- id: 'techniqueId',
- name: 'techniqueName',
- reference: 'techniqueRef',
- },
+ techniques: [
+ {
+ id: 'techniqueId',
+ name: 'techniqueName',
+ reference: 'techniqueRef',
+ },
+ ],
 },
 ],
 }).error
@@ -860,11 +864,13 @@ describe('schemas', () => {
 threats: [
 {
 framework: 'fake',
- technique: {
- id: 'techniqueId',
- name: 'techniqueName',
- reference: 'techniqueRef',
- },
+ techniques: [
+ {
+ id: 'techniqueId',
+ name: 'techniqueName',
+ reference: 'techniqueRef',
+ },
+ ],
 },
 ],
 }).error
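Review bot: Every `techniques` fixture in schemas.test.ts carries exactly one element (this hunk at 290 and the ones at 825, 860, 2030, 2060, 2097 and 2130), so the new array semantics are never exercised: there is no case with two or more techniques and none with `techniques: []`. An added case that passes `techniques: []` through `updateRulesSchema.validate` and asserts `.error` is truthy, plus one with two entries that asserts it is not, would pin what the schema accepts. The renamed test in the 2130 hunk only covers the missing-key case, and the single-element pattern repeats in the request_responses.ts and utils.test.ts fixtures. The enclosing `describe('schemas', …)` starts and ends outside these hunks.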
@@ -2030,11 +2036,13 @@ describe('schemas', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- technique: {
- id: 'techniqueId',
- name: 'techniqueName',
- reference: 'techniqueRef',
- },
+ techniques: [
+ {
+ id: 'techniqueId',
+ name: 'techniqueName',
+ reference: 'techniqueRef',
+ },
+ ],
 },
 ];
 expect(
@@ -2060,11 +2068,13 @@ describe('schemas', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- technique: {
- id: 'techniqueId',
- name: 'techniqueName',
- reference: 'techniqueRef',
- },
+ techniques: [
+ {
+ id: 'techniqueId',
+ name: 'techniqueName',
+ reference: 'techniqueRef',
+ },
+ ],
 },
 ],
 }).value.threats
@@ -2097,11 +2107,13 @@ describe('schemas', () => {
 name: 'fakeName',
 reference: 'fakeRef',
 },
- technique: {
- id: 'techniqueId',
- name: 'techniqueName',
- reference: 'techniqueRef',
- },
+ techniques: [
+ {
+ id: 'techniqueId',
+ name: 'techniqueName',
+ reference: 'techniqueRef',
+ },
+ ],
 },
 ],
 }).error
@@ -2130,21 +2142,23 @@ describe('schemas', () => {
 threats: [
 {
 framework: 'fake',
- technique: {
- id: 'techniqueId',
- name: 'techniqueName',
- reference: 'techniqueRef',
- },
+ techniques: [
+ {
+ id: 'techniqueId',
+ name: 'techniqueName',
+ reference: 'techniqueRef',
+ },
+ ],
 },
 ],
 }).error
 ).toBeTruthy();
 });
- test('threats is invalid when updated with missing technique sub-object', () => {
+ test('threats is invalid when updated with missing techniques', () => {
 expect(
 updateRulesSchema.validate<
 Partial> & {
- threats: Array>>;
+ threats: Array>>;
 }
 >({
 id: 'rule-1',
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.ts
index 0b4f1094549a4d..59d52c113cbf2f 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/schemas.ts
@@ -67,12 +67,13 @@ const threat_technique = Joi.object({
 name: threat_technique_name.required(),
 reference: threat_technique_reference.required(),
 });
+const threat_techniques = Joi.array().items(threat_technique.required());
 const threats = Joi.array().items(
 Joi.object({
 framework: threat_framework.required(),
 tactic: threat_tactic.required(),
- technique: threat_technique.required(),
+ techniques: threat_techniques.required(),
 })
 );
 /* eslint-enable @typescript-eslint/camelcase */
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/utils.test.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/utils.test.ts
index 1461c75295ee39..d20b4d213e9cc6 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/utils.test.ts
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/utils.test.ts
@@ -49,11 +49,13 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- technique: {
- id: 'T1499',
- name: 'endpoint denial of service',
- reference: 'https://attack.mitre.org/techniques/T1499/',
- },
+ techniques: [
+ {
+ id: 'T1499',
+ name: 'endpoint denial of service',
+ reference: 'https://attack.mitre.org/techniques/T1499/',
+ },
+ ],
 },
 ],
 to: 'now',
@@ -91,11 +93,13 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- technique: {
- id: 'T1499',
- name: 'endpoint denial of service',
- reference: 'https://attack.mitre.org/techniques/T1499/',
- },
+ techniques: [
+ {
+ id: 'T1499',
+ name: 'endpoint denial of service',
+ reference: 'https://attack.mitre.org/techniques/T1499/',
+ },
+ ],
 },
 ],
 to: 'now',
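Review bot: `Joi.array().items(threat_technique.required())` reads like a no-op `.required()` but, if I read Joi's items semantics right, it is load-bearing: a required item schema means the array must contain at least one matching element, so this is what turns away `techniques: []`. That subtlety deserves a comment next to the declaration, e.g. `// .required() on the item schema makes Joi reject an empty techniques array`, or the more self-explanatory `Joi.array().items(threat_technique).min(1)` so the constraint does not hinge on a Joi detail; either way the empty-array case is not covered by the tests in this diff. The `threat_technique` object that the first context lines belong to starts before the hunk.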
@@ -135,11 +139,13 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- technique: {
- id: 'T1499',
- name: 'endpoint denial of service',
- reference: 'https://attack.mitre.org/techniques/T1499/',
- },
+ techniques: [
+ {
+ id: 'T1499',
+ name: 'endpoint denial of service',
+ reference: 'https://attack.mitre.org/techniques/T1499/',
+ },
+ ],
 },
 ],
 to: 'now',
@@ -179,11 +185,13 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- technique: {
- id: 'T1499',
- name: 'endpoint denial of service',
- reference: 'https://attack.mitre.org/techniques/T1499/',
- },
+ techniques: [
+ {
+ id: 'T1499',
+ name: 'endpoint denial of service',
+ reference: 'https://attack.mitre.org/techniques/T1499/',
+ },
+ ],
 },
 ],
 to: 'now',
@@ -221,11 +229,13 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- technique: {
- id: 'T1499',
- name: 'endpoint denial of service',
- reference: 'https://attack.mitre.org/techniques/T1499/',
- },
+ techniques: [
+ {
+ id: 'T1499',
+ name: 'endpoint denial of service',
+ reference: 'https://attack.mitre.org/techniques/T1499/',
+ },
+ ],
 },
 ],
 to: 'now',
@@ -266,11 +276,13 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- technique: {
- id: 'T1499',
- name: 'endpoint denial of service',
- reference: 'https://attack.mitre.org/techniques/T1499/',
- },
+ techniques: [
+ {
+ id: 'T1499',
+ name: 'endpoint denial of service',
+ reference: 'https://attack.mitre.org/techniques/T1499/',
+ },
+ ],
 },
 ],
 to: 'now',
@@ -311,11 +323,13 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- technique: {
- id: 'T1499',
- name: 'endpoint denial of service',
- reference: 'https://attack.mitre.org/techniques/T1499/',
- },
+ techniques: [
+ {
+ id: 'T1499',
+ name: 'endpoint denial of service',
+ reference: 'https://attack.mitre.org/techniques/T1499/',
+ },
+ ],
 },
 ],
 to: 'now',
@@ -409,11 +423,13 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- technique: {
- id: 'T1499',
- name: 'endpoint denial of service',
- reference: 'https://attack.mitre.org/techniques/T1499/',
- },
+ techniques: [
+ {
+ id: 'T1499',
+ name: 'endpoint denial of service',
+ reference: 'https://attack.mitre.org/techniques/T1499/',
+ },
+ ],
 },
 ],
 },
@@ -461,11 +477,13 @@ describe('utils', () => {
 name: 'impact',
 reference: 'https://attack.mitre.org/tactics/TA0040/',
 },
- technique: {
- id: 'T1499',
- name: 'endpoint denial of service',
- reference: 'https://attack.mitre.org/techniques/T1499/',
- },
+ techniques: [
+ {
+ id: 'T1499',
+ name: 'endpoint denial of service',
+ reference: 'https://attack.mitre.org/techniques/T1499/',
+ },
+ ],
 },
 ],
 });
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/root_or_admin_threats.json b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/root_or_admin_threats.json
index 845e6e17c6498c..9ca4c326313342 100644
--- a/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/root_or_admin_threats.json
+++ b/x-pack/legacy/plugins/siem/server/lib/detection_engine/scripts/rules/root_or_admin_threats.json
@@ -20,11 +20,13 @@
 "name": "impact",
 "reference": "https://attack.mitre.org/tactics/TA0040/"
 },
- "technique": {
- "id": "T1499",
- "name": "endpoint denial of service",
- "reference": "https://attack.mitre.org/techniques/T1499/"
- }
+ "techniques": [
+ {
+ "id": "T1499",
+ "name": "endpoint denial of service",
+ "reference": "https://attack.mitre.org/techniques/T1499/"
+ }
+ ]
 },
 {
 "framework": "MITRE ATT&CK",
@@ -33,11 +35,13 @@
 "name": "Automated Exfiltration",
 "reference": "https://attack.mitre.org/techniques/T1020/"
 },
- "technique": {
- "id": "T1002",
- "name": "Data Compressed",
- "reference": "https://attack.mitre.org/techniques/T1002/"
- }
+ "techniques": [
+ {
+ "id": "T1002",
+ "name": "Data Compressed",
+ "reference": "https://attack.mitre.org/techniques/T1002/"
+ }
+ ]
 }
 ]
 }
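Review bot: In the second hunk the `tactic` entry is named `Automated Exfiltration` and its `reference` is `https://attack.mitre.org/techniques/T1020/`, a technique URL, whereas the first threat's tactic points at `tactics/TA0040/`; those are untouched context lines, but since this file is loaded as a sample rule it would be better for the tactic to carry a tactic id and tactic page rather than a technique. The `techniques` rewrite itself matches the schema change. The enclosing `threats` array starts before the first hunk.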