Detection-Rules - Subtechniques

inf · April 9, 2021, 4:51am

As I understand from the official GitHub repository for detection-rules, sub-techniques are already used as part of the existing rules. One example can be found here.

However, from what I see in the latest guide, it is still not rolled out yet. There is no sub-technique under the technique object (which is otherwise implied by the example seen above).

I was trying to import these rules, and hence found out about this difference - the initial part of an example error message is {"statusCode":400,"error":"Bad Request","message":"[request body]: invalid keys \"subtechnique,[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}],subtechnique,[{\"id\":\"T1550.001\"...

Questions:

Are my observations above correct, or am I missing something out?
Is there anyway that I can continue to import these rules in the meantime? (I am presuming that I would otherwise have to wait for 7.13 to be out, which would presumably contain the sub-techniques as part of the existing field, or find an alternative solution in the meantime)

Thank you!

inf · April 11, 2021, 2:13am

Issue resolved by upgrading my Elastic Stack from 7.10 to 7.12.

However, I am still not sure why the latest guide does not have the sub-technique under the technique object.

spong · April 13, 2021, 1:08am

Thanks for the update @inf -- glad that resolved the issue! As for the docs, I've created this issue to update them and let the docs folks know so thanks for the heads up here too.

Cheers!
Garrett

inf · April 13, 2021, 1:47am

Thank you for getting back to me on this @spong!

Greatly appreciate it!

system · May 11, 2021, 1:48am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.