As I understand from the official GitHub repository for detection-rules, sub-techniques are already used as part of the existing rules. One example can be found here.
However, from what I see in the latest guide, it is still not rolled out yet. There is no sub-technique under the technique object (which is otherwise implied by the example seen above).
I was trying to import these rules, and hence found out about this difference - the initial part of an example error message is {"statusCode":400,"error":"Bad Request","message":"[request body]: invalid keys \"subtechnique,[{\"id\":\"T1078.004\",\"name\":\"Cloud Accounts\",\"reference\":\"https://attack.mitre.org/techniques/T1078/004/\"}],subtechnique,[{\"id\":\"T1550.001\"...
Questions:
- Are my observations above correct, or am I missing something?
- Is there any way that I can continue to import these rules in the meantime? (I am presuming that I would otherwise have to wait for 7.13 to be out, which would presumably contain the sub-techniques as part of the existing field, or find an alternative solution in the meantime.)
Thank you!