Skip to content

[Security][9.5 & Serverless] Adds guide for remapping detection rules to MITRE ATT&CK v19#7374

Open
nastasha-solomon wants to merge 7 commits into
mainfrom
issue-7257
Open

[Security][9.5 & Serverless] Adds guide for remapping detection rules to MITRE ATT&CK v19#7374
nastasha-solomon wants to merge 7 commits into
mainfrom
issue-7257

Conversation

@nastasha-solomon

@nastasha-solomon nastasha-solomon commented Jul 14, 2026

Copy link
Copy Markdown
Member

Summary

MITRE ATT&CK v19 retires the Defense Evasion tactic, splitting it into Stealth and Defense Impairment and restructuring several techniques underneath it (most notably Impair Defenses / T1562). This PR adds a new guide for remapping custom rules affected by that change, and updates the surrounding docs to point to it.

Closes #7257

Previews

  • Remap detection rules to MITRE ATT&CK v19 - New page that explains what's changed in MITRE ATT&CK v19 and provides steps for identifying and remapping outdated rules.
  • MITRE ATT&CK coverage | Supported MITRE ATT&CK versions - Updated table, which was confusing to read and had missing versions. Also added a note pointing readers with custom rule mappings to the new remap guide.
  • Common rule settings - Add a note under MITRE ATT&CK threats clarifying that the mapping picker only offers the currently-supported ATT&CK version, linking to the remap guide for anyone hitting version-change issues

Generative AI disclosure

  1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?
  • Yes - Cursor + Claude
  • No

@nastasha-solomon nastasha-solomon self-assigned this Jul 14, 2026
@nastasha-solomon
nastasha-solomon requested review from a team as code owners July 14, 2026 23:37
@github-actions

Copy link
Copy Markdown
Contributor

Elastic Docs AI PR menu

Check the box to run an AI review for this pull request.

  • Review docs changes (docs-review). Status: not started.

Powered by GitHub Agentic Workflows and docs-actions. For more information, reach out to the docs team.

@github-actions

Copy link
Copy Markdown
Contributor

Elastic Docs Style Checker (Vale)

Summary: 3 suggestions found

💡 Suggestions (3): Optional style improvements. Apply when helpful.
File Line Rule Message
solutions/security/detect-and-alert/remap-mitre-attack.md 36 Elastic.WordChoice Consider using 'deactivate, deselect, hide, turn off' instead of 'Disable', unless the term is in the UI.
solutions/security/detect-and-alert/remap-mitre-attack.md 36 Elastic.WordChoice Consider using 'deactivate, deselect, hide, turn off' instead of 'Disable', unless the term is in the UI.
solutions/security/detect-and-alert/remap-mitre-attack.md 96 Elastic.Versions Use 'and later' instead of 'and newer' when referring to versions.

The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@dplumlee dplumlee left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This all looks good @nastasha-solomon! Just had one nit about versioning specificity.

Comment thread solutions/security/detect-and-alert/mitre-attack-coverage.md Outdated

@bmorelli25 bmorelli25 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice job

@approksiu approksiu left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, left a few suggestions.

Comment thread solutions/security/detect-and-alert/mitre-attack-coverage.md Outdated
Comment thread solutions/security/detect-and-alert/remap-mitre-attack.md Outdated
Comment thread solutions/security/detect-and-alert/remap-mitre-attack.md Outdated
yctercero pushed a commit to elastic/kibana that referenced this pull request Jul 17, 2026
## Summary

Addresses: #166152 for `9.5.0`

Updates MITRE ATT&CK mappings to
[`v19.1`](https://attack.mitre.org/resources/updates/updates-april-2026/).
Last update was to `v18.1` in
#246770.

To update,  I modified 


https://github.com/elastic/kibana/blob/f2cebd21761b3143d9fabda6d5abddd26141faeb/x-pack/solutions/security/plugins/security_solution/scripts/extract_tactics_techniques_mitre.js#L20

to point to the `ATT&CK-v19.1` tag.

Then ran `yarn extract-mitre-attacks` from the root `security_solution`
plugin directory, and then `node scripts/i18n_check.js --fix` from
Kibana root to regen the i18n files.


## Acceptance Criteria

- [x] User can map and use new MITRE techniques in Security Solution
- [ ] The user-facing documentation is updated with the new version
- [ ] [MITRE ATT&CK®
coverage](https://www.elastic.co/guide/en/security/master/rules-coverage.html)
page
    - [ ] elastic/docs-content#7374

## Test Criteria

- [x] Verify that new techniques (see the changelog link above) are
available for mapping on the Rule Creation page under "Advanced
settings"
- [x] Verify that new techniques are available on the MITRE ATT&CK
coverage page

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Security][Rules Management][9.5 & Serverless] Add docs about MITRE v19 update and remapping to the new version

4 participants