Skip to content

Refresh Manifest and Schemas November Update #5298

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Nov 11, 2025
Merged

Refresh Manifest and Schemas November Update #5298

merged 5 commits into from
Nov 11, 2025

Conversation

@shashank-elastic
Copy link
Contributor

@shashank-elastic shashank-elastic commented Nov 11, 2025
edited
Loading

Pull Request

Issue link(s): https://github.com/elastic/ia-trade-team/issues/744

Summary - What I changed

Refresh Data, Refresh Mappings and Updated Rule 
python -m detection_rules dev attack -h
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

Usage: detection_rules dev attack [OPTIONS] COMMAND [ARGS]...

  Commands for managing Mitre ATT&CK data and mappings.

Options:
  -h, --help  Show this message and exit.

Commands:
  refresh-data               Refresh the ATT&CK data file.
  refresh-redirect-mappings  Refresh the ATT&CK redirect file and update all rule threat mappings.
  update-rules               Update threat mappings attack data in all rules.

detection-rules on  nov_schema_refresh [$✘!+?] is 📦 v1.5.5 via 🐍 v3.12.8 (.venv) on ☁️  shashank.suryanarayana@elastic.co python -m detection_rules dev attack refresh-data
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

No versions newer than the current detected: 18.0.0

detection-rules on  nov_schema_refresh [$✘!+?] is 📦 v1.5.5 via 🐍 v3.12.8 (.venv) on ☁️  shashank.suryanarayana@elastic.co python -m detection_rules dev attack refresh-redirect-mappings
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

refreshing data in attack_technique_redirects.json
refreshed mapping file: /Users/shashankks/elastic_workspace/detection-rules/detection_rules/etc/attack-technique-redirects.json

detection-rules on  nov_schema_refresh [$✘!+?] is 📦 v1.5.5 via 🐍 v3.12.8 (.venv) on ☁️  shashank.suryanarayana@elastic.co took 39s python -m detection_rules dev attack update-rules             
Loaded config file: /Users/shashankks/elastic_workspace/detection-rules/.detection-rules-cfg.json

█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄   ▄      █▀▀▄ ▄  ▄ ▄   ▄▄▄ ▄▄▄
█  █ █▄▄  █  █▄▄ █    █   █  █ █ █▀▄ █      █▄▄▀ █  █ █   █▄▄ █▄▄
█▄▄▀ █▄▄  █  █▄▄ █▄▄  █  ▄█▄ █▄█ █ ▀▄█      █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█

'Delayed Execution via Ping' requires update - technique name change for tactic 'Defense Evasion'

Finished - 1 rules updated!
  • Investigation Guides Required - One rule added with investigation guide.

How To Test

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist

@shashank-elastic shashank-elastic self-assigned this Nov 11, 2025
@botelastic botelastic bot added Domain: Endpoint OS: Windows windows related rules labels Nov 11, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Nov 11, 2025

Enhancement - Guidelines

These guidelines serve as a reminder set of considerations when addressing adding a feature to the code.

Documentation and Context

  • Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
  • Include additional context or screenshots.
  • Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

  • Code follows established design patterns within the repo and avoids duplication.
  • Ensure that the code is modular and reusable where applicable.

Testing

  • New unit tests have been added to cover the enhancement.
  • Existing unit tests have been updated to reflect the changes.
  • Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
  • Validate that any rules affected by the enhancement are correctly updated.
  • Ensure that performance is not negatively impacted by the changes.
  • Verify that any release artifacts are properly generated and tested.
  • Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

  • Verify that the enhancement works across all relevant environments (e.g., different OS versions).
  • Confirm that the proper version label is applied to the PR patch, minor, major.

@tradebot-elastic
Copy link

tradebot-elastic commented Nov 11, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Delayed Execution via Ping (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Nov 11, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Delayed Execution via Ping (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Samirbous
Samirbous approved these changes Nov 11, 2025
View reviewed changes
@botelastic botelastic bot added the OS: Linux label Nov 11, 2025
@tradebot-elastic
Copy link

tradebot-elastic commented Nov 11, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential Privilege Escalation via SUID/SGID Proxy Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delayed Execution via Ping (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Nov 11, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential Privilege Escalation via SUID/SGID Proxy Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delayed Execution via Ping (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@tradebot-elastic
Copy link

tradebot-elastic commented Nov 11, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Potential Privilege Escalation via SUID/SGID Proxy Execution (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Delayed Execution via Ping (eql)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

@shashank-elastic shashank-elastic merged commit e938ecf into main Nov 11, 2025
16 checks passed
@shashank-elastic shashank-elastic deleted the nov_schema_refresh branch November 11, 2025 12:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Mikaayenson Mikaayenson Mikaayenson approved these changes

@Samirbous Samirbous Samirbous approved these changes

@w0rk3r w0rk3r Awaiting requested review from w0rk3r

@DefSecSentinel DefSecSentinel Awaiting requested review from DefSecSentinel

@imays11 imays11 Awaiting requested review from imays11

@Aegrah Aegrah Awaiting requested review from Aegrah

@terrancedejesus terrancedejesus Awaiting requested review from terrancedejesus

@eric-forte-elastic eric-forte-elastic Awaiting requested review from eric-forte-elastic eric-forte-elastic is a code owner

Assignees

@shashank-elastic shashank-elastic

Labels

backport: auto Domain: Endpoint enhancement New feature or request meta:rapid-merge OS: Linux OS: Windows windows related rules patch schema

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@shashank-elastic @tradebot-elastic @Mikaayenson @Samirbous