[FR] Add GitHub Action to Open Issue in Kibana for ATT&CK Version Update #3100

Closed
terrancedejesus opened this issue Sep 14, 2023 · 0 comments · Fixed by #3796
Labels: backlog, enhancement (New feature or request)


terrancedejesus commented Sep 14, 2023

Is your feature request related to a problem? Please describe.
At the moment, TRaDE manages a local version of the MITRE ATT&CK matrix based on the available enterprise version. This is downloaded and stored locally within the repository so that rules are properly matched to the latest updates. However, the Kibana ATT&CK version can diverge if an issue is not opened to update it on their end. As a result, some features may not work properly, such as references to techniques or the ATT&CK matrix coverage map.

Describe the solution you'd like
Implement a workflow where any time a PR is opened and the etc/attack-v*.json.gz file pattern is included in the diff, an issue is created in Kibana to update theirs as well.

Starting Point:

name: Check MITRE ATT&CK Version Updates Are Synced

on:
  pull_request:
    paths:
      - 'detection_rules/etc/attack-v*.json.gz'

jobs:
  create_issue:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0  # full history, so the base-to-head diff below can resolve both commits

      - name: Extract version from file name
        id: extract_version
        run: |
          # Diff the PR base against the checked-out merge commit; github.event.before is not set
          # on a freshly opened pull_request event. --diff-filter=A keeps only the newly added
          # matrix file, so the old (deleted) attack-v*.json.gz does not match as well.
          FILENAME=$(git diff --name-only --diff-filter=A ${{ github.event.pull_request.base.sha }} HEAD | grep 'detection_rules/etc/attack-v.*\.json\.gz')
          # Keep the full version string (e.g. v14.1), not just the part before the first dot
          VERSION=$(basename "$FILENAME" | sed -E 's/^attack-(v[0-9.]+)\.json\.gz$/\1/')
          # ::set-output is deprecated; step outputs are written to $GITHUB_OUTPUT
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"

      - name: Create issue in elastic/kibana repository
        env:
          # Token with permission to create issues in elastic/kibana; the default GITHUB_TOKEN is scoped to this repo only
          YOUR_GITHUB_TOKEN: ${{ secrets.YOUR_GITHUB_TOKEN }}
          VERSION: ${{ steps.extract_version.outputs.version }}
        run: |
          ISSUE_TITLE="Update MITRE ATT&CK to $VERSION"
          ISSUE_BODY="The detection rules MITRE ATT&CK version has been updated to $VERSION. Please update the MITRE ATT&CK version in Kibana accordingly."

          # --fail makes the step error out on a non-2xx response instead of silently succeeding
          curl --fail -X POST \
            -H "Authorization: token $YOUR_GITHUB_TOKEN" \
            -H "Accept: application/vnd.github.v3+json" \
            https://api.github.com/repos/elastic/kibana/issues \
            -d '{
              "title": "'"$ISSUE_TITLE"'",
              "body": "'"$ISSUE_BODY"'"
            }'
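The same version-bump detection and issue creation as a small script the run step could feed with `git diff --name-status BASE HEAD` output, added here as an example and not code from the issue or the detection-rules project: it recovers both the old and the new matrix version (including the rename case), skips PRs that only modify the existing file, and encodes the request body as real JSON rather than splicing shell strings into a quoted literal. SAMPLE_DIFF is a constructed input, and the secret name YOUR_GITHUB_TOKEN is the placeholder used in the workflow above.

```python
import json
import re
import urllib.request

# The synced matrix file the workflow watches, e.g. detection_rules/etc/attack-v14.1.json.gz
ATTACK_FILE = re.compile(r"detection_rules/etc/attack-(v\d+(?:\.\d+)*)\.json\.gz$")

# Constructed sample of `git diff --name-status BASE HEAD` for a version bump (not real PR output)
SAMPLE_DIFF = ("D\tdetection_rules/etc/attack-v13.1.json.gz\n"
               "A\tdetection_rules/etc/attack-v14.0.json.gz\n"
               "M\tREADME.md\n")

def attack_versions(name_status: str) -> tuple:
    """(removed, added) ATT&CK versions found in `git diff --name-status` output."""
    removed, added = [], []
    for line in name_status.splitlines():
        status, *paths = line.split("\t")
        versions = [m.group(1) for m in map(ATTACK_FILE.search, paths) if m]
        if status.startswith("R") and len(versions) == 2:  # rename: old path, then new path
            removed.append(versions[0])
            added.append(versions[1])
        elif status == "A":
            added.extend(versions)
        elif status == "D":
            removed.extend(versions)
    return removed, added  # an M entry keeps the same file name, so it never changes the version

def build_issue(name_status: str):
    """Issue payload for Kibana, or None when the PR adds no new matrix version."""
    removed, added = attack_versions(name_status)
    if not added:
        return None
    bump = f"from {removed[-1]} to {added[-1]}" if removed else f"to {added[-1]}"
    return {
        "title": f"Update MITRE ATT&CK to {added[-1]}",
        "body": f"The detection rules MITRE ATT&CK version has been updated {bump}. "
                "Please update the MITRE ATT&CK version in Kibana accordingly.",
    }

def open_issue(payload: dict, token: str, repo: str = "elastic/kibana") -> int:
    """POST the issue to the GitHub REST API and return the new issue number."""
    req = urllib.request.Request(
        f"https://api.github.com/repos/{repo}/issues",
        data=json.dumps(payload).encode(),  # real JSON encoding, not shell string splicing
        headers={"Authorization": f"token {token}", "Accept": "application/vnd.github.v3+json",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["number"]
```

From the workflow, pipe the diff into the script and pass the token through the step's env block as above; `open_issue(build_issue(diff), token)` only runs when `build_issue` returns a payload.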