[1.x] Add threat.technique.subtechnique (#951)

CHANGELOG.next.md

@@ -10,6 +10,8 @@ Thanks, you're awesome :-) -->
 
 ### Schema Changes
 
+* Added `threat.technique.subtechnique` to capture MITRE ATT&CK® subtecqhniques. #951
+
 #### Breaking changes
 
 #### Bugfixes

docs/field-details.asciidoc

@@ -5418,7 +5418,7 @@ example: `MITRE ATT&CK`
 // ===============================================================
 
 | threat.tactic.id
-| The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
+| The id of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
 
 type: keyword
 
@@ -5427,14 +5427,14 @@ Note: this field should contain an array of values.
 
 
 
-example: `TA0040`
+example: `TA0002`
 
 | extended
 
 // ===============================================================
 
 | threat.tactic.name
-| Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)
+| Name of the type of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)
 
 type: keyword
 
@@ -5443,14 +5443,14 @@ Note: this field should contain an array of values.
 
 
 
-example: `impact`
+example: `Execution`
 
 | extended
 
 // ===============================================================
 
 | threat.tactic.reference
-| The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )
+| The reference url of tactic used by this threat. You can use a MITRE ATT&CK® tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )
 
 type: keyword
 
@@ -5459,14 +5459,14 @@ Note: this field should contain an array of values.
 
 
 
-example: `https://attack.mitre.org/tactics/TA0040/`
+example: `https://attack.mitre.org/tactics/TA0002/`
 
 | extended
 
 // ===============================================================
 
 | threat.technique.id
-| The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)
+| The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
 
 type: keyword
 
@@ -5475,14 +5475,14 @@ Note: this field should contain an array of values.
 
 
 
-example: `T1499`
+example: `T1059`
 
 | extended
 
 // ===============================================================
 
 | threat.technique.name
-| The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)
+| The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
 
 type: keyword
 
@@ -5497,14 +5497,14 @@ Note: this field should contain an array of values.
 
 
 
-example: `Endpoint Denial of Service`
+example: `Command and Scripting Interpreter`
 
 | extended
 
 // ===============================================================
 
 | threat.technique.reference
-| The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1499/ )
+| The reference url of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
 
 type: keyword
 
@@ -5513,7 +5513,61 @@ Note: this field should contain an array of values.
 
 
 
-example: `https://attack.mitre.org/techniques/T1499/`
+example: `https://attack.mitre.org/techniques/T1059/`
+
+| extended
+
+// ===============================================================
+
+| threat.technique.subtechnique.id
+| The full id of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `T1059.001`
+
+| extended
+
+// ===============================================================
+
+| threat.technique.subtechnique.name
+| The name of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
+
+type: keyword
+
+Multi-fields:
+
+* threat.technique.subtechnique.name.text (type: text)
+
+
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `PowerShell`
+
+| extended
+
+// ===============================================================
+
+| threat.technique.subtechnique.reference
+| The reference url of subtechnique used by this threat. You can use a MITRE ATT&CK® subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)
+
+type: keyword
+
+
+Note: this field should contain an array of values.
+
+
+
+example: `https://attack.mitre.org/techniques/T1059/001/`
 
 | extended
 

generated/beats/fields.ecs.yml

@@ -4538,30 +4538,30 @@
       type: keyword
       ignore_above: 1024
       description: "The id of tactic used by this threat. You can use a MITRE ATT&CK\xAE\
-        \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/ )"
-      example: TA0040
+        \ tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/ )"
+      example: TA0002
     - name: tactic.name
       level: extended
       type: keyword
       ignore_above: 1024
       description: "Name of the type of tactic used by this threat. You can use a\
-        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/)"
-      example: impact
+        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/)"
+      example: Execution
     - name: tactic.reference
       level: extended
       type: keyword
       ignore_above: 1024
       description: "The reference url of tactic used by this threat. You can use a\
-        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0040/\
+        \ MITRE ATT&CK\xAE tactic, for example. (ex. https://attack.mitre.org/tactics/TA0002/\
         \ )"
-      example: https://attack.mitre.org/tactics/TA0040/
+      example: https://attack.mitre.org/tactics/TA0002/
     - name: technique.id
       level: extended
       type: keyword
       ignore_above: 1024
       description: "The id of technique used by this threat. You can use a MITRE ATT&CK\xAE\
-        \ technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)"
-      example: T1499
+        \ technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: T1059
     - name: technique.name
       level: extended
       type: keyword
@@ -4572,16 +4572,43 @@
         norms: false
         default_field: false
       description: "The name of technique used by this threat. You can use a MITRE\
-        \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/)"
-      example: Endpoint Denial of Service
+        \ ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: Command and Scripting Interpreter
     - name: technique.reference
       level: extended
       type: keyword
       ignore_above: 1024
       description: "The reference url of technique used by this threat. You can use\
-        \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1499/\
-        \ )"
-      example: https://attack.mitre.org/techniques/T1499/
+        \ a MITRE ATT&CK\xAE technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)"
+      example: https://attack.mitre.org/techniques/T1059/
+    - name: technique.subtechnique.id
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "The full id of subtechnique used by this threat. You can use a\
+        \ MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: T1059.001
+      default_field: false
+    - name: technique.subtechnique.name
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      multi_fields:
+      - name: text
+        type: text
+        norms: false
+      description: "The name of subtechnique used by this threat. You can use a MITRE\
+        \ ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: PowerShell
+      default_field: false
+    - name: technique.subtechnique.reference
+      level: extended
+      type: keyword
+      ignore_above: 1024
+      description: "The reference url of subtechnique used by this threat. You can\
+        \ use a MITRE ATT&CK\xAE subtechnique, for example. (ex. https://attack.mitre.org/techniques/T1059/001/)"
+      example: https://attack.mitre.org/techniques/T1059/001/
+      default_field: false
   - name: tls
     title: TLS
     group: 2

generated/csv/fields.csv

@@ -534,13 +534,17 @@ ECS_Version,Indexed,Field_Set,Field,Type,Level,Normalization,Example,Description
 1.7.0-dev,true,source,source.user.roles,keyword,extended,array,"[""kibana_admin"", ""reporting_user""]",Array of user roles at the time of the event.
 1.7.0-dev,true,span,span.id,keyword,extended,,3ff9a8981b7ccd5a,Unique identifier of the span within the scope of its trace.
 1.7.0-dev,true,threat,threat.framework,keyword,extended,,MITRE ATT&CK,Threat classification framework.
-1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0040,Threat tactic id.
-1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,impact,Threat tactic.
-1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0040/,Threat tactic URL reference.
-1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1499,Threat technique id.
-1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Endpoint Denial of Service,Threat technique name.
-1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Endpoint Denial of Service,Threat technique name.
-1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1499/,Threat technique URL reference.
+1.7.0-dev,true,threat,threat.tactic.id,keyword,extended,array,TA0002,Threat tactic id.
+1.7.0-dev,true,threat,threat.tactic.name,keyword,extended,array,Execution,Threat tactic.
+1.7.0-dev,true,threat,threat.tactic.reference,keyword,extended,array,https://attack.mitre.org/tactics/TA0002/,Threat tactic URL reference.
+1.7.0-dev,true,threat,threat.technique.id,keyword,extended,array,T1059,Threat technique id.
+1.7.0-dev,true,threat,threat.technique.name,keyword,extended,array,Command and Scripting Interpreter,Threat technique name.
+1.7.0-dev,true,threat,threat.technique.name.text,text,extended,,Command and Scripting Interpreter,Threat technique name.
+1.7.0-dev,true,threat,threat.technique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/,Threat technique URL reference.
+1.7.0-dev,true,threat,threat.technique.subtechnique.id,keyword,extended,array,T1059.001,Threat subtechnique id.
+1.7.0-dev,true,threat,threat.technique.subtechnique.name,keyword,extended,array,PowerShell,Threat subtechnique name.
+1.7.0-dev,true,threat,threat.technique.subtechnique.name.text,text,extended,,PowerShell,Threat subtechnique name.
+1.7.0-dev,true,threat,threat.technique.subtechnique.reference,keyword,extended,array,https://attack.mitre.org/techniques/T1059/001/,Threat subtechnique URL reference.
 1.7.0-dev,true,tls,tls.cipher,keyword,extended,,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,String indicating the cipher used during the current connection.
 1.7.0-dev,true,tls,tls.client.certificate,keyword,extended,,MII...,PEM-encoded stand-alone certificate offered by the client.
 1.7.0-dev,true,tls,tls.client.certificate_chain,keyword,extended,array,"['MII...', 'MII...']",Array of PEM-encoded certificates that make up the certificate chain offered by the client.