Skip to content

Add mitre_categories field to event definitions#25977

Draft
danotorrey wants to merge 2 commits into master from feature/event-definition-mitre-tactics-techniques

Conversation

@danotorrey (Contributor) commented May 11, 2026

Summary

  • Adds a single mitre_categories field on event definitions (a keyword array of canonical MITRE IDs like TA0002, T1059, T1059.001).
  • Values stamp onto every event the definition produces and are mapped as a top-level keyword array on the events index — sits alongside streams, associated_assets, etc.
  • Validation accepts tactic IDs (TA0000), technique IDs (T0000), and sub-technique IDs (T0000.000) in one combined regex; capped at 64 values per definition; can be relaxed via event_definition_mitre_id_validation_enabled for unusual deployments.

Notes

  • Frontend types, fixtures, and event-def save telemetry track the new field.
  • Adds MitreBackwardsCompatibilityFilter in org.graylog.events.search — a helper that the three storage-adapter MoreSearchAdapter implementations call to OR a legacy-shape MITRE filter (event.fields.sigma_rule_tag_*) with the new mitre_categories shape during the migration window. Scoped for removal alongside the legacy path.
  • Changelog entry intentionally omitted while this is in draft — to be added before merge. /nocl

/jpd Graylog2/graylog-plugin-enterprise#14205

Test plan

  • Create an event def with mitre_categories: ["TA0002","T1059","T1059.001"]; round-trip via GET.
  • Reject lowercase IDs (t1059), non-MITRE strings (bogus), and >64-entry arrays.
  • Search event defs via ?query=mitre_categories:T1059.
  • Trigger the def with messages flowing; confirm produced events carry mitre_categories on _source.
  • After an index rotation, run a pivot terms aggregation on mitre_categories — buckets are the canonical IDs.

Assisted with Claude Code
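The summary above describes the validation rule (one combined regex for tactic, technique and sub-technique IDs, a 64-entry cap, a toggle to relax ID validation) and the backwards-compatibility filter that ORs the legacy `event.fields.sigma_rule_tag_*` shape with the new `mitre_categories` shape. The following is an added, stand-alone illustration of both, written here in Python rather than taken from the PR's Java code; the function names, the exact regex, the `query_string` form used for the legacy clause, and the `legacy_enabled` switch are assumptions for the example, not Graylog's implementation. It also shows why validating the IDs before they reach a search filter matters: a value that passes the strict regex cannot carry query syntax into the query-string clause.

```python
"""Worked example (not Graylog code): MITRE ID validation and the
OR'd legacy/new search filter described in the PR summary."""
import re
from typing import Any, Dict, Iterable, List

# Assumed combined regex for canonical MITRE IDs:
#   tactic        TA0002
#   technique     T1059
#   sub-technique T1059.001
# Anchored and case-sensitive, so "t1059" and "bogus" are rejected.
MITRE_ID_RE = re.compile(r"^(?:TA\d{4}|T\d{4}(?:\.\d{3})?)$")

# Cap per event definition, as stated in the PR summary.
MAX_MITRE_CATEGORIES = 64


def validate_mitre_categories(
    values: Iterable[str],
    *,
    max_values: int = MAX_MITRE_CATEGORIES,
    id_validation_enabled: bool = True,  # models event_definition_mitre_id_validation_enabled
) -> List[str]:
    """Return the values as a list if they are acceptable, else raise ValueError.

    The cap is always enforced; only the ID-shape check can be relaxed.
    """
    values = list(values)
    problems: List[str] = []
    if len(values) > max_values:
        problems.append(f"too many entries: {len(values)} > {max_values}")
    if id_validation_enabled:
        bad = [v for v in values if not isinstance(v, str) or not MITRE_ID_RE.match(v)]
        if bad:
            problems.append(f"not canonical MITRE IDs: {bad}")
    if problems:
        raise ValueError("; ".join(problems))
    return values


def is_valid_mitre_categories(values: Iterable[str], **kwargs: Any) -> bool:
    """Boolean convenience wrapper around validate_mitre_categories()."""
    try:
        validate_mitre_categories(values, **kwargs)
        return True
    except ValueError:
        return False


def mitre_search_filter(ids: Iterable[str], *, legacy_enabled: bool = True) -> Dict[str, Any]:
    """Build the OR'd filter for the migration window (assumed query shapes).

    The new shape is a plain `terms` clause on the top-level keyword field.
    The legacy shape, assumed here as a `query_string` over the wildcard
    field pattern, is only safe because every ID has already passed the
    strict regex: no quotes, whitespace or operators can be injected.
    """
    ids = validate_mitre_categories(ids)  # ID validation always on for search
    new_shape: Dict[str, Any] = {"terms": {"mitre_categories": ids}}
    if not legacy_enabled:
        return new_shape
    legacy_shape: Dict[str, Any] = {
        "query_string": {
            "fields": ["event.fields.sigma_rule_tag_*"],
            "query": " OR ".join(f'"{i}"' for i in ids),
        }
    }
    return {"bool": {"should": [new_shape, legacy_shape], "minimum_should_match": 1}}


if __name__ == "__main__":
    # Constructed sample inputs mirroring the PR's test plan.
    print(validate_mitre_categories(["TA0002", "T1059", "T1059.001"]))
    for bad in (["t1059"], ["bogus"], ["T1059"] * 65):
        print(bad[:1], "valid?", is_valid_mitre_categories(bad))
    print(mitre_search_filter(["T1059", "T1059.001"]))
```

Once the legacy path is removed, `mitre_search_filter` collapses to the `terms` clause alone, which is the point of scoping the compatibility helper for deletion together with it.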

Adds a single `mitre_categories` keyword array on event definitions and stamps
it onto every produced event (mapped at the top level of the events index).
Validation accepts tactic, technique, and sub-technique IDs through one
combined regex; the 64-value cap is enforced. Frontend types, fixtures, and
event-def save telemetry track the new field.

Includes a `MitreBackwardsCompatibilityFilter` helper used by the three
storage-adapter `MoreSearchAdapter` implementations to OR the legacy
`event.fields.sigma_rule_tag_*` filter shape with the new `mitre_categories`
shape during the migration window. Scoped for removal alongside the legacy
path.

Co-Authored-By: Claude Opus 4.7 (1M context) <[EMAIL_ADDRESS_REDACTED]>

CI yarn tsc surfaced a typed `EventDefinition` literal that hadn't been updated
when the field was added.

Co-Authored-By: Claude Opus 4.7 (1M context) <[EMAIL_ADDRESS_REDACTED]>