elastic · dhurley14 · Nov 27, 2019 · Nov 26, 2019 · Nov 26, 2019 · Nov 27, 2019
diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/__mocks__/es_results.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/__mocks__/es_results.ts
@@ -35,6 +35,7 @@ export const sampleRuleAlertParams = (
   filters: undefined,
   savedId: undefined,
   meta: undefined,
+  threats: undefined,
 });
 
 export const sampleDocNoSortId = (someUuid: string = sampleIdGuid): SignalSourceHit => ({

diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/create_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/create_rules.ts
@@ -30,6 +30,7 @@ export const createRules = async ({
   name,
   severity,
   tags,
+  threats,
   to,
   type,
   references,
@@ -57,6 +58,7 @@ export const createRules = async ({
         riskScore,
         severity,
         tags,
+        threats,
         to,
         type,
         references,

diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/rules_alert_type.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/rules_alert_type.ts
@@ -48,6 +48,7 @@ export const rulesAlertType = ({
         riskScore: schema.number(),
         severity: schema.string(),
         tags: schema.arrayOf(schema.string(), { defaultValue: [] }),
+        threats: schema.nullable(schema.arrayOf(schema.object({}, { allowUnknowns: true }))),
         to: schema.string(),
         type: schema.string(),
         references: schema.arrayOf(schema.string(), { defaultValue: [] }),

diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/types.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/types.ts
@@ -21,6 +21,19 @@ import { esFilters } from '../../../../../../../../src/plugins/data/server';
 
 export type PartialFilter = Partial<esFilters.Filter>;
 
+export interface ThreatParams {
+  framework: string;
+  tactic: {
+    id: string;
+    name: string;
+    reference: string;
+  };
+  technique: {
+    id: string;
+    name: string;
+    reference: string;
+  };
+}
 export interface RuleAlertParams {
   description: string;
   enabled: boolean;
@@ -44,6 +57,7 @@ export interface RuleAlertParams {
   severity: string;
   tags: string[];
   to: string;
+  threats: ThreatParams[] | undefined | null;
   type: 'filter' | 'query' | 'saved_query';
 }
 

diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/update_rules.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/update_rules.ts
@@ -65,6 +65,7 @@ export const updateRules = async ({
   name,
   severity,
   tags,
+  threats,
   to,
   type,
   references,
@@ -101,6 +102,7 @@ export const updateRules = async ({
       riskScore,
       severity,
       tags,
+      threats,
       to,
       type,
       references,

diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/utils.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/alerts/utils.ts
@@ -64,6 +64,7 @@ export const buildRule = ({
     filters: ruleParams.filters,
     created_by: createdBy,
     updated_by: updatedBy,
+    threats: ruleParams.threats,
   });
 };
 

diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/__mocks__/request_responses.ts
@@ -26,6 +26,13 @@ export const typicalPayload = (): Partial<Omit<RuleAlertParamsRest, 'filter'>> =
   severity: 'high',
   query: 'user.name: root or user.name: admin',
   language: 'kuery',
+  threats: [
+    {
+      framework: 'fake',
+      tactic: { id: 'fakeId', name: 'fakeName', reference: 'fakeRef' },
+      technique: { id: 'techniqueId', name: 'techniqueName', reference: 'techniqueRef' },
+    },
+  ],
 });
 
 export const typicalFilterPayload = (): Partial<RuleAlertParamsRest> => ({
@@ -139,6 +146,21 @@ export const getResult = (): RuleAlertType => ({
     tags: [],
     to: 'now',
     type: 'query',
+    threats: [
+      {
+        framework: 'MITRE ATT&CK',
+        tactic: {
+          id: 'TA0040',
+          name: 'impact',
+          reference: 'https://attack.mitre.org/tactics/TA0040/',
+        },
+        technique: {
+          id: 'T1499',
+          name: 'endpoint denial of service',
+          reference: 'https://attack.mitre.org/techniques/T1499/',
+        },
+      },
+    ],
     references: ['http://www.example.com', 'https://ww.example.com'],
   },
   interval: '5m',

diff --git a/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/create_rules_route.ts b/x-pack/legacy/plugins/siem/server/lib/detection_engine/routes/create_rules_route.ts
@@ -50,11 +50,11 @@ export const createCreateRulesRoute: Hapi.ServerRoute = {
       name,
       severity,
       tags,
+      threats,
       to,
       type,
       references,
     } = request.payload;
-
     const alertsClient = isFunction(request.getAlertsClient) ? request.getAlertsClient() : null;
     const actionsClient = isFunction(request.getActionsClient) ? request.getActionsClient() : null;
 
@@ -94,6 +94,7 @@ export const createCreateRulesRoute: Hapi.ServerRoute = {
       tags,
       to,
       type,
+      threats,
       references,
     });
     return transformOrError(createdRule);