Update mitre mappings as a stopgap to using mitre atlas

Mikaayenson · Mikaayenson · commit af9d82f4d25c · 2025-12-04T12:43:30.000-06:00
diff --git a/rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml b/rules/cross-platform/command_and_control_genai_process_suspicious_tld_connection.toml
@@ -128,16 +128,4 @@ reference = "https://attack.mitre.org/techniques/T1071/004/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-[[rule.threat]]
-framework = "MITRE ATLAS"
-[[rule.threat.technique]]
-id = "AML.T0086"
-name = "Exfiltration via AI Agent Tool Invocation"
-reference = "https://atlas.mitre.org/techniques/AML.T0086/"
-
-
-[rule.threat.tactic]
-id = "AML.TA0010"
-name = "Exfiltration"
-reference = "https://atlas.mitre.org/tactics/AML.TA0010/"
 
diff --git a/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml b/rules/cross-platform/command_and_control_genai_process_unusual_domain.toml
@@ -142,18 +142,6 @@ reference = "https://attack.mitre.org/techniques/T1071/001/"
 id = "TA0011"
 name = "Command and Control"
 reference = "https://attack.mitre.org/tactics/TA0011/"
-[[rule.threat]]
-framework = "MITRE ATLAS"
-[[rule.threat.technique]]
-id = "AML.T0086"
-name = "Exfiltration via AI Agent Tool Invocation"
-reference = "https://atlas.mitre.org/techniques/AML.T0086/"
-
-
-[rule.threat.tactic]
-id = "AML.TA0010"
-name = "Exfiltration"
-reference = "https://atlas.mitre.org/tactics/AML.TA0010/"
 
 [rule.new_terms]
 field = "new_terms_fields"
diff --git a/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml b/rules/cross-platform/credential_access_genai_process_sensitive_file_access.toml
@@ -128,32 +128,27 @@ file where event.action in ("open", "creation", "modification") and event.outcom
 
 
 [[rule.threat]]
-framework = "MITRE ATLAS"
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "AML.T0085"
-name = "Data from AI Services"
-reference = "https://atlas.mitre.org/techniques/AML.T0085/"
-[[rule.threat.technique.subtechnique]]
-id = "AML.T0085.001"
-name = "AI Agent Tools"
-reference = "https://atlas.mitre.org/techniques/AML.T0085.001/"
-
+id = "T1555"
+name = "Credentials from Password Stores"
+reference = "https://attack.mitre.org/techniques/T1555/"
 
 
 [rule.threat.tactic]
-id = "AML.TA0009"
-name = "Collection"
-reference = "https://atlas.mitre.org/tactics/AML.TA0009/"
+id = "TA0006"
+name = "Credential Access"
+reference = "https://attack.mitre.org/tactics/TA0006/"
 [[rule.threat]]
-framework = "MITRE ATLAS"
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "AML.T0055"
-name = "Unsecured Credentials"
-reference = "https://atlas.mitre.org/techniques/AML.T0055/"
+id = "T1005"
+name = "Data from Local System"
+reference = "https://attack.mitre.org/techniques/T1005/"
 
 
 [rule.threat.tactic]
-id = "AML.TA0013"
-name = "Credential Access"
-reference = "https://atlas.mitre.org/tactics/AML.TA0013/"
+id = "TA0009"
+name = "Collection"
+reference = "https://attack.mitre.org/tactics/TA0009/"
 
diff --git a/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml b/rules/cross-platform/defense_evasion_genai_process_compiling_executables.toml
@@ -138,18 +138,6 @@ process where event.type == "start" and event.type == "start" and
 '''
 
 
-[[rule.threat]]
-framework = "MITRE ATLAS"
-[[rule.threat.technique]]
-id = "AML.T0053"
-name = "AI Agent Tool Invocation"
-reference = "https://atlas.mitre.org/techniques/AML.T0053/"
-
-
-[rule.threat.tactic]
-id = "AML.TA0005"
-name = "Execution"
-reference = "https://atlas.mitre.org/tactics/AML.TA0005/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml b/rules/cross-platform/defense_evasion_genai_process_encoding_prior_to_network_activity.toml
@@ -151,18 +151,6 @@ sequence by process.entity_id with maxspan=30s
 '''
 
 
-[[rule.threat]]
-framework = "MITRE ATLAS"
-[[rule.threat.technique]]
-id = "AML.T0086"
-name = "Exfiltration via AI Agent Tool Invocation"
-reference = "https://atlas.mitre.org/techniques/AML.T0086/"
-
-
-[rule.threat.tactic]
-id = "AML.TA0010"
-name = "Exfiltration"
-reference = "https://atlas.mitre.org/tactics/AML.TA0010/"
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
diff --git a/rules_building_block/execution_mcp_server_child_process.toml b/rules_building_block/execution_mcp_server_child_process.toml
@@ -114,15 +114,15 @@ process where event.type == "start"
 
 
 [[rule.threat]]
-framework = "MITRE ATLAS"
+framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "AML.T0053"
-name = "AI Agent Tool Invocation"
-reference = "https://atlas.mitre.org/techniques/AML.T0053/"
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
 
 
 [rule.threat.tactic]
-id = "AML.TA0005"
+id = "TA0002"
 name = "Execution"
-reference = "https://atlas.mitre.org/tactics/AML.TA0005/"
+reference = "https://attack.mitre.org/tactics/TA0002/"
 
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
@@ -332,6 +332,11 @@ def test_tactic_to_technique_correlations(self):
                     tactic = entry.tactic
                     techniques = entry.technique or []
 
+                    # TODO: ATLAS framework validation temporarily disabled until Security Solution supports it
+                    # Remove this skip once ATLAS threat mappings are fully supported in the product
+                    if framework == "MITRE ATLAS":
+                        continue
+
                     # Select the appropriate framework module
                     framework_module, framework_name = self._get_framework_module(framework, rule)
 
