Commit 849e9d1

Updates MITRE docs to currently used version v17.1 (#2518)

🟢 **NOTE TO SELF:** Merge this on Tuesday, Sep 3, 20205 and then open PRs for #2791

## Summary

Updates the 9.x and Serverless docs to show that detection rules will use the MITRE ATT&CK® version v17.1 in 9.2 and next week's Serverless release. Because we need to show that earlier versions of 9.x (specifically 9.0.0-9.0.6 and 9.1.0-9.1.3) use an older version of MITRE ATT&CK® (v16.1), I created a table to show how the versions are mapped.

## Related

- Doc issue: elastic/kibana#166152
- Dev PR: elastic/kibana#231375

## Preview

https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/2518/solutions/security/detect-and-alert/mitre-attandckr-coverage

---------

Co-authored-by: Nastasha Solomon <[email protected]>
Co-authored-by: Nastasha Solomon <[email protected]>
1 parent 985794a commit 849e9d1


solutions/security/detect-and-alert/mitre-attandckr-coverage.md

Lines changed: 9 additions & 2 deletions
@@ -20,10 +20,10 @@ Mirroring the MITRE ATT&CK® framework, columns represent major tactics, and cel
2020
To access the **MITRE ATT&CK® coverage** page, find **Detection rules (SIEM)** in the navigation menu or look for “Detection rules (SIEM)” using the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md), then go to **MITRE ATT&CK® coverage**.
2121

2222
::::{note}
23-
This page only includes the detection rules you currently have installed, and only rules that are mapped to MITRE ATT&CK®. The coverage page maps detections to the following [MITRE ATT&CK® version](https://attack.mitre.org/resources/updates/updates-april-2024) used by {{elastic-sec}}: `v16.1`. Elastic prebuilt rules that aren’t installed and custom rules that are either unmapped or mapped to a deprecated tactic or technique will not appear on the coverage map.
23+
This page only includes the detection rules you currently have installed, and only rules that are mapped to MITRE ATT&CK®. The coverage page maps detections to [MITRE ATT&CK® versions](https://attack.mitre.org/resources/updates/) used by {{elastic-sec}}.
2424

25-
You can map custom rules to tactics in **Advanced settings** when creating or editing a rule.
2625

26+
Elastic prebuilt rules that aren’t installed and custom rules that are either unmapped or mapped to a deprecated tactic or technique will not appear on the coverage map. You can map custom rules to tactics in **Advanced settings** when creating or editing a rule.
2727
::::
2828

2929
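Review bot: The rewritten note at new line 23 no longer tells the reader which ATT&CK version the coverage map uses and does not point to where that is now documented. The removed line named `v16.1` inline; the new sentence says only "MITRE ATT&CK® versions used by {{elastic-sec}}" and links to the generic updates index, while the version table sits further down the page, after the screenshot. Suggest ending the sentence with an explicit pointer to that table (or moving the table directly under this note), so someone checking whether a custom rule's technique is deprecated in their release can find the applicable version without scrolling past the image.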

@@ -32,6 +32,13 @@ You can map custom rules to tactics in **Advanced settings** when creating or ed
3232
:screenshot:
3333
:::
3434

35+
Refer to the following table to find the MITRE ATT&CK® version that's mapped to your version of {{elastic-sec}}.
36+
37+
| MITRE ATT\&CK® version | {{elastic-sec}} version |
38+
| :---- | :---- |
39+
| [v16.1](https://attack.mitre.org/resources/updates/updates-october-2024/) | • 9.0.0-9.0.6 <br> • 9.1.0-9.1.3|
40+
| [v17.1](https://attack.mitre.org/resources/updates/updates-april-2025/) | • {applies_to}`stack: ga 9.2.0` <br> • {{serverless-short}} |
41+
3542

3643
## Filter rules [security-rules-coverage-filter-rules]
3744
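Review bot: The version table leaves later 9.0.x and 9.1.x patch releases unmapped: the v16.1 row stops at 9.0.6 and 9.1.3, and the v17.1 row lists only `stack: ga 9.2.0` and Serverless, so a reader on a later 9.0 or 9.1 patch cannot tell which ATT&CK version their coverage map uses. Please state explicitly whether those patch lines stay on v16.1 or move to v17.1. Smaller points on the same lines: the header escapes the ampersand (`ATT\&CK®`) while the rest of the page writes `ATT&CK®`, the v16.1 row is missing the space before its closing `|`, and one row uses plain version text while the other uses the `{applies_to}` role, which will render inconsistently.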
