Add tactics_techniques field on event definitions#25977

Open

danotorrey wants to merge 19 commits into master from feature/event-definition-mitre-tactics-techniques
Conversation

@danotorrey danotorrey commented May 11, 2026

Summary

Adds a tactics_techniques keyword array on event definitions and propagates it to produced events. Format validation (regex on shape) runs unconditionally; semantic validation and UI are pluggable.

What's in here

  • tactics_techniques array on EventDefinition / EventDefinitionDto / EventDefinitionEntity. Format validated by regex; values normalized (uppercased) on save via TacticsTechniquesNormalizer, mirroring TagNormalizer.
  • Field stamped onto produced events by EventProcessorEventFactory and mapped as a keyword on the events index.
  • TacticsTechniquesValidator extension point with a no-op default binding.
  • Plugin slot contracts in event-definitions/types.ts:
    • eventDefinitions.components.tacticsTechniquesEditor — edit-form section
    • eventDefinitions.components.tacticsTechniquesColumn — list column
  • MitreBackwardsCompatibilityFilter — search helper used by the three OSS storage adapters so legacy and new field shapes can be queried together.
  • TagsCell generalized to ChipsCell; tags column behavior unchanged.

/nocl

Test plan

  • POST event def with format-valid values → stored uppercase, round-trips via GET.
  • Reject malformed values and arrays larger than the cap.
  • ?query=tactics_techniques:<value> matches the def.
  • Trigger the def; produced event _source carries the field.

Adds a single `mitre_categories` keyword array on event definitions and stamps
it onto every produced event (mapped at the top level of the events index).
Validation accepts tactic, technique, and sub-technique IDs through one
combined regex; the 64-value cap is enforced. Frontend types, fixtures, and
event-def save telemetry track the new field.

Includes a `MitreBackwardsCompatibilityFilter` helper used by the three
storage-adapter `MoreSearchAdapter` implementations to OR the legacy
`event.fields.sigma_rule_tag_*` filter shape with the new `mitre_categories`
shape during the migration window. Scoped for removal alongside the legacy
path.

Co-Authored-By: Claude Opus 4.7 (1M context) <[EMAIL_ADDRESS_REDACTED]>
CI yarn tsc surfaced a typed `EventDefinition` literal that hadn't been updated
when the field was added.

Co-Authored-By: Claude Opus 4.7 (1M context) <[EMAIL_ADDRESS_REDACTED]>
…ition-mitre-tactics-techniques

# Conflicts:
#	graylog2-server/src/main/java/org/graylog/events/contentpack/entities/EventDefinitionEntity.java
#	graylog2-server/src/main/java/org/graylog/events/event/Event.java
#	graylog2-server/src/main/java/org/graylog/events/event/EventDto.java
#	graylog2-server/src/main/java/org/graylog/events/event/EventProcessorEventFactory.java
#	graylog2-server/src/main/java/org/graylog/events/processor/EventDefinitionDto.java
#	graylog2-server/src/main/java/org/graylog/events/rest/EventDefinitionsResource.java
#	graylog2-server/src/main/java/org/graylog2/indexer/template/EventsIndexMapping.java
#	graylog2-web-interface/src/components/events/events/types.ts
- Rename `mitre_categories` to `tactics_techniques` across DTO, JSON, ES
  mapping, content-pack entity, FE types, fixtures.
- `TacticsTechniquesNormalizer` (mirrors `TagNormalizer`): trim, upper-case,
  drop empties. Applied in `EventDefinitionDto.Builder.build()`.
- `TacticsTechniquesValidator` Guice extension point with OSS no-op default;
  wired into create/update/validate endpoints. Enterprise overrides to
  reject IDs not in the Illuminate LUTs.
- New "Tactics/Techniques" column on the Event Definitions list.
- Editor on the event-def edit form and chip on the list column are pluggable
  (`eventDefinitions.tacticsTechniquesEditor`, `eventDefinitions.tacticsTechniquesChip`).
  OSS leaves both empty.
- Rename `TagsCell` → `ChipsCell` with generic prop names. Tags and
  Tactics/Techniques share the collapse / +N overflow UX.
- `EventImpl.equals/hashCode/toString` now include the new field.
- New TacticsTechniquesNormalizerTest; expanded EventDefinitionDtoTest,
  EventProcessorEventFactoryTest, EventDefinitionsResourceTest.
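As an added illustration (not Graylog's own code) of the format-only validation described in the PR summary (regex on shape, 64-value cap) and of the normalizer described in the commit above (trim, upper-case, drop empties), the following TypeScript assumes a combined pattern for MITRE ATT&CK tactic, technique and sub-technique IDs; the real regex used by the project is not shown on this page, and the function and type names here are hypothetical.

```typescript
// Added example, not part of the graylog2-server code base.
// Cap on the tactics_techniques array, as stated in the PR.
const MAX_TACTICS_TECHNIQUES = 64;

// Assumed combined pattern built from ATT&CK ID shapes:
//   tactic        TA0002
//   technique     T1059
//   sub-technique T1059.001
// Semantic checks (is this a real ATT&CK entry?) are deliberately not
// done here; the PR leaves them to the pluggable validator.
const TACTIC_TECHNIQUE_ID = /^(TA\d{4}|T\d{4}(\.\d{3})?)$/;

// Mirrors the described normalizer steps: trim, upper-case, drop empties.
function normalizeTacticsTechniques(values: readonly string[]): string[] {
  const out: string[] = [];
  for (const raw of values) {
    const v = raw.trim().toUpperCase();
    if (v.length > 0) out.push(v);
  }
  return out;
}

type ValidationResult =
  | { ok: true; values: string[] }
  | { ok: false; errors: string[] };

// Format validation only: normalize first (so " t1059.001 " is accepted),
// then enforce the size cap and the shape regex on every value.
function validateTacticsTechniques(values: readonly string[]): ValidationResult {
  const normalized = normalizeTacticsTechniques(values);
  const errors: string[] = [];
  if (normalized.length > MAX_TACTICS_TECHNIQUES) {
    errors.push(`too many values: ${normalized.length} > ${MAX_TACTICS_TECHNIQUES}`);
  }
  for (const v of normalized) {
    if (!TACTIC_TECHNIQUE_ID.test(v)) errors.push(`malformed id: ${v}`);
  }
  return errors.length === 0 ? { ok: true, values: normalized } : { ok: false, errors };
}
```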
@danotorrey danotorrey changed the title from "Add mitre_categories field to event definitions" to "Add tactics_techniques to event definitions" on May 22, 2026
danotorrey added 12 commits May 21, 2026 21:21
…ition-mitre-tactics-techniques

# Conflicts:
#	graylog2-server/src/main/java/org/graylog/events/rest/EventDefinitionsResource.java
Remove the events list column, event-defs list column, summary view
row, and expanded details row. Schema and plugin slot wiring remain.

Assisted with Claude Code
…ithub.com:Graylog2/graylog2-server into feature/event-definition-mitre-tactics-techniques
- Make `tactics_techniques` optional on the FE EventDefinition type so
  consumers that don't set it (older fixtures, ad-hoc instances) still
  type-check. Mutation hook fills `[]` when sending to the API.
- Drop tactics_techniques from the Event Definitions EntityAttribute
  list; keep it as an extraSearchField so API search still works.
- Fix TableElement.getColumnRenderer typing to return the
  ColumnRenderersByAttribute map instead of a single ColumnRenderer.
  Make expandedSection / tableCellComponent optional and have the
  consumer handle their absence.

Assisted with Claude Code
Roll back the getColumnRenderer signature fix and the optional
expandedSection/tableCellComponent change. They're a worthwhile
cleanup but they create cross-repo coupling — anywhere a downstream
plugin had `@ts-expect-error` working around the old signature, the
directive becomes unused once the type is corrected. That tripped CI
on this PR. Will revisit in a standalone follow-up that touches both
repos together.

Assisted with Claude Code
Assisted with Claude Code
…ition-mitre-tactics-techniques

# Conflicts:
#	graylog2-server/src/test/java/org/graylog/events/processor/EventDefinitionDtoTest.java
@danotorrey danotorrey changed the title from "Add tactics_techniques to event definitions" to "Add tactics_techniques field on event definitions" on May 26, 2026
danotorrey and others added 2 commits May 26, 2026 14:02
Replaces use of the shared entityTableElements slot to keep the column
scoped to event definitions. The plugin owns the attribute (id/title/sortable),
the cell component, and the license gate.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@danotorrey danotorrey added the label "e2e-tests" (Run PR build with e2e tests.) on May 26, 2026
@danotorrey danotorrey marked this pull request as ready for review May 27, 2026 02:46
@danotorrey danotorrey (Contributor, Author) commented

The e2e failures seem to match those on the enterprise side, which all appear to be preexisting (not from these PRs). See https://github.com/Graylog2/graylog-plugin-enterprise/pull/14205#issuecomment-4554987322.

Two new slots on the event-definition / events UI:
- events.components.tacticsTechniquesDetailRow - consumed by the events
  details expanded section to render a row next to Tags.
- eventDefinitions.components.tacticsTechniquesSummary - consumed by the
  event definition summary view to render a row next to Tags.

Server defines the slot contracts; the security plugin contributes the
components, gates them on the security license, and owns the dual-read
between the new tactics_techniques field and the legacy sigma_rule_tag_*
shape.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>