Add tactics_techniques to event definitions#25977

Draft
danotorrey wants to merge 12 commits into
masterfrom
feature/event-definition-mitre-tactics-techniques

Conversation

@danotorrey danotorrey commented May 11, 2026

Summary

  • Adds tactics_techniques on event definitions — a keyword array of MITRE IDs (TA0002, T1059, T1059.001).
  • Values stamp onto produced events and map as a top-level keyword array on the events index.
  • Canonicalized on save via TacticsTechniquesNormalizer (mirrors TagNormalizer).
  • New TacticsTechniquesValidator extension point — OSS no-op; enterprise rejects IDs missing from the Illuminate LUTs.

Notes

  • Edit-form section and list-column chip are both pluggable (eventDefinitions.tacticsTechniquesEditor, eventDefinitions.tacticsTechniquesChip). OSS users see the column populated with bare IDs; the edit-form section is hidden until enterprise contributes.
  • TagsCell renamed to ChipsCell with generic prop names. Tags and Tactics/Techniques share the collapse/+N overflow UX.
  • Adds MitreBackwardsCompatibilityFilter so the three storage adapters can OR the legacy event.fields.sigma_rule_tag_* shape with the new tactics_techniques shape during the migration window. Removable with the legacy path.

/nocl

Test plan

  • Create an event def with tactics_techniques: ["ta0002","T1059","T1059.001"] — stored values canonicalize to upper-case; round-trips via GET.
  • Reject malformed IDs (bogus, T999) and >64-entry arrays.
  • Search event defs via ?query=tactics_techniques:T1059.
  • Trigger the def; produced events carry tactics_techniques on _source.
  • OSS list column header reads "Tactics/Techniques"; chips collapse to 3 + +N.
  • Without the enterprise plugin loaded: no edit-form section appears for tactics/techniques.
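
The normalize-then-validate flow the summary and test plan above describe, as an added TypeScript example that is not Graylog's code; the combined regex, the function names and the Set-backed stand-in for the Illuminate lookup table are assumptions:

```typescript
// Added example, not Graylog's own code: models the normalize-then-validate
// flow the PR describes for tactics_techniques. Names and the regex are assumed.
const MAX_TACTICS_TECHNIQUES = 64; // cap stated in the PR
// Assumed combined pattern: tactic (TA0002), technique (T1059), sub-technique (T1059.001).
const MITRE_ID_PATTERN = /^(?:TA\d{4}|T\d{4}(?:\.\d{3})?)$/;

interface ValidationResult { valid: boolean; errors: string[] }

// Canonicalize like the described normalizer: trim, upper-case, drop empties.
// An absent array becomes [], as the FE mutation hook does before calling the API.
function normalizeTacticsTechniques(values: readonly string[] | undefined): string[] {
  const out: string[] = [];
  for (const raw of values ?? []) {
    const id = raw.trim().toUpperCase();
    if (id.length > 0) out.push(id);
  }
  return out;
}

// OSS-style check: shape and size only. Run it on normalized values so "ta0002"
// is accepted via its canonical form while "bogus" and "T999" are rejected.
function validateTacticsTechniques(normalized: readonly string[]): ValidationResult {
  const errors: string[] = [];
  if (normalized.length > MAX_TACTICS_TECHNIQUES) {
    errors.push(`too many entries: ${normalized.length} > ${MAX_TACTICS_TECHNIQUES}`);
  }
  for (const id of normalized) {
    if (!MITRE_ID_PATTERN.test(id)) errors.push(`malformed MITRE ID: ${id}`);
  }
  return { valid: errors.length === 0, errors };
}

// Enterprise-style override: additionally reject well-formed IDs absent from a
// lookup table. `knownIds` stands in for the Illuminate LUT (assumed to be a Set).
function validateAgainstLookupTable(
  normalized: readonly string[],
  knownIds: ReadonlySet<string>,
): ValidationResult {
  const errors = [...validateTacticsTechniques(normalized).errors];
  for (const id of normalized) {
    if (MITRE_ID_PATTERN.test(id) && !knownIds.has(id)) errors.push(`unknown MITRE ID: ${id}`);
  }
  return { valid: errors.length === 0, errors };
}
```

Validation runs on the normalized array, so a request carrying lower-case or padded IDs is judged by what will actually be stored and stamped onto events.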

Adds a single `mitre_categories` keyword array on event definitions and stamps
it onto every produced event (mapped at the top level of the events index).
Validation accepts tactic, technique, and sub-technique IDs through one
combined regex; the 64-value cap is enforced. Frontend types, fixtures, and
event-def save telemetry track the new field.

Includes a `MitreBackwardsCompatibilityFilter` helper used by the three
storage-adapter `MoreSearchAdapter` implementations to OR the legacy
`event.fields.sigma_rule_tag_*` filter shape with the new `mitre_categories`
shape during the migration window. Scoped for removal alongside the legacy
path.

Co-Authored-By: Claude Opus 4.7 (1M context) <[EMAIL_ADDRESS_REDACTED]>

CI yarn tsc surfaced a typed `EventDefinition` literal that hadn't been updated
when the field was added.

Co-Authored-By: Claude Opus 4.7 (1M context) <[EMAIL_ADDRESS_REDACTED]>

…ition-mitre-tactics-techniques

# Conflicts:
#	graylog2-server/src/main/java/org/graylog/events/contentpack/entities/EventDefinitionEntity.java
#	graylog2-server/src/main/java/org/graylog/events/event/Event.java
#	graylog2-server/src/main/java/org/graylog/events/event/EventDto.java
#	graylog2-server/src/main/java/org/graylog/events/event/EventProcessorEventFactory.java
#	graylog2-server/src/main/java/org/graylog/events/processor/EventDefinitionDto.java
#	graylog2-server/src/main/java/org/graylog/events/rest/EventDefinitionsResource.java
#	graylog2-server/src/main/java/org/graylog2/indexer/template/EventsIndexMapping.java
#	graylog2-web-interface/src/components/events/events/types.ts

- Rename `mitre_categories` to `tactics_techniques` across DTO, JSON, ES
  mapping, content-pack entity, FE types, fixtures.
- `TacticsTechniquesNormalizer` (mirrors `TagNormalizer`): trim, upper-case,
  drop empties. Applied in `EventDefinitionDto.Builder.build()`.
- `TacticsTechniquesValidator` Guice extension point with OSS no-op default;
  wired into create/update/validate endpoints. Enterprise overrides to
  reject IDs not in the Illuminate LUTs.
- New "Tactics/Techniques" column on the Event Definitions list.
- Editor on the event-def edit form and chip on the list column are pluggable
  (`eventDefinitions.tacticsTechniquesEditor`, `eventDefinitions.tacticsTechniquesChip`).
  OSS leaves both empty.
- Rename `TagsCell` → `ChipsCell` with generic prop names. Tags and
  Tactics/Techniques share the collapse / +N overflow UX.
- `EventImpl.equals/hashCode/toString` now include the new field.
- New TacticsTechniquesNormalizerTest; expanded EventDefinitionDtoTest,
  EventProcessorEventFactoryTest, EventDefinitionsResourceTest.

@danotorrey danotorrey changed the title Add mitre_categories field to event definitions Add tactics_techniques to event definitions May 22, 2026

…ition-mitre-tactics-techniques

# Conflicts:
#	graylog2-server/src/main/java/org/graylog/events/rest/EventDefinitionsResource.java

Remove the events list column, event-defs list column, summary view
row, and expanded details row. Schema and plugin slot wiring remain.

Assisted with Claude Code

…ithub.com:Graylog2/graylog2-server into feature/event-definition-mitre-tactics-techniques

- Make `tactics_techniques` optional on the FE EventDefinition type so
  consumers that don't set it (older fixtures, ad-hoc instances) still
  type-check. Mutation hook fills `[]` when sending to the API.
- Drop tactics_techniques from the Event Definitions EntityAttribute
  list; keep it as an extraSearchField so API search still works.
- Fix TableElement.getColumnRenderer typing to return the
  ColumnRenderersByAttribute map instead of a single ColumnRenderer.
  Make expandedSection / tableCellComponent optional and have the
  consumer handle their absence.

Assisted with Claude Code

Roll back the getColumnRenderer signature fix and the optional
expandedSection/tableCellComponent change. They're a worthwhile
cleanup but they create cross-repo coupling — anywhere a downstream
plugin had `@ts-expect-error` working around the old signature, the
directive becomes unused once the type is corrected. That tripped CI
on this PR. Will revisit in a standalone follow-up that touches both
repos together.

Assisted with Claude Code