
Improve alert triage ATT&CK source metadata#624

Closed
Floofy6 wants to merge 1 commit into UnitOneAI:main from Floofy6:improve/alert-triage-v19-r3-source


Conversation


@Floofy6 Floofy6 commented Jun 4, 2026


Resolves #623.

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: alert-triage
Skill path: skills/secops/alert-triage/

What Was Wrong

The alert triage skill was still pinned to legacy ATT&CK source metadata:

  • Frontmatter and index.yaml referenced ATT&CK v16.
  • The report template repeated that legacy ATT&CK label as if it were current framework evidence.
  • The workflow did not require analysts to record reviewed ATT&CK version/date before making current ATT&CK claims.

Primary-source checks confirm MITRE ATT&CK v19.1 is current as of April 28, 2026.

Scope Note

This PR is intentionally scoped to ATT&CK source metadata only. I removed the NIST SP 800-61 Rev. 3 / CSF 2.0 changes after finding existing issue #324 and PRs #397/#325 already cover that separate lane.

What This PR Fixes

  • Updates alert-triage frontmatter and index metadata from MITRE-ATT&CK-v16 to MITRE-ATT&CK-v19.1.
  • Adds ATT&CK source-version evidence fields for reviewed version/date and legacy alert rule metadata.
  • Adds a source-version check during correlation so stale rule mappings are verified against the current Enterprise matrix before use.
  • Adds a pitfall warning against copying stale ATT&CK v16 labels into current triage reports.
  • Adds benign/vulnerable fixtures for current ATT&CK source evidence vs. stale legacy ATT&CK labels.

Test Cases Added

  • skills/secops/alert-triage/tests/vulnerable/stale-attack-v16-current-report.md
  • skills/secops/alert-triage/tests/benign/current-attack-v19-source-report.md

Validation

  • git diff --cached --check
  • frontmatter required-field and scoped framework consistency check
  • scoped index.yaml path/framework consistency check
  • markdown fence balance check for alert-triage docs and fixtures
  • prompt-injection pattern scan; only hit is the existing safety notice prohibiting exfiltration
  • official-source GET checks for MITRE ATT&CK version history, Enterprise matrix, and tactics page
  • duplicate sweep for open issues/PRs mentioning alert-triage with ATT&CK v19.1 returned no matches
  • scoped search confirms this PR no longer claims NIST Rev. 3 / CSF 2.0 ownership for alert-triage

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Payment details: Can be provided privately after acceptance, consistent with the project guidance that payment method is confirmed after the first contribution is accepted.
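The source-version check and the two fixtures the PR describes, as an added illustration that is not code from this PR or the alert-triage skill: it parses a report's frontmatter, requires reviewed ATT&CK version/date evidence, and flags a legacy rule label that has not been re-verified against the current version. The frontmatter keys (`attack_version_reviewed`, `attack_review_date`, `alert_rule_attack_version`) and the two sample reports are assumptions constructed here, not the project's fixture files.

```python
import re

# Stated on the page: MITRE ATT&CK v19.1 is current as of April 28, 2026.
CURRENT_ATTACK_VERSION = "19.1"

# Constructed sample modelled on the PR's benign fixture (assumed key names).
BENIGN_REPORT = """---
framework: MITRE-ATT&CK-v19.1
attack_version_reviewed: v19.1
attack_review_date: 2026-04-28
alert_rule_attack_version: v16
---
Rule mapping re-verified against the current Enterprise matrix before use.
"""

# Constructed sample modelled on the PR's vulnerable fixture: a stale v16
# label copied into a current report with no review evidence.
STALE_REPORT = """---
framework: MITRE-ATT&CK-v16
alert_rule_attack_version: v16
---
Alert matched an ATT&CK v16 technique; label carried over unchanged.
"""

def parse_frontmatter(text):
    """Return the YAML-style key/value frontmatter block as a dict."""
    m = re.match(r"^---\n(.*?)\n---\n", text, re.S)
    if not m:
        return {}
    pairs = (line.split(":", 1) for line in m.group(1).splitlines() if ":" in line)
    return {k.strip(): v.strip() for k, v in pairs}

def attack_version(label):
    """Extract '19.1' from 'MITRE-ATT&CK-v19.1' or 'v19.1'; None if absent."""
    m = re.search(r"v(\d+(?:\.\d+)?)", label or "")
    return m.group(1) if m else None

def triage_source_findings(report, current=CURRENT_ATTACK_VERSION):
    """List source-metadata problems; an empty list means the report passes."""
    fm = parse_frontmatter(report)
    findings = []
    fw = attack_version(fm.get("framework"))
    if fw != current:
        findings.append(f"framework label v{fw} is not current v{current}")
    if "attack_version_reviewed" not in fm or "attack_review_date" not in fm:
        findings.append("missing reviewed ATT&CK version/date evidence")
    rule = attack_version(fm.get("alert_rule_attack_version"))
    reviewed = attack_version(fm.get("attack_version_reviewed"))
    if rule and rule != current and reviewed != current:
        findings.append(f"legacy rule mapping v{rule} not re-verified against v{current}")
    return findings
```

The benign report keeps its legacy rule label but carries current review evidence, so it passes; the stale report fails all three checks.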

@Floofy6 Floofy6 force-pushed the improve/alert-triage-v19-r3-source branch from 71971e2 to 1bfe2f9 Compare June 4, 2026 10:58
@Floofy6 Floofy6 changed the title from "Improve alert triage source metadata" to "Improve alert triage ATT&CK source metadata" Jun 4, 2026
@kamalsrini kamalsrini closed this Jun 15, 2026

Development

Successfully merging this pull request may close these issues.

[REVIEW] alert-triage: refresh ATT&CK v19.1 source metadata
