diff --git a/source/images/manual/mitre/events-filters.png b/source/images/manual/mitre/events-filters.png index a29b2a67fc..7f77c158db 100644 Binary files a/source/images/manual/mitre/events-filters.png and b/source/images/manual/mitre/events-filters.png differ diff --git a/source/images/manual/mitre/mitre-id-t1110-information.png b/source/images/manual/mitre/mitre-id-t1110-information.png deleted file mode 100644 index 0faf1ec2a8..0000000000 Binary files a/source/images/manual/mitre/mitre-id-t1110-information.png and /dev/null differ diff --git a/source/images/manual/mitre/mitre-id-t1543.003-information.png b/source/images/manual/mitre/mitre-id-t1543.003-information.png new file mode 100644 index 0000000000..f4874c38f1 Binary files /dev/null and b/source/images/manual/mitre/mitre-id-t1543.003-information.png differ diff --git a/source/images/manual/mitre/visualize-the-alerts.png b/source/images/manual/mitre/visualize-the-alerts.png index 4a201ff393..4344902f90 100644 Binary files a/source/images/manual/mitre/visualize-the-alerts.png and b/source/images/manual/mitre/visualize-the-alerts.png differ diff --git a/source/release-notes/index-4x.rst b/source/release-notes/index-4x.rst index aee55ba55c..2c255a304e 100644 --- a/source/release-notes/index-4x.rst +++ b/source/release-notes/index-4x.rst @@ -15,7 +15,7 @@ Wazuh version Release date :doc:`4.7.1 ` TBD :doc:`4.7.0 ` TBD :doc:`4.6.0 ` TBD -:doc:`4.5.4 ` TBD +:doc:`4.5.4 ` 23 October 2023 :doc:`4.5.3 ` 10 October 2023 :doc:`4.5.2 ` 6 September 2023 :doc:`4.5.1 ` 24 August 2023 diff --git a/source/release-notes/index.rst b/source/release-notes/index.rst index b61726bd84..855f929981 100644 --- a/source/release-notes/index.rst +++ b/source/release-notes/index.rst @@ -15,7 +15,7 @@ Wazuh version Release date :doc:`4.7.1 ` TBD :doc:`4.7.0 ` TBD :doc:`4.6.0 ` TBD -:doc:`4.5.4 ` TBD +:doc:`4.5.4 ` 23 October 2023 :doc:`4.5.3 ` 10 October 2023 :doc:`4.5.2 ` 6 September 2023 :doc:`4.5.1 ` 24 August 2023 
diff --git a/source/release-notes/release-4-5-4.rst b/source/release-notes/release-4-5-4.rst index 5e93a5df4a..33e0f17a6c 100644 --- a/source/release-notes/release-4-5-4.rst +++ b/source/release-notes/release-4-5-4.rst @@ -3,8 +3,8 @@ .. meta:: :description: Wazuh 4.5.4 has been released. Check out our release notes to discover the changes and additions of this release. -4.5.4 Release notes - TBD -========================= +4.5.4 Release notes - 23 October 2023 +===================================== This section lists the changes in version 4.5.4. Every update of the Wazuh solution is cumulative and includes all enhancements and fixes from previous releases. diff --git a/source/release-notes/release-4-6-0.rst b/source/release-notes/release-4-6-0.rst index 6f8c542a4d..bcc23e5ce4 100644 --- a/source/release-notes/release-4-6-0.rst +++ b/source/release-notes/release-4-6-0.rst 
@@ -108,28 +108,28 @@ Ruleset Wazuh dashboard ^^^^^^^^^^^^^^^ -- `#5197 `__ `#5274 `__ `#5298 `__ `#5409 `__ Added ``rel="noopener noreferrer"`` in documentation links. -- `#5203 `__ Added ``ignore`` and ``restrict`` options to Syslog configuration. -- `#5376 `__ Added the ``extensions.github`` and ``extensions.office`` settings to the default configuration file. -- `#4163 `__ Added new global error treatment (client-side). -- `#5519 `__ Added new CLI to generate API data from specification file. -- `#5551 `__ Added specific RBAC permissions to the Security section. -- `#5443 `__ Added **Refresh** and **Export formatted** button to panels in **Agents > Inventory data**. -- `#5491 `__ Added **Refresh** and **Export formatted** buttons to **Management > Cluster > Nodes**. -- `#5201 `__ Changed of regular expression in RBAC. -- `#5384 `__ Migrated the ``timeFilter``, ``metaFields``, and ``maxBuckets`` health checks inside the ``pattern`` check. -- `#5485 `__ Changed the query to search for an agent in **Management > Configuration**. -- `#5476 `__ Changed the search bar in ``management/log`` to the one used in the rest of the app. -- `#5457 `__ Changed the design of the wizard to add agents. -- `#5363 `__ `#5442 `__ `#5443 `__ `#5444 `__ `#5445 `__ `#5447 `__ `#5452 `__ `#5491 `__ `#5785 `__ Introduced a new, enhanced search bar. It adds new features to all the searchable tables which leverages the Wazuh API. It also addresses some of the issues found in the previous version. -- `#5451 `__ Removed deprecated request and code in agent's view. -- `#5453 `__ Removed unnecessary dashboard queries caused by the deploy agent view. -- `#5500 `__ Removed repeated and unnecessary requests in the Security section. -- `#5519 `__ Removed scripts to generate API data from live Wazuh manager. -- `#5532 `__ Removed the ``pretty`` parameter from cron job requests. -- `#5528 `__ Removed unnecessary requests in the **Management > Status** section. 
-- `#5485 `__ Removed obsolete code that caused duplicate requests to the API in **Management**. -- `#5592 `__ Removed unused embedded ``jquery-ui``. +- `#5197 `__ `#5274 `__ `#5298 `__ `#5409 `__ Added ``rel="noopener noreferrer"`` in documentation links. +- `#5203 `__ Added ``ignore`` and ``restrict`` options to Syslog configuration. +- `#5376 `__ Added the ``extensions.github`` and ``extensions.office`` settings to the default configuration file. +- `#4163 `__ Added new global error treatment (client-side). +- `#5519 `__ Added new CLI to generate API data from specification file. +- `#5551 `__ Added specific RBAC permissions to the Security section. +- `#5443 `__ Added **Refresh** and **Export formatted** button to panels in **Agents > Inventory data**. +- `#5491 `__ Added **Refresh** and **Export formatted** buttons to **Management > Cluster > Nodes**. +- `#5201 `__ Changed of regular expression in RBAC. +- `#5384 `__ Migrated the ``timeFilter``, ``metaFields``, and ``maxBuckets`` health checks inside the ``pattern`` check. +- `#5485 `__ Changed the query to search for an agent in **Management > Configuration**. +- `#5476 `__ Changed the search bar in ``management/log`` to the one used in the rest of the app. +- `#5457 `__ Changed the design of the wizard to add agents. +- `#5363 `__ `#5442 `__ `#5443 `__ `#5444 `__ `#5445 `__ `#5447 `__ `#5452 `__ `#5491 `__ `#5785 `__ Introduced a new, enhanced search bar. It adds new features to all the searchable tables which leverages the Wazuh API. It also addresses some of the issues found in the previous version. +- `#5451 `__ Removed deprecated request and code in agent's view. +- `#5453 `__ Removed unnecessary dashboard queries caused by the deploy agent view. +- `#5500 `__ Removed repeated and unnecessary requests in the Security section. +- `#5519 `__ Removed scripts to generate API data from live Wazuh manager. +- `#5532 `__ Removed the ``pretty`` parameter from cron job requests. 
+- `#5528 `__ Removed unnecessary requests in the **Management > Status** section. +- `#5485 `__ Removed obsolete code that caused duplicate requests to the API in **Management**. +- `#5592 `__ Removed unused embedded ``jquery-ui``. Resolved issues --------------- 
@@ -213,26 +213,26 @@ Reference Description Wazuh dashboard ^^^^^^^^^^^^^^^ -=============================================================== ============= -Reference Description -=============================================================== ============= -`#4828 `__ Fixed trailing hyphen character for OS value in the list of agents. -`#4911 `__ Fixed several typos in the code. -`#4917 `__ Fixed the display of more than one protocol in the Global configuration section. -`#4918 `__ Fixed uncaught error and wrong error message in the PCI DSS Control tab. -`#4894 `__ Fixed references to Elasticsearch in Wazuh-stack plugin. -`#5135 `__ Fixed the 2 errors that appeared in console in **Settings > Configuration** section. -`#5376 `__ Fixed the GitHub and Office 365 module visibility configuration for each API host that was not kept when changing/upgrading the plugin. -`#5376 `__ Fixed the GitHub and Office 365 modules appearing in the main menu when they were not configured. -`#5364 `__ Fixed TypeError in FIM Inventory using a new error handler. -`#5423 `__ Fixed error when using invalid group configuration. -`#5460 `__ Fixed repeated requests in inventory data and configurations of an agent. -`#5465 `__ Fixed repeated requests in the group table when adding a group or refreshing the table. -`#5521 `__ Fixed an error in the request body suggestions of API Console. -`#5734 `__ Fixed some errors related to relative dirname of rule and decoder files. -`#5879 `__ Fixed package URLs in the ``aarch64`` commands. -`#5888 `__ Fixed the install macOS agent commands. -=============================================================== ============= +========================================================================= ============= +Reference Description +========================================================================= ============= +`#4828 `__ Fixed trailing hyphen character for OS value in the list of agents. +`#4911 `__ Fixed several typos in the code. 
+`#4917 `__ Fixed the display of more than one protocol in the Global configuration section. +`#4918 `__ Fixed uncaught error and wrong error message in the PCI DSS Control tab. +`#4894 `__ Fixed references to Elasticsearch in Wazuh-stack plugin. +`#5135 `__ Fixed the 2 errors that appeared in console in **Settings > Configuration** section. +`#5376 `__ Fixed the GitHub and Office 365 module visibility configuration for each API host that was not kept when changing/upgrading the plugin. +`#5376 `__ Fixed the GitHub and Office 365 modules appearing in the main menu when they were not configured. +`#5364 `__ Fixed TypeError in FIM Inventory using a new error handler. +`#5423 `__ Fixed error when using invalid group configuration. +`#5460 `__ Fixed repeated requests in inventory data and configurations of an agent. +`#5465 `__ Fixed repeated requests in the group table when adding a group or refreshing the table. +`#5521 `__ Fixed an error in the request body suggestions of API Console. +`#5734 `__ Fixed some errors related to relative dirname of rule and decoder files. +`#5879 `__ Fixed package URLs in the ``aarch64`` commands. +`#5888 `__ Fixed the install macOS agent commands. +========================================================================= ============= Packages @@ -253,5 +253,5 @@ Changelogs More details about these changes are provided in the changelog of each component: - `wazuh/wazuh `__ -- `wazuh/wazuh-dashboard `__ +- `wazuh/wazuh-dashboard `__ - `wazuh/wazuh-packages `__ diff --git a/source/release-notes/release-4-7-0.rst b/source/release-notes/release-4-7-0.rst index 0ee7a8fa9d..7ba7fdd0a6 100644 --- a/source/release-notes/release-4-7-0.rst +++ b/source/release-notes/release-4-7-0.rst 
@@ -41,12 +41,12 @@ Agent Wazuh dashboard ^^^^^^^^^^^^^^^ -- `#5680 `_ Added the **Status detail** column in the **Agents** table. -- `#5738 `_ The agent registration wizard now effectively manages special characters in passwords. -- `#5636 `_ Changed the **Network ports** table columns for Linux agents. -- `#5748 `_ Updated development dependencies: ``@typescript-eslint/eslint-plugin, @typescript-eslint/parser, eslint, swagger-client``. -- `#5707 `_ Changed Timelion-type displays in the **Management > Statistics** section to line-type displays. -- `#5747 `_ Removed views in JSON and XML formats from the **Management** settings. +- `#5680 `__ Added the **Status detail** column in the **Agents** table. +- `#5738 `__ The agent registration wizard now effectively manages special characters in passwords. +- `#5636 `__ Changed the **Network ports** table columns for Linux agents. +- `#5748 `__ Updated development dependencies: ``@typescript-eslint/eslint-plugin, @typescript-eslint/parser, eslint, swagger-client``. +- `#5707 `__ Changed Timelion-type displays in the **Management > Statistics** section to line-type displays. +- `#5747 `__ Removed views in JSON and XML formats from the **Management** settings. Resolved issues --------------- 
@@ -95,20 +95,20 @@ Reference Description Wazuh dashboard ^^^^^^^^^^^^^^^ -============================================================== ============= -Reference Description -============================================================== ============= -`#5591 `_ Fixed problem with new or missing columns in the **Agents** table. -`#5676 `_ Fixed the color of the agent name in the groups section in dark mode. -`#5597 `_ Fixed the propagation event so that the flyout data, in the decoders, does not change when the button is pressed. -`#5631 `_ Fixed the tooltips of the tables in the **Security** section, and removed unnecessary requests. -============================================================== ============= +======================================================================= ============= +Reference Description +======================================================================= ============= +`#5591 `__ Fixed problem with new or missing columns in the **Agents** table. +`#5676 `__ Fixed the color of the agent name in the groups section in dark mode. +`#5597 `__ Fixed the propagation event so that the flyout data, in the decoders, does not change when the button is pressed. +`#5631 `__ Fixed the tooltips of the tables in the **Security** section, and removed unnecessary requests. +======================================================================= ============= Changelogs ---------- More details about these changes are provided in the changelog of each component: -- `wazuh/wazuh `_ -- `wazuh/wazuh-dashboard `_ -- `wazuh/wazuh-packages `_ \ No newline at end of file +- `wazuh/wazuh `__ +- `wazuh/wazuh-dashboard `__ +- `wazuh/wazuh-packages `__ \ No newline at end of file diff --git a/source/user-manual/ruleset/mitre.rst b/source/user-manual/ruleset/mitre.rst index 639fef9986..7d5afce0fb 100644 --- a/source/user-manual/ruleset/mitre.rst +++ b/source/user-manual/ruleset/mitre.rst 
@@ -3,8 +3,6 @@ .. meta:: :description: Learn more about the enhancement of Wazuh with MITRE, a feature that allows the user to customize the alert information to include specific information related to MITRE ATT&CK techniques. -.. _mitre: - Enhancing detection with MITRE ATT&CK framework =============================================== 
@@ -82,46 +80,40 @@ For this example, we require the following infrastructure: .. |WAZUH_OVA| replace:: `Wazuh OVA `__ -+------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Endpoint | Example description | -+==================+======================================================================================================================================================================+ -| **Wazuh server** | You can download the |WAZUH_OVA| or install it using the :doc:`installation guide `. | -+------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| **Kali Linux** | This is the attacker endpoint. We use it to perform brute-force attacks against the monitored Ubuntu endpoint. | -+------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| **Ubuntu 22.04** || We perform SSH brute-force attacks against this victim endpoint. | -| || It is required to have an SSH server installed and enabled on this endpoint. 
| -+------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Endpoint | Example description | ++==================+======================================================================================================================================================================================================================================+ +| **Wazuh server** | You can download the |WAZUH_OVA| or install it using the :doc:`installation guide `. | ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| **Windows 11** || We perform privilege escalation emulation attack on this endpoint. | +| || It is required to have a Wazuh agent installed and enrolled to the Wazuh server. To install the Wazuh agent, refer to the :doc:`Wazuh Windows installation guide `. | ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ Wazuh server ~~~~~~~~~~~~ + #. Append the following rules to the ``/var/ossec/etc/rules/local_rules.xml`` file: .. code-block:: xml - :emphasize-lines: 9,14 - - - - 5710 - sshd: authentication failed from $(srcip). - authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5, - + - - 100002 - sshd: brute force trying to get access to the system. 
- + + 61615 + HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PSEXESVC + ^SetValue$ + NT AUTHORITY\\\\SYSTEM + no_full_log + PsExec service running as $(win.eventdata.user) has been created on $(win.system.computer) - T1110 + T1543.003 - - The rule ``100003`` above creates an alert when eight (8) failed ssh bruteforce events occur on a monitored endpoint from the same IP address. It is mapped to the MITRE ATT&CK ID ``T1110`` indicating the brute force attack technique. + The rule ``110011`` creates an alert whenever there is a creation of a service named ``PSEXESVC``, which occurs each time PsExec is executed on the Windows endpoint. It is mapped to the MITRE ATT&CK ID ``T1543.003``, indicating the persistence and privilege escalation tactics. - When the rule triggers, the alert contains information about the MITRE ATT&CK ID ``T1110``. + When the rule triggers, the alert contains information about the MITRE ATT&CK ID ``T1543.003``. #. Restart the Wazuh manager service to apply the changes: 
@@ -129,33 +121,56 @@ Wazuh server $ sudo systemctl restart wazuh-manager.service -Kali endpoint -~~~~~~~~~~~~~ +Windows 11 +~~~~~~~~~~ -Perform the following steps on the Kali Linux endpoint to launch the brute-force attack. +Perform the following steps to configure the Wazuh agent to capture Sysmon logs and send them to the Wazuh server for analysis. -#. Create a text file, ``pass_list.txt``, with six (6) random passwords in the ``/tmp/`` directory using the following command: +#. Download `Sysmon `__ and the configuration file `sysmonconfig.xml `__. +#. Launch PowerShell with administrative privilege, and install Sysmon as follows: - .. code-block:: console + .. code-block:: powershell - $ cat > /tmp/pass_list.txt << EOF - X9#fGvK5mZ - tR3@LdN6xY - sP7#hJ8kQz - cF2!nB6jWx - dH5#tK9lMq - zT6$fR9pXs - bG8!mY7wQz - nE4&tU2cPq - gA1%pD3iSx - vW2!rC5oLm - EOF - -#. Launch the brute-force attack against the Ubuntu endpoint’s SSH service using the following command while replacing ```` with the IP address of the Ubuntu endpoint: + > .\Sysmon64.exe -accepteula -i .\sysmonconfig.xml - .. code-block:: console +#. Edit the Wazuh agent ``C:\Program Files (x86)\ossec-agent\ossec.conf`` file and include the following settings within the ```` block: + + .. code-block:: xml + + + + Microsoft-Windows-Sysmon/Operational + eventchannel + + +#. Restart the Wazuh agent for the changes to take effect: + + .. code-block:: powershell + + > Restart-Service -Name wazuh + +PsExec execution +^^^^^^^^^^^^^^^^ - $ sudo hydra -l attacker -P /tmp/pass_list.txt ssh +We download the `PsTools archive from the Microsoft Sysinternals `__ page and extract the PsExec binary from the archive. The following command escalates a Windows PowerShell process from an administrator user to a SYSTEM user: + + .. code-block:: powershell + + >./psexec -i -s powershell /accepteula + +Run the command below to confirm that the new instance of PowerShell is running as SYSTEM: + + .. 
code-block:: powershell + + > whoami + +Output is shown below: + + .. code-block:: none + :class: output + + PS C:\Windows\system32> whoami + nt authority\system Visualize the alerts ^^^^^^^^^^^^^^^^^^^^ @@ -174,9 +189,9 @@ We use filters on the **Security Module > MITRE ATT&CK> Events** tab of the Wazu :align: center :width: 80% -Expand the rule ID ``100003`` alert to view the MITRE ID ``T1110`` information. +Expand the rule ID ``110011`` alert to view the MITRE ID ``T1543.003`` information. -.. thumbnail:: /images/manual/mitre/mitre-id-t1110-information.png +.. thumbnail:: /images/manual/mitre/mitre-id-t1543.003-information.png :title: MITRE ID T1110 information :alt: MITRE ID T1110 information :align: center 
@@ -185,65 +200,78 @@ Expand the rule ID ``100003`` alert to view the MITRE ID ``T1110`` information. Click on the **JSON** tab to view the details of the alert in JSON format: .. code-block:: json - :emphasize-lines: 22-32 { "agent": { - "ip": "192.168.121.78", - "name": "Ubuntu-22", - "id": "003" + "ip": "172.20.10.3", + "name": "Windows11", + "id": "002" + }, + "manager": { + "name": "wazuh-server" }, "data": { - "srcuser": "attacker", - "srcip": "192.168.121.127", - "srcport": "34890" + "win": { + "eventdata": { + "image": "C:\\\\Windows\\\\system32\\\\services.exe", + "targetObject": "HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PSEXESVC\\\\ObjectName", + "processGuid": "{45cd4aff-93d1-6501-0b00-000000000b00}", + "processId": "720", + "utcTime": "2023-10-16 12:12:15.759", + "ruleName": "technique_id=T1543,technique_name=Service Creation", + "details": "LocalSystem", + "eventType": "SetValue", + "user": "NT AUTHORITY\\\\SYSTEM" + }, + "system": { + "eventID": "13", + "keywords": "0x8000000000000000", + "providerGuid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}", + "level": "4", + "channel": "Microsoft-Windows-Sysmon/Operational", + "opcode": "0", + "message": "\"Registry value set:\r\nRuleName: technique_id=T1543,technique_name=Service Creation\r\nEventType: SetValue\r\nUtcTime: 2023-10-16 12:12:15.759\r\nProcessGuid: {45cd4aff-93d1-6501-0b00-000000000b00}\r\nProcessId: 720\r\nImage: C:\\Windows\\system32\\services.exe\r\nTargetObject: HKLM\\System\\CurrentControlSet\\Services\\PSEXESVC\\ObjectName\r\nDetails: LocalSystem\r\nUser: NT AUTHORITY\\SYSTEM\"", + "version": "2", + "systemTime": "2023-10-16T12:12:15.7636688Z", + "eventRecordID": "118081", + "threadID": "3644", + "computer": "Windows11", + "task": "13", + "processID": "3140", + "severityValue": "INFORMATION", + "providerName": "Microsoft-Windows-Sysmon" + } + } }, "rule": { - "firedtimes": 1, + "firedtimes": 4, "mail": false, "level": 10, - "description": "sshd: brute force trying to get access to 
the system.", + "description": "PsExec service running as NT AUTHORITY\\\\SYSTEM has been created on Windows11", "groups": [ - "local", - "syslog", - "sshd" + "windows", + "sysmon" ], "mitre": { "technique": [ - "Brute Force" + "Windows Service" ], "id": [ - "T1110" + "T1543.003" ], "tactic": [ - "Credential Access" + "Persistence", + "Privilege Escalation" ] }, - "id": "100003", - "frequency": 8 - }, - "full_log": "May 22 10:40:41 ubuntu2204 sshd[2908]: Invalid user attacker from 192.168.121.127 port 34890", - "id": "1684752043.76892", - "timestamp": "2023-05-22T10:40:43.395+0000", - "predecoder": { - "hostname": "ubuntu2204", - "program_name": "sshd", - "timestamp": "May 22 10:40:41" - }, - "previous_output": "May 22 10:40:41 ubuntu2204 sshd[2909]: Invalid user attacker from 192.168.121.127 port 34892\nMay 22 10:40:41 ubuntu2204 sshd[2905]: Invalid user attacker from 192.168.121.127 port 34884\nMay 22 10:40:41 ubuntu2204 sshd[2904]: Invalid user attacker from 192.168.121.127 port 34880\nMay 22 10:40:41 ubuntu2204 sshd[2912]: Invalid user attacker from 192.168.121.127 port 34898\nMay 22 10:40:41 ubuntu2204 sshd[2906]: Invalid user attacker from 192.168.121.127 port 34886\nMay 22 10:40:41 ubuntu2204 sshd[2903]: Invalid user attacker from 192.168.121.127 port 34881\nMay 22 10:40:41 ubuntu2204 sshd[2907]: Invalid user attacker from 192.168.121.127 port 34888", - "manager": { - "name": "centos7" + "id": "110011" }, + "location": "EventChannel", "decoder": { - "parent": "sshd", - "name": "sshd" - }, - "input": { - "type": "log" + "name": "windows_eventchannel" }, - "@timestamp": "2023-05-22T10:40:43.395Z", - "location": "/var/log/auth.log", - "_id": "_H4MQ4gBagiVP1CbE_oe" + "id": "1694607138.3688437", + "timestamp": "2023-10-16T12:12:18.684+0000" } The alerts display the MITRE ATT&CK ID and its associated tactics and techniques. This helps users quickly understand the nature of the attack and take appropriate actions.
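Review bot: Since every line of the Wazuh dashboard enhancement list in release-4-6-0.rst is rewritten in this hunk anyway, fix the wording that is carried over unchanged: "Changed of regular expression in RBAC" should read "Changed the regular expression in RBAC"; "Added **Refresh** and **Export formatted** button to panels in **Agents > Inventory data**" should say "buttons", as the following `#5491` entry does; and "all the searchable tables which leverages the Wazuh API" should be "that leverage".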
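Review bot: The Changelogs hunk of release-4-7-0.rst still carries `\ No newline at end of file` on both sides; since the hunk already rewrites the last line, end the file with a newline. The change from `_` to `__` on every link is correct and makes this file consistent with release-4-6-0.rst, which already uses anonymous hyperlinks throughout.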
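Review bot: Removing the `.. _mitre:` label from mitre.rst breaks any `:ref:`mitre`` cross-reference elsewhere in the documentation (Sphinx reports an undefined label at build time), and the hunk gives no reason for dropping it. Either confirm that no other page references the label before merging, or keep it.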
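Review bot: The explanation under the new rule says it "creates an alert whenever there is a creation of a service named ``PSEXESVC``", but what the rule actually matches is a registry value set (`^SetValue$`) on `HKLM\\\\System\\\\CurrentControlSet\\\\Services\\\\PSEXESVC` performed by `NT AUTHORITY\\\\SYSTEM`, chained from rule `61615`; the sample alert later in the patch shows this is Sysmon event ID 13. State that in the explanation so readers understand why Sysmon is a prerequisite and that coverage depends on the endpoint forwarding Sysmon registry events. Two smaller points in the same hunk: the table row "We perform privilege escalation emulation attack on this endpoint" needs an article ("a privilege escalation emulation attack"), and the dropped `:emphasize-lines:` option was what drew attention to the `<mitre>` block, which is the subject of this page; recompute it for the new rule rather than removing it.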
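Review bot: In the PsExec execution hunk, the `.. code-block::` directives under "We download the `PsTools archive ...`", "Run the command below to confirm ..." and "Output is shown below:" are indented like the list-item continuations above them, but these paragraphs are not list items, so Sphinx renders each block inside a block quote; dedent them to the paragraph level. The prompt in `>./psexec -i -s powershell /accepteula` also lacks the space used in every other PowerShell example in the section (`> whoami`, `> Restart-Service -Name wazuh`).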
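Review bot: The `.. thumbnail::` path is updated to `mitre-id-t1543.003-information.png`, but the `:title:` and `:alt:` options on the two unchanged lines below it still read `MITRE ID T1110 information`; update both to T1543.003 so the alt text matches the image and the sentence above it. The hunk context line `**Security Module > MITRE ATT&CK> Events**` is also missing a space before the second `>`.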
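Review bot: Dropping `:emphasize-lines: 22-32` from the JSON block loses the highlight on the `mitre` object (`Windows Service`, `T1543.003`, `Persistence`, `Privilege Escalation`), which is the part of the alert this section exists to show; recompute the line range for the new alert instead of removing the option.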