Add MITRE ATT&CK threat mappings for ML job rules

[jmcarlock]

Pull Request

Issue link(s):

• https://github.com/elastic/security-ml/issues/906

Summary - What I changed

Added MITRE ATT&CK threat mappings to the ML job detection rules.

How To Test

Ran rule test pipeline. Verified consistency.

Checklist

• Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
• [x] Added the meta:rapid-merge label if planning to merge within 24 hours
• [ ] Secret and sensitive material has been managed correctly
• [ ] Automated testing was updated or added to match the most common scenarios
• [ ] Documentation and comments were added for features that require explanation

[github-actions]

Enhancement - Guidelines

These guidelines serve as a reminder set of considerations when addressing adding a feature to the code.

Documentation and Context

• Describe the feature enhancement in detail (alternative solutions, description of the solution, etc.) if not already documented in an issue.
• Include additional context or screenshots.
• Ensure the enhancement includes necessary updates to the documentation and versioning.

Code Standards and Practices

• Code follows established design patterns within the repo and avoids duplication.
• Ensure that the code is modular and reusable where applicable.

Testing

• New unit tests have been added to cover the enhancement.
• Existing unit tests have been updated to reflect the changes.
• Provide evidence of testing and validating the enhancement (e.g., test logs, screenshots).
• Validate that any rules affected by the enhancement are correctly updated.
• Ensure that performance is not negatively impacted by the changes.
• Verify that any release artifacts are properly generated and tested.
• Conducted system testing, including fleet, import, and create APIs (e.g., run make test-cli, make test-remote-cli, make test-hunting-cli)

Additional Checks

• Verify that the enhancement works across all relevant environments (e.g., different OS versions).
• Confirm that the proper version label is applied to the PR patch, minor, major.

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Unusual Network Destination Domain Name (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Rare AWS Error Code (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Network Traffic to Rare Destination Country (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Linux Network Port Activity (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Linux Network Activity (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in AWS Error Messages (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual City For an AWS Command (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual AWS Command for a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Decline in host-based traffic (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Network Traffic (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Windows Network Activity (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Network Traffic To a Country (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Country For an AWS Command (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Firewall Denies (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in host-based traffic (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[jmcarlock]

These ML rules are quite broad and I tried to be expansive in this PR and cover as many techniques/tactics as I could which were in the job descriptions. We can potentially trim them a bit.

@susan-shu-c and/or @sodhikirti07 can pick this up and merge while I am away. (Nov 19-30)

Can you advise on the RTA errors?

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Unusual Network Destination Domain Name (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Rare AWS Error Code (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Network Traffic to Rare Destination Country (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Linux Network Port Activity (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Linux Network Activity (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in AWS Error Messages (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual City For an AWS Command (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual AWS Command for a User (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Decline in host-based traffic (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Network Traffic (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Windows Network Activity (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Network Traffic To a Country (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Unusual Country For an AWS Command (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in Firewall Denies (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Spike in host-based traffic (-)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta