MITRE ID in JSON Rules - How can i show them on Wazuh Portal?

[Constantinos Evangelou]

Hi, I am parsing JSON logs using Wazuh and the specific logs include MITRE ATT&CK Techniques (eg. T1047) which I want to use on Wazuh Web Console. I understand that my custom rules need to have <mitre></mitre> with defined IDs that i specify. However here the IDs are provided in the JSON log but i am not sure if and how i can use them. I've tried the mitre.id field inside the imported JSON however as soon as i do this the logs stop showing inside Wazuh. If i change the filed to eg. mitre.id.test i can see the logs just fine but without MITRE mappings and the mapping that is imported from my JSON is shown as data.mitre.id.test. Any ideas here cause i am really lost???