center-for-threat-informed-defense / attack-flow

Attack Flow helps executives, SOC managers, and defenders easily understand how attackers compose ATT&CK techniques into attacks by developing a representation of attack flows, modeling attack flows for a small corpus of incidents, and creating visualization tools to display attack flows.
https://ctid.io/attack-flow
Apache License 2.0

"reference" type should be more explicit #30

Status: Closed (closed by JasonKeirstead 1 year ago)

JasonKeirstead commented 2 years ago

Currently the "reference" data type says

"A reference for the action. May be a URL to an ATT&CK technique."

Because this is a "MAY", there is currently no way to know in code if it is actually a technique ID or not.

I would suggest that reference should always point at the ATT&CK technique if it is present. Otherwise, a new field should be added to this object to convey that information. Code that consumes this object needs a consistent way to know which technique ID is being referred to.
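To make the ambiguity concrete, here is an added illustration (example code, not part of the issue, and not the Attack Flow project's own code or schema). It assumes a hypothetical v1-style action object whose `reference` is a free-form string that may or may not be an ATT&CK technique URL, and contrasts that with a hypothetical dedicated `technique_id` field of the kind the comment asks for. The ATT&CK URL layout it parses (`/techniques/T1059/001/` for sub-technique T1059.001) is the public attack.mitre.org convention; everything else, including the sample actions, is constructed for the example.

```python
import re
from typing import Optional

# ATT&CK technique IDs: T1059, or T1059.001 for a sub-technique.
TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# attack.mitre.org puts the sub-technique in a second path segment:
#   https://attack.mitre.org/techniques/T1059/001/  ->  T1059.001
ATTACK_URL_RE = re.compile(
    r"^https?://attack\.mitre\.org/techniques/(T\d{4})(?:/(\d{3}))?/?$"
)


def technique_id_from_reference(reference: Optional[str]) -> Optional[str]:
    """Heuristic: recover a technique ID from a free-form 'reference'.

    Returns None when the value is not an ATT&CK technique URL. This is the
    weakness the issue points at: None can mean "this action has no
    technique" or "the technique was written some other way", and the
    consumer cannot tell which.
    """
    if not reference:
        return None
    m = ATTACK_URL_RE.match(reference.strip())
    if not m:
        return None
    base, sub = m.group(1), m.group(2)
    return f"{base}.{sub}" if sub else base


def validate_technique_id(action: dict) -> Optional[str]:
    """Strict alternative using a hypothetical dedicated 'technique_id' field.

    Absent field -> None (explicitly "no technique"). Present but malformed
    -> ValueError, so bad data fails loudly instead of silently becoming None.
    """
    tid = action.get("technique_id")
    if tid is None:
        return None
    if not isinstance(tid, str) or not TECHNIQUE_ID_RE.match(tid):
        raise ValueError(f"malformed technique_id: {tid!r}")
    return tid


def summarize(actions: list) -> dict:
    """Map each action name to (heuristic id, strict id) for comparison."""
    return {
        a["name"]: (
            technique_id_from_reference(a.get("reference")),
            validate_technique_id(a),
        )
        for a in actions
    }


# Constructed sample actions (hypothetical, not from any real flow).
SAMPLE_ACTIONS = [
    {
        "name": "run powershell",
        "reference": "https://attack.mitre.org/techniques/T1059/001/",
        "technique_id": "T1059.001",
    },
    {
        "name": "send phish",
        "reference": "https://attack.mitre.org/techniques/T1566",
        "technique_id": "T1566",
    },
    {
        # A vendor write-up: a legitimate reference, but not a technique,
        # so the heuristic yields None and the explicit field says why.
        "name": "initial access (see blog)",
        "reference": "https://example.com/ir-report",
    },
]

if __name__ == "__main__":
    for name, (heuristic, strict) in summarize(SAMPLE_ACTIONS).items():
        print(f"{name!r}: from reference={heuristic}, from technique_id={strict}")
```

The regex-based heuristic works only for references that happen to be attack.mitre.org URLs; a flow that cites a technique by bare ID, by a STIX object ID, or by a mirror site would be silently misclassified, which is why a dedicated, validated field is the consumer-friendly design.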

mehaase commented 1 year ago

@JasonKeirstead This should be addressed in the v2 release that we published last week.

mehaase commented 1 year ago

Closing because I think this is resolved. Please re-open if needed.