center-for-threat-informed-defense / attack-flow

Attack Flow helps executives, SOC managers, and defenders easily understand how attackers compose ATT&CK techniques into attacks by developing a representation of attack flows, modeling attack flows for a small corpus of incidents, and creating visualization tools to display attack flows.
https://ctid.io/attack-flow
Apache License 2.0
527 stars, 84 forks

Import STIX Attack Patterns #55

Open sheetlaand opened 1 year ago

sheetlaand commented 1 year ago

Hello, the project is really interesting! To be honest, I could already see myself confronting my entire CTI database with this project, in order to convert my data from lists to graphs. Knowing that this quote is positioned as a preamble to the Project Overview, I thought it would be possible to import my TTP lists automatically, and then finish the graphs manually (in an 80/20 approach).

However, I have not found how to import a STIX bundle directly into the Builder engine. I'm obviously thinking of a classic STIX bundle, i.e. not containing the custom ATT&CK objects, like the APT1 bundle: https://github.com/oasis-open/cti-documentation/blob/main/examples/example_json/apt1.json

Am I doing something wrong, or is it not possible to import such bundles at this time? My database contains 300+ STIX bundles, with the TTPs defined in lists. Importing each bundle manually will take me forever, knowing that each one has between 20 and 40 TTPs.
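The "TTP list" the request above wants to pull out of a plain STIX bundle is the set of `attack-pattern` objects, usually reachable from an actor through `uses` relationships. The script below, added here as an illustration and not code from the attack-flow project, does that extraction with the standard library only: it indexes the bundle by id, walks `uses` relationships to attack-patterns, reads the ATT&CK technique id from `external_references` where one is present, skips dangling references instead of failing, and reports attack-patterns that no relationship points at (the ones that would still need manual placement in a graph). The bundle is constructed inline for the example and is not the APT1 bundle; the object shapes and the `source_name: "mitre-attack"` convention are the assumptions it relies on.

```python
"""Pull the TTP list (attack-pattern objects) out of a plain STIX 2.1 bundle.

Standard-library only, so it runs offline. Added example; not code from the
attack-flow project. SAMPLE_BUNDLE is constructed for illustration and is NOT
the APT1 bundle, although it uses the same plain STIX object types.
"""
import json
from collections import defaultdict

SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "intrusion-set", "spec_version": "2.1",
         "id": "intrusion-set--00000000-0000-4000-8000-000000000010",
         "name": "Sample Intrusion Set"},
        {"type": "attack-pattern", "spec_version": "2.1",
         "id": "attack-pattern--00000000-0000-4000-8000-000000000020",
         "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "attack-pattern", "spec_version": "2.1",
         "id": "attack-pattern--00000000-0000-4000-8000-000000000021",
         "name": "Command and Scripting Interpreter",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
        # A TTP with no ATT&CK mapping: still part of the list, reported as unmapped.
        {"type": "attack-pattern", "spec_version": "2.1",
         "id": "attack-pattern--00000000-0000-4000-8000-000000000022",
         "name": "Custom Technique"},
        # An attack-pattern nothing points at: must be surfaced for manual placement.
        {"type": "attack-pattern", "spec_version": "2.1",
         "id": "attack-pattern--00000000-0000-4000-8000-000000000023",
         "name": "Exfiltration Over C2 Channel",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1041"}]},
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "uses",
         "id": "relationship--00000000-0000-4000-8000-000000000030",
         "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000010",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000020"},
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "uses",
         "id": "relationship--00000000-0000-4000-8000-000000000031",
         "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000010",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000021"},
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "uses",
         "id": "relationship--00000000-0000-4000-8000-000000000032",
         "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000010",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-000000000022"},
        # Dangling target_ref (object absent from the bundle): skipped, not fatal.
        {"type": "relationship", "spec_version": "2.1", "relationship_type": "uses",
         "id": "relationship--00000000-0000-4000-8000-000000000033",
         "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000010",
         "target_ref": "attack-pattern--00000000-0000-4000-8000-0000000000ff"},
    ],
})


def load_bundle(text):
    """Parse bundle JSON and index its objects by STIX id (bundle order kept)."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    return {o["id"]: o for o in bundle.get("objects", []) if "id" in o and "type" in o}


def attack_id(obj):
    """Return the ATT&CK technique id from external_references, or None if unmapped."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and ref.get("external_id"):
            return ref["external_id"]
    return None


def extract_ttps(objects):
    """Map each 'uses' source (actor, malware, ...) to its list of (name, ATT&CK id)."""
    ttps = defaultdict(list)
    for obj in objects.values():
        if obj.get("type") != "relationship" or obj.get("relationship_type") != "uses":
            continue
        src = objects.get(obj.get("source_ref"))
        tgt = objects.get(obj.get("target_ref"))
        if src is None or tgt is None or tgt.get("type") != "attack-pattern":
            continue  # dangling reference, or a 'uses' edge that is not a TTP
        ttps[src.get("name", src["id"])].append((tgt.get("name", ""), attack_id(tgt)))
    return dict(ttps)


def unlinked_attack_patterns(objects):
    """Names of attack-patterns no 'uses' relationship targets (need manual placement)."""
    targeted = {o.get("target_ref") for o in objects.values()
                if o.get("type") == "relationship" and o.get("relationship_type") == "uses"}
    return [o.get("name", o["id"]) for o in objects.values()
            if o.get("type") == "attack-pattern" and o["id"] not in targeted]


if __name__ == "__main__":
    objs = load_bundle(SAMPLE_BUNDLE)
    for actor, techniques in extract_ttps(objs).items():
        print(actor)
        for name, tid in techniques:
            print(f"  {tid or 'unmapped':>9}  {name}")
    print("unlinked:", unlinked_attack_patterns(objs))
```

The output is a flat list per actor, which is the "list" side of the lists-to-graphs problem; ordering between techniques still has to come from the report narrative or be added by hand, since plain `uses` relationships carry no sequence.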

mehaase commented 1 year ago

Hi, it is not possible to import STIX bundles at this time (other than native Attack Flow bundles), but this is an interesting idea. Do you have any STIX bundles that you can share, either here on GitHub or directly with me over email? That would be helpful for us to implement this feature.

sheetlaand commented 1 year ago

Hi @mehaase, of course I can share with you several STIX Bundles. To start, you can find a valid STIX bundle in the link shared above, but also in the links below:

Is that enough for you to begin the tests? Keep me informed :) Regards,