Attack Flow helps executives, SOC managers, and defenders easily understand how attackers compose ATT&CK techniques into attacks by developing a representation of attack flows, modeling attack flows for a small corpus of incidents, and creating visualization tools to display attack flows.
network traffic must have either a src_ref or a dst_ref, which in turn must be an IP, MAC, or domain name node
The latter point is rather complicated, because it needs to be handled at both the validator and publisher level, and it means that a network traffic's parent can be embedded in the network traffic if the parent has the proper type.
protocols requires at least one item in the list
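The two network traffic rules above, sketched as an added example that is not Attack Flow's own validator or publisher code. The function names, the sample objects, the mapping of "IP, MAC, or domain name" to the STIX types `ipv4-addr`, `ipv6-addr`, `mac-addr` and `domain-name`, and the choice of `src_ref` as the field that receives an embedded parent are all assumptions.

```python
# Added example: checks the two network-traffic rules on STIX-style dicts.
# All ids and sample objects below are constructed for illustration.
ENDPOINT_TYPES = {"ipv4-addr", "ipv6-addr", "mac-addr", "domain-name"}


def embed_parent(node, parent):
    """Publisher-side step: embed the parent as an endpoint if its type allows.

    Assumption: the parent fills src_ref; the page does not say which field.
    """
    if parent and parent["type"] in ENDPOINT_TYPES and "src_ref" not in node:
        return {**node, "src_ref": parent["id"]}
    return node


def validate_network_traffic(node, objects_by_id):
    """Validator-side step: return a list of rule violations for one node."""
    errors = []
    if not node.get("protocols"):
        errors.append("protocols requires at least one item")
    refs = [(k, node[k]) for k in ("src_ref", "dst_ref") if node.get(k)]
    if not refs:
        errors.append("needs src_ref or dst_ref")
    for field, ref in refs:
        target = objects_by_id.get(ref)
        if target is None:
            errors.append(f"{field} points to unknown object {ref}")
        elif target["type"] not in ENDPOINT_TYPES:
            errors.append(f"{field} must be an IP, MAC, or domain name node, "
                          f"got {target['type']}")
    return errors


# Constructed sample graph: an IP node and a process node, each the parent of
# one network-traffic node.
IP = {"type": "ipv4-addr", "id": "ipv4-addr--0001", "value": "198.51.100.7"}
PROC = {"type": "process", "id": "process--0002"}
OBJECTS = {o["id"]: o for o in (IP, PROC)}

GOOD = embed_parent({"type": "network-traffic", "id": "network-traffic--0003",
                     "protocols": ["tcp"]}, IP)
BAD = embed_parent({"type": "network-traffic", "id": "network-traffic--0004",
                    "protocols": []}, PROC)

if __name__ == "__main__":
    for node in (GOOD, BAD):
        print(node["id"], validate_network_traffic(node, OBJECTS) or "ok")
```

The process parent is not embedded, so the second node fails both rules, which is why the check has to exist on the validator side as well as in the publisher.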