mitre-attack / attack-stix-data

STIX data representing MITRE ATT&CK
https://attack.mitre.org/
Other
348 stars 87 forks source link

Have a field for superseded entry in enterprise-attack.json #33

Closed jecarr closed 1 year ago

jecarr commented 1 year ago

(Issue created as of v12.1)

For entries that are marked revoked or x_mitre_deprecated, it can be useful to note if one entry supersedes another.

For example, T1050:

https://attack.mitre.org/techniques/T1050/

redirects to

https://attack.mitre.org/techniques/T1543/003/

In enterprise-attack.json, there could be a field for attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790 (T1050) that refers to attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32 (T1543.003).

As far as I'm aware, the two entries don't have a link with each other to reflect one replaces the other.

ElJocko commented 1 year ago

There isn't a link directly in either of the technique (attack-pattern) objects. Instead, the two techniques are linked by a revoked-by relationship object. This is the STIX specified method for linking a revoked object with the object that supersedes it. Here's that relationship with T1050 referenced in the source_ref property and T1543.003 referenced in the target_ref property:

        {
            "object_marking_refs": [
                "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
            ],
            "id": "relationship--5fa955eb-63da-4281-8904-03f6c04c9d8d",
            "type": "relationship",
            "created": "2020-03-17T16:21:36.718Z",
            "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "modified": "2022-04-25T14:00:00.188Z",
            "relationship_type": "revoked-by",
            "source_ref": "attack-pattern--478aa214-2ca7-4ec0-9978-18798e514790",
            "target_ref": "attack-pattern--2959d63f-73fd-46a1-abd2-109d7dcede32",
            "x_mitre_version": "1.0",
            "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "spec_version": "2.1",
            "x_mitre_attack_spec_version": "2.1.0",
            "x_mitre_domains": [
                "enterprise-attack"
            ]
        }
jecarr commented 1 year ago

Thanks @ElJocko for the quick reply!