Open lilyjw opened 1 year ago
Per discussion with @jondricek:
While the best course of action may be to create Relationships to track the domain-platform relationship and eventually be able to dynamically generate something like MATRIX_PLATFORMS_LOOKUP, that's a future thing.
For now, we'll modify the attackToExcel scripts to be able to support ATLAS' use case of a custom domain and resolve issues stated above. A few starting points to be done in our forked repo
A good test for ATT&CK's working state is to run this and confirm there are no differences from the current Excel data:
python update-attack.py --no-test-exitstatus --extras resources
@vivjamba take a look at how to auto-test this
Is your feature request related to a problem?
No, but an extension to existing functionality.
Happy to make and PR-propose the changes myself, but would like feedback from the team. Thanks for reading!
Background
I'm looking to create Excel versions of my custom ATT&CK-spinoff STIX, which is custom-domained items on top of ATT&CK Enterprise, i.e. https://mitre-atlas.github.io/atlas-navigator/ with STIX at https://github.com/mitre-atlas/atlas-navigator-data/blob/main/dist/stix-atlas.json, but have noticed some missing info and have some questions.
Steps to replicate
Upon running the following with mitreattack-python==2.0.14 with a path to that STIX linked above:
Results and Qs
The output is a directory named enterprise-attack with Excel files enterprise-attack-*.xlsx within. As expected, since the default domain is enterprise-attack, though a custom domain isn't supported because of pre-defined domain lookups.
Looking at enterprise-attack-tactics.xlsx, I see my custom tactic (top row, with the Enterprise version below), but it doesn't have an ID nor a URL.
The ID and URL are set in the custom STIX as the first element in external_references.
My custom STIX objects don't come out in enterprise-attack.xlsx, but they appear in the individual Excel files. For example - the upper window is enterprise-attack-tactics, showing my custom tactic objects (the ones with blank IDs). The bottom window is the tactics sheet of enterprise-attack.xlsx, which only has ATT&CK objects and not any custom ones.
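Added example (not part of the issue and not mitreattack-python code): a small audit that reads the ID and URL from the first external_references entry of every object in a STIX bundle and flags objects whose source_name falls outside a pre-defined set, which is one way a lookup keyed to pre-defined names could yield blank ID and URL columns. RECOGNISED_SOURCES, the example-custom-domain source name and the sample bundle are constructed assumptions.

```python
import json

# Assumption: source names an exporter might recognise; not taken from mitreattack-python.
RECOGNISED_SOURCES = {"mitre-attack"}

# Constructed sample bundle: one ATT&CK-style tactic, one custom-domain tactic, one bare tactic.
SAMPLE_BUNDLE = json.loads("""
{"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000", "objects": [
  {"type": "x-mitre-tactic", "name": "Example Enterprise Tactic",
   "external_references": [{"source_name": "mitre-attack",
     "external_id": "TA9999", "url": "https://example.invalid/tactics/TA9999"}]},
  {"type": "x-mitre-tactic", "name": "Example Custom Tactic",
   "external_references": [{"source_name": "example-custom-domain",
     "external_id": "EX.TA0001", "url": "https://example.invalid/custom/EX.TA0001"}]},
  {"type": "x-mitre-tactic", "name": "Tactic Without References"}
]}
""")

def first_reference(obj):
    """Return the first external_references entry, or {} when there is none."""
    refs = obj.get("external_references") or [{}]
    return refs[0]

def audit_bundle(bundle, recognised=RECOGNISED_SOURCES):
    """List each object's ID/URL from its first reference and flag unrecognised sources."""
    rows = []
    for obj in bundle.get("objects", []):
        ref = first_reference(obj)
        source = ref.get("source_name")
        rows.append({
            "name": obj.get("name", ""),
            "type": obj.get("type", ""),
            "id": ref.get("external_id", ""),
            "url": ref.get("url", ""),
            "source_name": source,
            # An exporter that only trusts pre-defined names would leave these blank.
            "would_be_blank": source not in recognised,
        })
    return rows

if __name__ == "__main__":
    for row in audit_bundle(SAMPLE_BUNDLE):
        flag = "BLANK?" if row["would_be_blank"] else "ok"
        print(f'{flag:7}{row["type"]:16}{row["id"]:12}{row["name"]}')
```

Pointing audit_bundle at a loaded custom-domain bundle shows which objects carry an ID and URL in the STIX yet sit outside the recognised set.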