forked from center-for-threat-informed-defense/attack-flow
-
Notifications
You must be signed in to change notification settings - Fork 4
/
attack-flow-schema-2.0.0.json
428 lines (428 loc) · 19.9 KB
/
attack-flow-schema-2.0.0.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://center-for-threat-informed-defense.github.io/attack-flow/schema/attack-flow-schema-2.0.0.json",
"title": "Attack Flow STIX 2.1 Extension",
"description": "This schema is the normative definition of the STIX 2.1 extension `extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4`. It extends STIX with additional STIX Data Objects (SDOs) that model Attack Flow concepts.",
"type": "object",
"unevaluatedProperties": false,
"allOf": [
{
"$comment": "All Attack Flow SDOs implement the required common properties.",
"$ref": "http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/core.json"
},
{
"$comment": "Attack Flow SDOs must reference the extension definition.",
"type": "object",
"properties": {
"extensions": {
"type": "object",
"properties": {
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4": {
"type": "object",
"properties": {
"extension_type": {
"type": "string",
"const": "new-sdo"
}
},
"required": [
"extension_type"
]
}
},
"required": [
"extension-definition--fb9c968a-745b-4ade-9b25-c324172197f4"
]
}
},
"required": [
"extensions"
]
},
{
"$comment": "Link to the Attack Flow SDO subschemas based on object type. Note: this nested if-else construction is difficult to maintain. We weighed several different structures here, e.g. using a oneOf, but selected this structure because it produces better validation messages than a oneOf and make it easy to forward-reference the Attack Flow SDO subschemas from the main Attack Flow schema.",
"if": {
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "attack-flow"
}
}
},
"then": {
"$ref": "#/$defs/attack-flow"
},
"else": {
"if": {
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "attack-action"
}
}
},
"then": {
"$ref": "#/$defs/attack-action"
},
"else": {
"if": {
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "attack-condition"
}
}
},
"then": {
"$ref": "#/$defs/attack-condition"
},
"else": {
"if": {
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "attack-operator"
}
}
},
"then": {
"$ref": "#/$defs/attack-operator"
},
"else": {
"if": {
"type": "object",
"properties": {
"type": {
"type": "string",
"const": "attack-asset"
}
}
},
"then": {
"$ref": "#/$defs/attack-asset"
},
"else": true
}
}
}
}
}
],
"$defs": {
"attack-flow": {
"description": "Every Attack Flow document **MUST** contain exactly one ``attack-flow`` object. It provides metadata for name and description, starting points for the flow of actions, and can be referenced from other STIX objects.",
"type": "object",
"properties": {
"type": {
"description": "The type **MUST** be ``attack-flow``.",
"type": "string",
"const": "attack-flow"
},
"spec_version": {
"description": "The version **MUST** be ``2.1``.",
"type": "string",
"const": "2.1"
},
"name": {
"description": "The name of the Attack Flow.",
"type": "string"
},
"description": {
"description": "A description of the overall Attack Flow.",
"type": "string"
},
"scope": {
"description": "Indicates what type of behavior the Attack Flow describes: a specific incident, a campaign, etc.",
"type": "string",
"enum": [
"incident",
"campaign",
"threat-actor",
"malware",
"other"
]
},
"start_refs": {
"description": "A list of objects that start the flow.",
"type": "array",
"items": {
"allOf": [
{
"$ref": "http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json"
},
{
"pattern": "^(attack-action|attack-condition)--"
}
]
},
"minItems": 1
}
},
"required": [
"type",
"spec_version",
"name",
"start_refs",
"scope"
],
"x-exampleObject": "attack-flow--e9ec3a4b-f787-4e81-a3d9-4cfe017ebc2f"
},
"attack-action": {
"description": "An ``attack-action`` object represents the execution of a particular technique, i.e. a discrete unit of adverary behavior.",
"type": "object",
"properties": {
"type": {
"description": "The type **MUST** be ``attack-action``.",
"type": "string",
"const": "attack-action"
},
"spec_version": {
"description": "The version **MUST** be ``2.1``.",
"type": "string",
"const": "2.1"
},
"name": {
"description": "The name of the technique, or if a specific technique is not known, then the name of the tactic.",
"type": "string"
},
"tactic_id": {
"description": "A tactic identifier or shortname that may reference an authoritative collection of tactics, e.g. ATT&CK.",
"type": "string"
},
"tactic_ref": {
"description": "A reference to the tactic's STIX representation. For ATT&CK, this should be an ``x-mitre-tactic`` object.",
"allOf": [
{
"$ref": "http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json"
}
]
},
"technique_id": {
"description": "A technique identifier or shortname that may reference an authoritative collection of techniques, e.g. ATT&CK.",
"type": "string"
},
"technique_ref": {
"description": "A reference to the technique's STIX representation.",
"allOf": [
{
"$ref": "http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json"
},
{
"pattern": "^attack-pattern--"
}
]
},
"description": {
"description": "A description of the adversary behavior, e.g. what they did, how they did it, and why. This field may contain prose as well as technical information, but consider using ``command_ref`` for providing technical details about technique execution.",
"type": "string"
},
"execution_start": {
"description": "Timestamp indicating when the execution of this action began.",
"$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/master/schemas/common/timestamp.json"
},
"execution_end": {
"description": "Timestamp indicating when the execution of this action ended.",
"$ref": "https://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/master/schemas/common/timestamp.json"
},
"command_ref": {
"description": "Describe tools or commands executed by the attacker by referring to a STIX Process object, which can represent commands, environment variables, process image, etc.",
"allOf": [
{
"$ref": "http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json"
},
{
"pattern": "^process--"
}
]
},
"asset_refs": {
"description": "The assets involved in this action, i.e. where this action modifies or depends on the state of the asset.",
"type": "array",
"items": {
"allOf": [
{
"$ref": "http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json"
},
{
"pattern": "^(attack-asset)--"
}
]
},
"minItems": 1
},
"effect_refs": {
"description": "The potential effects that result from executing this action. (See: :ref:`effects`.)",
"type": "array",
"items": {
"allOf": [
{
"$ref": "http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json"
},
{
"pattern": "^(attack-action|attack-operator|attack-condition)--"
}
]
},
"minItems": 1
}
},
"required": [
"type",
"spec_version",
"name"
],
"x-exampleObject": "attack-action--37345417-3ee0-4e11-b421-1d4be68e6f15"
},
"attack-asset": {
"description": "An asset is any object that is the subject or target of an action. Assets can be technical assets (such as machines and data) or non-technical assets such as people and physical systems. Actions typically either modify or depend upon the *state* of an asset in some way.\n\nNote that assets are not applicable in all contexts. For example, public threat reports may not include enough detail to represent the assets in a flow, or the flow might represent aggregate behavior (at the campaign or actor level) for which it does not make sense to specify an asset. Assets should be used to add context to a flow when the underlying intelligence contains sufficient detail to do so.",
"type": "object",
"properties": {
"type": {
"description": "The type **MUST** be ``attack-asset``.",
"type": "string",
"const": "attack-asset"
},
"spec_version": {
"description": "The version **MUST** be ``2.1``.",
"type": "string",
"const": "2.1"
},
"name": {
"description": "An name for the asset.",
"type": "string"
},
"description": {
"description": "A description of the asset.",
"type": "string"
},
"object_ref": {
"description": "A reference to any STIX data object (i.e. SDO) or observable (i.e. SCO) that contains structured data about this asset.",
"$ref": "http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json"
}
},
"required": [
"type",
"spec_version",
"name"
],
"x-exampleObject": "attack-asset--f7edf4aa-29ec-47aa-b4f6-c42dfbe2ac20"
},
"attack-condition": {
"description": "An ``attack-condition`` object represents some possible condition, outcome, or state that could occur. Conditions can be used to split flows based on the success or failure of an action, or to provide further description of an action's results.",
"type": "object",
"properties": {
"type": {
"description": "The type **MUST** be ``attack-condition``.",
"type": "string",
"const": "attack-condition"
},
"spec_version": {
"description": "The version **MUST** be ``2.1``.",
"type": "string",
"const": "2.1"
},
"description": {
"description": "The condition that is evaluated, usually based on the success or failure of the preceding action.",
"type": "string"
},
"pattern": {
"description": "*(This is an experimental feature.)* The detection pattern for this condition may be expressed as a STIX Pattern or another appropriate language such as SNORT, YARA, etc.",
"type": "string"
},
"pattern_type": {
"description": "*(This is an experimental feature.)* The pattern langauge used in this condition. The value for this property should come from the STIX ``pattern-type-ov`` open vocabulary.",
"type": "string"
},
"pattern_version": {
"description": "*(This is an experimental feature.)* The version of the pattern language used for the data in the ``pattern`` property. For the STIX Pattern language, the default value is determined by the ``spec_version`` of the condition object.",
"type": "string"
},
"on_true_refs": {
"description": "When the condition is ``true``, the flow continues to these objects.",
"type": "array",
"items": {
"allOf": [
{
"$ref": "http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json"
},
{
"pattern": "^(attack-action|attack-operator|attack-condition)--"
}
]
},
"minItems": 1
},
"on_false_refs": {
"description": "When the condition is ``false``, the flow continues to these objects. (If there are no objects, then the flow halts at this node.)",
"type": "array",
"items": {
"allOf": [
{
"$ref": "http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json"
},
{
"pattern": "^(attack-action|attack-operator|attack-condition)--"
}
]
},
"minItems": 1
}
},
"required": [
"type",
"spec_version",
"description"
],
"x-exampleObject": "attack-condition--7e809f5b-319a-4b3f-82fe-e4dc09af5088"
},
"attack-operator": {
"description": "An ``attack-operator`` object joins multiple attack paths together using boolean logic.",
"type": "object",
"properties": {
"type": {
"description": "The type **MUST** be ``attack-operator``.",
"type": "string",
"const": "attack-operator"
},
"spec_version": {
"description": "The version **MUST** be ``2.1``.",
"type": "string",
"const": "2.1"
},
"operator": {
"description": "The logical operator to apply to the input effects.",
"type": "string",
"enum": [
"AND",
"OR"
]
},
"effect_refs": {
"description": "The effects, outcomes, or states that result when this operator evaluates to ``true``. If the operator evaluates to ``false``, then the flow halts. (See: :ref:`effects`.)",
"type": "array",
"items": {
"allOf": [
{
"$ref": "http://raw.githubusercontent.com/oasis-open/cti-stix2-json-schemas/stix2.1/schemas/common/identifier.json"
},
{
"pattern": "^(attack-action|attack-operator|attack-condition)--"
}
]
},
"minItems": 1
}
},
"required": [
"type",
"spec_version",
"operator"
],
"x-exampleObject": "attack-operator--609d7adf-a3d2-44e8-82de-4b30e3fb97be"
}
}
}