merging develop into master
isaisabel committed Apr 29, 2021
2 parents ae6e80f + 9dab901 commit 3cb9be9
Showing 26 changed files with 858 additions and 227 deletions.
21 changes: 21 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,24 @@
# v4.3 - 29 April 2021
## New Features
- Added aggregate scores. Aggregate scores are computed using the score of the technique and all sub-techniques using an "aggregate function" -- min, max, average, or sum. The aggregate score is used to determine the color of the technique in place of the technique's score. Aggregate scores are an optional feature and can be enabled in the "matrix configuration" dropdown. See issue [#269](https://github.com/mitre-attack/attack-navigator/issues/269).
- The user can now suppress the "leave site?" warning dialog in the config file or via the "create a customized navigator" interface. See issue [#267](https://github.com/mitre-attack/attack-navigator/issues/267).
- Added an (optional) configurable banner. The new "banner" field of the config file can be used to customize the banner content with full HTML support. See issue [#205](https://github.com/mitre-attack/attack-navigator/issues/205).
- Added button to toolbar to only expand all sub-techniques that are annotated. See issue [#256](https://github.com/mitre-attack/attack-navigator/issues/256).
- Added support for displaying STIX 2.1 notes in tooltips. Notes attached to techniques in the STIX data are indicated in the same style as a comment. As of version 4.3 the ATT&CK Navigator supports STIX 2.1, but cannot load data from a TAXII 2.1 server.

## Improvements
- Consolidated AWS, GCP, and Azure platforms into IaaS platform to integrate upcoming release of ATT&CK. See issue [#252](https://github.com/mitre-attack/attack-navigator/issues/252).

## Fixes
- Fixed a bug in exporting matrix to Excel sheet, where the style of all sub-techniques with the same name in a column were incorrectly over-ridden by the style of the first sub-technique in its name. See issue [#270](https://github.com/mitre-attack/attack-navigator/issues/270).
## Layer File Format Changes
Layer file format updated to version 4.2. This update is fully backwards compatible with the layer format v4.1 since the added fields are optional. See [layers/LAYERFORMATv4_2.md](layers/LAYERFORMATv4_2.md) for the full specification.

This update adds settings for aggregate scores to the layout object of the layer:
- `showAggregateScores`, which turns on the feature
- `countUnscored` which counts unscored techniques as if their score was `0` when the aggregate function is "average".
- `aggregateFunction`: the desired aggregation function: "average", "min", "max" or "sum".

# v4.2 - 3 February 2021

With version 4.2 of the Navigator we are retiring support for the Safari browser. A bug introduced in the sub-techniques release (version 3.0) causes safari to freeze when changing between layer tabs (see issue [#251](https://github.com/mitre-attack/attack-navigator/issues/251)). We have been unable to determine the cause of the freeze and thus are retiring official support for that browser. Safari users can continue to use the application, but will be warned of possible freezes via a dialog window when they first load the app.
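
Review bot: The `countUnscored` bullet under "Layer File Format Changes" says unscored techniques count as `0` only when the aggregate function is "average", but the Layout table in layers/LAYERFORMATv4_2.md, added in this same commit, describes the field without that restriction. Make the two descriptions agree so layer authors know what the flag does under min, max and sum. The "## Layer File Format Changes" heading also needs a blank line after the Fixes bullet, and the three setting bullets should be punctuated the same way.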
11 changes: 8 additions & 3 deletions README.md
Expand Up @@ -111,7 +111,7 @@ Example custom context menu objects:
```

## Loading content from a TAXII server
*By default, the Navigator loads content from ATT&CK STIX data hosted on the [MITRE/CTI repository](#related-mitre-work).*
*By default, the Navigator loads content from ATT&CK STIX data hosted on the [MITRE/CTI repository](#related-mitre-work). Note: TAXII 2.1/STIX 2.1 bundles are **not** supported when loading content from a TAXII server.*

1. Edit the `config.json` file in the **nav-app/src/assets** directory.
2. Define the `taxii_url` property in place of the `data` property and set the value to your server's URL.
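
Review bot: The added sentence "TAXII 2.1/STIX 2.1 bundles are **not** supported when loading content from a TAXII server" leaves it unclear whether STIX 2.1 content served by a TAXII 2.0 server is also rejected; the CHANGELOG entry in this commit only says data cannot be loaded from a TAXII 2.1 server. Suggest separating the protocol version from the content version and saying what the user sees when `taxii_url` points at an unsupported server. The note would also read better on its own line than appended to the italic "By default" sentence.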
Expand All @@ -129,7 +129,7 @@ Example loading content from a TAXII server:
```

## Loading content from local files
*It's possible to populate the the Navigator using files that consist of bundles of STIX objects, similarly to [this](https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json) file.*
*It's possible to populate the the Navigator using files that consist of bundles of STIX objects, similarly to [this](https://raw.githubusercontent.com/mitre/cti/master/enterprise-attack/enterprise-attack.json) file. STIX 2.0 and STIX 2.1 bundles are supported.*
1. Put the stix bundles in `src/assets`. This will tell the server hosting the Navigator to host the data as well.
2. Edit the `config.json` file in the **nav-app/src/assets** directory.
3. Change the URL specified in the `data` array to the path to the STIX bundle (e.g `assets/enterprise-attack.json`). Multiple paths may be added to the `data` array to display multiple STIX bundles in a single instance.
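
Review bot: The rewritten intro line still reads "populate the the Navigator"; since the line is being touched for the STIX 2.0/2.1 sentence anyway, drop the doubled word in the same change.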
Expand Down Expand Up @@ -169,6 +169,9 @@ Local files to load should be placed in the `nav-app/src/assets/` directory.

Default layers from the web can also be set using a query string in the Navigator URL. Refer to the in-application help page section "Customizing the Navigator" for more details.

## Enabling Banner in Navigator
The `banner` setting in `nav-app/src/assets/config.json` by default is an empty string `"""` (and not visible), and can be set to whatever content you wish to display inside a banner at the top of the Navigator webpage. The banner supports HTML and hyperlinks in the content.

## Disabling Navigator Features
The `features` array in `nav-app/src/assets/config.json` lists Navigator features you may want to disable. Setting the `enabled` field on a feature in the configuration file will hide all control
elements related to that feature.
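
Review bot: The new "Enabling Banner in Navigator" section says the banner "supports HTML and hyperlinks" but not whether that HTML is sanitized before it is rendered. Since the value comes from `config.json`, state that the file is trusted input and whether script content is stripped, so operators who fill the banner from other data know what to escape. The default is also written as `"""`; an empty JSON string is `""`.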
Expand All @@ -185,13 +188,15 @@ If you want to embed the Navigator in a webpage, use an iframe:
```HTML
<iframe src="https://mitre-attack.github.io/attack-navigator/enterprise/" width="1000" height="500"></iframe>
```
If you want to imbed a version of the Navigator with specific features removed (e.g tabs, adding annotations), or with a default layer, we recommend using the _create customized Navigator_ feature. Refer to the in-application help page section "Customizing the Navigator" for more details.
If you want to embed a version of the Navigator with specific features removed (e.g tabs, adding annotations), or with a default layer, we recommend using the _create customized Navigator_ feature. We highly recommend disabling the "leave site dialog" via this means when embedding the Navigator since otherwise you will be warned whenever you try to leave the embedding page. Refer to the in-application help page section "Customizing the Navigator" for more details.

The following is an example iframe which embeds our [*Bear APTs](layers/data/samples/Bear_APT.json) layer with tabs and the ability to add annotations removed:
```HTML
<iframe src="https://mitre-attack.github.io/attack-navigator/enterprise/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2Fmitre%2Fattack-navigator%2Fmaster%2Flayers%2Fdata%2Fsamples%2FBear_APT.json&tabs=false&selecting_techniques=false" width="1000" height="500"></iframe>
```



## Related MITRE Work
#### CTI
[Cyber Threat Intelligence repository](https://github.com/mitre/cti) of the ATT&CK catalog expressed in STIX 2.0 JSON.
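
Review bot: The added recommendation to disable the "leave site dialog" does not name the setting; the check in app.component.ts in this commit uses the feature key `leave_site_dialog`. Name that key here, or point to the "Disabling Navigator Features" section, so readers embedding the Navigator can find it. The two extra blank lines added before "## Related MITRE Work" can go.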
189 changes: 189 additions & 0 deletions layers/LAYERFORMATv4_2.md
@@ -0,0 +1,189 @@
# ATT&CK® Navigator Layer File Format Definition
This document describes **Version 4.2** of the MITRE ATT&CK Navigator Layer file format. The ATT&CK Navigator stores layers as JSON, therefore this document defines the JSON properties in a layer file.

## Property Table

| Name | Type | Required? | Default Value (if not present) | Description |
| :------------- | :------------- | :------------- | :------------- | :------------- |
| versions | Version object | No | | See Version object definition below |
| name | String | Yes | n/a | The name of the layer |
| description | String | No | "" | A free-form text field that describes the contents or intent of the layer |
| domain | String | Yes | n/a | Technology domain that this layer represents. Valid values are: "enterprise-attack", "mobile-attack", "ics-attack" |
| filters | Filter object | No | | See Filter object definition below
| sorting | Number | No | 0 | Specifies the ordering of the techniques within each tactic category as follows: <br>**0**: sort ascending alphabetically by technique name <br>**1**: sort descending alphabetically by technique name <br>**2**: sort ascending by technique score <br>**3**: sort descending by technique score |
| layout | Layout object | No | | See definition of Layout object below |
| hideDisabled | Boolean | No | false | Specifies whether techniques that have been disabled are still displayed (greyed-out) or omitted from the view as follows: <br>**true**: omit techniques marked as disabled from the view <br>**false**: include disabled techniques in the view but display as greyed-out |
| techniques | Array of Technique objects | No | | See definition of Technique object below |
| gradient | Gradient object | No | Red to Green, minValue=0, maxValue=100 | See definition of Gradient object below |
| legendItems | Array of LegendItem objects | no | | See definition of LegendItem object below |
| showTacticRowBackground | boolean | no | false | If true, the tactic row background color will be the value of the _tacticRowBackground_ field |
| tacticRowBackground | string | no | "#dddddd" | The tactic row background color |
| selectTechniquesAcrossTactics | boolean | no | true | If true, selecting a technique also selects all instances with the same technique ID. See also selectSubtechniquesWithParent |
| selectSubtechniquesWithParent | boolean | no | true | If true, selecting a technique will also select all subtechniques of the technique. See also selectTechniquesAcrossTactics |
| metadata | Array of Metadata objects | No | | User defined metadata for this layer. See definition of Metadata object |


## Filter Object Properties

| Name | Type | Required? | Default Value (if not present) | Description |
| :------------- | :------------- | :------------- | :------------- | :------------- |
| platforms | Array of String | No | all platforms within domain | Specifies the platforms within the technology domain - only those techniques tagged with these platforms are to be displayed. Valid values are as follows: <br>**domain=enterprise-attack**: "PRE", "Windows", "Linux", "macOS", "Network", "AWS", "GCP", "Azure", "Azure AD", "Office 365", "SaaS" <br>**domain=mobile-attack**: "Android", "iOS". <br>**domain=ics-attack**: "Windows", "Control Server", "Data Historian", "Engineering Workstation", "Field Controller/RTU/PLC/IED", "Human-Machine Interface", "Input/Output Server", "Safety Instrumented System/Protection Relay" |

## Version Object Properties

| Name | Type | Required? | Default Value (if not present) | Description |
| :------------- | :------------- | :------------- | :------------- | :------------- |
| attack | String | No | Current version of ATT&CK: "9" | ATT&CK version of this layer |
| navigator | String | Yes | | Must be "4.3" |
| layer | String | Yes | | Must be "4.2" |

## Technique Object properties

Technique objects are used to store both techniques and subtechniques. The only difference in representation between a technique and a subtechnique is in the techniqueID field, which for subtechniques is the parent technique ID followed by the subtechnique-id suffix.

| Name | Type | Required? | Default Value (if not present) | Description |
| :------------- | :------------- | :------------- | :------------- | :------------- |
| techniqueID | String | Yes | n/a | Unique identifier of the ATT&CK technique, e.g. "T####". For subtechniques, the format is "T####.###", where the substring to the left of the decimal is the parent technique ID, and the right-side substring is the subtechnique ID suffix. |
| tactic | String | No | n/a | Unique identifier of the ATT&CK technique's tactic, e.g. "lateral-movement". If the field is not present, the annotations for the technique will appear under every tactic the technique belongs to |
| comment | String | No | "" | Free-text field |
| enabled | Boolean | No | true | Specifies if the technique is considered enabled or disabled in this layer |
| score | Number | No | (unscored) | Optional numeric score assigned to this technique in the layer. If omitted, the technique is considered to be "unscored" meaning that it will not be assigned a color from the gradient by the Navigator |
| color | String | No | "" | Explicit color value assigned to the technique in this layer. Note that explicitly defined color overrides any color implied by the score - the Navigator will display the technique using the explicitly defined color |
| metadata | Array of Metadata objects and Metadata Separator objects | No | | User defined metadata for this technique. See definition of Metadata object and Metadata Separator object below |
| showSubtechniques | boolean | No | false | if true, the sub-techniques under this technique will be shown by default. This field is only valid under a technique with subtechniques. Note that subtechniques can still be shown/hidden using the UI controls - this field is simply the default state. |

## Gradient Object properties
| Name | Type | Required? | Default Value (if not present) | Description |
| :------------- | :------------- | :------------- | :------------- | :------------- |
| colors | Array of String | Yes | n/a | Specifies the hexadecimal RGB color values that constitute the color spectrum in use. The array must contain at least two (2) values, corresponding to the minValue and maxValue scores |
| minValue | Number | Yes | n/a | Lower bound score of the gradient |
| maxValue | Number | Yes | n/a | Upper bound score of the gradient. *Note: maxValue must be > minValue* |

## LegendItem Object properties
| Name | Type | Required? | Default Value (if not present) | Description |
| :------------- | :------------- | :------------- | :------------- | :------------- |
| label | String | Yes | n/a | The name of the legend item |
| color | String | Yes | n/a | The color of the legend item |

## Metadata Object properties
| Name | Type | Required? | Default Value (if not present) | Description |
| :------------- | :------------- | :------------- | :------------- | :------------- |
| name | String | Yes | n/a | The name of the metadata |
| value | String | Yes | n/a | The value of the metadata |

## Metadata Separator Object properties
| Name | Type | Required? | Default Value (if not present) | Description |
| :------------- | :------------- | :------------- | :------------- | :------------- |
| divider | Boolean | Yes | n/a | If true, display a horizontal separator in the metadata tooltip where this object occurs in the list of metadata

## Layout Object properties
| Name | Type | Required? | Default Value (if not present) | Description |
| :------------- | :------------- | :------------- | :------------- | :------------- |
| layout | String | No | "side' | The layout of the matrix. Either "side", "flat" or "mini" |
| showID | Boolean | No | false | if true, show the ATT&CK ID of techniques and tactics in the matrix |
| showName | Boolean | No | true | if true, show the name of techniques and tactics in the matrix |
| showAggregateScores | Boolean | No | false | if true, show the aggregate scores of techniques and its subtechniques in the matrix |
| countUnscored | Boolean | No | false | if true, count the unscored techniques in the calculation of the aggregate score of techniques in the matrix |
| aggregateFunction | String | No | "average" | The aggregate function used to calculate aggregate scores for techniques in the matrix. Either "average", "min", "max" or "sum" |

## Example
The following example illustrates the layer file format:
```json
{
"name": "example layer",
"versions": {
"attack": "8",
"navigator": "4.3",
"layer": "4.2"
},
"domain": "enterprise-attack",
"description": "hello, world",
"filters": {
"platforms": [
"Windows",
"macOS"
]
},
"sorting": 2,
"layout": {
"layout": "side",
"showName": true,
"showID": false,
"showAggregateScores": true,
"countUnscored": true,
"aggregateFunction": "average"
},
"hideDisabled": false,
"techniques": [
{
"techniqueID": "T1110",
"score": 0,
"color": "#fd8d3c",
"comment": "This is a comment for technique T1110",
"showSubtechniques": true
},
{
"techniqueID": "T1110.001",
"score": 100,
"comment": "This is a comment for T1110.001 - the first subtechnique of technique T1110.001"
},
{
"techniqueID": "T1134",
"tactic": "defense-evasion",
"score": 75,
"comment": "this is a comment for T1134 which is only applied on the defense-evasion tactic"
},
{
"techniqueID": "T1078",
"tactic": "discovery",
"enabled": false
},
{
"techniqueID": "T1053",
"tactic": "privilege-escalation",
"metadata": [
{
"name": "T1053 metadata1",
"value": "T1053 metadata1 value"
},
{
"divider": true
},
{
"name": "T1053 metadata2",
"value": "T1053 metadata2 value"
}
]
}
],
"gradient": {
"colors": [
"#ff6666",
"#ffe766",
"#8ec843"
],
"minValue": 0,
"maxValue": 100
},
"legendItems": [
{
"label": "Legend Item Label",
"color": "#FF00FF"
}
],
"showTacticRowBackground": true,
"tacticRowBackground": "#dddddd",
"selectTechniquesAcrossTactics": false,
"selectSubtechniquesWithParent": false,
"metadata": [
{
"name": "layer metadata 1",
"value": "layer metadata 1 value"
},
{
"name": "layer metadata 2",
"value": "layer metadata 2 value"
}
]
}
```
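
Review bot: The Filter object table still lists "AWS", "GCP" and "Azure" as valid enterprise-attack platforms, while the CHANGELOG in this commit says those were consolidated into an IaaS platform; anyone validating layer files against this spec needs to know which values v4.2 accepts. Other points in this file: the Layout default is written `"side'` with mismatched quotes, the Version table gives the default `attack` value as "9" while the example uses "8", the example comment for T1110.001 calls it "the first subtechnique of technique T1110.001" where the parent is T1110, and the `filters` and `divider` table rows are missing their closing `|`.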
2 changes: 1 addition & 1 deletion nav-app/package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion nav-app/package.json
Expand Up @@ -5,7 +5,7 @@
"type": "git",
"url": "https://github.com/mitre-attack/attack-navigator.git"
},
"version": "4.2.0",
"version": "4.3.0",
"license": "Apache-2.0",
"scripts": {
"ng": "ng",
6 changes: 4 additions & 2 deletions nav-app/src/app/app.component.ts
@@ -1,5 +1,6 @@
import { Component, ViewChild, DoCheck, HostListener } from '@angular/core';
import {TabsComponent} from './tabs/tabs.component';
import { TabsComponent } from './tabs/tabs.component';
import { ConfigService } from './config.service';
import * as globals from "./globals";

@Component({
Expand All @@ -14,12 +15,13 @@ export class AppComponent {

@HostListener('window:beforeunload', ['$event'])
promptNavAway($event) {
if (!this.configService.getFeature('leave_site_dialog')) return;
//this text only shows in the data, not visible to user as far as I can tell
//however, if it's not included the window doesn't open.
$event.returnValue='Are you sure you want to navigate away? Your data may be lost!';
}

constructor() {
constructor(public configService: ConfigService) {
Array.prototype.includes = function(value): boolean {
// console.log("checking include")
for (let i = 0; i < this.length; i++) {
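
Review bot: In `promptNavAway`, `if (!this.configService.getFeature('leave_site_dialog')) return;` suppresses the warning whenever `getFeature` returns a falsy value, which may include a config.json that predates this key or a config that has not finished loading when the handler fires. If that is the case, existing deployments would silently lose the unsaved-data prompt; suggest treating a missing key as enabled and skipping the dialog only on an explicit `false`. The constructor parameter is declared `public`; unless a template reads `configService`, `private` is enough.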