Comments (3)
I don't think this has always been this way. The last ATT&CK JSON I worked with extensively was either 8 or 9, and I'm fairly certain that at the time STIX versioning was working. It looks like the various versions of the JSON have been regenerated/modified, and I no longer have access to reference copies to compare.
While this isn't necessarily workflow-breaking, it does seem that there is a mix of properly versioned & non-versioned objects intermingled, and some of these objects might or might not have an x_mitre meta versioning. It's a bit confusing and frustrating.
from attack-stix-data.
Taking a look at version 1.0 of the ATT&CK JSON, I get the impression that the "created" time is when the technique was created, not when the STIX object was created. For example:
id, created, modified
('attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8', '2017-12-14T16:46:06.044Z', '2018-01-17T12:56:55.080Z')
('attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48', '2017-12-14T16:46:06.044Z', '2018-01-17T12:56:55.080Z')
('attack-pattern--9b99b83a-1aac-4e29-b975-b374950551a3', '2017-05-31T21:30:26.946Z', '2018-01-17T12:56:55.080Z')
.........182 more objects......
('attack-pattern--e906ae4d-1d3a-4675-be23-22f7311c0da4', '2017-05-31T21:31:05.140Z', '2018-01-17T12:56:55.080Z')
('attack-pattern--c3bce4f4-9795-46c6-976e-8676300bbc39', '2017-05-31T21:30:33.723Z', '2018-01-17T12:56:55.080Z')
('attack-pattern--514ede4c-78b3-4d78-a38b-daddf6217a79', '2017-05-31T21:30:20.148Z', '2018-01-17T12:56:55.080Z')
According to the STIX spec, "The created property represents the time at which the object was originally created," and looking at the timestamps from version 1.0, I get the feeling that the created values were scraped from another database & the modify time is whatever time it happened to be when the script started.
Either way - there are 188 objects in ATT&CK json version 1.0 that imply versioning but don't have requisite properties.
from attack-stix-data.
There are 188 attack patterns in ATT&CK 1.0 that aren't using STIX 2.1 versioning properly.
('attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8', '2017-12-14T16:46:06.044Z', '2018-01-17T12:56:55.080Z')
('attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48', '2017-12-14T16:46:06.044Z', '2018-01-17T12:56:55.080Z')
('attack-pattern--9b99b83a-1aac-4e29-b975-b374950551a3', '2017-05-31T21:30:26.946Z', '2018-01-17T12:56:55.080Z')
There are 188 attack patterns in ATT&CK 2.0 that aren't using STIX 2.1 versioning properly.
('attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8', '2017-12-14T16:46:06.044Z', '2018-04-18T17:59:24.739Z')
('attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48', '2017-12-14T16:46:06.044Z', '2018-04-18T17:59:24.739Z')
('attack-pattern--9b99b83a-1aac-4e29-b975-b374950551a3', '2017-05-31T21:30:26.946Z', '2018-04-18T17:59:24.739Z')
There are 219 attack patterns in ATT&CK 3.0 that aren't using STIX 2.1 versioning properly.
('attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8', '2017-12-14T16:46:06.044Z', '2018-10-17T00:14:20.652Z')
('attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48', '2017-12-14T16:46:06.044Z', '2018-10-17T00:14:20.652Z')
('attack-pattern--9b99b83a-1aac-4e29-b975-b374950551a3', '2017-05-31T21:30:26.946Z', '2018-10-17T00:14:20.652Z')
There are 244 attack patterns in ATT&CK 4.0 that aren't using STIX 2.1 versioning properly.
('attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8', '2017-12-14T16:46:06.044Z', '2018-10-31T13:45:13.024Z')
('attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48', '2017-12-14T16:46:06.044Z', '2018-10-31T13:45:13.024Z')
('attack-pattern--9b99b83a-1aac-4e29-b975-b374950551a3', '2017-05-31T21:30:26.946Z', '2018-10-17T00:14:20.652Z')
There are 244 attack patterns in ATT&CK 5.0 that aren't using STIX 2.1 versioning properly.
('attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8', '2017-12-14T16:46:06.044Z', '2018-10-31T13:45:13.024Z')
('attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48', '2017-12-14T16:46:06.044Z', '2018-10-31T13:45:13.024Z')
('attack-pattern--9b99b83a-1aac-4e29-b975-b374950551a3', '2017-05-31T21:30:26.946Z', '2018-10-17T00:14:20.652Z')
There are 266 attack patterns in ATT&CK 6.0 that aren't using STIX 2.1 versioning properly.
('attack-pattern--01df3350-ce05-4bdf-bdf8-0a919a66d4a8', '2017-12-14T16:46:06.044Z', '2019-06-13T14:49:56.024Z')
('attack-pattern--dcaa092b-7de9-4a21-977f-7fcb77e89c48', '2017-12-14T16:46:06.044Z', '2019-10-14T20:45:04.451Z')
('attack-pattern--9b99b83a-1aac-4e29-b975-b374950551a3', '2017-05-31T21:30:26.946Z', '2019-07-16T19:07:04.652Z')
There are 574 attack patterns in ATT&CK 10.0 that aren't using STIX 2.1 versioning properly.
('attack-pattern--d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4', '2020-02-11T18:46:56.263Z', '2021-04-29T14:49:39.188Z')
('attack-pattern--cabe189c-a0e3-4965-a473-dcff00f17213', '2020-10-15T12:05:58.755Z', '2021-07-28T01:04:39.141Z')
('attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b', '2020-08-24T13:43:00.028Z', '2021-06-07T19:23:33.039Z')
There are 422 attack patterns in ATT&CK 11.2 that aren't using STIX 2.1 versioning properly.
('attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298', '2020-01-14T17:18:32.126Z', '2022-04-25T14:00:00.188Z')
('attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b', '2020-02-11T18:28:44.950Z', '2022-04-25T14:00:00.188Z')
('attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688', '2017-05-31T21:31:25.060Z', '2021-04-29T14:49:39.188Z')
from attack-stix-data.
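An added example, not part of the thread and not the commenter's script: a small audit that lists attack-pattern objects whose `modified` is later than `created` and reports how many objects share one `modified` value. The flagging rule (a revised object lacking `spec_version` or `x_mitre_version`) is an assumption, since the thread does not state the criterion used; the first three sample objects reuse IDs and timestamps quoted above for ATT&CK 1.0, and the fourth is constructed.

```python
from collections import Counter
from datetime import datetime

def parse_ts(ts):
    # STIX timestamps are RFC 3339 in UTC with a trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit_versioning(bundle, version_props=("spec_version", "x_mitre_version")):
    """Flag attack-patterns whose timestamps imply a revision (assumed rule)."""
    patterns = [o for o in bundle.get("objects", []) if o.get("type") == "attack-pattern"]
    flagged = []
    for obj in patterns:
        if "created" not in obj or "modified" not in obj:
            flagged.append((obj.get("id"), "missing created/modified"))
            continue
        created, modified = parse_ts(obj["created"]), parse_ts(obj["modified"])
        if modified < created:
            flagged.append((obj["id"], "modified precedes created"))
        elif modified > created:
            missing = [p for p in version_props if p not in obj]
            if missing:
                flagged.append((obj["id"], "revised, lacks " + ", ".join(missing)))
    # Many objects sharing one modified value points at an export-time stamp.
    stamps = Counter(o["modified"] for o in patterns if "modified" in o)
    top, count = stamps.most_common(1)[0] if stamps else (None, 0)
    share = count / len(patterns) if patterns else 0.0
    return {"total": len(patterns), "flagged": flagged,
            "bulk_modified": top, "bulk_share": share}

def _ap(uuid, created, modified, **extra):
    # Helper for building the sample objects below (hypothetical, for this example).
    return {"type": "attack-pattern", "id": "attack-pattern--" + uuid,
            "created": created, "modified": modified, **extra}

# First three entries: values quoted in the thread for ATT&CK 1.0.
# Last entry: constructed, carries both version properties.
SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    _ap("01df3350-ce05-4bdf-bdf8-0a919a66d4a8", "2017-12-14T16:46:06.044Z", "2018-01-17T12:56:55.080Z"),
    _ap("dcaa092b-7de9-4a21-977f-7fcb77e89c48", "2017-12-14T16:46:06.044Z", "2018-01-17T12:56:55.080Z"),
    _ap("9b99b83a-1aac-4e29-b975-b374950551a3", "2017-05-31T21:30:26.946Z", "2018-01-17T12:56:55.080Z"),
    _ap("00000000-0000-4000-8000-000000000001", "2020-01-01T00:00:00.000Z", "2021-01-01T00:00:00.000Z",
        spec_version="2.1", x_mitre_version="1.1"),
]}

if __name__ == "__main__":
    report = audit_versioning(SAMPLE_BUNDLE)
    print(f"{len(report['flagged'])} of {report['total']} attack patterns flagged")
    for obj_id, reason in report["flagged"]:
        print(obj_id, "-", reason)
    print("most common modified:", report["bulk_modified"], f"({report['bulk_share']:.0%})")
```

To run it against a real release, load the bundle with `json.load` and pass the resulting dict to `audit_versioning`.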