ATT&CK Spec 4.0.0 - Detection Strategies, Analytics, and Log Sources (Draft) #18
- Remove x-mitre-data-source type
- Add x-mitre-detection and x-mitre-log-source types
- TODO is for remembering to replace x_mitre_data_source_ref property with new x_mitre_data_log_ref
- Add new schema, MITRE Log Source, that replaces MITRE Data Source
- Update related components to use Log Source instead of Data Source
  BREAKING CHANGE: The MITRE Data Source type is being replaced by Log Sources. Data sources will be deprecated and removed in the next major ATT&CK specification version.
- Rewrite all Zod schemas that implement well-defined open vocabularies to use proper case with OV suffix
- Add type field for indicator
- Add type field for x-mitre-analytic
- Note that x-mitre-detection and x-mitre-analytic are still being evaluated as candidate custom SDO types (subject to change)
- Move MitreCollectionLayersOV to open-vocabularies.ts module
- Implement new PatternTypeOV (to be used in Indicators)
- Implement new IndicatorTypeOV (to be used in Indicators)
- This schema is still a work-in-progress
- This iteration may not be the finalized version
- The attack-data-model.ts module was using the now deprecated DataSource and DataSourceImpl
- Both have been replaced by LogSource and LogSourceImpl, respectively
- This can be thought of as a simple rename
- Implements the Indicator SDO definition from STIX 2.1
- Deviates from STIX 2.1 spec by specifying valid_from as optional (too strict for ATT&CK uses)
- Was previously set to a singular external reference instance
- Fixed to be an array of external references
- Rename variables, functions, and classes from dataSource to logSource
- Update file names containing 'dataSource' to use 'logSource'
- Replace references in comments and documentation
- Update import statements across the codebase
The data component schema will need to be updated to support ATT&CK IDs with a refinement that validates the ID exists and matches the pattern DC####
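An added illustration of the check this comment asks for, written here without a Zod dependency so it runs stand-alone (it is not code from the attack-data-model project; in the project it would sit inside the data-component schema's refinement). The placement of the ATT&CK ID in `external_references[0]` with `source_name` `"mitre-attack"` is an assumption taken from ATT&CK's STIX convention, not from this page.

```typescript
// Added example: the ATT&CK-ID refinement requested for the data component
// schema, expressed as a plain validator so it runs without Zod.
// Assumption (ATT&CK STIX convention, not stated on the page): the ATT&CK ID
// lives in external_references[0] with source_name "mitre-attack".

interface ExternalReference {
  source_name: string;
  external_id?: string;
  url?: string;
}

interface DataComponentLike {
  type: string;
  external_references?: ExternalReference[];
}

interface Issue {
  path: string[];
  message: string;
}

// Pattern from the review comment: "DC" followed by exactly four digits.
const DATA_COMPONENT_ID = /^DC\d{4}$/;

// Returns the list of problems found; an empty list means the ID is present
// and well-formed. `pattern` defaults to DC#### but can be swapped for other
// ATT&CK object types that use the same external_references layout.
function attackIdIssues(obj: DataComponentLike, pattern: RegExp = DATA_COMPONENT_ID): Issue[] {
  const issues: Issue[] = [];
  const first = (obj.external_references ?? [])[0];
  if (!first || first.source_name !== "mitre-attack") {
    issues.push({
      path: ["external_references", "0"],
      message: "first external reference must have source_name 'mitre-attack'",
    });
    return issues; // no ATT&CK reference at all, nothing more to check
  }
  if (!first.external_id) {
    issues.push({ path: ["external_references", "0", "external_id"], message: "ATT&CK ID is missing" });
  } else if (!pattern.test(first.external_id)) {
    issues.push({
      path: ["external_references", "0", "external_id"],
      message: `ATT&CK ID '${first.external_id}' does not match ${pattern}`,
    });
  }
  return issues;
}

// Convenience wrapper: a data component is valid only if its type is right
// and the ATT&CK-ID refinement raises no issues.
function isValidDataComponent(obj: DataComponentLike): boolean {
  return obj.type === "x-mitre-data-component" && attackIdIssues(obj).length === 0;
}
```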
May want to add export statements for indicators & detections here
Added
src/schemas/sdo/technique.schema.ts
| if (x_mitre_data_sources && inMobileDomain) { | ||
| if (x_mitre_log_sources && inMobileDomain) { | ||
| ctx.addIssue({ | ||
| code: z.ZodIssueCode.custom, | ||
| message: "x_mitre_data_sources is not supported in the 'mobile-attack' domain.", | ||
| message: "x_mitre_log_sources is not supported in the 'mobile-attack' domain.", | ||
| }); |
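Review bot: the renamed refinement on the `if (x_mitre_log_sources && inMobileDomain)` line drops the `x_mitre_data_sources` check entirely, while the later commit "Implement dual support for x_mitre_data_sources and x_mitre_log_sources" says both fields are accepted until spec 4.0.0. If both properties stay on the technique schema, the mobile-attack restriction should cover both, for example `if ((x_mitre_data_sources || x_mitre_log_sources) && inMobileDomain)`, with the issue message naming whichever field was actually set so the error points at the offending property.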
I'm not sure if it makes sense to rename this field to log sources. Maybe we should consider removing it altogether? The x_mitre_data_sources field hasn't been supported/updated for a while and was effectively replaced by "detects" relationships with Data Components. Any techniques still using this field likely contain outdated information that hasn't kept up with the current Data Sources, and this would probably become even more apparent as we transition toward Log Sources.
| | Campaign | ||
| | Collection | ||
| | DataComponent | ||
| | DataSource | ||
| | LogSource | ||
| | Identity | ||
| | Matrix | ||
| | Tool |
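Review bot: swapping `DataSource` for `LogSource` in this union removes the data-source object type outright, which conflicts with the later commit stating "Data Sources will remain supported until ATT&CK spec 4.0.0"; keep `DataSource` alongside `LogSource` until the deprecation actually lands, and keep the companion schema list (`dataSourceSchema` / `logSourceSchema`) in step with this union so an object type and its schema cannot drift apart.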
Will need to add Indicators and Detections as valid AttackObject types here
Added
| campaignSchema, | ||
| collectionSchema, | ||
| dataComponentSchema, | ||
| dataSourceSchema, | ||
| logSourceSchema, | ||
| identitySchema, | ||
| matrixSchema, | ||
| toolSchema, |
Will need to add Indicator and Detection schemas here as well
Added
…urces
- Data Sources will remain supported until ATT&CK spec 4.0.0
- Log Source tests will be restored after the schema is finalized
- Implement dual support for x_mitre_data_sources and x_mitre_log_sources
- Refactor refinements to Zod v4 syntax
- x_mitre_domains was removed from all identities starting in ATT&CK v17.0
- Not a breaking change because this should have been codified in ATT&CK spec 3.2.0 or earlier
- Add x-mitre-detection-strategy to detects.source array alongside existing x-mitre-data-component
- Enables detection strategies to target attack patterns via detects relationship type
- Maintains backward compatibility with existing data component relationships
- They will not be used in the next spec revision related to detection strategies
…egy, and data component
- z.SafeParseReturnType appears to no longer be supported in Zod v4
- Removed it from main.ts
- Fixed an import error and rolled log source references back to data sources in refinements.ts
- The tests that check relationships and STIX bundles take particularly long to run
- >=2200ms for relationships and >=3000ms for STIX bundles when run locally
- They frequently exceed the 5000ms timeout threshold when run on GitHub Actions
- Increased to 10_000 (10s)
- Add conditional to publish job to only run on push events
- Restrict deploy-docs job to main branch pushes only
- Prevents external contributors from triggering releases via PRs
🎉 This PR is included in version 4.0.0-alpha.1 🎉 The release is available on: Your semantic-release bot 📦🚀
🎉 This PR is included in version 4.0.0 🎉 The release is available on: Your semantic-release bot 📦🚀
Changes
- x-mitre-detection-strategy
- x-mitre-analytic
- x-mitre-log-source
- found-in

See #14 for a detailed summary of the specification changes.

Notably, this change is not final. Unit tests still need to be implemented. Further changes to the specification may occur before the official 4.0.0 release.