
Object Properties not well defined

Open threatinteltests opened this issue 2 years ago • 2 comments

Attempting to design a user interface using this schema. And have a couple of questions:

The purpose of Object Properties is not clear, and none of the corpus json examples include any populated object properties. Can you provide an example of its usage, along with a use case justification?

Also unsure on Logic Operators - how do they interact?

threatinteltests avatar Jun 20 '22 16:06 threatinteltests

Acknowledged. We are under way on an update to Attack Flow that will have better documentation and examples of all the fields in the schema. Until then, I'll try to answer your questions here.

The object property is based on OWL concepts: whereas a data property lets you associate a string, an object property lets you reference another object. (The mechanics of how the reference is resolved are unspecified. That is something we'll address in the next release.)

Logic operators allow you to specify dependencies. E.g. if Action A depends on having code execution (CE) and also an admin password (AP), then you can draw arrows from AP→A and CE→A and then set A's logic operator to AND. On the other hand, if Action B depends on either spearphishing with link (SPL) or spearphishing with attachment (SPA), then you can draw arrows SPL→B and SPA→B and set the logic operator to OR. (There is also logic operator language. The overall approach and documentation for logic operators will be improved in the next release.)

Thank you for taking the time to review the spec and give us feedback! Let me know if you have any further questions.

mehaase avatar Jun 21 '22 13:06 mehaase
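As an added example (not Attack Flow's own code, schema or corpus), here is a small Python evaluator for the AND/OR dependency semantics described in the reply above: an action is satisfied when all (AND) or any (OR) of the nodes with arrows into it are satisfied, and a leaf node with no incoming arrows is satisfied only when the attacker has actually achieved it. The field names (`logic_operator`, `depends_on`) and the sample flow are assumptions constructed for illustration, not the v1 schema's real property names; it also reports a dependency cycle instead of recursing forever, which a UI that lets users draw arbitrary arrows will need.

```python
"""Evaluate AND/OR dependencies between Attack Flow style action nodes.

Added example; not Attack Flow project code. The node shape below
(`logic_operator`, `depends_on`) is an assumption made for illustration.
"""
from typing import Dict, List, Optional, Set

# Constructed sample flow mirroring the two cases in the reply:
#   A needs code execution (CE) AND an admin password (AP)
#   B needs spearphishing link (SPL) OR spearphishing attachment (SPA)
SAMPLE_FLOW: Dict[str, dict] = {
    "CE":  {"name": "Code execution",           "logic_operator": "AND", "depends_on": []},
    "AP":  {"name": "Admin password",           "logic_operator": "AND", "depends_on": []},
    "SPL": {"name": "Spearphishing link",       "logic_operator": "AND", "depends_on": []},
    "SPA": {"name": "Spearphishing attachment", "logic_operator": "AND", "depends_on": []},
    "A":   {"name": "Action A", "logic_operator": "AND", "depends_on": ["CE", "AP"]},
    "B":   {"name": "Action B", "logic_operator": "OR",  "depends_on": ["SPL", "SPA"]},
}


def is_satisfied(flow: Dict[str, dict], node_id: str, achieved: Set[str],
                 _visiting: Optional[Set[str]] = None) -> bool:
    """Return True if `node_id` is reachable given the `achieved` leaf nodes.

    Leaf nodes (no incoming arrows) are satisfied only if they are in
    `achieved`. Interior nodes combine their dependencies with their own
    logic operator. A cycle in the arrows raises ValueError rather than
    recursing without bound.
    """
    if node_id not in flow:
        raise KeyError(f"unknown node {node_id!r}")
    visiting = set() if _visiting is None else _visiting
    if node_id in visiting:
        raise ValueError(f"dependency cycle through {node_id!r}")

    node = flow[node_id]
    deps: List[str] = node.get("depends_on", [])
    if not deps:
        # A leaf is a fact the attacker either has or does not have.
        return node_id in achieved

    op = str(node.get("logic_operator", "AND")).upper()
    if op not in ("AND", "OR"):
        raise ValueError(f"unsupported logic_operator {op!r} on {node_id!r}")

    results = [is_satisfied(flow, dep, achieved, visiting | {node_id}) for dep in deps]
    return all(results) if op == "AND" else any(results)


def satisfiable_actions(flow: Dict[str, dict], achieved: Set[str]) -> Set[str]:
    """All node ids the attacker can reach from the achieved leaf nodes."""
    return {node_id for node_id in flow if is_satisfied(flow, node_id, achieved)}


if __name__ == "__main__":
    # Attacker has code execution and a phishing attachment, but no admin password.
    have = {"CE", "SPA"}
    print("A satisfied:", is_satisfied(SAMPLE_FLOW, "A", have))  # False: AND needs AP too
    print("B satisfied:", is_satisfied(SAMPLE_FLOW, "B", have))  # True: OR needs only one
    print("reachable:", sorted(satisfiable_actions(SAMPLE_FLOW, have | {"AP"})))
```

The evaluator treats an action with no incoming arrows as a prerequisite fact rather than as trivially satisfied; that choice is an assumption of this example, and a UI built on the real schema should follow whatever semantics the published spec assigns to such nodes.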

Appreciate the response! Looking forward to those examples.

threatinteltests avatar Jun 21 '22 14:06 threatinteltests

Hi @threatinteltests, we released Attack Flow v2 last week which changes the way logic operators work -- hopefully clearer semantics around that. We have also replaced data properties and object properties with richer data models based on STIX. We attempted to include at least one example of each language concept in the corpus of examples, which is itself greatly expanded since v1. Please let me know if this addresses your issues.

mehaase avatar Nov 01 '22 13:11 mehaase

Closing due to inactivity. Please re-open if this is still an issue.

mehaase avatar Dec 06 '22 18:12 mehaase