attack-scripts icon indicating copy to clipboard operation
attack-scripts copied to clipboard
verified publisher icon mitre-attack

Machine-parseable diff

Open mvglasow opened this issue 4 years ago • 1 comments

As a user of ATT&CK, I want to be able to create a diff between two arbitrary versions which I can further process electronically, e.g. in a relational database.

The stix_diff script is a start but falls short of this requirement in two points:

  • it does not allow for an exact comparison of old/new (cf. #11)
  • the output is not easily machine-parseable

We are in the process of implementing the MaGMa framework in our organization. MaGMa implements a top-down model of an adversary’s actions; a major source for the bottom layer are techniques taken from ATT&CK. In order to reflect changes in ATT&CK in our MaGMa implementation, we would need a detailed diff.

As we maintain the information in a relational database, we would need this information in a compatible format (CSV, XLS or ODS would work, in a manner similar to #45).

Our focus is mainly on techniques, although similar use cases with similar considerations might apply to other object types.

A diff would need to contain information such as:

  • T2370 has been removed from the new version
  • T2380 has been removed from TA0001 (but is still part of the new version and has other associated tactics)
  • T2390 has been added to TA0002 (i.e. the technique itself was already present in a previous version and has not changed)
  • T3170 had its title changed from Rubber ducky placement to Placement of water fowl-shaped rubber toy
  • T6580 has been added (quoting all its data fields, only those related to version control may be omitted)
  • T8038 is now T8031/008 (changed into a sub-technique)

mvglasow avatar Jan 29 '21 12:01 mvglasow

Hi @mvglasow,

diff_stix does actually include such an output, but only if you access the diff_stix instance programmatically. If you construct a new DiffStix instance you should be able to access the contents of the data property after it initializes, which includes all the change types exported in the markdown (and layer) output formats:

https://github.com/mitre-attack/attack-scripts/blob/master/scripts/diff_stix.py#L104-L117

  • It does not at present implement granular change detection as described in #11.
  • Revocations are also stored but are a bit harder to access, you may want to read through the implementation to reverse engineer how to get at those.

If you want to create a new output format for diff_stix (e.g a csv, json or xlsx representation of the changes), or an implementation of #11, feel free to submit it as a PR to this repo.

One other thing to note is that comparison of two versions of the dataset is also being implemented in another ATT&CK project mentioned in the January ATT&CKcon power hour -- the ATT&CK Workbench project will include functionalities (a UI and API) for assessing update/change information in a manner similar to diff_stix.

I'll leave this issue open to document the need for a machine readable output (json/csv/xlsx) aside from the contents of the internal data struct.

isaisabel avatar Feb 01 '21 13:02 isaisabel

This is now implemented in the --json-file option which can be seen here: https://github.com/mitre-attack/mitreattack-python/tree/master/mitreattack/diffStix

Admin note: closing all remaining issues and pull requests prior to archiving the repository

jondricek avatar Dec 11 '23 17:12 jondricek