From 9adbe65d956c03f7cbb8782c4271c61cbaa3c0b5 Mon Sep 17 00:00:00 2001
From: Michael Carenzo <79934822+mikecarenzo@users.noreply.github.com>
Date: Thu, 12 Oct 2023 20:46:19 -0400
Subject: [PATCH 1/3] add draft json schema
---
schema/mapex-unified-data-schema.json | 187 ++++++++++++++++++++++++++
1 file changed, 187 insertions(+)
create mode 100644 schema/mapex-unified-data-schema.json
diff --git a/schema/mapex-unified-data-schema.json b/schema/mapex-unified-data-schema.json
new file mode 100644
index 00000000..c1dbf0ff
--- /dev/null
+++ b/schema/mapex-unified-data-schema.json
@@ -0,0 +1,187 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "title": "ATT&CK Mappings Unified Schema",
+ "description": "Defines the data elements and properties of Mappings Explorer projects",
+ "type": "object",
+ "properties": {
+ "metadata": {
+ "description": "Properties that apply to all mappings in a project.",
+ "type": "object",
+ "properties": {
+ "mapping_version": {
+ "description": "The version of the mapping project.",
+ "type": "number"
+ },
+ "attack_version": {
+ "description": "The version of ATT&CK used to source the objects included in this mapping.",
+ "type": "number"
+ },
+ "technology_domain": {
+ "description": "ATT&CK Technology Domain (Enterprise, Mobile, ICS).",
+ "type": "array",
+ "items": {
+ "enum": [
+ "enterprise",
+ "mobile",
+ "ics"
+ ]
+ }
+ },
+ "creation_date": {
+ "description": "Creation date of this mapping file. Format: (MM/DD/YYYY) 1/21/2021",
+ "type": "string",
+ "pattern": "^[0-9]{2}/[0-9]{2}/[0-9]{4}$"
+ },
+ "last_update": {
+ "description": "Last update date of this mapping file. Format: (MM/DD/YYYY) 1/21/2021",
+ "type": "string",
+ "pattern": "^[0-9]{2}/[0-9]{2}/[0-9]{4}$"
+ },
+ "mapping_framework": {
+ "description": "The group of objects being mapped to ATT&CK.",
+ "type": "array",
+ "items": {
+ "enum": [
+ "veris",
+ "nist_800_53",
+ "cve",
+ "aws",
+ "gcp",
+ "azure"
+ ]
+ }
+ },
+ "mapping_framework_version": {
+ "description": "The Mapping Framework's version.",
+ "type": "string"
+ },
+ "mapping_framework_version_scheme": {
+ "description": "How the Mapping Framework is versioned.",
+ "type": "array",
+ "items": {
+ "enum": [
+ "framework",
+ "date_accessed"
+ ]
+ }
+ },
+ "author": {
+ "description": "The author of this mapping file.",
+ "type": "string"
+ },
+ "contact": {
+ "description": "The email address of the author.",
+ "type": "string"
+ },
+ "organization": {
+ "description": "The organization associated with the author.",
+ "type": "string"
+ },
+ "mapping_types": {
+ "description": "The mappings file valid mapping types.",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "id": {
+ "description": "The mapping type's identifier.",
+ "type": "string"
+ },
+ "description": {
+ "description": "A description of the mapping type."
+ }
+ }
+ }
+ }
+ },
+ "required": [
+ "mapping_version",
+ "attack_version",
+ "technology_domain",
+ "creation_date",
+ "mapping_framework",
+ "mapping_framework_version",
+ "mappings_types"
+ ]
+ },
+ "mapping_object": {
+ "description": "The mappings between framework objects and ATT&CK objects.",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "attack_object_id": {
+ "description": "The unique identifier of the ATT&CK object being mapped. (T1648)",
+ "type": "string"
+ },
+ "attack_object_name": {
+ "description": "The name of the ATT&CK Object. (Serverless Execution)",
+ "type": "string"
+ },
+ "capability_id": {
+ "description": "Unique identifier of the framework object being mapped.",
+ "type": "string"
+ },
+ "mapping_description": {
+ "description": "Name or description of Mapping Target",
+ "type": "string"
+ },
+ "comments": {
+ "description": "Used to document assumptions, circumstances, or other information regarding the mapping",
+ "type": "string"
+ },
+ "references": {
+ "description": "A list of links to documentation that provides additional detail in understanding the data contained in this mapping. (A link to the documentation for a security control.)",
+ "type": "string"
+ },
+ "mapping_type": {
+ "description": "Mapping type has framework-specific values. This property describes how the capability_id and attack_object_id are related.",
+ "type": "string"
+ },
+ "if": {
+ "properties": {
+ "mapping_type": {
+ "const": "technique_scores"
+ }
+ }
+ },
+ "then": {
+ "properties": {
+ "score_category": {
+ "description": "Assessment of the effectiveness of the mitigations provided. (Protect, Detect, Respond)",
+ "type": "array",
+ "items": {
+ "enum": [
+ "protect",
+ "detect",
+ "respond"
+ ]
+ }
+ },
+ "score_value": {
+ "description": "The score. (e.g. Minimal, Partial, Significant)",
+ "type": "array",
+ "items": {
+ "enum": [
+ "minimal",
+ "partial",
+ "significant"
+ ]
+ }
+ },
+ "related_score": {
+ "description": "When the ATT&CK object ID is a sub-technique, related score contains the parent technique ID.",
+ "type": "string"
+ }
+ }
+ },
+ "else": {}
+ },
+ "required": [
+ "mapping_type",
+ "capability_id"
+ ]
+ }
+ }
+ }
+}
From 1a0bbe632f389049201123e3ec45de099c10fdbf Mon Sep 17 00:00:00 2001
From: Michael Carenzo <79934822+mikecarenzo@users.noreply.github.com>
Date: Fri, 13 Oct 2023 16:09:26 -0400
Subject: [PATCH 2/3] fix mapping_types description
---
schema/mapex-unified-data-schema.json | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
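Review bot: In PATCH 1/3 the `metadata` `required` array lists `"mappings_types"`, while the property defined above it is `mapping_types`; as written the real key is never required and every file must carry a stray `mappings_types` key to validate, so the entry should read `"mapping_types"`. In the `mapping_object` items, `if`, `then` and `else` are nested inside `properties`, where JSON Schema reads them as property names rather than conditional keywords, so the `score_category` and `score_value` enums are never applied; they need to move up one level, next to `properties` and `required`. The date `pattern` `^[0-9]{2}/[0-9]{2}/[0-9]{4}$` rejects the `1/21/2021` example given in its own description. No object sets `additionalProperties`, so unknown or misspelled keys in a mapping file pass silently; if these files are accepted from outside contributors, `"additionalProperties": false` is worth considering. Patches 2/3 and 3/3 leave these lines unchanged.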
diff --git a/schema/mapex-unified-data-schema.json b/schema/mapex-unified-data-schema.json
index c1dbf0ff..3b5a8d4b 100644
--- a/schema/mapex-unified-data-schema.json
+++ b/schema/mapex-unified-data-schema.json
@@ -88,7 +88,8 @@
 "type": "string"
 },
 "description": {
- "description": "A description of the mapping type."
+ "description": "A description of the mapping type.",
+ "type": "string"
 }
 }
 }
From a3fc75a8a114bee5def21a02ce7526accf3a0f04 Mon Sep 17 00:00:00 2001
From: rossj-en <94643257+rossj-en@users.noreply.github.com>
Date: Wed, 18 Oct 2023 10:18:12 -0700
Subject: [PATCH 3/3] updated keyword names. added valid_mapping_types
---
schema/mapex-unified-data-schema.json | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/schema/mapex-unified-data-schema.json b/schema/mapex-unified-data-schema.json
index 3b5a8d4b..6c1a5406 100644
--- a/schema/mapex-unified-data-schema.json
+++ b/schema/mapex-unified-data-schema.json
@@ -10,11 +10,11 @@
 "properties": {
 "mapping_version": {
 "description": "The version of the mapping project.",
- "type": "number"
+ "type": "string"
 },
 "attack_version": {
 "description": "The version of ATT&CK used to source the objects included in this mapping.",
- "type": "number"
+ "type": "string"
 },
 "technology_domain": {
 "description": "ATT&CK Technology Domain (Enterprise, Mobile, ICS).",
@@ -78,7 +78,7 @@
 "type": "string"
 },
 "mapping_types": {
- "description": "The mappings file valid mapping types.",
+ "description": "The mappings types that are associated with each Framework.",
 "type": "array",
 "items": {
 "type": "object",
@@ -106,7 +106,7 @@
 ]
 },
 "mapping_object": {
- "description": "The mappings between framework objects and ATT&CK objects.",
+ "description": "A single mapping between framework object and ATT&CK object.",
 "type": "array",
 "items": {
 "type": "object",
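Review bot: In the `@@ -10,11 +10,11 @@` hunk of PATCH 3/3, `mapping_version` and `attack_version` become a bare `"type": "string"`, which accepts any text, including the empty string. If versions are meant to be dotted numbers (an assumption; the schema gives no example), a constraint such as `"pattern": "^[0-9]+(\\.[0-9]+)*$"` beside each `type` would keep malformed values out of any downstream version comparison. The `metadata` `properties` object continues past the end of this hunk.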
@@ -116,15 +116,15 @@
 "type": "string"
 },
 "attack_object_name": {
- "description": "The name of the ATT&CK Object. (Serverless Execution)",
+ "description": "The name of the ATT&CK object. (Serverless Execution)",
 "type": "string"
 },
 "capability_id": {
 "description": "Unique identifier of the framework object being mapped.",
 "type": "string"
 },
- "mapping_description": {
- "description": "Name or description of Mapping Target",
+ "capability_description": {
+ "description": "Name or description of framework object",
 "type": "string"
 },
 "comments": {
@@ -181,7 +181,10 @@
 "required": [
 "mapping_type",
 "capability_id"
- ]
+ ],
+ "dependentRequired":{
+ "mapping_type":["valid_mapping_types"]
+ }
 }
 }
 }
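Review bot: In the `@@ -181,7 +181,10 @@` hunk, `dependentRequired` makes `valid_mapping_types` mandatory whenever `mapping_type` is present, but `mapping_type` is already listed in `required` just above and no `valid_mapping_types` property is defined anywhere in the schema shown in this series, so every mapping item must carry an undeclared, unvalidated key. If the intent is to check each item's `mapping_type` against the ids in the metadata `mapping_types` list (my reading of the commit subject), JSON Schema cannot express that cross-reference and it needs an application-level check after validation; otherwise declare the property under `properties` with a `type`. The rename to `capability_description` in the preceding hunk also means files still using `mapping_description` will pass silently, since nothing restricts additional properties. The items object begins before this hunk.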