New function to remove deprecated STIX objects #15
Conversation
marcusbakker
changed the title
marcusbakker
changed the title
|
Thank you very much @marcusbakker !! I appreciate it. I would like to hear more about how you guys are handling the sub-techniques update. I will merge this and push a quick fix to the version. |
|
Regarding the handling of the sub-techniques. Not sure if you have any questions in particular? But, we were pleased that no real changes were required in the functionality of To help users with the migration of YAML files in DeTT&CT we made heavy use of the crosswalk.json file provided by MITRE. We created some new logic and guidance to help the user to migrate their files/mappings the most efficient. Still, it can be an annoying exercise, but it has to be done. We dropped support for any old techniques. They can still be used in some areas, but not everywhere. We also did not re-mapped any published ATT&CK mappings (like the one for CrowdStrike, Red Canary, etc.). That's almost impossible to do because we do not have access to the raw data that tells us how it should be mapped into sub-techniques. No idea if this answers your question :-). |
|
That's awesome @marcusbakker ! Thank you very much for taking the time to write those details. Yes that helped. I am happy to hear that there were no real changes required in the functionality of |
|
I'm happy tot help. Also enjoy the rest of your week over there too! |
Hi Roberto,
While we were busy with adding support for sub-techniques in DeTT&CT we noticed that we needed to get rid of STIX objects that are deprecated. In our particular case, these were old techniques which are no longer used in the latest release of ATT&CK. I have therefore added a new function based on the already existing function
remove_revoked. The new functionremove_deprecatedremoves any objects which have the STIX property 'x_mitre_deprecated' set totrueI think it would be of value to add this to attackcti.
Regards,
Marcus