
@mitre-attack/attack-data-model


A TypeScript API for the MITRE ATT&CK data model

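import { attackBaseDomainObjectSchema } from "./chunk-ZQ5CIHH7.js";
import { xMitreDomainsSchema, xMitrePlatformsSchema } from "./chunk-Z7F5EWOT.js";
import { createAttackExternalReferencesSchema } from "./chunk-QY7EQ3UO.js";
import { createStixIdValidator } from "./chunk-OM2DJ5DL.js";
import { createStixTypeValidator } from "./chunk-5JU73PGM.js";

// src/schemas/sdo/analytic.schema.ts
import { z } from "zod/v4";

/** Key that names one log source permutation. Any string passes; no format is enforced here. */
var xMitreLogSourcePermutationKey = z.string();

/**
 * One entry of an analytic's `x_mitre_log_sources`: the STIX ID of a log source plus
 * the permutation keys the analytic relies on.
 */
var xMitreLogSourceRefSchema = z.object({
  ref: createStixIdValidator("x-mitre-log-source"),
  // `.meta()` is the last call in the chain on purpose: zod v4 keeps metadata per schema
  // instance, and a further chained call returns a new instance without it. The original
  // chain ended in a second `.nonempty()`, which declared the length check twice and left
  // the description off the schema that is actually used.
  //
  // Nothing in this file checks the keys against the referenced log source; the
  // description states a requirement that a consumer has to verify separately.
  keys: z.array(z.string()).nonempty().meta({
    description: "Must match one of the elements in the ``x_mitre_log_source_permutations`` array"
  })
}).meta({ description: "A reference to a log source permutation" });

/**
 * Tells whether a list of log source references is free of duplicates.
 *
 * @param logSourceRefs Parsed entries, each with a `ref` string and a `keys` string array.
 * @returns `false` if the same `ref` appears twice, or if any single entry lists the same
 *   key twice; `true` otherwise. The same key under two different refs is allowed.
 */
function hasUniqueRefsAndKeys(logSourceRefs) {
  const seenRefs = /* @__PURE__ */ new Set();
  for (const logSourceRef of logSourceRefs) {
    if (seenRefs.has(logSourceRef.ref)) {
      return false;
    }
    seenRefs.add(logSourceRef.ref);

    // Keys are compared only within one entry, so the set is rebuilt per ref.
    const uniqueKeys = /* @__PURE__ */ new Set(logSourceRef.keys);
    if (uniqueKeys.size !== logSourceRef.keys.length) {
      return false;
    }
  }
  return true;
}

/** Non-empty list of log source references with no repeated ref and no repeated key per ref. */
var xMitreLogSourceRefsSchema = z.array(xMitreLogSourceRefSchema).nonempty().refine(
  hasUniqueRefsAndKeys,
  {
    // The message now describes what the predicate rejects. The earlier text spoke of
    // "(name, channel)" pairs, which this check never looks at.
    message: "Duplicate log source reference found: each ref must be unique and each key within a ref must be unique",
    // NOTE(review): this path segment names a property that this array of references does
    // not define, so the reported issue location may point at a missing field. It is kept
    // unchanged because callers may read issue paths; confirm before changing it.
    path: ["x_mitre_log_source_permutations"]
  }
).meta({
  description: "A list of log source STIX IDs, plus the specific channel or event type, e.g., sysmon:1 or auditd:SYSCALL."
});

/** One tunable field of an analytic; both the field name and its description must be non-empty. */
var xMitreMutableElementSchema = z.object({
  field: z.string().nonempty(),
  description: z.string().nonempty()
});

/** Non-empty list of mutable elements. */
var xMitreMutableElementsSchema = z.array(xMitreMutableElementSchema).nonempty().meta({
  description: "Environment-specific tuning knobs like TimeWindow, UserContext, or PortRange, so defenders can adapt without changing core behavior."
});

/**
 * Schema for an `x-mitre-analytic` object, built on the shared ATT&CK domain object schema.
 *
 * `created_by_ref` and `object_marking_refs` are made mandatory, and `.strict()` rejects
 * any property that is not declared here or in the base schema.
 */
var extensibleAnalyticSchema = attackBaseDomainObjectSchema.extend({
  id: createStixIdValidator("x-mitre-analytic"),
  type: createStixTypeValidator("x-mitre-analytic"),
  // At most one platform. Whether an empty list passes depends on xMitrePlatformsSchema,
  // which is defined in another chunk.
  x_mitre_platforms: xMitrePlatformsSchema.max(1),
  x_mitre_detects: z.string().nonempty().meta({
    description: "A tool-agnostic description of the adversary behavior chain this analytic looks for."
  }),
  external_references: createAttackExternalReferencesSchema("x-mitre-analytic"),
  x_mitre_log_sources: xMitreLogSourceRefsSchema,
  x_mitre_mutable_elements: xMitreMutableElementsSchema,
  x_mitre_domains: xMitreDomainsSchema
}).required({
  created_by_ref: true,
  object_marking_refs: true
}).strict();

/** Alias of `extensibleAnalyticSchema`; both names refer to the same schema instance. */
var analyticSchema = extensibleAnalyticSchema;

export {
  xMitreLogSourcePermutationKey,
  xMitreLogSourceRefSchema,
  xMitreLogSourceRefsSchema,
  xMitreMutableElementSchema,
  xMitreMutableElementsSchema,
  extensibleAnalyticSchema,
  analyticSchema
};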