STIXProject / stix-to-html

Convert STIX XML to HTML

TTP with inline Exploit Target without id should be given auto id and made expandable

mattcoarr opened this issue · comments

Here's a little bit more information on a similar document.

In this case, the TTP has an inline child Exploit Target (which isn't ID'ed). The ET then has a child Potential COA, which is referenced via idref.

The problem with this document was that the descendants (in this case the Potential COA) get printed out and are expandable, but no details of the Exploit Target are printed. So it looks like the expandable id for the Potential COA is actually for the ID.

Here's a mockup of what the data looks like:

<stix:TTP xsi:type="ttp:TTPType" id="ttp1">
    <ttp:Behavior>
        <ttp:Exploits>
            <ttp:Exploit>
                <ttp:Description>Sample Exploit (in TTP)</ttp:Description>
            </ttp:Exploit>
        </ttp:Exploits>
    </ttp:Behavior>
    <ttp:Exploit_Targets>
        <stixCommon:Exploit_Target xsi:type="exploit_target:ExploitTargetType">
            <exploit_target:Potential_COAs>
                <exploit_target:Potential_COA>
                    <stixCommon:Course_Of_Action idref="coa1"/>
                </exploit_target:Potential_COA>
            </exploit_target:Potential_COAs>
        </stixCommon:Exploit_Target>
    </ttp:Exploit_Targets>
</stix:TTP>

This should really help in some documents where content is specified with inline elements if the author does not include ids!

This is fixed. Please reopen or file a new issue if any problems are discovered.
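The behaviour requested in this issue, as an added Python example (not code from stix-to-html, whose fix is not shown on this page): inline components that carry neither `id` nor `idref` receive a generated id so a renderer has something to attach an expand toggle to. The `auto-` id scheme, the `COMPONENTS` set, the function names and the namespace declarations wrapped around the mockup are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the issue's mockup, trimmed, with namespace declarations added.
SAMPLE = """<stix:TTP xmlns:stix="http://stix.mitre.org/stix-1"
    xmlns:ttp="http://stix.mitre.org/TTP-1"
    xmlns:stixCommon="http://stix.mitre.org/common-1"
    xmlns:exploit_target="http://stix.mitre.org/ExploitTarget-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:type="ttp:TTPType" id="ttp1">
  <ttp:Exploit_Targets>
    <stixCommon:Exploit_Target xsi:type="exploit_target:ExploitTargetType">
      <exploit_target:Potential_COAs><exploit_target:Potential_COA>
        <stixCommon:Course_Of_Action idref="coa1"/>
      </exploit_target:Potential_COA></exploit_target:Potential_COAs>
    </stixCommon:Exploit_Target>
  </ttp:Exploit_Targets>
</stix:TTP>"""

# Assumption: local names of the elements a renderer shows as expandable items.
COMPONENTS = {"TTP", "Exploit_Target", "Course_Of_Action", "Indicator",
              "Observable", "Incident", "Campaign", "Threat_Actor"}

def local_name(elem):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return elem.tag.rsplit("}", 1)[-1]

def assign_auto_ids(root, prefix="auto"):
    """Give each inline component lacking both id and idref a generated id.

    Returns the (generated_id, local_name) pairs that were added. Elements with
    idref are skipped: they point at content that is defined elsewhere.
    """
    used = {e.get("id") for e in root.iter() if e.get("id")}
    added, n = [], 0
    for elem in root.iter():
        name = local_name(elem)
        if name not in COMPONENTS or elem.get("id") or elem.get("idref"):
            continue
        n += 1
        while f"{prefix}-{name}-{n}" in used:  # never reuse an author-supplied id
            n += 1
        new_id = f"{prefix}-{name}-{n}"
        elem.set("id", new_id)
        used.add(new_id)
        added.append((new_id, name))
    return added

def expandable_ids(root):
    """Ids, in document order, that a renderer could attach a toggle to."""
    return [e.get("id") for e in root.iter() if e.get("id")]
```

On the sample, the Exploit Target becomes its own expandable item between the TTP and the referenced Course of Action, instead of the COA appearing to hang directly off the TTP.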