This repository is a maintained fork of center-for-threat-informed-defense/attack-flow with a production-ready SPARTA integration layered on top of the latest upstream codebase.
The goal of this fork is to keep pace with upstream Attack Flow changes while adding SPARTA-specific capabilities that are safe to regenerate during future updates instead of relying on manual patches.
- Upstream Attack Flow updates rebased into this fork.
- SPARTA framework integration using the maintained STIX source from JahazielLem/attack-stix-data.
- Automatic resolution of the latest `sparta-attack-*.json` bundle during source regeneration.
- Full SPARTA tactic, technique, and sub-technique support.
- Action TTP autocompletion for tactic, technique, and sub-technique combinations.
- Export and import support for `subtechnique_id` and `subtechnique_ref` in `attack-action`.
- Splash screen SPARTA version display sourced from the generated SPARTA bundle metadata.
- A dedicated blue `countermeasure` card mapped to STIX `course-of-action`.
- Red `action` cards for easier visual distinction.
- Catppuccin theme support and Catppuccin-based default styling.
- Customized splash screen and branding for the SPARTA-enabled builder.
- Custom STIX observables for:
  - `x-sigmf-capture`
  - `x-raw-iq-capture`

SPARTA data is generated from the latest versioned bundle published in the sparta-attack directory of the STIX source repository. During regeneration, the builder:
- Detects the newest available SPARTA bundle version.
- Synthesizes SPARTA tactics from `kill_chain_phases` when the STIX bundle does not ship standalone tactic objects.
- Preserves SPARTA sub-techniques and their relationships.
- Excludes non-matrix `SV-*` threat reference objects from offensive matrix autocompletion.
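
The regeneration steps listed above, sketched as an added example (not code from this fork or from upstream Attack Flow). It assumes bundle files are named `sparta-attack-<version>.json`, that `SV-*` objects are recognised by their `external_id`, and that tactics, where shipped, are `x-mitre-tactic` objects; the function names and the sample bundle are constructed.

```javascript
// Added example, not the fork's code. File naming, matching SV-* on
// external_id, and every sample value below are constructed assumptions.
// Pick the newest sparta-attack-<version>.json using a numeric version compare.
function latestBundle(fileNames) {
  const re = /^sparta-attack-(\d+(?:\.\d+)*)\.json$/;
  const cmp = (a, b) => {
    for (let i = 0; i < Math.max(a.length, b.length); i++) {
      const d = (a[i] ?? 0) - (b[i] ?? 0);
      if (d !== 0) return d;
    }
    return 0;
  };
  const found = fileNames
    .map((name) => ({ name, m: re.exec(name) }))
    .filter((f) => f.m)
    .map((f) => ({ name: f.name, v: f.m[1].split(".").map(Number) }))
    .sort((x, y) => cmp(y.v, x.v));
  return found.length ? found[0].name : null;
}

const externalId = (o) =>
  (o.external_references ?? []).find((r) => r.external_id)?.external_id ?? "";

// Drop SV-* objects, then derive tactics from kill_chain_phases only when the
// bundle ships no standalone x-mitre-tactic objects.
function buildMatrix(bundle) {
  const patterns = bundle.objects.filter(
    (o) => o.type === "attack-pattern" && !externalId(o).startsWith("SV-"));
  let tactics = bundle.objects
    .filter((o) => o.type === "x-mitre-tactic")
    .map((o) => o.x_mitre_shortname);
  if (tactics.length === 0) {
    const phases = patterns.flatMap(
      (p) => (p.kill_chain_phases ?? []).map((k) => k.phase_name));
    tactics = [...new Set(phases)];
  }
  return { tactics, techniques: patterns.map(externalId) };
}

// Constructed sample bundle: two techniques, one sub-technique, one SV-* object.
const ap = (id, phase) => ({
  type: "attack-pattern",
  external_references: [{ source_name: "sparta", external_id: id }],
  kill_chain_phases: [{ kill_chain_name: "sparta", phase_name: phase }],
});
const SAMPLE = { type: "bundle", objects: [
  ap("REC-0001", "reconnaissance"), ap("REC-0001.01", "reconnaissance"),
  ap("EX-0001", "execution"), ap("SV-XX-1", "execution"),
] };
```

A plain string sort would rank `1.9` above `1.10`; the numeric compare avoids picking a stale bundle.
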
To regenerate all source enumerations, including SPARTA:
```bash
cd src/attack_flow_builder
npm run update-sources
```

This fork adds two custom observables intended for RF and signal-capture workflows:

`x-sigmf-capture`

Fields:
- `name`
- `file_name`
- `frequency_hz`
- `sample_rate_hz`
- `modulation`
- `capture_date`
- `description`

`x-raw-iq-capture`

Fields:
- `name`
- `file_name`
- `frequency_hz`
- `sample_rate_hz`
- `modulation`
- `capture_date`
- `description`

These observables are available in the builder UI and round-trip through STIX export/import.
```bash
poetry install
cd src/attack_flow_builder
npm ci
```

```bash
cd src/attack_flow_builder
npm run dev
```

```bash
cd src/attack_flow_builder
npm run build
```

These commands mirror the Attack Flow Builder GitHub Actions checks:

```bash
cd src/attack_flow_builder
npm run lint
npm run test:unit
npm run build
```

These commands cover the Python-side GitHub Actions checks:

```bash
poetry run black --check src/attack_flow/
poetry run make test-ci
```

`make docs-examples` requires Graphviz's `dot` binary to be installed locally.

```bash
poetry run make docs-schema
poetry run make validate
poetry run make docs-examples
poetry run make docs-matrix
poetry run make docs
```

The workflow in `.github/workflows/build.yml` has been updated to work correctly in a forked repository by:
- Using the current repository name for GitHub Pages base paths.
- Generating PR flow links from the active repository instead of hardcoded upstream paths.
- Building docs with repository-relative Pages URLs.
This makes the fork safer to push, test, and publish with GitHub Actions without re-editing workflow URLs after every upstream sync.
The original Attack Flow project is maintained by the MITRE Center for Threat-Informed Defense:
- Fork documentation: Attack Flow Builder SPARTA Documentation
- Upstream repository: center-for-threat-informed-defense/attack-flow
- Project documentation: Attack Flow Documentation
Copyright 2021 MITRE.
Licensed under the Apache License, Version 2.0.
This project makes use of MITRE ATT&CK.