
attack/domain/
data_component.rs

1use serde::{Deserialize, Serialize};
2use stix_rs::{CommonProperties, StixObject};
3use crate::domain::AttackObject;
/// A MITRE ATT&CK Data Component, i.e. a STIX object of type
/// `x-mitre-data-component`.
///
/// A Data Component names one specific property or value of a Data Source
/// that can be used to detect adversary behavior. The "Process" data source,
/// for example, has components such as "Process Creation" and
/// "Process Termination".
///
/// NOTE(review): this definition does not itself check that the deserialized
/// `type` is `x-mitre-data-component`, or that `data_source_ref` is a
/// well-formed STIX id. If bundles can come from an untrusted or third-party
/// feed, confirm that validation happens before these values are used for
/// lookups or detection-coverage mapping.
#[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct DataComponent {
    /// Shared STIX properties, read from and written to the same JSON object
    /// as the fields below (flattened rather than nested).
    #[serde(flatten)]
    pub common: CommonProperties,

    /// Display name of the component.
    pub name: String,
    /// Free-text description, when the bundle provides one.
    ///
    /// NOTE(review): no `skip_serializing_if` is set on the `Option` fields,
    /// so a `None` is presumably written back out as an explicit `null` -
    /// confirm downstream STIX consumers accept that.
    pub description: Option<String>,

    /// Reference to the parent Data Source (`x_mitre_data_source_ref`).
    /// Optional, and stored as the raw string taken from the bundle.
    #[serde(rename = "x_mitre_data_source_ref")]
    pub data_source_ref: Option<String>,

    // --- ATT&CK extension properties ---
    /// Value of `x_mitre_version`, kept as the string found in the bundle.
    #[serde(rename = "x_mitre_version", default)]
    pub version: Option<String>,

    /// Values of `x_mitre_domains`; an empty list when the property is absent.
    #[serde(rename = "x_mitre_domains", default)]
    pub domains: Vec<String>,
}
/// Exposes the shared STIX properties held in `common` through the
/// `StixObject` trait.
impl StixObject for DataComponent {
    /// Returns the object's STIX identifier as stored in `common`.
    fn id(&self) -> &str {
        let common = &self.common;
        &common.id
    }

    /// Returns the STIX `type` string exactly as it was stored; it is not
    /// compared against `x-mitre-data-component` here.
    fn type_(&self) -> &str {
        let common = &self.common;
        &common.r#type
    }

    /// Returns the creation timestamp (UTC) recorded in `common`.
    fn created(&self) -> chrono::DateTime<chrono::Utc> {
        let common = &self.common;
        common.created
    }
}
/// ATT&CK-level accessors for a data component.
impl AttackObject for DataComponent {
    /// Returns the component's display name.
    fn name(&self) -> &str {
        self.name.as_str()
    }

    /// Returns the description text, or `None` when the object has none.
    fn description(&self) -> Option<&str> {
        match &self.description {
            Some(text) => Some(text.as_str()),
            None => None,
        }
    }

    /// Returns the `revoked` flag, treating a missing value as `false`.
    fn revoked(&self) -> bool {
        self.common.revoked.unwrap_or_default()
    }

    /// Returns the `x_mitre_deprecated` flag read from `custom_properties`.
    ///
    /// The lookup yields `false` both when the key is missing and when
    /// `as_bool()` returns `None` for the stored value (presumably any
    /// non-boolean JSON value, such as the string `"true"`). A malformed flag
    /// therefore reads as "not deprecated"; keep that in mind when filtering
    /// retired objects out of detection-coverage data.
    fn deprecated(&self) -> bool {
        let raw_flag = self.common.custom_properties.get("x_mitre_deprecated");
        match raw_flag.and_then(|value| value.as_bool()) {
            Some(is_deprecated) => is_deprecated,
            None => false,
        }
    }
}