{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://docs.macat.io/schemas/macatable-library.schema.json", "title": "MACATable Library Export", "description": "Schema for MACATable library procedure export TOML files used by MACAT.", "type": "object", "required": ["lib_procedures"], "properties": { "version": { "type": "integer", "description": "Version number of the export.", "default": 1 }, "lib_procedures": { "type": "array", "items": { "$ref": "#/$defs/procedure" }, "description": "Procedures included in this library export." } }, "additionalProperties": false, "$defs": { "procedure": { "type": "object", "required": ["id", "name"], "properties": { "id": { "type": "string", "format": "uuid", "description": "Unique identifier for the procedure." }, "library_id": { "type": "string", "format": "uuid", "description": "Reference to a library entry." }, "name": { "type": "string", "description": "Name of the procedure." }, "description": { "type": "string", "description": "Description of the procedure." }, "primary_technique": { "type": "string", "description": "MITRE ATT&CK technique ID (e.g., T1053.005)." }, "primary_tactic": { "type": "string", "description": "Primary MITRE ATT&CK tactic." }, "mitre_tactics_ref": { "type": "array", "items": { "type": "string" }, "description": "Related MITRE ATT&CK tactics." }, "src_type": { "type": "string", "enum": ["macat", "art"], "description": "Source type of the procedure." }, "supported_platforms": { "type": "array", "items": { "type": "string" }, "description": "Platforms this procedure supports (e.g., windows, linux, macos)." }, "threat_profile_ids": { "type": "array", "items": { "type": "string" }, "description": "STIX identity references for threat profiles." }, "possible_defenses": { "type": "array", "items": { "type": "string" }, "description": "Defense tool types that may detect this procedure." }, "tags": { "type": "array", "items": { "type": "string" }, "description": "Tags for categorizing the procedure." }, "procedure_steps": { "type": "array", "items": { "$ref": "#/$defs/procedureStep" }, "description": "Steps to execute for this procedure." }, "cleanup_steps": { "type": "array", "items": { "$ref": "#/$defs/procedureStep" }, "description": "Steps to run after execution to clean up." }, "dependency_checks": { "type": "array", "items": { "$ref": "#/$defs/dependencyCheck" }, "description": "Checks to run before execution to verify prerequisites." }, "variables": { "type": "array", "items": { "$ref": "#/$defs/variable" }, "description": "Configurable variables for this procedure." }, "files": { "type": "object", "additionalProperties": { "$ref": "#/$defs/fileRef" }, "description": "File references keyed by reference name." }, "detection": { "type": "array", "items": { "$ref": "#/$defs/defenseContent" }, "description": "Detection rules or recommendations." }, "prevention": { "type": "array", "items": { "$ref": "#/$defs/defenseContent" }, "description": "Prevention rules or recommendations." } }, "additionalProperties": false }, "procedureStep": { "type": "object", "required": ["executor"], "properties": { "executor": { "type": "string", "description": "Executor type (powershell, cmd, bash, sh, file_extractor)." }, "command": { "type": "string", "default": "", "description": "Command to execute. Supports #{variable} substitution." }, "name": { "type": "string", "description": "Name of this step." }, "description": { "type": "string", "description": "Description of this step." }, "order": { "type": "integer", "description": "Execution order." }, "privilege": { "type": "boolean", "description": "Whether this step requires elevated privileges." }, "instance_id": { "type": "integer", "description": "Internal instance identifier." }, "fe_id": { "type": "string", "format": "uuid", "description": "Frontend identifier." }, "parameters": { "type": "object", "additionalProperties": { "type": "string" }, "description": "Parameters for parameter-based executors (e.g., file_extractor)." } }, "additionalProperties": false }, "dependencyCheck": { "type": "object", "required": ["dependency_check_executor", "dependency_check_command"], "properties": { "dependency_check_executor": { "type": "string", "description": "Executor type for the dependency check." }, "dependency_check_command": { "type": "string", "description": "Command to verify the prerequisite." }, "dependency_check_command_privilege": { "type": "boolean", "description": "Whether the check requires elevated privileges." }, "dependency_not_found_command": { "type": "string", "description": "Command to run if the dependency is not found." }, "name": { "type": "string", "description": "Name of this dependency check." }, "description": { "type": "string", "description": "Description of this dependency check." }, "order": { "type": "integer", "description": "Execution order." }, "instance_id": { "type": "integer", "description": "Internal instance identifier." }, "fe_id": { "type": "string", "format": "uuid", "description": "Frontend identifier." } }, "additionalProperties": false }, "variable": { "type": "object", "required": ["name", "var_type"], "properties": { "name": { "type": "string", "description": "Variable name. Referenced in commands as #{name}." }, "var_type": { "type": "string", "description": "Variable type (e.g., string, integer)." }, "default": { "type": "string", "description": "Default value." }, "value": { "type": "string", "description": "Current value. Overrides default when set." }, "description": { "type": "string", "description": "Description of this variable." }, "instance_id": { "type": "integer", "description": "Internal instance identifier." } }, "additionalProperties": false }, "fileRef": { "type": "object", "required": ["location", "name"], "properties": { "location": { "type": "string", "enum": ["db", "embedded", "archive"], "description": "Where the file is stored." }, "name": { "type": "string", "description": "Filename." }, "folder": { "type": "string", "description": "Folder path in the database (location=db)." }, "content": { "type": "string", "description": "Base64-encoded file content (location=embedded)." }, "path_in_archive": { "type": "string", "description": "Path within MCZ archive (location=archive)." }, "archive_ref": { "type": "string", "description": "Reference to the archive." }, "size": { "type": "integer", "description": "Original file size in bytes." }, "sha256": { "type": "string", "description": "SHA256 hash of the file." }, "source": { "type": "string", "description": "Origin of the file (e.g., user_upload, atomic_red_team)." }, "required": { "type": "boolean", "default": true, "description": "Whether this file is required for execution." }, "resolved_file_id": { "type": "string", "format": "uuid", "description": "Database file metadata ID (omitted in exports)." } }, "additionalProperties": false }, "defenseContent": { "type": "object", "required": ["content"], "properties": { "content_type": { "type": "string", "description": "Format type (e.g., sigma, yara)." }, "content": { "type": "string", "description": "Detection or prevention rule content." } }, "additionalProperties": false } } }