MISP / misp-galaxy

Clusters and elements to attach to MISP events or attributes (like threat actors)
https://misp-galaxy.org/

[fix] Mitre ATT&CK parsing to pull correct external_id value and update cluster #820

Closed tomking2 closed 1 year ago

tomking2 commented 1 year ago

It was discovered that the Mitre ATT&CK galaxy was incorrectly identifying the external ID (TXXX.XXX) from techniques, as it was only looking for the existence of the external_id field in a reference. Taking this condensed item as an example (T1060):

{
  "id": "attack-pattern--9422fc14-1c43-410d-ab0f-a709b76c72dc",
  "type": "attack-pattern",
  "external_references": [
    {
      "source_name": "mitre-attack",
      "external_id": "T1060",
      "url": "https://attack.mitre.org/techniques/T1060"
    },
    {
      "external_id": "CAPEC-270",
      "source_name": "capec",
      "url": "https://capec.mitre.org/data/definitions/270.html"
    }
  ],
  "modified": "2020-01-23T22:05:32.409Z",
  "name": "Registry Run Keys / Startup Folder",
  "description": "Adversaries may achieve persistence by adding a program to a startup folder..."
}

As multiple items have 'external_id' populated, this resulted in the external_id being CAPEC-270, not T1060.

This PR resolves this bug, and also updates the affected cluster.
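To illustrate the bug described in this PR, here is an added example (not the misp-galaxy generator's own code) that places a reconstruction of a reference-picking loop of the kind the report implies next to a lookup keyed on `source_name`, run over a constructed copy of the quoted object; the function names and the ID-format check are assumptions:

```python
import json
import re

# Constructed, condensed ATT&CK technique object modelled on the one quoted
# above (T1060); not the project's real data file.
SAMPLE_TECHNIQUE = json.loads("""
{
  "id": "attack-pattern--9422fc14-1c43-410d-ab0f-a709b76c72dc",
  "type": "attack-pattern",
  "external_references": [
    {"source_name": "mitre-attack", "external_id": "T1060",
     "url": "https://attack.mitre.org/techniques/T1060"},
    {"external_id": "CAPEC-270", "source_name": "capec",
     "url": "https://capec.mitre.org/data/definitions/270.html"}
  ],
  "name": "Registry Run Keys / Startup Folder"
}
""")

# ATT&CK technique and sub-technique IDs look like T1060 or T1547.001 (assumed pattern).
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def external_id_buggy(obj):
    """Hypothetical reconstruction of the bug: accept any reference that
    carries 'external_id', so the last such reference wins."""
    external_id = None
    for ref in obj.get("external_references", []):
        if "external_id" in ref:
            external_id = ref["external_id"]
    return external_id


def external_id_fixed(obj):
    """Corrected lookup: only the reference whose source_name is
    'mitre-attack' may supply the technique ID."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None


def is_technique_id(value):
    """Sanity check to run over a regenerated cluster: flags IDs such as
    'CAPEC-270' that slipped in from a non-ATT&CK reference."""
    return value is not None and TECHNIQUE_ID.match(value) is not None
```

Running `is_technique_id` over every value the generator emits catches a regression of this kind before the cluster is committed.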

adulau commented 1 year ago

Very good catch. Thank you!