OpenCTI-Platform / connectors

OpenCTI Connectors

Importing stix json creates a new Attack pattern even if one exists from Mitre ATT&CK #2216

Open vedang122 opened 3 months ago

vedang122 commented 3 months ago

Prerequisites

Description

I already have an attack pattern named `Manipulation of Control` (MITRE ATT&CK for ICS technique `T0831`) that was imported from the MITRE ATT&CK dataset. Note that it carries `x_mitre_id: "T0831"`, a `mitre-attack` external reference with `external_id: "T0831"`, and the deterministic `standard_id` `attack-pattern--0040f898-...`:

{
  "id": "d41a9023-26bc-4fc4-838b-8a46ef8d14cf",
  "standard_id": "attack-pattern--0040f898-6262-5e32-acb0-cb333e59887f",
  "entity_type": "Attack-Pattern",
  "parent_types": [
    "Basic-Object",
    "Stix-Object",
    "Stix-Core-Object",
    "Stix-Domain-Object"
  ],
  "spec_version": "2.1",
  "created_at": "2024-06-10T11:40:22.534Z",
  "updated_at": "2024-06-10T11:40:22.549Z",
  "createdBy": {
    "id": "dbd3158a-8e97-4dc5-bbd5-e6472a40287a",
    "standard_id": "identity--f11b0831-e7e6-5214-9431-ccf054e53e94",
    "entity_type": "Organization",
    "parent_types": [
      "Basic-Object",
      "Stix-Object",
      "Stix-Core-Object",
      "Stix-Domain-Object",
      "Identity"
    ],
    "spec_version": "2.1",
    "identity_class": "organization",
    "name": "The MITRE Corporation",
    "description": null,
    "roles": null,
    "contact_information": null,
    "x_opencti_aliases": null,
    "created": "2017-06-01T00:00:00.000Z",
    "modified": "2024-06-10T11:41:33.153Z",
    "objectLabel": [],
    "x_opencti_organization_type": null,
    "x_opencti_reliability": null,
    "objectLabelIds": []
  },
  "objectMarking": [],
  "objectLabel": [],
  "externalReferences": [
    {
      "id": "59d155ec-dca8-4626-8de1-3612df8c8a49",
      "standard_id": "external-reference--462e7d27-0d38-5302-8975-040cd444da8c",
      "entity_type": "External-Reference",
      "source_name": "Shelley Smith February 2008",
      "description": "Shelley Smith 2008, February 12 Teen Hacker in Poland Plays Trains and Derails City Tram System Retrieved. 2019/10/17",
      "url": "https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/",
      "hash": null,
      "external_id": null,
      "created": "2024-06-10T11:40:22.502Z",
      "modified": "2024-06-10T11:40:22.502Z",
      "createdById": null
    },
    {
      "id": "4989446e-f5d1-4dc1-ab1f-44df6435f089",
      "standard_id": "external-reference--c8fdb2e9-ea2a-5535-bee3-c21dd021b728",
      "entity_type": "External-Reference",
      "source_name": "John Bill May 2017",
      "description": "John Bill 2017, May 12 Hacked Cyber Security Railways Retrieved. 2019/10/17",
      "url": "https://www.londonreconnections.com/2017/hacked-cyber-security-railways/",
      "hash": null,
      "external_id": null,
      "created": "2024-06-10T11:40:22.459Z",
      "modified": "2024-06-10T11:40:22.459Z",
      "createdById": null
    },
    {
      "id": "3509048b-b533-4565-b652-c45c6b4dbe06",
      "standard_id": "external-reference--55982672-9cdd-5ae2-a366-61f24e9e80f8",
      "entity_type": "External-Reference",
      "source_name": "Bruce Schneier January 2008",
      "description": "Bruce Schneier 2008, January 17 Hacking Polish Trams Retrieved. 2019/10/17",
      "url": "https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html",
      "hash": null,
      "external_id": null,
      "created": "2024-06-10T11:40:22.427Z",
      "modified": "2024-06-10T11:40:22.427Z",
      "createdById": null
    },
    {
      "id": "82228e2b-c044-41a7-b579-70307326773b",
      "standard_id": "external-reference--e689ed6e-6d69-51e1-b222-a00d0094ad90",
      "entity_type": "External-Reference",
      "source_name": "mitre-attack",
      "description": null,
      "url": "https://attack.mitre.org/techniques/T0831",
      "hash": null,
      "external_id": "T0831",
      "created": "2024-06-10T11:40:22.393Z",
      "modified": "2024-06-10T11:40:22.393Z",
      "createdById": null
    }
  ],
  "revoked": false,
  "confidence": 100,
  "created": "2020-05-21T17:43:26.506Z",
  "modified": "2024-06-10T11:40:22.549Z",
  "name": "Manipulation of Control",
  "description": "Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection.   \n\nMethods of Manipulation of Control include: \n\n* Man-in-the-middle  \n* Spoof command message \n* Changing setpoints  \n\nA Polish student used a remote controller device to interface with the Lodz city tram system in Poland. (Citation: John Bill May 2017) (Citation: Shelley Smith February 2008) (Citation: Bruce Schneier January 2008) Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. (Citation: Shelley Smith February 2008) The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact. (Citation: Bruce Schneier January 2008)",
  "aliases": null,
  "x_mitre_platforms": null,
  "x_mitre_permissions_required": null,
  "x_mitre_detection": "",
  "x_mitre_id": "T0831",
  "killChainPhases": [
    {
      "id": "08c593fa-4264-4878-a9e2-17833383d4cb",
      "standard_id": "kill-chain-phase--34fb3ad9-2e5d-5aef-aa8b-d3c2233239dc",
      "entity_type": "Kill-Chain-Phase",
      "kill_chain_name": "mitre-ics-attack",
      "phase_name": "impact",
      "x_opencti_order": 0,
      "created": "2024-06-10T11:40:22.123Z",
      "modified": "2024-06-10T11:40:22.123Z",
      "createdById": null
    }
  ],
  "createdById": "dbd3158a-8e97-4dc5-bbd5-e6472a40287a",
  "objectMarkingIds": [],
  "objectLabelIds": [],
  "killChainPhasesIds": [
    "08c593fa-4264-4878-a9e2-17833383d4cb"
  ],
  "externalReferencesIds": [
    "59d155ec-dca8-4626-8de1-3612df8c8a49",
    "4989446e-f5d1-4dc1-ab1f-44df6435f089",
    "3509048b-b533-4565-b652-c45c6b4dbe06",
    "82228e2b-c044-41a7-b579-70307326773b"
  ]
}

Now I have the following STIX bundle containing an attack pattern with the same name. I expected the import to match the existing attack pattern rather than create a new one, but it actually creates a duplicate. (The object has no `x_mitre_id` and no `mitre-attack` external reference, only the same `name`. Also note the trailing comma after the `external_references` array: it is accepted by the Python dict literal used in the reproduction steps below, but it is not valid strict JSON.)

{
    "type": "bundle",
    "id": "bundle--ea60453e-eafe-47f7-9326-8db68ff37835",
    "objects": [
        {
            "type": "attack-pattern",
            "spec_version": "2.1",
            "id": "attack-pattern--48b9a20d-e74a-4119-a642-1f025f8c155c",
            "created": "2024-06-17T07:38:32.783683Z",
            "modified": "2024-06-17T07:38:32.783683Z",
            "name": "Manipulation of Control",
            "description": "Parsed from advisory",
            "external_references": [{
                "source_name": "Mandiant",
                "url": "https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect"
            }],
        }
    ]
}

Environment

  1. OS (where OpenCTI server runs): macOS 14.4 (OpenCTI running in Docker)
  2. OpenCTI version: OpenCTI 6.1.10
  3. OpenCTI client: python (pycti)
  4. Other environment details:

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Ingest MITRE ATT&CK data for 2019-2024 (e.g. via the MITRE connector), so that the `Manipulation of Control` attack pattern (`x_mitre_id` `T0831`) shown above exists in the platform.
  2. Import the above STIX bundle using the following Python code (the `description` and `source_name` values here differ slightly from the bundle shown above; the attack pattern's `id`, `name`, and the absence of `x_mitre_id` are the same):
    client = pycti.OpenCTIApiClient(OPENCTI_URL, OPENCTI_TOKEN)
    # Attack pattern that shares only its *name* with the existing MITRE entity:
    # it carries no x_mitre_id and no "mitre-attack" external reference, both of
    # which the existing T0831 entity has.
    attack_pattern = {
        "type": "attack-pattern",
        "spec_version": "2.1",
        "id": "attack-pattern--48b9a20d-e74a-4119-a642-1f025f8c155c",
        "created": "2024-06-17T07:38:32.783683Z",
        "modified": "2024-06-17T07:38:32.783683Z",
        "name": "Manipulation of Control",
        "description": "Parsed from advisory updated",
        "external_references": [
            {
                "source_name": "Mandiant Update",
                "url": "https://www.mandiant.com/resources/blog/initial-access-brokers-exploit-f5-screenconnect",
            }
        ],
    }
    bundle = {
        "type": "bundle",
        "id": "bundle--ea60453e-eafe-47f7-9326-8db68ff37835",
        "objects": [attack_pattern],
    }
    # update=True is intended to update a matching existing entity rather than
    # create a new one (this is the behaviour under test); types restricts the
    # import to attack patterns.
    client.stix2.import_bundle_from_json(
        json.dumps(bundle), update=True, types=["attack-pattern"]
    )
  3. You will get a new Attack-Pattern object with a different `standard_id` (`attack-pattern--4dfa9f55-...` vs. the existing `attack-pattern--0040f898-...`), `x_mitre_id: null`, and no `createdBy`, instead of an update to the existing entity. (The dump below still shows `"description": "Parsed from advisory"` and an empty `externalReferences`, not the "updated" values sent in step 2, so it appears to have been captured from an earlier import of the same bundle.)
    {
    "id": "40146ea5-b526-480f-92a3-5e0084eb7827",
    "standard_id": "attack-pattern--4dfa9f55-f68e-500e-830c-371a975558e9",
    "entity_type": "Attack-Pattern",
    "parent_types": [
      "Basic-Object",
      "Stix-Object",
      "Stix-Core-Object",
      "Stix-Domain-Object"
    ],
    "spec_version": "2.1",
    "created_at": "2024-06-17T08:07:06.282Z",
    "updated_at": "2024-06-17T08:07:06.282Z",
    "createdBy": null,
    "objectMarking": [],
    "objectLabel": [],
    "externalReferences": [],
    "revoked": false,
    "confidence": 100,
    "created": "2024-06-17T07:38:32.783Z",
    "modified": "2024-06-17T07:38:32.783Z",
    "name": "Manipulation of Control",
    "description": "Parsed from advisory",
    "aliases": null,
    "x_mitre_platforms": null,
    "x_mitre_permissions_required": null,
    "x_mitre_detection": null,
    "x_mitre_id": null,
    "killChainPhases": [],
    "createdById": null,
    "objectMarkingIds": [],
    "objectLabelIds": [],
    "killChainPhasesIds": [],
    "externalReferencesIds": []
    }

Additional information

vedang122 commented 3 months ago

romain-filigran