mitre-attack / attack-stix-data

STIX data representing MITRE ATT&CK
https://attack.mitre.org/

<"x_mitre_is_subtechnique": false> field is missing for most of the techniques. #24

Open shankararavind opened 2 years ago

slincoln-aiq commented 2 years ago

Bumping this, as it conflicts with documentation here and threw me for a loop for a bit.

An example of a technique with this field missing is T1615 - Group Policy Discovery.

If using example code from the documentation, one could query for this specific technique with the following Filters:

from stix2 import Filter

# src is a stix2 data source (e.g. a MemoryStore loaded with the ATT&CK bundle)
query_results = src.query([
    Filter('type', '=', 'attack-pattern'),
    Filter('x_mitre_is_subtechnique', '=', False),
    Filter('external_references.external_id', '=', 'T1615')
])

This returns a list of length 0.

However, when removing the x_mitre_is_subtechnique filter:

# Same query without the x_mitre_is_subtechnique filter
query_results = src.query([
    Filter('type', '=', 'attack-pattern'),
    Filter('external_references.external_id', '=', 'T1615')
])

This returns the result as expected, and without the x_mitre_is_subtechnique field.

The workaround I am using now to filter out subtechniques is to omit the x_mitre_is_subtechnique filter and then use Python's built-in filter() function to remove subtechniques after the query:

# Fetch every attack-pattern, then drop objects whose flag is True;
# a missing x_mitre_is_subtechnique field is treated as False
techniques = src.query(Filter("type", "=", "attack-pattern"))
only_techniques = list(filter(lambda x: not x.get('x_mitre_is_subtechnique', False), techniques))
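Added example (not code from the attack-stix-data repository or the commenter above): the same post-query filtering done on plain STIX-like dicts, with no stix2 dependency, so it runs offline. It generalizes the workaround by also consulting the ATT&CK ID format (T1615 vs. T1615.001) as a second signal and by listing which objects lack the flag; the sample objects are constructed, and the unflagged sub-technique among them is a hypothetical case, not something the issue reports.

```python
import re

# ATT&CK IDs look like T1615 (technique) or T1615.001 (sub-technique).
SUBTECHNIQUE_ID = re.compile(r"^T\d{4}\.\d{3}$")

# Constructed STIX-like attack-pattern dicts (not copied from the real bundle);
# two of them lack the x_mitre_is_subtechnique flag entirely.
SAMPLE_OBJECTS = [
    {"type": "attack-pattern", "name": "Group Policy Discovery",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1615"}]},
    {"type": "attack-pattern", "name": "Technique A", "x_mitre_is_subtechnique": False,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1000"}]},
    {"type": "attack-pattern", "name": "Technique A: Sub 1", "x_mitre_is_subtechnique": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1000.001"}]},
    {"type": "attack-pattern", "name": "Technique A: Sub 2 (hypothetical, flag missing)",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1000.002"}]},
    {"type": "intrusion-set", "name": "Not a technique",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0001"}]},
]

def attack_id(obj):
    """Return the ATT&CK ID from the object's 'mitre-attack' external reference, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def is_subtechnique(obj):
    """Treat a missing flag as False (the workaround above), but also consult the
    ID format so a sub-technique that lacks the flag is not misclassified."""
    flagged = bool(obj.get("x_mitre_is_subtechnique", False))
    by_id = SUBTECHNIQUE_ID.match(attack_id(obj) or "") is not None
    return flagged or by_id

def split_techniques(objects):
    """Partition attack-pattern objects into (technique IDs, sub-technique IDs)."""
    techniques, subtechniques = [], []
    for obj in objects:
        if obj.get("type") != "attack-pattern":
            continue
        (subtechniques if is_subtechnique(obj) else techniques).append(attack_id(obj))
    return techniques, subtechniques

def missing_flag_ids(objects):
    """IDs of attack-pattern objects where x_mitre_is_subtechnique is absent (this issue)."""
    return [attack_id(o) for o in objects
            if o.get("type") == "attack-pattern" and "x_mitre_is_subtechnique" not in o]
```

To run this against the real bundle, load it with json and pass bundle["objects"] to split_techniques(); missing_flag_ids() then shows how widespread the missing field is.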