mitre / cti

Cyber Threat Intelligence Repository expressed in STIX 2.0

Some relationship missing when v12, v13 release #215

Closed s920128 closed 1 year ago

s920128 commented 1 year ago

Hello, after the v13 release, I found some Enterprise relationships were removed.

In v11.3:

  1. T1150
    {
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "type": "relationship",
      "id": "relationship--71aca8ff-1ac7-4d62-b388-ef4605cf8d4b",
      "created": "2022-04-22T18:49:20.528Z",
      "x_mitre_version": "0.1",
      "x_mitre_deprecated": false,
      "revoked": false,
      "description": "",
      "modified": "2022-04-22T18:49:20.528Z",
      "relationship_type": "revoked-by",
      "source_ref": "attack-pattern--06780952-177c-4247-b978-79c357fb311f",
      "target_ref": "attack-pattern--6747daa2-3533-4e78-8fb8-446ebb86448a",
      "x_mitre_attack_spec_version": "2.1.0",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
    }
  2. T1162
    {
      "object_marking_refs": [
        "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
      ],
      "type": "relationship",
      "id": "relationship--d3a3d5c2-a7d0-41b8-9f27-4fafc47ec97d",
      "created": "2022-04-22T18:50:50.487Z",
      "x_mitre_version": "0.1",
      "x_mitre_deprecated": false,
      "revoked": false,
      "description": "",
      "modified": "2022-04-22T18:50:50.487Z",
      "relationship_type": "revoked-by",
      "source_ref": "attack-pattern--36675cd3-fe00-454c-8516-aebecacbe9d9",
      "target_ref": "attack-pattern--6747daa2-3533-4e78-8fb8-446ebb86448a",
      "x_mitre_attack_spec_version": "2.1.0",
      "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
      "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
    }

These relationships appear to have been removed starting in v12. It's strange to me. This means that a technique's ID has been revoked, but I cannot find who has replaced it in CTI. Is this change correct?

s920128 commented 1 year ago

Hi @jondricek, can you please help me answer this question & #208? Thank you for your help!

jondricek commented 1 year ago

Hey @s920128, thanks for pointing this issue out to our team. We just released ATT&CK v13.1 a couple days ago and added these revoked-by relationships back into the STIX bundle. The reason they are a bit tricky on our end to export is that each of the source and target objects are revoked. Ultimately we believe we fixed the logic so that this issue shouldn't occur again in the future.
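Added example, not part of the thread and not MITRE's export code: a consumer-side check that flags revoked objects in a STIX bundle with no usable `revoked-by` relationship, following chains where the replacement is itself revoked (the case described in the reply above). The object IDs and the sample bundle are constructed for illustration, and the function names are hypothetical.

```python
# Constructed sample IDs (not real ATT&CK objects): A and B are revoked, C is active.
A = "attack-pattern--00000000-0000-4000-8000-00000000000a"
B = "attack-pattern--00000000-0000-4000-8000-00000000000b"
C = "attack-pattern--00000000-0000-4000-8000-00000000000c"
REL_AB = "relationship--00000000-0000-4000-8000-0000000000ab"
REL_BC = "relationship--00000000-0000-4000-8000-0000000000bc"

def _rel(rel_id, src, dst):
    return {"type": "relationship", "id": rel_id, "relationship_type": "revoked-by",
            "source_ref": src, "target_ref": dst, "revoked": False}

SAMPLE_BUNDLE = {"type": "bundle", "objects": [
    {"type": "attack-pattern", "id": A, "revoked": True},
    {"type": "attack-pattern", "id": B, "revoked": True},
    {"type": "attack-pattern", "id": C, "revoked": False},
    _rel(REL_AB, A, B),
    _rel(REL_BC, B, C),
]}

def index_bundle(bundle):
    """Return (objects by id, revoked-by map of source_ref -> target_ref)."""
    objects = {o["id"]: o for o in bundle["objects"]}
    revoked_by = {o["source_ref"]: o["target_ref"] for o in bundle["objects"]
                  if o.get("type") == "relationship"
                  and o.get("relationship_type") == "revoked-by"}
    return objects, revoked_by

def resolve_replacement(obj_id, objects, revoked_by):
    """Follow the revoked-by chain to the first non-revoked object.
    Returns None if a link is missing, dangling, or the chain loops."""
    seen, current = set(), obj_id
    while objects.get(current, {}).get("revoked"):
        if current in seen or current not in revoked_by:
            return None
        seen.add(current)
        current = revoked_by[current]
    return current if current in objects else None

def orphaned_revocations(bundle):
    """IDs of revoked non-relationship objects with no resolvable replacement."""
    objects, revoked_by = index_bundle(bundle)
    return sorted(i for i, o in objects.items()
                  if o.get("type") != "relationship" and o.get("revoked")
                  and resolve_replacement(i, objects, revoked_by) is None)

if __name__ == "__main__":
    print("intact bundle:", orphaned_revocations(SAMPLE_BUNDLE))
    broken = {"objects": [o for o in SAMPLE_BUNDLE["objects"] if o["id"] != REL_AB]}
    print("A->B link dropped:", orphaned_revocations(broken))
```

To check a real release, pass the dictionary obtained from `json.load()` on the bundle file to `orphaned_revocations()`; a non-empty result lists the revoked IDs whose replacement cannot be found.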