chisholm
commented
1 year ago I am unable to reproduce this. I tried (using a different external_id for which I new an object existed on my server):
collection = Collection(
"http://localhost:5000/trustgroup1/collections/91a7b528-80eb-42ed-a74d-c6fbd5a26116/",
user="(user)",
password="(password)"
)
tc_source = TAXIICollectionSource(collection, allow_custom=True)
filters = [
Filter("external_references.external_id", "=", "B0005"),
Filter("type", "=", "attack-pattern")
]
objs = tc_source.query(filters)
print(objs)And got as output:
[taxii2client.v21] [WARNING ] [2022-12-06 19:00:00,604] TAXII Server Response with different amount of objects! Setting limit=100
[AttackPattern(type='attack-pattern', spec_version='2.1', id='attack-pattern--64ec233c-8762-4e4a-af40-475ebd3aa127', created_by_ref='identity--b73c59c1-8560-449a-b8d0-c2ce0533c5bf', created='2020-08-21T20:49:59.530265Z', modified='2022-09-08T18:26:13.302403Z', name='Emulator Evasion', description='Behaviors that obstruct analysis in an emulator.', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-mbc', phase_name='anti-behavioral-analysis')], revoked=False, external_references=[ExternalReference(source_name='mitre-mbc', url='https://github.com/MBCProject/mbc-markdown/blob/v2.3/anti-behavioral-analysis/emulator-evasion.md', external_id='B0005')], object_marking_refs=['marking-definition--093b6375-cd45-4aa3-8f91-6a03ddd7a3d3'], x_mitre_is_subtechnique=False)]
Hi, I have a code that used to work before I upgraded to STIX2 3.0.0 library version:
The filtering by
external_references.external_iddoes not seem to work anymore, as I get as response all of the objects that havetype==attack pattern, and not just the one that haveexternal_references.external_id==my_attack_id. Before the upgrade, I only got one object that meets my query.For example: Using
my_attack_id=T1111with the query above results in response with all of the attack_pattern objects in the system.Thanks