client-python icon indicating copy to clipboard operation
client-python copied to clipboard
verified publisher icon OpenCTI-Platform

Identity ID generated for "The MITRE Corporation" inconsistent with what is provided by MITRE

Open n0p2 opened this issue 3 years ago • 0 comments

Description

The issue is related to Identity ID for "The MITRE Corporation". I encountered two IDs and they are inconsistent.

  1. When generated by using the pycti.Identity.generate_id, the ID is identity--f11b0831-e7e6-5214-9431-ccf054e53e94;
  2. When found on the internet, the ID is identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5

So the question is,

  1. Why are there two inconsistent ones for the same identity?
  2. What are some acceptable mitigations in order to load MITRE ATT&CK?

Environment

pycti 5.3.17

Actual Output (or pycti Output)

Steps to create the smallest reproducible scenario:

# Code 
from pycti import Identity
mitre_id = Identity.generate_id("The MITRE Corporation", "organization")
print(mitre_id)

# Result
identity--f11b0831-e7e6-5214-9431-ccf054e53e94

Expected Output (or Internet Expectation)

It seems that the "correct" ID corresponding to "The MITRE Corporation" should be identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.

Evidence 1

# Source: https://raw.githubusercontent.com/mitre-attack/attack-stix-data/master/enterprise-attack/enterprise-attack.json

"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"

Evidence 2

# source: https://api.intelligence.fireeye.com/docs#indicators-collection
        {
            "object_marking_refs": [],
            "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
            "name": "The MITRE Corporation",
            "type": "identity",
            "created": "2017-06-01T00:00:00.000Z",
            "modified": "2017-06-01T00:00:00.000Z",
            "revoked": false,
            "identity_class": "organization",
            "lang": "en",
            "spec_version": "2.1"
        },

Evidence 3

# Source: https://docs.sekoia.io/tip/features/data_model/

{
  "type": "attack-pattern",
  "name": "Spearphishing Link",
  "id": "attack-pattern--6cd1a813-ccdf-4ba0-9b54-cb808f1059cc",

  "created_by_ref": "identity--357447d7-9229-4ce1-b7fa-f1b83587048e",  # SEKOIA

  "x_inthreat_sources_refs": [
    "identity--357447d7-9229-4ce1-b7fa-f1b83587048e",  # SEKOIA
    "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"   # The MITRE Corporation
  ],

  [...]
}

n0p2 avatar Jan 23 '23 21:01 n0p2