attack-stix-data
<"x_mitre_is_subtechnique": false> field is missing for most of the techniques.
Bumping this, as it conflicts with documentation here and threw me for a loop for a bit.
An example of a technique with this field missing is T1615 - Group Policy Discovery.
If using example code from the documentation, one could query for this specific technique with the following Filters:
    from stix2 import Filter  # src is the data source set up as in the documentation example

    query_results = src.query([
        Filter('type', '=', 'attack-pattern'),
        Filter('x_mitre_is_subtechnique', '=', False),
        Filter('external_references.external_id', '=', 'T1615')
    ])
Which returns a list of length 0.
However, when removing the x_mitre_is_subtechnique filter:
    query_results = src.query([
        Filter('type', '=', 'attack-pattern'),
        Filter('external_references.external_id', '=', 'T1615')
    ])
This returns the result as expected, and without the x_mitre_is_subtechnique field.
The workaround I am using now to filter out subtechniques is to not include the x_mitre_is_subtechnique filter, then use Python's built-in filter() function to filter out subtechniques after the query:
    techniques = src.query(Filter("type", "=", "attack-pattern"))
    only_techniques = list(filter(lambda x: not x.get('x_mitre_is_subtechnique', False), techniques))
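A stand-alone sketch of the behaviour and workaround described in the comment above, added here as an example (it is not code from the comment or from the attack-stix-data project). It works on plain dicts rather than stix2 objects, the sample objects are constructed, all function names are hypothetical, and as an added assumption it falls back to the ATT&CK ID format (sub-technique IDs look like Txxxx.yyy) when the field is absent:

```python
import re

# Constructed, minimal attack-pattern objects (not copied from the real bundle).
SAMPLE_OBJECTS = [
    {"type": "attack-pattern", "name": "Group Policy Discovery",  # field absent
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1615"}]},
    {"type": "attack-pattern", "name": "Command and Scripting Interpreter",
     "x_mitre_is_subtechnique": False,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
    {"type": "attack-pattern", "name": "PowerShell",
     "x_mitre_is_subtechnique": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059.001"}]},
]

# Assumption: sub-technique IDs have the form Txxxx.yyy.
SUBTECHNIQUE_ID = re.compile(r"^T\d{4}\.\d{3}$")


def attack_id(obj):
    """Return the ATT&CK ID from the mitre-attack external reference, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None


def strict_equals(objects, prop, value):
    """Equality filter that skips objects lacking prop (the behaviour reported above)."""
    return [o for o in objects if prop in o and o[prop] == value]


def is_subtechnique(obj):
    """Use the field when present; otherwise fall back to the ID format."""
    if "x_mitre_is_subtechnique" in obj:
        return bool(obj["x_mitre_is_subtechnique"])
    return bool(SUBTECHNIQUE_ID.match(attack_id(obj) or ""))


def split_techniques(objects):
    """Return (techniques, subtechniques, ids_missing_field) for attack-pattern objects."""
    patterns = [o for o in objects if o.get("type") == "attack-pattern"]
    techniques = [o for o in patterns if not is_subtechnique(o)]
    subtechniques = [o for o in patterns if is_subtechnique(o)]
    missing = [attack_id(o) for o in patterns if "x_mitre_is_subtechnique" not in o]
    return techniques, subtechniques, missing
```

The third return value lists the IDs that a strict `x_mitre_is_subtechnique = False` filter would silently drop, which is useful when checking how much of a technique-coverage mapping is affected.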