I’m trying to understand some anomalies I’m seeing with ATT&CK results.
My initial assumption was that all Matices have distinct object ID’s, even if the object is in more than one Matrix.
As an example, the Tactic Persistence is found in all three Matricies. For reference they are…
x-mitre-tactic--5bc1d813-693e-4823-9961-abf9af4b0e92(TA0003 Enterprise)x-mitre-tactic--78f1d2ae-a579-44c4-8fc5-3e1775c73fac(TA0110 ICS)x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54(TA0028 Mobile)
Here is the search I used after importing using stix2arango;
FOR doc IN UNION(
(FOR d IN mitre_attack_enterprise_vertex_collection RETURN d),
(FOR d IN mitre_attack_ics_vertex_collection RETURN d),
(FOR d IN mitre_attack_mobile_vertex_collection RETURN d)
)
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "x-mitre-tactic"
AND doc.name == "Persistence"
RETURN doc.id
Another example, take the Technique Process Injection…
attack-pattern--43c9bc06-715b-42db-972f-52d25c09a20c(T1659 Enterprise)attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff(T1631 Mobile)
BUT…
Take the group OilRig (G0049)
It has a duplicate ID in both the ICS and Enterprise Matrix as follows
intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d(Enterprise)intrusion-set--4ca1929c-7d64-4aab-b849-badbfc0c760d(ICS)
FOR doc IN UNION(
(FOR d IN mitre_attack_enterprise_vertex_collection RETURN d),
(FOR d IN mitre_attack_ics_vertex_collection RETURN d),
(FOR d IN mitre_attack_mobile_vertex_collection RETURN d)
)
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.external_references != null
FOR extRef IN doc.external_references
FILTER extRef.external_id == "G0049"
AND extRef.source_name == "mitre-attack"
LET keys = ATTRIBUTES(doc)
LET filteredKeys = keys[* FILTER !STARTS_WITH(CURRENT, "_")]
RETURN doc.id
So in some cases ids seem to persist, but in others they change.
What is the logic here?