Let’s say I have T1113. I want to know what objects this Technique is related to (sub-techs, groups, software, etc.).
Is this possible?
Yes, it’s entirely possible.
First you need to find the STIX ID of T1113.
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.type == "attack-pattern"
AND doc.x_mitre_is_subtechnique == false
FOR extRef IN doc.external_references
FILTER extRef.external_id == "T1113"
AND extRef.source_name == "mitre-attack"
RETURN doc.id
[
"attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688"
]
Now you can search what relationship objects link to / from it
FOR doc IN mitre_attack_enterprise_edge_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._is_ref == false
AND doc._stix2arango_note == "v15.1"
AND doc.target_ref == "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688"
RETURN doc
You can change the source_ref (objects this object links to) line to target_ref (objects this object links from) depending on what you need. Note, in this example, this object does not link to any others (using source_ref returns 0 results).
Here is what the results look like on the graph returned (T1113 in the middle)
To just get a list of objects you can use the search
FOR doc IN mitre_attack_enterprise_edge_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._is_ref == false
AND doc._stix2arango_note == "v15.1"
AND doc.target_ref == "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688"
RETURN doc.source_ref
[
"malware--5f9f7648-04ba-4a9f-bb4c-2a13e74572bd",
"malware--04fc1842-f9e4-47cf-8cb8-5c61becad142",
"malware--8ae43c46-57ef-47d5-a77a-eebb35628db2",
"malware--e7a5229f-05eb-440e-b982-9a6d2b2b87c8",
"intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1",
"tool--cb69b20d-56d0-41ab-8440-4a4b251614d4",
"malware--db1355a7-e5c9-4e2c-8da7-eccf2ae9bf5c",
"malware--82cb34ba-02b5-432b-b2d2-07f55cbf674d",
"malware--a5528622-3a8a-4633-86ce-8cdaf8423858",
(there are 154 results in total)
You can achieve this in one query.
Return a graph:
FOR attackPattern IN mitre_attack_enterprise_vertex_collection
FILTER attackPattern._stix2arango_note != "automatically imported on collection creation"
AND attackPattern._stix2arango_note == "v15.1"
AND attackPattern.type == "attack-pattern"
AND attackPattern.x_mitre_is_subtechnique == false
FOR extRef IN attackPattern.external_references
FILTER extRef.external_id == "T1113"
AND extRef.source_name == "mitre-attack"
LET attackPatternId = attackPattern.id
FOR relationship IN mitre_attack_enterprise_edge_collection
FILTER relationship._stix2arango_note != "automatically imported on collection creation"
AND relationship._is_ref == false
AND relationship._stix2arango_note == "v15.1"
AND relationship.target_ref == attackPatternId
RETURN relationship
Or just return a list of objects
LET attackPatternId = (
FOR attackPattern IN mitre_attack_enterprise_vertex_collection
FILTER attackPattern._stix2arango_note != "automatically imported on collection creation"
AND attackPattern._stix2arango_note == "v15.1"
AND attackPattern.type == "attack-pattern"
AND attackPattern.x_mitre_is_subtechnique == false
FOR extRef IN attackPattern.external_references
FILTER extRef.external_id == "T1113"
AND extRef.source_name == "mitre-attack"
RETURN attackPattern.id
)
FOR relationship IN mitre_attack_enterprise_edge_collection
FILTER relationship._stix2arango_note != "automatically imported on collection creation"
AND relationship._is_ref == false
AND relationship._stix2arango_note == "v15.1"
AND relationship.target_ref IN attackPatternId
RETURN relationship.source_ref
And because STIX object ids are not very clear, you can also print a list of ATT&CK names instead
LET attackPatternIds = (
FOR attackPattern IN mitre_attack_enterprise_vertex_collection
FILTER attackPattern._stix2arango_note != "automatically imported on collection creation"
AND attackPattern._stix2arango_note == "v15.1"
AND attackPattern.type == "attack-pattern"
AND attackPattern.x_mitre_is_subtechnique == false
FOR extRef IN attackPattern.external_references
FILTER extRef.external_id == "T1113"
AND extRef.source_name == "mitre-attack"
RETURN attackPattern.id
)
LET relationshipSourceRefs = (
FOR relationship IN mitre_attack_enterprise_edge_collection
FILTER relationship._stix2arango_note != "automatically imported on collection creation"
AND relationship._is_ref == false
AND relationship._stix2arango_note == "v15.1"
AND relationship.target_ref IN attackPatternIds
RETURN relationship.source_ref
)
FOR doc IN mitre_attack_enterprise_vertex_collection
FILTER doc._stix2arango_note != "automatically imported on collection creation"
AND doc._stix2arango_note == "v15.1"
AND doc.id IN relationshipSourceRefs
RETURN { name: doc.name, type: doc.type, id: doc.id }
[
{
"name": "Screen Capture Mitigation",
"type": "course-of-action",
"id": "course-of-action--51b37302-b844-4c08-ac98-ae6955ed1f55"
},
{
"name": "Dragonfly",
"type": "intrusion-set",
"id": "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1"
},
{
"name": "MuddyWater",
"type": "intrusion-set",
"id": "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2"
},
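As an added example (not code from the thread or from stix2arango), here is the same three-step lookup done offline in Python over a small constructed list of STIX objects, so the source_ref / target_ref direction and the name resolution can be checked without a database. The stix2arango-specific filters (_stix2arango_note, _is_ref) are not modelled. The course-of-action, intrusion-set and tool IDs quoted above are reused; the malware, its ID, its name and the sample relationships are made up.

```python
"""Offline walk of the lookups in this thread: find the attack-pattern for an
ATT&CK ID, collect the relationships that point at it, and resolve the other
end of each relationship to a name and type.

Added example, not code from the thread or from stix2arango. Sample data is
constructed: IDs marked "from thread" are quoted above, everything else is
hypothetical.
"""
from collections import defaultdict

TECHNIQUE = "attack-pattern--0259baeb-9f63-4c69-bf10-eb038c390688"   # T1113 (from thread)
MITIGATION = "course-of-action--51b37302-b844-4c08-ac98-ae6955ed1f55"  # from thread
DRAGONFLY = "intrusion-set--1c63d4ec-0a75-4daa-b1df-0d11af3d3cc1"      # from thread
MUDDYWATER = "intrusion-set--269e8108-68c6-4f99-b911-14b2e765dec2"     # from thread
RAT = "malware--00000000-0000-4000-8000-000000000001"                  # hypothetical
TOOL = "tool--cb69b20d-56d0-41ab-8440-4a4b251614d4"  # from thread; deliberately absent from OBJECTS

OBJECTS = [  # constructed sample vertices
    {"type": "attack-pattern", "id": TECHNIQUE, "name": "Screen Capture",
     "x_mitre_is_subtechnique": False,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1113"}]},
    {"type": "course-of-action", "id": MITIGATION, "name": "Screen Capture Mitigation"},
    {"type": "intrusion-set", "id": DRAGONFLY, "name": "Dragonfly"},
    {"type": "intrusion-set", "id": MUDDYWATER, "name": "MuddyWater"},
    {"type": "malware", "id": RAT, "name": "Example RAT"},  # hypothetical
]

RELATIONSHIPS = [  # constructed sample edges
    {"type": "relationship", "relationship_type": "mitigates", "source_ref": MITIGATION, "target_ref": TECHNIQUE},
    {"type": "relationship", "relationship_type": "uses", "source_ref": DRAGONFLY, "target_ref": TECHNIQUE},
    {"type": "relationship", "relationship_type": "uses", "source_ref": MUDDYWATER, "target_ref": TECHNIQUE},
    {"type": "relationship", "relationship_type": "uses", "source_ref": RAT, "target_ref": TECHNIQUE},
    {"type": "relationship", "relationship_type": "uses", "source_ref": TOOL, "target_ref": TECHNIQUE},
    # distractor: the group uses the malware, not the technique; must not be returned
    {"type": "relationship", "relationship_type": "uses", "source_ref": DRAGONFLY, "target_ref": RAT},
]


def find_technique(objects, external_id, include_subtechniques=False):
    """Mirror of the first AQL query: the attack-pattern whose mitre-attack
    external reference carries external_id. Returns its STIX id, or None."""
    for obj in objects:
        if obj.get("type") != "attack-pattern":
            continue
        if not include_subtechniques and obj.get("x_mitre_is_subtechnique", False):
            continue
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "mitre-attack" and ref.get("external_id") == external_id:
                return obj["id"]
    return None


def related(objects, relationships, stix_id, direction="inbound"):
    """Relationships touching stix_id. "inbound" matches target_ref == stix_id
    (the thread's query: objects that link TO the technique); "outbound"
    matches source_ref == stix_id. Returns (resolved, dangling): resolved is a
    list of (relationship_type, other_object), dangling lists refs that point
    at an object not present in `objects`."""
    by_id = {o["id"]: o for o in objects}
    mine, other = ("target_ref", "source_ref") if direction == "inbound" else ("source_ref", "target_ref")
    resolved, dangling = [], []
    for rel in relationships:
        if rel.get("type") != "relationship" or rel.get(mine) != stix_id:
            continue
        obj = by_id.get(rel[other])
        if obj is None:
            dangling.append(rel[other])
            continue
        resolved.append((rel["relationship_type"], obj))
    return resolved, dangling


def names_by_type(resolved):
    """Mirror of the last AQL query, grouped by STIX type and keeping the
    relationship_type so 'uses' and 'mitigates' stay distinguishable."""
    grouped = defaultdict(list)
    for rel_type, obj in resolved:
        grouped[obj["type"]].append((obj["name"], rel_type))
    return {t: sorted(v) for t, v in grouped.items()}


if __name__ == "__main__":
    tid = find_technique(OBJECTS, "T1113")
    inbound, missing = related(OBJECTS, RELATIONSHIPS, tid, "inbound")
    outbound, _ = related(OBJECTS, RELATIONSHIPS, tid, "outbound")
    for stix_type, entries in names_by_type(inbound).items():
        for name, rel_type in entries:
            print(f"{stix_type:18} {rel_type:10} {name}")
    print("unresolved refs:", missing)
    print("outbound relationships:", len(outbound))
```

Run as-is it lists the mitigation, the two groups and the malware that point at T1113, reports the tool ID as unresolved (its vertex is not in the sample), and shows zero outbound relationships, which is the same picture the thread's target_ref and source_ref queries give. Listing dangling refs rather than dropping them is the part worth keeping when you port this to a real bundle: a relationship whose other end is missing from the vertex collection is exactly the case the final AQL query on this page would silently skip.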