IBM QRadar SOAR


fn-mitre-integration Help - Any idea how to search for multiple techniques?

  • 1.  fn-mitre-integration Help - Any idea how to search for multiple techniques?

    Posted Tue November 24, 2020 02:32 PM
    I have been using the MITRE integration for a while without issues, but I recently noticed a limitation where I cannot send it multiple technique IDs or names without it generating an error. It seems like most of the MITRE functions can take comma-separated inputs, but not techniques from what I see. See error below:

    Traceback (most recent call last):
      File "/usr/local/lib/python2.7/site-packages/fn_mitre_integration/components/mitre_technique_information.py", line 60, in _mitre_technique_information_function
        "Technique with name/id {}/{} can't be found".format(mitre_technique_name, mitre_technique_id))
    ValueError: Technique with name/id None/T1016,T1018,T1049,T1087,T1135,T1569 can't be found
    querying MITRE STIX TAXII server. It might take several minutes...

    This seems like an oversight, since incidents may encounter multiple techniques, or am I missing something? We are on version 2.0.1, but I do not see a need to go to 2.0.2 since it just adds "proxy support".

    Inevitably my use case is this:
    1) 1 particular incident generating data source will establish multiple MITRE ATT&CK technique IDs.
    2) I was planning to just concatenate them all, separated by commas, and use that as an input within a workflow similar to Example: MITRE Get Technique information. However, as noted above, this doesn't appear to work.
    --- The rest of my use implies I can figure out how to successfully pass items 1-2 ---
    3) Store the data in a MITRE ATT&CK Techniques table and create a rule that can extract the Technique Names and Tactic Names.
    4) Technique Names will be comma separated and inserted into an incident property which we leverage for metrics / reporting.
    5) Tactic Names will be comma separated and inserted into an incident property which we leverage for metrics / reporting.

    I assume I am not the first person to tackle this problem so I'd appreciate any feedback on how else to do it if the function cannot.

    Thank you kindly in advance to those who take the time to work through this problem!

    ------------------------------
    Mr Coco
    ------------------------------


  • 2.  RE: fn-mitre-integration Help - Any idea how to search for multiple techniques?

    Posted Tue November 24, 2020 07:05 PM
    Well I think I figured out a way around it by doing the following:

    1) Used an incident rule to dump each technique ID to the technique ID row on the MITRE ATT&CK Techniques data table.
    2) Used a data table rule to update each row to get the technique and tactic names, leveraging a bastardized version of the Example: MITRE Get Technique output section, but had to comment out everything after row["technique_name"] = att_tech["name"] or it would error out.
    3) Used another data table rule which executes a script when it sees a technique or tactic name updated in the data table, which then passes the data table inputs to my incident property.

    I still think you should be able to run a workflow similar to Example: MITRE Get Technique and pass it comma separated entries but perhaps someone is following that agrees and sees the value. :)

    ------------------------------
    Mr Coco
    ------------------------------
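
The pattern both posts arrive at is the same: the technique function accepts exactly one ID, so a comma-separated list has to be split and resolved one ID at a time, with the per-ID results gathered into the data table and then flattened into the two incident properties. The script below is an added example that is not the poster's code and does not use the fn_mitre_integration API; a small constructed in-memory catalog (hard-coded name/tactic strings for the six IDs in the error message) stands in for the STIX/TAXII lookup so it runs offline, and the row column names, the `mitre_technique_names` / `mitre_tactic_names` property names and all function names are assumptions for illustration. It also covers the failure mode the thread hit: an ID that is not found is reported in a `missing` list instead of aborting the whole batch with a ValueError.

```python
"""Split a comma-separated ATT&CK technique ID list, resolve each ID on its
own, and build comma-separated technique/tactic name properties.

Added example, not fn_mitre_integration code: the real integration queries
the MITRE STIX/TAXII server; a constructed catalog stands in for it here.
"""
import re

# Constructed stand-in for the TAXII lookup (assumption: the strings follow the
# public ATT&CK matrix, but nothing here talks to MITRE).
TECHNIQUE_CATALOG = {
    "T1016": {"name": "System Network Configuration Discovery", "tactics": ["Discovery"]},
    "T1018": {"name": "Remote System Discovery", "tactics": ["Discovery"]},
    "T1049": {"name": "System Network Connections Discovery", "tactics": ["Discovery"]},
    "T1087": {"name": "Account Discovery", "tactics": ["Discovery"]},
    "T1135": {"name": "Network Share Discovery", "tactics": ["Discovery"]},
    "T1569": {"name": "System Services", "tactics": ["Execution"]},
}

# ATT&CK technique IDs: T plus four digits, optionally .NNN for a sub-technique.
TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")


def is_technique_id(token):
    """True if token (after trimming/upper-casing) is a single technique ID."""
    return bool(TECHNIQUE_ID_RE.match(token.strip().upper()))


def split_technique_ids(raw):
    """Turn 'T1016, t1018,,T1016' into ['T1016', 'T1018']: trimmed, upper-cased,
    de-duplicated, input order kept. A token that is not a technique ID raises
    before any lookup runs, so a malformed input fails early and visibly."""
    ids = []
    for token in raw.split(","):
        tid = token.strip().upper()
        if not tid:
            continue
        if not TECHNIQUE_ID_RE.match(tid):
            raise ValueError("Not an ATT&CK technique ID: {!r}".format(token))
        if tid not in ids:
            ids.append(tid)
    return ids


def lookup_technique(technique_id, catalog=TECHNIQUE_CATALOG):
    """Resolve ONE ID, the only input shape the thread's function accepts."""
    return catalog.get(technique_id)


def resolve_techniques(raw, catalog=TECHNIQUE_CATALOG):
    """Resolve a comma-separated ID string one ID at a time.

    Returns (rows, missing): rows carry the columns the poster's data table
    uses (assumed names); missing lists IDs the catalog did not know, so one
    unknown ID is reported instead of aborting the whole batch."""
    rows, missing = [], []
    for tid in split_technique_ids(raw):
        entry = lookup_technique(tid, catalog)
        if entry is None:
            missing.append(tid)
            continue
        rows.append({
            "technique_id": tid,
            "technique_name": entry["name"],
            "tactic_names": list(entry["tactics"]),
        })
    return rows, missing


def incident_properties(rows):
    """Build the two comma-separated incident property values (steps 4 and 5):
    technique names in input order, tactic names de-duplicated, first seen first."""
    technique_names = [row["technique_name"] for row in rows]
    tactic_names = []
    for row in rows:
        for tactic in row["tactic_names"]:
            if tactic not in tactic_names:
                tactic_names.append(tactic)
    return {
        "mitre_technique_names": ", ".join(technique_names),
        "mitre_tactic_names": ", ".join(tactic_names),
    }


if __name__ == "__main__":
    # Constructed input: the ID list from the error message plus one unknown
    # ID, to show a miss being reported rather than raised.
    rows, missing = resolve_techniques("T1016,T1018,T1049,T1087,T1135,T1569,T9999")
    for row in rows:
        print(row["technique_id"], "->", row["technique_name"], "/", ", ".join(row["tactic_names"]))
    print("not found:", missing)
    print(incident_properties(rows))
```

The check in `split_technique_ids` is the part worth keeping even if the lookup itself is replaced by the real function: it rejects a whole comma-joined string (which is exactly what produced the `None/T1016,T1018,...` error) before it reaches a single-ID lookup, and the `missing` list keeps one bad ID from throwing away the results for the others.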