I have been using the MITRE integration fine for a while, but I recently noticed a limitation where I cannot send it multiple technique IDs or names without it generating an error. It seems like most of the MITRE functions can take comma-separated inputs, but not techniques, from what I see. See error below:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/fn_mitre_integration/components/mitre_technique_information.py", line 60, in _mitre_technique_information_function
    "Technique with name/id {}/{} can't be found".format(mitre_technique_name, mitre_technique_id))
ValueError: Technique with name/id None/T1016,T1018,T1049,T1087,T1135,T1569 can't be found
querying MITRE STIX TAXII server. It might take several minutes...

This seems like an oversight since incidents may encounter multiple techniques or am I missing something? We are on version 2.0.1 but I do not see a need to go to 2.0.2 since it just adds "proxy support".
Inevitably my use case is this:
1) 1 particular incident generating data source will establish multiple MITRE ATT&CK technique IDs.
2) I was planning to just concatenate them all separated by commas and use as an input within a similar workflow such as "Example: MITRE Get Technique information". However as noted above, this doesn't appear to work.
--- The rest of my use implies I can figure out how to successfully pass items 1-2 ---
3) Store the data in a MITRE ATT&CK Techniques table and create a rule that can extract the Technique Names and Tactic Names.
4) Technique Names will be comma separated and inserted into an incident property which we leverage for metrics / reporting.
5) Tactic Names will be comma separated and inserted into an incident property which we leverage for metrics / reporting.
I assume I am not the first person to tackle this problem so I'd appreciate any feedback on how else to do it if the function cannot.
Thank you kindly in advance to those who take the time to work through this problem!
------------------------------
Mr Coco
------------------------------
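An added example, not part of the original post and not the integration's own code: one way to get around the single-ID limit is to split the comma-separated field, look each technique up on its own, and then build the comma-separated technique and tactic properties from steps 3-5. `lookup_one` and the `SAMPLE_TECHNIQUES` table are hypothetical stand-ins, built here for illustration, for whatever single-technique lookup is available.

```python
import re

# Constructed stand-in for a lookup that takes one technique ID per call (the
# post reports a comma-separated list failing); not the integration's data or API.
SAMPLE_TECHNIQUES = {
    "T1016": ("System Network Configuration Discovery", ["Discovery"]),
    "T1018": ("Remote System Discovery", ["Discovery"]),
    "T1049": ("System Network Connections Discovery", ["Discovery"]),
    "T1087": ("Account Discovery", ["Discovery"]),
    "T1135": ("Network Share Discovery", ["Discovery"]),
    "T1569": ("System Services", ["Execution"]),
}

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # T1016 or sub-technique T1016.001

def split_technique_ids(raw):
    """Split a comma-separated field into unique, well-formed technique IDs."""
    ids, rejected = [], []
    for token in (raw or "").split(","):
        token = token.strip().upper()
        if not token:
            continue
        if not TECHNIQUE_ID.match(token):
            rejected.append(token)   # keep malformed input visible, do not drop it silently
        elif token not in ids:
            ids.append(token)
    return ids, rejected

def lookup_one(technique_id):
    """Hypothetical single-ID lookup; returns None when the ID is unknown."""
    return SAMPLE_TECHNIQUES.get(technique_id)

def summarize(raw):
    """Look up each ID separately and build the two comma-separated properties."""
    ids, rejected = split_technique_ids(raw)
    names, tactics, missing = [], [], []
    for tid in ids:
        hit = lookup_one(tid)
        if hit is None:
            missing.append(tid)      # one unknown ID no longer fails the whole batch
            continue
        names.append(hit[0])
        for tactic in hit[1]:
            if tactic not in tactics:
                tactics.append(tactic)
    return {"technique_names": ", ".join(names), "tactic_names": ", ".join(tactics),
            "missing": missing, "rejected": rejected}
```

Reporting `missing` and `rejected` separately keeps a typo or retired ID from hiding the techniques that did resolve.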