Can ATT&CK External References get Ref-ID's? about cti HOT 5 CLOSED

Hi @HamptonJ,

I'm not entirely sure what you're asking here. To my knowledge all technique (attack-pattern) objects in our catalog have ATT&CK Ids — the first object in the external_references array should always be an ATT&CK ID, marked with the external ID (also called the ATT&CK ID), the collection name (mitre-attack, mitre-mobile-attack, or mitre-pre-attack, depending on the domain), and the URL the technique can be found at — see this example.

Could you clarify what you meant by "attack-patterns that don't have external IDs," and cite any specific examples?

from cti.

Thanks for the response @isaisabel, and sorry for the delay. It's been a while since I initially made this issue but I think what I meant is that, in "stix-capec.json", all external reference objects have a property of "external_id". If the external id isn't CWE-xxx or something similar, it is REF-xxx. My question was, is there a plan to add the "Ref-xxx" ids to "enterprise-attack.json"? Please let me know if you'd like additional information! Thanks for your time

from cti.

Here is an example. The first picture is from stix-capec.json, which includes the "ref-xxx" properties, the second is from enterprise-attack.json, which doesn't.

from cti.

Hi @HamptonJ,

The "REF-XXX" ids in the CAPEC converted external references are probably a result of the way the references are stored in the CAPEC XML files. I'm not sure there is anything equivalent in ATT&CK.

from cti.

Closing due to inactivity.

from cti.