cti-python-stix2 icon indicating copy to clipboard operation
cti-python-stix2 copied to clipboard
verified publisher icon oasis-open

Question: How to get the relevant apts of an indicator

Open fear-the-reaper opened this issue 2 years ago • 2 comments

Hi! I'm trying to query mitre to get the relevant APTs or TTPs of a certain indicator. I've tried to use Filter where my query is basically indicator.value = <my-indicator-value but I get nothing back. If anyone can help me out or point me in the right direction that would be great!

fear-the-reaper avatar Apr 11 '23 09:04 fear-the-reaper

Hi, Indicators in STIX don't have a value property; you might want to use indicator.pattern instead. I'm not sure what you mean by "query mitre" - if you are querying the MITRE ATT&CK data represented in STIX, you may want to post your question to https://github.com/mitre-attack/attack-stix-data. I don't think that dataset includes any indicators though.

clenk avatar Apr 11 '23 17:04 clenk

@clenk Yeah asked there as well. Plus just found out indicators aren't in their dataset. By "query mitre" I meant I just want to get the IoC's relevant TTPs, APTs, and Campaigns. Since MITRE is the biggest knowledge base for APT-based information thought I might see that. If there's any other way or resource you could guide me on that would be great!

fear-the-reaper avatar Apr 11 '23 18:04 fear-the-reaper