Description
The GTI API exposes a /api/v3/collections/{id}/mitre_tree endpoint that provides MITRE ATT&CK technique mappings for various object types (reports, malware, vulnerabilities, campaigns, etc.). The connector does not currently leverage this endpoint systematically across all supported object types.
Expected Behavior
For each ingested GTI object that has an associated MITRE tree, the connector should:
- Query the /api/v3/collections/{id}/mitre_tree endpoint
- Ingest the returned Attack Pattern objects (matching existing ones by MITRE external ID where possible)
- Create appropriate STIX relationships between the source object and the Attack Patterns
This should be implemented as a reusable pattern across all object types that support it (reports, malware, campaigns, vulnerabilities, threat actors).
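A sketch of the reusable mapping step described above, added here as an illustration and not taken from the connector's code. It assumes the endpoint returns `data.tactics[].techniques[]` entries carrying `id` and `name` (not confirmed by this issue); `map_mitre_tree`, `RELATIONSHIPS` and the namespace UUID are hypothetical names and values.

```python
import uuid
from datetime import datetime, timezone

# Hypothetical namespace: any fixed UUID works, it only has to stay constant between runs.
NAMESPACE = uuid.UUID("6f1c2a9e-3b7d-4c58-9e0a-1d2f3a4b5c6d")
# STIX 2.1 relationship per source type: (relationship_type, attack pattern is the source?)
RELATIONSHIPS = {
    "malware": ("uses", False),
    "campaign": ("uses", False),
    "threat-actor": ("uses", False),
    "intrusion-set": ("uses", False),
    "vulnerability": ("targets", True),  # attack-pattern targets vulnerability
}

def _sdo(stix_type, seed, now, **fields):
    """Build a STIX 2.1 object whose ID is derived from `seed` (UUIDv5)."""
    return {"type": stix_type, "spec_version": "2.1",
            "id": f"{stix_type}--{uuid.uuid5(NAMESPACE, seed)}",
            "created": now, "modified": now, **fields}

def map_mitre_tree(source_id, payload, now=None):
    """Return (attack_patterns, relationships) for one source object."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    rel = RELATIONSHIPS.get(source_id.split("--", 1)[0])
    patterns, relationships = {}, []
    for tactic in payload.get("data", {}).get("tactics", []):
        for tech in tactic.get("techniques", []):
            mitre_id = (tech.get("id") or "").strip().upper()
            if not mitre_id or mitre_id in patterns:
                continue  # skip malformed entries and techniques repeated under another tactic
            ap = _sdo("attack-pattern", mitre_id, now, name=tech.get("name", mitre_id),
                      external_references=[{"source_name": "mitre-attack", "external_id": mitre_id}])
            patterns[mitre_id] = ap
            if rel is None:
                continue  # e.g. report: the caller lists ap["id"] in object_refs instead
            rel_type, reverse = rel
            src, dst = (ap["id"], source_id) if reverse else (source_id, ap["id"])
            relationships.append(_sdo("relationship", f"{rel_type}|{src}|{dst}", now,
                                      relationship_type=rel_type, source_ref=src, target_ref=dst))
    return list(patterns.values()), relationships

# Constructed sample payload: T1078 is listed under two tactics, one entry has no ID.
SAMPLE = {"data": {"tactics": [
    {"id": "TA0001", "name": "Initial Access", "techniques": [
        {"id": "T1078", "name": "Valid Accounts"}, {"id": "T1566.001", "name": "Spearphishing Attachment"}]},
    {"id": "TA0003", "name": "Persistence", "techniques": [
        {"id": "t1078", "name": "Valid Accounts"}, {"name": "no id"}]},
]}}
```

Because the Attack Pattern ID is derived only from the MITRE external ID, the same technique reached from two different source objects resolves to one object rather than a duplicate.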
Current Behavior
The /mitre_tree endpoint is not systematically used. Some object types may partially fetch TTP data through other means, but there is no unified approach.
Considerations
Component
external-import/google-threat-intelligence