From 331d3216482f6a4ce50d890b475e0f40b1a3cc1f Mon Sep 17 00:00:00 2001
From: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Date: Thu, 17 Dec 2020 22:22:59 -0700
Subject: [PATCH] Make threat.technique optional (#727)
---
 detection_rules/attack.py | 4 +++-
 detection_rules/rule.py | 2 +-
 detection_rules/schemas/v7_11.py | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/detection_rules/attack.py b/detection_rules/attack.py
index d008d8fc9..f982ae518 100644
--- a/detection_rules/attack.py
+++ b/detection_rules/attack.py
@@ -134,7 +134,6 @@ def build_threat_map_entry(tactic: str, *technique_ids: str) -> dict:
 entry = {
 'framework': 'MITRE ATT&CK',
- 'technique': sorted(tech_entries.values(), key=lambda x: x['id']),
 'tactic': {
 'id': tactic_id,
 'name': tactic,
@@ -142,6 +141,9 @@ def build_threat_map_entry(tactic: str, *technique_ids: str) -> dict:
 }
 }
+ if tech_entries:
+ entry['technique'] = sorted(tech_entries.values(), key=lambda x: x['id'])
+
 return entry
diff --git a/detection_rules/rule.py b/detection_rules/rule.py
index 480c8f5b6..b4bfc6048 100644
--- a/detection_rules/rule.py
+++ b/detection_rules/rule.py
@@ -362,7 +362,7 @@ class Rule(object):
 while click.confirm('add mitre tactic?'):
 tactic = schema_prompt('mitre tactic name', type='string', enum=tactics, required=True)
 technique_ids = schema_prompt(f'technique or sub-technique IDs for {tactic}', type='array',
- required=True, enum=list(technique_lookup))
+ required=False, enum=list(technique_lookup)) or []
 try:
 threat_map.append(build_threat_map_entry(tactic, *technique_ids))
diff --git a/detection_rules/schemas/v7_11.py b/detection_rules/schemas/v7_11.py
index 934adf7f5..35792a0d0 100644
--- a/detection_rules/schemas/v7_11.py
+++ b/detection_rules/schemas/v7_11.py
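Review bot: The new `if tech_entries:` guard in the second attack.py hunk makes the `technique` key conditional, so the returned dict changes shape for a tactic-only mapping and any caller that reads `entry['technique']` unconditionally would now raise KeyError; the first hunk removes the old unconditional key, so the two hunks are one change and this note covers both. `build_threat_map_entry` starts before the first hunk and `tech_entries` is built outside it, so the precondition the guard relies on (an empty mapping when no technique ids were passed) is inferred rather than visible. The function's docstring should state the new contract, e.g. `The 'technique' key is present only when at least one technique id was given; tactic-only entries omit it.` As a point of style, the retained `key=lambda x: x['id']` reads as `key=operator.itemgetter('id')` if `operator` is already imported in the file; otherwise the lambda is fine.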
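Review bot: The prompt text on the `technique_ids = schema_prompt(...)` line in rule.py still reads as mandatory even though the call now passes `required=False`, so the analyst is not told the IDs may be skipped; `f'technique or sub-technique IDs for {tactic} (optional)'` would make that explicit. The trailing `or []` sits at the end of the continuation line and is easy to miss, yet it is what keeps `*technique_ids` valid when the prompt returns nothing, which deserves a short comment such as `# no IDs given: build a tactic-only mapping`. Whether `schema_prompt` returns None or an empty list for a skipped optional array is not visible here; `or []` covers either. The enclosing method of `Rule` starts and ends outside the hunk.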
@@ -24,7 +24,7 @@ class Threat711(Threat78):
 subtechnique = jsl.ArrayField(jsl.DocumentField(ThreatSubTechnique), required=False)
 # override the `technique` field definition
- technique = jsl.ArrayField(jsl.DocumentField(ThreatTechnique), required=True)
+ technique = jsl.ArrayField(jsl.DocumentField(ThreatTechnique), required=False)
 class ApiSchema711(ApiSchema710):
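Review bot: The comment directly above the changed line, `# override the `technique` field definition`, still says only that the field is overridden and not why, and the override is now the relaxation to `required=False`; it should record that, e.g. `# override: from 7.11 a threat entry may map a tactic without any technique (#727)`. With `subtechnique` declared as an optional array in the same context, a document carrying sub-techniques but no parent technique becomes schema-valid if both fields live on the same object, which is not determinable from the hunk alone and is worth a schema test either way. The class `Threat711` begins before the hunk and the next class starts on its last line.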