Get techniques used by the software that a group uses (Group → Software → Techniques).
This provides an indirect view of a group's capabilities by following:
Group (intrusion set) → Software (malware/tools) → Techniques
Args:
group_stix_id: STIX ID of the group (e.g., "intrusion-set--UUID").
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include technique descriptions.
Returns:
{
"group": {
"attack_id": "GXXXX" | null,
"name": "<group name or null>",
"stix_id": "<intrusion-set--UUID>",
"description": "<text or null>",
} | null,
"count": <number of techniques>,
"techniques": [
{
"attack_id": "TXXXX or TXXXX.YYY" | null,
"name": "<technique name>",
"stix_id": "<attack-pattern--UUID>",
"description": "<text or null>",
"relationships": [
{
"stix_id": "<relationship--UUID>",
"relationship_type": "uses",
"description": "<relationship description or null>",
"source_ref": "<source STIX ID>",
"target_ref": "<target STIX ID>",
},
...
]
},
...
],
"formatted": "<human-readable list of techniques>",
"message": "<status summary>"
}