Data sources enrichment function removes data sources metadata from techniques that do not have 'detects` relationships #45
Description
In the following function, if the technique ID does not match the target of any detects relationships (data component relationship), it removes the x_mitre_data_sources attribute. This happens to Mobile and ICS matrices. This is because ATT&CK has not added relationships for Mobile and ICS yet.
def enrich_techniques_data_sources(self, stix_object):
# Get 'detects' relationships
relationships = self.get_relationships(relationship_type='detects')
# Get all data component objects
data_components = self.get_data_components()
# Get all data source objects without data components objects
data_sources = self.get_data_sources()
# Create Data Sources and Data Components lookup tables
ds_lookup = {ds['id']:ds for ds in data_sources}
dc_lookup = {dc['id']:dc for dc in data_components}
# https://stix2.readthedocs.io/en/latest/guide/versioning.html
for i in range(len(stix_object)):
if 'x_mitre_data_sources' in stix_object[i].keys():
technique_ds = dict()
for rl in relationships:
if stix_object[i]['id'] == rl['target_ref']:
dc = dc_lookup[rl['source_ref']]
dc_ds_ref = dc['x_mitre_data_source_ref']
if dc_ds_ref not in technique_ds.keys():
technique_ds[dc_ds_ref] = ds_lookup[dc_ds_ref].copy()
technique_ds[dc_ds_ref]['data_components'] = list()
if dc not in technique_ds[dc_ds_ref]['data_components']:
technique_ds[dc_ds_ref]['data_components'].append(dc)
new_data_sources = [ v for v in technique_ds.values()]
stix_object[i] = stix_object[i].new_version(x_mitre_data_sources = new_data_sources)
return stix_object