In [5]:
from stix2 import TAXIICollectionSource, Filter
from taxii2client.v20 import Collection
import pandas as pd

# Container for the Enterprise ATT&CK objects, filled in by later cells
attack = dict()

# TAXII 2.0 collection endpoint for Enterprise ATT&CK (hosted by MITRE).
# The content is fetched live over HTTPS, so results reflect whatever the
# server publishes at run time rather than a pinned ATT&CK release.
# NOTE(review): confirm this endpoint is still being served before relying on it.
collection = Collection(
    url="https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/"
)

# Wrap the collection in a STIX data source so it can be queried with Filters
tc_source = TAXIICollectionSource(collection)

In [13]:
# One Filter per ATT&CK category; every filter matches on the STIX "type"
# field, so the table below is just (category name, STIX type) pairs.
filter_objs = {
    category: Filter("type", "=", stix_type)
    for category, stix_type in (
        ("techniques", "attack-pattern"),
        ("mitigations", "course-of-action"),
        ("groups", "intrusion-set"),
        ("malware", "malware"),
        ("tools", "tool"),
        ("relationships", "relationship"),
        ("tactics", "x-mitre-tactic"),
        ("matrix", "x-mitre-matrix"),
        ("identity", "identity"),
        ("marking-definition", "marking-definition"),
    )
}

# Run one query per category and store the result list under the same key.
# Each iteration is a separate request to the TAXII server.
for key, type_filter in filter_objs.items():
    attack[key] = tc_source.query(type_filter)

In [None]:
# Optional inspection: uncomment one of the lines below to dump every object
# of that category as received from the server (the output can be very long).
# print(attack["techniques"])
# print(attack["mitigations"])
# print(attack["groups"])
# print(attack["malware"])
# print(attack["tools"])
# print(attack["relationships"])

# Show only the first technique object as a sample of the returned content.
# NOTE(review): this index fails if the techniques query came back empty.
print(attack["techniques"][0])

In [4]:
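def get_datasources():
    """Return the distinct data sources named by Enterprise ATT&CK techniques.

    Queries the TAXII source for every ``attack-pattern`` object and collects
    the values of their ``x_mitre_data_sources`` property.

    Returns:
        list: each data source once, in order of first appearance.
    """

    all_data_srcs = []
    # Set used only for membership tests. The previous list comprehension
    # tested against the list it was about to extend, so a value repeated
    # inside one technique was appended twice, and each lookup was a linear
    # scan of the result list.
    seen = set()

    # Get all techniques in Enterprise ATT&CK (one request to the server)
    techniques = tc_source.query([Filter("type", "=", "attack-pattern")])

    for tech in techniques:
        # Not every technique carries the x_mitre_data_sources property
        if 'x_mitre_data_sources' not in tech:
            continue
        for data_src in tech.x_mitre_data_sources:
            if data_src not in seen:
                seen.add(data_src)
                all_data_srcs.append(data_src)

    return all_data_srcs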

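# One-column table of the distinct data sources.
# The column name is passed to the constructor: the former bare
# `datasource.transpose()` call discarded its result, and assigning
# `.columns` afterwards failed on an empty result list.
datasource = pd.DataFrame(get_datasources(), columns=["x_mitre_data_source"])
datasource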

In [None]:
def get_technique_datasource():
    """Return technique-to-data-source pairs for Enterprise ATT&CK.

    Each row is ``[external_id, data_source]``, where ``external_id`` is read
    from the technique's first external reference. Techniques without an
    ``x_mitre_data_sources`` property contribute no rows.

    NOTE(review): no filtering on deprecated or revoked techniques happens
    here, so a detection-coverage view built from these rows may include
    retired entries - confirm whether that is intended.
    """

    # Fetch every attack-pattern object from the TAXII source
    attack_patterns = tc_source.query([Filter("type", "=", "attack-pattern")])

    # Flatten: one [technique id, data source] row per listed data source
    return [
        [pattern.external_references[0].external_id, source_name]
        for pattern in attack_patterns
        if 'x_mitre_data_sources' in pattern
        for source_name in pattern.x_mitre_data_sources
    ]
    
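# Two-column table mapping each technique ID to one of its data sources.
# Column names go to the constructor: the former bare `.transpose()` call
# discarded its result, and assigning `.columns` afterwards failed when no
# rows were returned.
technique_datasource = pd.DataFrame(
    get_technique_datasource(),
    columns=["external_id", "x_mitre_data_source"],
)
technique_datasource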

In [None]:
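def get_techniques():
    """Return one row per Enterprise ATT&CK technique.

    Each row is ``[external_id, name, deprecated, url, created, modified]``.
    ``external_id`` and ``url`` come from the technique's first external
    reference; ``deprecated`` is the string ``"true"`` or ``"false"``.

    Returns:
        list: a list of six-element lists, one per attack-pattern object.
    """

    all_techniques = []

    # Get all techniques in Enterprise ATT&CK (one request to the server)
    techniques = tc_source.query([Filter("type", "=", "attack-pattern")])

    for tech in techniques:

        # Read the flag's value, not just its presence: an object carrying
        # `x_mitre_deprecated: false` was previously reported as deprecated.
        # NOTE(review): the separate `revoked` property is not examined here.
        if tech.get('x_mitre_deprecated', False):
            deprecated = "true"
        else:
            deprecated = "false"

        # The first external reference supplies both the ID and the URL
        primary_ref = tech.external_references[0]

        all_techniques.append(
            [
                primary_ref.external_id,
                tech.name,
                deprecated,
                primary_ref.url,
                tech.created,
                tech.modified
            ]
        )

    return all_techniques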

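# Table of techniques, displayed sorted by the deprecated flag.
# Column names go to the constructor: the former bare `.transpose()` call
# discarded its result, and assigning `.columns` afterwards failed when no
# rows were returned.
technique = pd.DataFrame(
    get_techniques(),
    columns=["external_id", "name", "deprecated", "url", "created", "modified"],
)
technique.sort_values(by=['deprecated'])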

In [None]:
def get_tactics():
    """Return one row per Enterprise ATT&CK tactic.

    Each row is ``[external_id, name, url, created, modified]``, where
    ``external_id`` and ``url`` are read from the tactic's first external
    reference.
    """

    # Fetch every x-mitre-tactic object from the TAXII source
    tactic_objs = tc_source.query([Filter("type", "=", "x-mitre-tactic")])

    # Build one row per tactic, in the order the server returned them
    return [
        [
            obj['external_references'][0]['external_id'],
            obj['name'],
            obj['external_references'][0]['url'],
            obj['created'],
            obj['modified'],
        ]
        for obj in tactic_objs
    ]

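# Table of tactics. get_tactics() is called once: the earlier stand-alone
# call discarded its result and only added another round-trip to the server.
# Column names go to the constructor: the former bare `.transpose()` call
# also discarded its result.
tactic = pd.DataFrame(
    get_tactics(),
    columns=["external_id", "name", "url", "created", "modified"],
)
tactic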