In [101]:
from stix2 import TAXIICollectionSource, Filter
from taxii2client.v20 import Collection
import pandas as pd

# Enterprise ATT&CK collection on MITRE's TAXII 2.0 server.
# NOTE(review): MITRE has announced the retirement of this TAXII 2.0 endpoint
# (cti-taxii.mitre.org) in favour of a TAXII 2.1 server — confirm the URL is
# still served before depending on this notebook.
ENTERPRISE_ATTACK_COLLECTION_URL = (
    "https://cti-taxii.mitre.org/stix/collections/95ecc380-afe9-11e4-9b6c-751b66dd541e/"
)

# TAXII2 Collection for Enterprise ATT&CK, wrapped as a stix2 data source
# that the helper functions below query by object type
collection = Collection(ENTERPRISE_ATTACK_COLLECTION_URL)
tc_source = TAXIICollectionSource(collection)

# Holds Enterprise ATT&CK content keyed by object type ("techniques", ...)
attack = {}

In [None]:
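# Filters that select each Enterprise ATT&CK object type from the TAXII collection
filter_objs = {
    "techniques": Filter("type", "=", "attack-pattern"),
    "mitigations": Filter("type", "=", "course-of-action"),
    "groups": Filter("type", "=", "intrusion-set"),
    "malware": Filter("type", "=", "malware"),
    "tools": Filter("type", "=", "tool"),
    "relationships": Filter("type", "=", "relationship"),
    "tactics": Filter("type", "=", "x-mitre-tactic"),
    "matrix": Filter("type", "=", "x-mitre-matrix"),
    "identity": Filter("type", "=", "identity"),
    "marking-definition": Filter("type", "=", "marking-definition")
}

# Retrieve all Enterprise ATT&CK content, one query per object type.
# A later cell reads attack["tactics"][0], so this must actually run on a
# fresh kernel (Restart & Run All); the guard keeps re-running this cell
# cheap by not re-downloading content already held in `attack`.
# This can take a while over the network — the full content set is large.
for key, obj_filter in filter_objs.items():
    if key not in attack:
        attack[key] = tc_source.query(obj_filter)

# Sanity check: the server returned the content the rest of the notebook needs
assert attack["techniques"], "no techniques returned from the TAXII server"
assert attack["tactics"], "no tactics returned from the TAXII server"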

In [None]:
def get_datasources():
    """Return the distinct data sources referenced by Enterprise ATT&CK techniques.

    Queries every attack-pattern object from ``tc_source`` and collects the
    ``x_mitre_data_sources`` values in order of first appearance, without
    duplicates. Techniques lacking that property are skipped.

    NOTE(review): deprecated techniques (``x_mitre_deprecated``) — and
    presumably revoked ones — are not filtered out, so their data sources are
    included; confirm that is intended before using this list to scope
    detection coverage.
    """
    # dict keys keep first-seen order and drop repeats
    seen = {}

    techniques = tc_source.query([Filter("type", "=", "attack-pattern")])

    for technique in techniques:
        if 'x_mitre_data_sources' not in technique:
            continue
        for source_name in technique.x_mitre_data_sources:
            seen.setdefault(source_name, None)

    return list(seen)

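# Build the data-source table with its column name up front. This also works
# when no data sources come back: an empty list would otherwise produce a
# frame with zero columns and the later one-name column assignment would fail.
# (The discarded `transpose()` call was a no-op and is dropped.)
datasource = pd.DataFrame(get_datasources(), columns=["x_mitre_data_source"])
datasource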

In [None]:
def get_technique_datasource():
    """Return (technique ID, data source) pairs for every Enterprise ATT&CK technique.

    Each row is a two-element list ``[external_id, data_source]``; a technique
    with several data sources contributes one row per source, and techniques
    without ``x_mitre_data_sources`` contribute nothing. Rows follow the order
    in which the server returns techniques.

    The ATT&CK ID is read from ``external_references[0]``, which by convention
    is the mitre-attack reference — NOTE(review): this is not verified here
    via ``source_name``.
    """
    techniques = tc_source.query([Filter("type", "=", "attack-pattern")])

    return [
        [technique.external_references[0].external_id, source_name]
        for technique in techniques
        if 'x_mitre_data_sources' in technique
        for source_name in technique.x_mitre_data_sources
    ]
    
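# Build the technique-to-data-source table with its column names up front so
# an empty result still yields a frame with the expected two columns (the
# discarded `transpose()` call was a no-op and is dropped)
technique_datasource = pd.DataFrame(
    get_technique_datasource(),
    columns=["external_id", "x_mitre_data_source"],
)
technique_datasource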

In [None]:
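def get_techniques():
    """Return one row per Enterprise ATT&CK technique.

    Each row is ``[external_id, name, deprecated, url, created, modified]``,
    where ``deprecated`` is the string "true" or "false" (kept as strings so
    the existing DataFrame column is unchanged). The ATT&CK ID and URL are
    read from ``external_references[0]``, which by convention is the
    mitre-attack reference.

    NOTE(review): revoked techniques (``revoked`` property) are not flagged
    here; consider excluding them if this table drives detection coverage.
    """
    techniques = tc_source.query([Filter("type", "=", "attack-pattern")])

    rows = []
    for technique in techniques:
        # Use the property's value, not merely its presence: an explicit
        # ``x_mitre_deprecated: false`` must not be reported as deprecated
        if 'x_mitre_deprecated' in technique:
            is_deprecated = bool(technique['x_mitre_deprecated'])
        else:
            is_deprecated = False

        attack_ref = technique.external_references[0]
        rows.append([
            attack_ref.external_id,
            technique.name,
            "true" if is_deprecated else "false",
            attack_ref.url,
            technique.created,
            technique.modified,
        ])

    return rows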

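# Build the technique table with its column names up front so an empty result
# still yields the expected columns (the discarded `transpose()` was a no-op)
technique = pd.DataFrame(
    get_techniques(),
    columns=["external_id", "name", "deprecated", "url", "created", "modified"],
)
# Display with deprecated ("true") techniques grouped after the rest;
# `technique` itself is left unsorted
technique.sort_values(by=['deprecated'])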

In [162]:
def get_tactics():
    """Return one row per Enterprise ATT&CK tactic.

    Each row is ``[external_id, name, url, created, modified]``; the ATT&CK ID
    and URL come from ``external_references[0]``, which by convention is the
    mitre-attack reference. Rows follow the order in which the server returns
    tactics.
    """
    tactics = tc_source.query([Filter("type", "=", "x-mitre-tactic")])

    rows = []
    for tactic in tactics:
        attack_ref = tactic['external_references'][0]
        rows.append([
            attack_ref['external_id'],
            tactic['name'],
            attack_ref['url'],
            tactic['created'],
            tactic['modified'],
        ])

    return rows

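# Query the server once: a bare get_tactics() call before the DataFrame
# construction re-fetched the tactics and discarded the result. Explicit
# column names also keep the frame well-formed for an empty result.
tactic = pd.DataFrame(
    get_tactics(),
    columns=["external_id", "name", "url", "created", "modified"],
)
tactic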

Unnamed: 0,external_id,name,url,created,modified
0,TA0043,Reconnaissance,https://attack.mitre.org/tactics/TA0043,2020-10-02T14:48:41.809Z,2020-10-18T02:04:50.842Z
1,TA0042,Resource Development,https://attack.mitre.org/tactics/TA0042,2020-09-30T16:11:59.650Z,2020-09-30T16:31:36.322Z
2,TA0040,Impact,https://attack.mitre.org/tactics/TA0040,2019-03-14T18:44:44.639Z,2019-07-25T18:42:23.222Z
3,TA0005,Defense Evasion,https://attack.mitre.org/tactics/TA0005,2018-10-17T00:14:20.652Z,2019-07-19T17:43:23.473Z
4,TA0001,Initial Access,https://attack.mitre.org/tactics/TA0001,2018-10-17T00:14:20.652Z,2019-07-19T17:41:41.425Z
5,TA0007,Discovery,https://attack.mitre.org/tactics/TA0007,2018-10-17T00:14:20.652Z,2019-07-19T17:44:13.228Z
6,TA0008,Lateral Movement,https://attack.mitre.org/tactics/TA0008,2018-10-17T00:14:20.652Z,2019-07-19T17:44:36.953Z
7,TA0009,Collection,https://attack.mitre.org/tactics/TA0009,2018-10-17T00:14:20.652Z,2019-07-19T17:44:53.176Z
8,TA0002,Execution,https://attack.mitre.org/tactics/TA0002,2018-10-17T00:14:20.652Z,2019-07-19T17:42:06.909Z
9,TA0003,Persistence,https://attack.mitre.org/tactics/TA0003,2018-10-17T00:14:20.652Z,2019-07-19T17:42:33.899Z


In [149]:
# Show the first tactic object as the server returned it. This requires
# attack["tactics"] to have been populated by the TAXII retrieval earlier in
# the notebook; on a fresh kernel it raises KeyError if that step was skipped.
first_tactic = attack["tactics"][0]
print(first_tactic)

{'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], 'external_references': [{'external_id': 'TA0043', 'source_name': 'mitre-attack', 'url': 'https://attack.mitre.org/tactics/TA0043'}], 'name': 'Reconnaissance', 'description': 'The adversary is trying to gather information they can use to plan future operations.\n\nReconnaissance consists of techniques that involve adversaries actively or passively gathering information that can be used to support targeting. Such information may include details of the victim organization, infrastructure, or staff/personnel. This information can be leveraged by the adversary to aid in other phases of the adversary lifecycle, such as using gathered information to plan and execute Initial Access, to scope and prioritize post-compromise objectives, or to drive and lead further Reconnaissance efforts.', 'id': 'x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e