In [8]:
import sys
!{sys.executable} -m pip install neo4j


Collecting neo4j
  Using cached neo4j-5.28.2-py3-none-any.whl.metadata (5.9 kB)
Using cached neo4j-5.28.2-py3-none-any.whl (313 kB)
Installing collected packages: neo4j
Successfully installed neo4j-5.28.2

[1m[[0m[34;49mnotice[0m[1;39;49m][0m[39;49m A new release of pip is available: [0m[31;49m25.0.1[0m[39;49m -> [0m[32;49m25.2[0m
[1m[[0m[34;49mnotice[0m[1;39;49m][0m[39;49m To update, run: [0m[32;49mpip3.12 install --upgrade pip[0m


#### Load Triples into Neo4j from CSV using Python

This script connects to a Neo4j database using the official Python driver, loads a CSV file of triples (head, relation, tail), and inserts them as nodes and relationships. Entities are merged to avoid duplicates, and relationships are created via the APOC apoc.merge.relationship procedure. The query returns the total number of relationships created or updated. The CSV file must be placed inside Neo4j’s import directory and referenced as file:///triples.csv.

In [10]:
from neo4j import GraphDatabase

driver = GraphDatabase.driver("neo4j://localhost:7687", auth=("neo4j","YourStrongPass123!"))

load_csv = """
LOAD CSV WITH HEADERS FROM $url AS row
WITH trim(row.head) AS h, trim(row.relation) AS r, trim(row.tail) AS t
WHERE h <> '' AND r <> '' AND t <> ''
MERGE (hN:Entity {name: h})
MERGE (tN:Entity {name: t})
WITH hN, tN, toUpper(replace(r,' ','_')) AS rtype
CALL apoc.merge.relationship(hN, rtype, {}, {}, tN) YIELD rel
RETURN count(rel) AS relationships_touched
"""

with driver.session() as s:
    print(s.run(load_csv, url="file:///triples.csv").single())


<Record relationships_touched=7893>


In [19]:
# file: load_attack_stix.py
from neo4j import GraphDatabase

URI  = "neo4j://localhost:7687"
AUTH = ("neo4j", "YourStrongPass123!")

driver = GraphDatabase.driver(URI, auth=AUTH)

def run(tx, q, **p):
    return tx.run(q, **p).consume()

def import_bundle(session, path_in_import):
    # 1) Nodes (everything except 'relationship')
    q_nodes = """
    CALL apoc.load.json($path) YIELD value
    UNWIND value.objects AS o
    WITH o WHERE o.type <> 'relationship'
    MERGE (n:Attack {id:o.id})
    SET n.stix_type   = o.type,
        n.name        = coalesce(o.name, o.id),
        n.description = o.description,
        n.created     = datetime(o.created),
        n.modified    = datetime(o.modified),
        n.revoked     = coalesce(o.revoked,false),
        n.deprecated  = coalesce(o.x_mitre_deprecated,false),
        n.platforms   = coalesce(o.x_mitre_platforms,[]),
        n.domains     = coalesce(o.x_mitre_domains,[]),
        // extract only the phase_name/kill_chain_name strings (arrays of primitives)
        n.kc_phases   = [k IN coalesce(o.kill_chain_phases, []) | toLower(k['phase_name'])],
        n.kc_names    = [k IN coalesce(o.kill_chain_phases, []) | toLower(k['kill_chain_name'])],
        n.shortname   = o.x_mitre_shortname
    """
    # 2) Relationships from STIX relationship objects
    q_rels = """
    CALL apoc.load.json($path) YIELD value
    UNWIND value.objects AS o
    WITH o WHERE o.type = 'relationship'
    MATCH (s:Attack {id:o.source_ref})
    MATCH (t:Attack {id:o.target_ref})
    MERGE (s)-[r:ATTACK_REL {id:o.id}]->(t)
    SET r.rel_type    = o.relationship_type,
        r.description = o.description
    """
    # 3) Technique → Tactic join: use the string list we just stored
    q_tech_tactic = """
    MATCH (tech:Attack {stix_type:'attack-pattern'})
    UNWIND coalesce(tech.kc_phases, []) AS phase
    MATCH (tac:Attack {stix_type:'x-mitre-tactic'})
    WHERE toLower(tac.shortname) = phase OR toLower(tac.name) = phase
    MERGE (tech)-[:IN_TACTIC]->(tac)
    """

    session.execute_write(run, "CREATE CONSTRAINT attack_id IF NOT EXISTS FOR (n:Attack) REQUIRE n.id IS UNIQUE")
    session.execute_write(run, q_nodes, path=path_in_import)
    session.execute_write(run, q_rels,  path=path_in_import)
    session.execute_write(run, q_tech_tactic)

if __name__ == "__main__":
    with driver.session() as s:
        # Import just Enterprise first (fast). Add others if you want.
        import_bundle(s, "file:///enterprise-attack/enterprise-attack.json")
        # import_bundle(s, "file:///mobile-attack/mobile-attack.json")
        # import_bundle(s, "file:///ics-attack/ics-attack.json")

        # Quick counts
        res1 = s.run("MATCH (n:Attack) RETURN count(n) AS nodes").single()["nodes"]
        res2 = s.run("MATCH ()-[r:ATTACK_REL]->() RETURN count(r) AS rels").single()["rels"]
        print("Imported:", res1, "nodes,", res2, "relationships")

    driver.close()


Imported: 2242 nodes, 20411 relationships


## Part A - Orientation

#### How big is the graph?

In [40]:
from neo4j import GraphDatabase
import pandas as pd
from typing import Dict, Any, List

# ---------- CONFIG ----------
NEO4J_URI  = "neo4j://localhost:7687"
NEO4J_USER = "neo4j"
NEO4J_PASS = "YourStrongPass123!"

DEFAULTS = {
    "group": "APT29",
    "tech": "Credential Dumping",
    "tactic": "defense-evasion",
    "g1": "APT29",
    "g2": "FIN7",
    "software": "Mimikatz",
    "recent_days": 180,
}

# ---------- UTILS ----------

driver = GraphDatabase.driver("neo4j://localhost:7687", auth=("neo4j","YourStrongPass123!"))

def close():
    driver.close()

def df_from_result(result) -> pd.DataFrame:
    rows = [dict(r) for r in result]
    return pd.DataFrame(rows)


def query(q: str, **params) -> pd.DataFrame:
    with driver.session() as s:
        res = s.run(q, **params)
        return df_from_result(res)

In [30]:
# MATCH (n:Attack) RETURN count(n) AS nodes;
# MATCH ()-[r:ATTACK_REL]->() RETURN count(r) AS relationships;

In [42]:
def A1_counts():
    q1 = "MATCH (n:Attack) RETURN count(n) AS nodes"
    q2 = "MATCH ()-[r:ATTACK_REL]->() RETURN count(r) AS relationships"
    return query(q1), query(q2)

In [44]:
nodes_df, rels_df = A1_counts()

_print_section("A1 counts — nodes", nodes_df)
_print_section("A1 counts — relationships", rels_df)

\n=== A1 counts — nodes ===
 nodes
  2242
\n=== A1 counts — relationships ===
 relationships
         20411


#### A2. What kinds of objects do we have? (techniques, malware, groups…)

In [46]:
def A2_object_types():
    q = """
    MATCH (n:Attack)
    RETURN n.stix_type AS type, count(*) AS n
    ORDER BY n DESC
    """
    return query(q)

In [48]:
_print_section("A2 object types", A2_object_types())


\n=== A2 object types ===
                  type   n
        attack-pattern 823
               malware 667
      course-of-action 268
         intrusion-set 181
x-mitre-data-component 109
                  tool  91
              campaign  47
   x-mitre-data-source  38
        x-mitre-tactic  14
    x-mitre-collection   1
        x-mitre-matrix   1
              identity   1
    marking-definition   1


#### A3. What relationship types are most common?

In [53]:
def A3_relationship_types():
    q = """
    MATCH ()-[r:ATTACK_REL]->()
    RETURN r.rel_type AS rel_type, count(*) AS n
    ORDER BY n DESC
    """
    return query(q)

_print_section("A3 relationship types", A3_relationship_types())


\n=== A3 relationship types ===
       rel_type     n
           uses 16241
        detects  2116
      mitigates  1421
subtechnique-of   470
     revoked-by   140
  attributed-to    23


#### A4. Which tactics have the most techniques?

In [57]:
def A4_tactic_technique_counts():
    q = """
    MATCH (tac:Attack {stix_type:'x-mitre-tactic'})<-[:IN_TACTIC]-(tech:Attack {stix_type:'attack-pattern'})
    RETURN tac.shortname AS tactic, count(tech) AS techniques
    ORDER BY techniques DESC
    """
    return query(q)

_print_section("A4 tactic -> technique counts", A4_tactic_technique_counts())


\n=== A4 tactic -> technique counts ===
              tactic  techniques
     defense-evasion         258
         persistence         180
privilege-escalation         139
   credential-access          80
           execution          67
 command-and-control          55
           discovery          48
resource-development          47
      reconnaissance          44
          collection          40
              impact          38
    lateral-movement          34
      initial-access          25
        exfiltration          21


#### A5. Active vs deprecated/revoked techniques

In [62]:
def A5_active_vs_inactive():
    q = """
    MATCH (t:Attack {stix_type:'attack-pattern'})
    RETURN
      sum(CASE WHEN coalesce(t.deprecated,false) OR coalesce(t.revoked,false) THEN 1 ELSE 0 END) AS inactive,
      sum(CASE WHEN NOT coalesce(t.deprecated,false) AND NOT coalesce(t.revoked,false) THEN 1 ELSE 0 END) AS active
    """
    return query(q)

_print_section("A5 techniques active vs inactive", A5_active_vs_inactive())


\n=== A5 techniques active vs inactive ===
 inactive  active
      144     679


## Part B — Threat-intel pivots (Who does what?)

#### B1. Techniques used by a specific group

In [65]:
def B1_group_techniques(group=DEFAULTS["group"]):
    q = """
    WITH toLower($group) AS g
    MATCH (grp:Attack {stix_type:'intrusion-set'})
    WHERE toLower(grp.name) CONTAINS g
    MATCH (grp)-[:ATTACK_REL {rel_type:'uses'}]->(tech:Attack {stix_type:'attack-pattern'})
    OPTIONAL MATCH (tech)-[:IN_TACTIC]->(tac:Attack {stix_type:'x-mitre-tactic'})
    RETURN tac.shortname AS tactic, tech.name AS technique
    ORDER BY tactic, technique
    LIMIT 150
    """
    return query(q, group=group)

_print_section("B1 techniques used by group", B1_group_techniques(DEFAULTS["group"]))


\n=== B1 techniques used by group ===
              tactic                                             technique
          collection                                Data from Local System
          collection                               Remote Email Collection
 command-and-control                                       Domain Fronting
 command-and-control                                    Dynamic Resolution
 command-and-control                                     Encrypted Channel
 command-and-control                                        External Proxy
 command-and-control                                   Hide Infrastructure
 command-and-control                                 Ingress Tool Transfer
 command-and-control                                       Multi-hop Proxy
   credential-access                                       Hybrid Identity
   credential-access                                           LSA Secrets
   credential-access        Multi-Factor Authentication Reques

#### B2. Software a group uses (tools & malware)

In [70]:
def B2_group_software(group=DEFAULTS["group"]):
    q = """
    WITH toLower($group) AS g
    MATCH (grp:Attack {stix_type:'intrusion-set'})
    WHERE toLower(grp.name) CONTAINS g
    MATCH (grp)-[:ATTACK_REL {rel_type:'uses'}]->(s:Attack)
    WHERE s.stix_type IN ['tool','malware']
    RETURN s.stix_type AS kind, s.name AS software
    ORDER BY kind, software
    LIMIT 100
    """
    return query(q, group=group)

_print_section("B2 software used by group", B2_group_software(DEFAULTS["group"]))


\n=== B2 software used by group ===
   kind      software
malware       BoomBox
malware     CloudDuke
malware Cobalt Strike
malware    CosmicDuke
malware       CozyCar
malware     EnvyScout
malware       FatDuke
malware      FoggyWeb
malware    GeminiDuke
malware    GoldFinder
malware       GoldMax
malware    HAMMERTOSS
malware      LiteDuke
malware      MiniDuke
malware    NativeZone
malware     OnionDuke
malware       POSHSPY
malware     PinchDuke
malware  PolyglotDuke
malware     PowerDuke
malware     QUIETEXIT
malware      Raindrop
malware       RegDuke
malware      SUNBURST
malware       SUNSPOT
malware       SeaDuke
malware         Sibot
malware      SoreFang
malware      TEARDROP
malware   TrailBlazer
malware     VaporRage
malware      WellMail
malware      WellMess
malware       reGeorg
   tool  AADInternals
   tool        AdFind
   tool    BloodHound
   tool      Impacket
   tool      Mimikatz
   tool           Net
   tool        PsExec
   tool     ROADTools
   tool       SDel

#### B3. Techniques used via software (2-hop)

In [76]:
def B3_group_techniques_via_software(group=DEFAULTS["group"]):
    q = """
    WITH toLower($group) AS g
    MATCH (grp:Attack {stix_type:'intrusion-set'})
    WHERE toLower(grp.name) CONTAINS g
    MATCH (grp)-[:ATTACK_REL {rel_type:'uses'}]->(s:Attack)
    WHERE s.stix_type IN ['tool','malware']
    MATCH (s)-[:ATTACK_REL {rel_type:'uses'}]->(tech:Attack {stix_type:'attack-pattern'})
    WITH s, collect(DISTINCT tech.name) AS techniques
    RETURN s.name AS software, techniques
    ORDER BY size(techniques) DESC
    LIMIT 20
    """
    return query(q, group=group)

_print_section("B3 techniques via software", B3_group_techniques_via_software(DEFAULTS["group"]))


\n=== B3 techniques via software ===
     software                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      

#### B4. Which groups use a given technique?

In [79]:
def B4_technique_users(self, tech=DEFAULTS["tech"]):
    q = """
    WITH toLower($tech) AS t
    MATCH (tech:Attack {stix_type:'attack-pattern'})
    WHERE toLower(tech.name) CONTAINS t
    MATCH (grp:Attack {stix_type:'intrusion-set'})-[:ATTACK_REL {rel_type:'uses'}]->(tech)
    RETURN tech.name AS technique, collect(DISTINCT grp.name) AS groups
    LIMIT 10
    """
    return query(q, tech=tech)

_print_section("B4 groups that use a technique", B4_technique_users(DEFAULTS["tech"]))


\n=== B4 groups that use a technique ===
            technique                                                                                                      groups
OS Credential Dumping [Suckfly, Ember Bear, APT28, APT39, APT32, Leviathan, BlackByte, Tonto Team, Axiom, Sowbug, Poseidon Group]


#### B5. Top groups by number of techniques

In [83]:
def B5_top_groups_by_techniques():
    q = """
    MATCH (g:Attack {stix_type:'intrusion-set'})-[:ATTACK_REL {rel_type:'uses'}]->(t:Attack {stix_type:'attack-pattern'})
    RETURN g.name AS group, count(DISTINCT t) AS techniques
    ORDER BY techniques DESC LIMIT 20
    """
    return query(q)

_print_section("B5 top groups by techniques", B5_top_groups_by_techniques())


\n=== B5 top groups by techniques ===
            group  techniques
          Kimsuky         103
    Lazarus Group          92
            APT28          91
            APT41          82
     Volt Typhoon          81
    Sandworm Team          79
      Magic Hound          79
            APT32          78
           OilRig          76
            Turla          68
            APT29          66
    Wizard Spider          64
          Chimera          59
       MuddyWater          58
Threat Group-3390          57
        Dragonfly          56
  Gamaredon Group          55
            APT38          55
          TeamTNT          54
             FIN7          53


#### B6. Shortest connection between two groups (via techniques/software)

In [88]:
def B6_shortest_connection_between_groups(g1=DEFAULTS["g1"], g2=DEFAULTS["g2"]):
    q = """
    MATCH (a:Attack {stix_type:'intrusion-set'}), (b:Attack {stix_type:'intrusion-set'})
    WHERE toLower(a.name) CONTAINS toLower($g1) AND toLower(b.name) CONTAINS toLower($g2)
    MATCH p = shortestPath((a)-[:ATTACK_REL*..6]-(b))
    RETURN p
    """
    return query(q, g1=g1, g2=g2)


_print_section("B6 shortest connection between groups", B6_shortest_connection_between_groups(DEFAULTS["g1"], DEFAULTS["g2"]))


\n=== B6 shortest connection between groups ===
                                                         p
((rel_type, description, id), (rel_type, description, id))


## Part C — Defense: mitigations & detections

##### C1. Mitigations for a group’s techniques

In [92]:
def C1_group_mitigations(group=DEFAULTS["group"]):
    q = """
    WITH toLower($group) AS g
    MATCH (grp:Attack {stix_type:'intrusion-set'}) WHERE toLower(grp.name) CONTAINS g
    MATCH (grp)-[:ATTACK_REL {rel_type:'uses'}]->(tech:Attack {stix_type:'attack-pattern'})
    MATCH (co:Attack {stix_type:'course-of-action'})<-[:ATTACK_REL {rel_type:'mitigates'}]-(tech)
    RETURN tech.name AS technique, collect(DISTINCT co.name) AS mitigations
    ORDER BY technique LIMIT 50
    """
    return query(q, group=group)

_print_section("C1 mitigations for group's techniques", C1_group_mitigations(DEFAULTS["group"]))


\n=== C1 mitigations for group's techniques ===
(empty)


#### C2. Coverage gaps: techniques used by the group with no mitigations

In [96]:
def C2_group_mitigation_gaps(group=DEFAULTS["group"]):
    q = """
    WITH toLower($group) AS g
    MATCH (grp:Attack {stix_type:'intrusion-set'}) WHERE toLower(grp.name) CONTAINS g
    MATCH (grp)-[:ATTACK_REL {rel_type:'uses'}]->(tech:Attack {stix_type:'attack-pattern'})
    OPTIONAL MATCH (co:Attack {stix_type:'course-of-action'})<-[:ATTACK_REL {rel_type:'mitigates'}]-(tech)
    WITH tech, count(co) AS c WHERE c = 0
    RETURN tech.name AS unmitigated ORDER BY unmitigated LIMIT 50
    """
    return query(q, group=group)

_print_section("C2 mitigation gaps", C2_group_mitigation_gaps(DEFAULTS["group"]))

\n=== C2 mitigation gaps ===
                                   unmitigated
                        Accessibility Features
         Additional Email Delegate Permissions
                                Binary Padding
          Boot or Logon Initialization Scripts
                   Bypass User Account Control
                                     Cloud API
                                 Cloud Account
                                 Cloud Account
                                Cloud Accounts
                                Cloud Accounts
                  Cloud Administration Command
                                Cloud Services
                        Data from Local System
                           Device Registration
                          Digital Certificates
                  Disable or Modify Cloud Logs
                               Domain Fronting
                            Dynamic Resolution
                                Email Accounts
                             En

#### C3. Detection coverage (if your dataset has data components)

In [98]:
def C3_detection_coverage_top(limit=25):
    q = """
    MATCH (tech:Attack {stix_type:'attack-pattern'})
    OPTIONAL MATCH (dc:Attack {stix_type:'x-mitre-data-component'})-[:ATTACK_REL {rel_type:'detects'}]->(tech)
    RETURN tech.name AS technique, count(dc) AS detectors
    ORDER BY detectors DESC
    LIMIT $limit
    """
    return query(q, limit=limit)

_print_section("C3 detection coverage (top techniques)", C3_detection_coverage_top(25))


\n=== C3 detection coverage (top techniques) ===
                          technique  detectors
                    Impair Defenses         19
Modify Cloud Compute Infrastructure         15
                  Indicator Removal         14
      Modify Authentication Process         13
                     Hide Artifacts         13
                       Masquerading         12
    Create or Modify System Process         11
                     User Execution         11
  Boot or Logon Autostart Execution         10
                    Windows Service         10
    Obfuscated Files or Information         10
              OS Credential Dumping         10
                   Data Destruction         10
        System Owner/User Discovery          9
                 Resource Hijacking          9
          Event Triggered Execution          9
                      Input Capture          9
                     Domain Account          8
  Abuse Elevation Control Mechanism          8
           

#### C4. Data components & sources that detect a named technique

In [103]:
def C4_detections_for_tech(tech=DEFAULTS["tech"]):
    q = """
    WITH toLower($tech) AS t
    MATCH (tech:Attack {stix_type:'attack-pattern'}) WHERE toLower(tech.name) CONTAINS t
    OPTIONAL MATCH (dc:Attack {stix_type:'x-mitre-data-component'})-[:ATTACK_REL {rel_type:'detects'}]->(tech)
    OPTIONAL MATCH (ds:Attack {stix_type:'x-mitre-data-source'})-[:ATTACK_REL {rel_type:'detects'}]->(tech)
    RETURN tech.name, collect(DISTINCT dc.name) AS data_components, collect(DISTINCT ds.name) AS data_sources
    """
    return query(q, tech=tech)

_print_section("C4 data components/sources for technique", C4_detections_for_tech(DEFAULTS["tech"]))


\n=== C4 data components/sources for technique ===
            tech.name                                                                                                                                                                                                 data_components data_sources
OS Credential Dumping [Network Traffic Content, Active Directory Object Access, Windows Registry Key Access, Process Creation, Process Access, File Access, Network Traffic Flow, Command Execution, File Creation, OS API Execution]           []


### Part D — Structure & taxonomy (tactics, subtechniques, platforms)

#### D1. Technique ↔ tactic mapping for a named tactic

In [108]:
def D1_tactic_mapping(tactic=DEFAULTS["tactic"]):
    q = """
    WITH toLower($tactic) AS tac
    MATCH (t:Attack {stix_type:'x-mitre-tactic'})
    WHERE toLower(t.shortname) = tac OR toLower(t.name) CONTAINS tac
    MATCH (tech:Attack {stix_type:'attack-pattern'})-[:IN_TACTIC]->(t)
    RETURN t.shortname AS tactic, collect(tech.name)[0..25] AS sample_techniques, count(tech) AS total
    """
    return query(q, tactic=tactic)

_print_section("D1 tactic mapping", D1_tactic_mapping(DEFAULTS["tactic"]))

\n=== D1 tactic mapping ===
         tactic                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    sample_techniques  total
defense-evasion [Extra Window Memory Injection, Socket Filters, Indicator Removal from Tools, Fileless Storage, Rundll32, Hidden Window, Embedded Payloads, Plist Modification, Pluggable Authentication Modules, Revert Cloud Instance, HISTCONTROL, File/Path Exclusions, Linux and Mac File and Directory Permissions Modification, PubPrn, Path Interception by PATH Environ

#### D2. Parent technique → subtechniques

In [111]:
def D2_subtechniques():
    q = """
    MATCH (sub:Attack {stix_type:'attack-pattern'})-[:ATTACK_REL {rel_type:'subtechnique-of'}]->(parent:Attack {stix_type:'attack-pattern'})
    RETURN parent.name AS technique, collect(sub.name) AS subtechniques
    ORDER BY size(subtechniques) DESC
    LIMIT 20
    """
    return query(q)

_print_section("D2 parent -> subtechniques", D2_subtechniques())


\n=== D2 parent -> subtechniques ===
                        technique                                                                                                                                                                                                                                                                                                                                                                                               subtechniques
  Obfuscated Files or Information                                                                 [Fileless Storage, Embedded Payloads, Encrypted/Encoded File, Stripped Payloads, Binary Padding, Junk Code Insertion, SVG Smuggling, LNK Icon Smuggling, Indicator Removal from Tools, Polymorphic Code, Steganography, Compile After Delivery, HTML Smuggling, Command Obfuscation, Software Packing, Dynamic API Resolution, Compression]
        Event Triggered Execution [PowerShell Profile, LC_LOAD_DYLIB Addition, Application Shimming, Tr

#### D3. Techniques by platform (Windows, Linux, Cloud, etc.)

In [115]:
def D3_techniques_by_platform():
    q = """
    UNWIND ['windows','linux','macos','azure','aws','gcp','saas','office 365','network'] AS platform
    MATCH (tech:Attack {stix_type:'attack-pattern'})
    WHERE platform IN [p IN coalesce(tech.platforms,[]) | toLower(p)]
    RETURN platform, count(tech) AS technique_count
    ORDER BY technique_count DESC
    """
    return query(q)

_print_section("D3 techniques by platform", D3_techniques_by_platform())


\n=== D3 techniques by platform ===
  platform  technique_count
   windows              568
     macos              423
     linux              400
      saas               68
office 365                3


### D4. Domain breakdown (enterprise / mobile / ics)

In [118]:
def D4_domain_breakdown():
    q = """
    UNWIND ['enterprise-attack','mobile-attack','ics-attack'] AS dom
    MATCH (n:Attack)
    WHERE dom IN [d IN coalesce(n.domains,[]) | toLower(d)]
    RETURN dom AS domain, count(n) AS nodes
    ORDER BY nodes DESC
    """
    return query(q)

_print_section("D4 domain breakdown", D4_domain_breakdown())


\n=== D4 domain breakdown ===
           domain  nodes
enterprise-attack   2239
       ics-attack     79
    mobile-attack     30


#### D5. What changed recently? (techniques modified in last 180 days)

In [121]:
def D5_recently_modified(recent_days=DEFAULTS["recent_days"]):
    q = """
    MATCH (t:Attack {stix_type:'attack-pattern'})
    WHERE t.modified >= datetime() - duration({days:$days})
    RETURN t.name AS technique, t.modified
    ORDER BY t.modified DESC
    LIMIT 25
    """
    return query(q, days=recent_days)

_print_section("D5 recently modified techniques", D5_recently_modified(DEFAULTS["recent_days"]))


\n=== D5 recently modified techniques ===
                                            technique                          t.modified
                               Remote Access Hardware 2025-05-02T19:13:42.314000000+00:00
                             Malicious Copy and Paste 2025-04-30T17:53:48.667000000+00:00
                                 Windows Admin Shares 2025-04-25T15:16:26.092000000+00:00
                                          InstallUtil 2025-04-25T15:16:24.168000000+00:00
                  Custom Command and Control Protocol 2025-04-25T15:16:23.937000000+00:00
                                           PowerShell 2025-04-25T15:16:22.903000000+00:00
                                    Service Execution 2025-04-25T15:16:22.595000000+00:00
                                 NTFS File Attributes 2025-04-25T15:16:22.196000000+00:00
                                    Fallback Channels 2025-04-25T15:16:21.879000000+00:00
                                Dynamic Data Exchange 2025

## Part E — “Put it all together” mini-scenarios
### E1. Build a mitigation backlog for a target group

- Run B1 to list techniques;

- Run C1 to collect mitigations;

- Run C2 to flag gaps → prioritize gaps first.

### E2. Choose detections for a critical tactic

- Use D1 to get all techniques in the tactic (e.g., defense-evasion), then C3/C4 to pick the most detectable ones for quick wins.

### E3. Software pivot

- Given a tool/malware name, list all groups that use it and the techniques it enables:

#### Please solve E1, and E2 by yourself.

In [128]:
def E3_software_pivot(software=DEFAULTS["software"]):
    q = """
    WITH toLower($software) AS q
    MATCH (s:Attack) WHERE s.stix_type IN ['tool','malware'] AND toLower(s.name) CONTAINS q
    OPTIONAL MATCH (g:Attack {stix_type:'intrusion-set'})-[:ATTACK_REL {rel_type:'uses'}]->(s)
    OPTIONAL MATCH (s)-[:ATTACK_REL {rel_type:'uses'}]->(tech:Attack {stix_type:'attack-pattern'})
    RETURN s.name AS software, collect(DISTINCT g.name) AS groups, collect(DISTINCT tech.name)[0..25] AS techniques
    """
    return query(q, software=software)

_print_section("E3 software pivot", E3_software_pivot(DEFAULTS["software"]))


\n=== E3 software pivot ===
software                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   groups                                                                                                                                                                                                                                                                                                                                                                          techniques
Mimikatz [APT38, menuPass, APT39, PittyTiger, Blue Mockingbird, Kimsuky, Volt Typhoon,