In [1]:
import pandas as pd
import requests
import yaml
import janitor as jn
import matplotlib.pyplot as plt
%matplotlib inline 
#from tqdm.notebook import tqdm_notebook
import ipywidgets as widgets
#from tqdm import tqdm
#from IPython.display import display
#import csv
import plotly.express as px
import plotly.io as pio
#import seaborn as sns

In [2]:
# Pandas
pd.set_option('display.max_rows', None)
pd.set_option('display.max_columns', None)
pd.set_option('display.width', None)

# Plotly
pio.renderers.default = "browser" #'notebook' # 'notebook_connected' # 'notebook_connected'

In [3]:
# Download OSSEM data set and convert it to a Pandas data frame. 
url_ossem = 'https://raw.githubusercontent.com/OTRF/OSSEM-DM/main/use-cases/mitre_attack/techniques_to_events_mapping.yaml'
yamlContent = requests.get(url_ossem)
yamlMapping = yaml.safe_load(yamlContent.text)
df_ossem = pd.json_normalize(yamlMapping)

In [4]:
df = df_ossem.copy()

In [5]:
#Drops Rows with Linux Sysmon and MDE sa Log Provider
df.drop(df[(df['log_provider'] == 'Linux-Sysmon') | (df['log_provider'] == 'Microsoft Defender for Endpoint')].index, inplace=True)

In [6]:
df['log_provider'].value_counts()

Microsoft-Windows-Security-Auditing                          3656
Microsoft-Windows-Sysmon                                     2509
Microsoft-Windows-PowerShell                                  480
Eventlog                                                      114
Service Control Manager                                        10
Microsoft-Windows-WMI-Activity                                 10
Microsoft-Windows-Windows Firewall With Advanced Security       8
Windows Firewall With Advanced Security                         2
Name: log_provider, dtype: int64

---
#### OSSEM: Count of Techniques by Log Provider
- This graph shows the number of techniques by log provider. 

In [86]:
lp = df[['log_provider','technique_id']].drop_duplicates().groupby(['log_provider']).size().reset_index()
#lp = lp[lp['is_subtechnique']==True]
lp.columns = lp.columns.map(str)
lp = lp.rename(columns={"0": "count"})

In [87]:
count_of_te_by_lp = px.bar(lp, x='log_provider',
                           y='count',
                           title='OSSEM: Count of MITRE ATT&CK Techniques by Log Provider',
                           labels={'log_provider':'Log Provider','count':'Techniques'});
count_of_te_by_lp.update_xaxes(type='category');
count_of_te_by_lp.update_xaxes(categoryorder='total descending');

---
#### OSSEM: Count of Techniques by Log Provider including Data Sources
- This graph shows the number of techniques by log provider and includes data sources

In [88]:
lp_ds = df[['log_provider','data_source','technique_id']].drop_duplicates().groupby(['log_provider','data_source']).size().reset_index()
#lp = lp[lp['is_subtechnique']==True]
lp_ds.columns = lp_ds.columns.map(str)
lp_ds = lp_ds.rename(columns={"0": "count"})

In [89]:
count_of_te_by_lp_and_ds = px.bar(lp_ds, 
                                  x='log_provider',
                                  y='count', 
                                  color='data_source',
                                  title='OSSEM: Count of MITRE ATT&CK Techniques by Log Provider',
                                  labels={'log_provider':'Log Provider',
                                          'count':'Techniques',
                                          'data_source':'Data Source'});
count_of_te_by_lp_and_ds.update_xaxes(type='category');
count_of_te_by_lp_and_ds.update_xaxes(categoryorder='total descending');

---
#### OSSEM: Count of Techniques by Data Source

In [90]:
ds = df[['data_source','technique_id']].drop_duplicates().groupby(['data_source']).size().reset_index()
ds.columns = ds.columns.map(str)
ds = ds.rename(columns={"0": "count"})

In [91]:
count_of_te_by_ds = px.bar(ds, x='data_source',y='count',title='OSSEM: Count of MITRE ATT&CK Techniques by Data Source',labels={'data_source':'Data Source','count':'Techniques'});
count_of_te_by_ds.update_xaxes(type='category');
count_of_te_by_ds.update_xaxes(categoryorder='total descending');

---
#### OSSEM: Count of MITRE ATT&CK Techniques by Data Component

In [92]:
dc = df[['data_component','technique_id']].drop_duplicates().groupby(['data_component']).size().reset_index()
dc.columns = dc.columns.map(str)
dc = dc.rename(columns={"0": "count"})

In [93]:
count_of_te_by_dc = px.bar(dc, x='data_component',
                           y='count',
                           title='OSSEM: Count of MITRE ATT&CK Techniques by Data Component',
                           labels={'data_component':'Data Component','count':'Techniques'});
count_of_te_by_dc.update_xaxes(type='category');
count_of_te_by_dc.update_xaxes(categoryorder='total descending');

---
#### OSSEM: Count of MITRE ATT&CK Techniques by Data Component including Log Provider

In [94]:
dc_lp = df[['data_component','technique_id','log_provider']].drop_duplicates().groupby(['data_component','log_provider']).size().reset_index()
dc_lp.columns = dc_lp.columns.map(str)
dc_lp = dc_lp.rename(columns={"0": "count"})

In [95]:
count_of_te_by_dc_and_lp = px.bar(dc_lp, x='data_component',
                                  y='count',
                                  color='log_provider',
                                  title='OSSEM: Count of MITRE ATT&CK Techniques by Data Component',
                                  labels={'data_component':'Data Component','count':'Techniques','log_provider':'Log Provider'})
count_of_te_by_dc_and_lp.update_xaxes(type='category');
count_of_te_by_dc_and_lp.update_xaxes(categoryorder='total descending');

In [96]:
count_of_te_by_dc_and_lp_grouped = px.bar(dc_lp, x='data_component',
                                  y='count',
                                  color='log_provider',
                                  title='OSSEM: Count of MITRE ATT&CK Techniques by Data Component (Grouped Bar Chart)',
                                  labels={'data_component':'Data Component','count':'Techniques','log_provider':'Log Provider'},
                                  barmode='group');
count_of_te_by_dc_and_lp_grouped.update_xaxes(type='category');
count_of_te_by_dc_and_lp_grouped.update_xaxes(categoryorder='total descending');

---
#### OSSEM: Count of MITRE ATT&CK Techniques by Event ID

In [97]:
count_of_te_by_evt = df.groupby(['event_id','technique_id']).size().reset_index()
#count_of_te_by_evt.head()
count_of_te_by_evt.columns = count_of_te_by_evt.columns.map(str)
count_of_te_by_evt = count_of_te_by_evt.rename(columns={"0": "count"})

In [98]:
count_of_te_by_evt = count_of_te_by_evt.groupby('event_id').sum().reset_index()

In [99]:
fig_count_of_te_by_evt  = px.bar(count_of_te_by_evt, x='event_id',
                                  y='count',
                                  #color='log_provider',
                                  title='OSSEM: Count of MITRE ATT&CK Techniques by Event ID',
                                  labels={'event_id':'Event ID','count':'Techniques','log_provider':'Log Provider'})
fig_count_of_te_by_evt.update_xaxes(type='category');
fig_count_of_te_by_evt.update_xaxes(categoryorder='total descending');

---
#### OSSEM: Count of MITRE ATT&CK Techniques by Event ID (Added Detail)

In [130]:
df['event_id'] = df['event_id'].astype(str)
df['event_name'] = df['event_name'].astype(str)
df['event_long'] = df['event_id'] + ': ' + df['event_name']

In [220]:
count_of_te_by_evt_long = df[['event_long','technique_id','log_provider']].drop_duplicates().groupby(['event_long','log_provider']).size().reset_index()
count_of_te_by_evt_long['event_long'] = count_of_te_by_evt_long['event_long'].astype('category')
count_of_te_by_evt.head()
count_of_te_by_evt_long.columns = count_of_te_by_evt_long.columns.map(str)
count_of_te_by_evt_long = count_of_te_by_evt_long.rename(columns={"0": "count"})

In [224]:
fig_count_of_te_by_evt_long  = px.bar(count_of_te_by_evt_long.sort_values('count', ascending=False).head(50), x='event_long',
                                  y='count',
                                  color='log_provider',
                                  title='OSSEM: Count of MITRE ATT&CK Techniques by Event ID and Log Provider',
                                  labels={'event_long':'Event ID','count':'Techniques','log_provider':'Log Provider'},
                                     height=1000)
fig_count_of_te_by_evt_long.update_xaxes(type='category');
fig_count_of_te_by_evt_long.update_xaxes(categoryorder='total descending');
fig_count_of_te_by_evt_long.update_layout(margin=dict(l=20, r=20, t=40, b=20),paper_bgcolor="LightSteelBlue",
);
#fig_count_of_te_by_evt_long.update_layout(autosize=False, width=500, height=500)

# DATA VISUALIZATIONS

In [128]:
count_of_te_by_lp.show()

In [49]:
count_of_te_by_lp_and_ds.show()

In [None]:
count_of_te_by_ds.show()

In [129]:
count_of_te_by_dc.show()

In [None]:
count_of_te_by_dc_and_lp.show()

In [127]:
fig_count_of_te_by_evt.show() # needs to be updated

In [225]:
fig_count_of_te_by_evt_long.show()

#### References
- https://ossemproject.com/intro.html