Custom Objects

Note: This section includes nonessential information that is only relevant to users who want a more advanced understanding of how this library is implemented.

ATT&CK uses a mix of predefined and custom STIX objects to implement ATT&CK concepts. More information about the mapping of ATT&CK concepts to STIX 2.0 objects can be found in the ATT&CK Data Model documentation. The MitreAttackData library implements the following custom STIX object types:

class mitreattack.stix20.Matrix(**kwargs)

Custom Properties:

  • tactic_refs (list[str]) - An ordered list of x-mitre-tactic STIX IDs corresponding to the tactics of the matrix. The order of tactic_refs determines the order in which the tactics should appear within the matrix.

class mitreattack.stix20.Tactic(**kwargs)

Custom Properties:

  • x_mitre_shortname (str) - The shortname of the tactic that is used for mapping techniques to the tactic. This corresponds to the kill_chain_phases.phase_name of the techniques in the tactic.

class mitreattack.stix20.DataSource(**kwargs)

Custom Properties:

  • x_mitre_platforms (list[str]) - The list of platforms that apply to the data source.

  • x_mitre_collection_layers (list[str]) - The list of places the data can be collected from.

class mitreattack.stix20.DataComponent(**kwargs)

Custom Properties:

  • x_mitre_data_source_ref (str) - The STIX ID of the data source this component is a part of.

class mitreattack.stix20.Asset(**kwargs)

Custom Properties:

  • x_mitre_platforms (list[str]) - The list of platforms that apply to the asset.

  • x_mitre_related_assets (list[dict]) - The list of related assets.
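
How tactic_refs and x_mitre_shortname fit together, as an added example that is not part of the library or its documentation: it rebuilds a matrix's columns from plain STIX dictionaries using only the standard library. The bundle, its STIX IDs and the helper names (sid, phases, matrix_columns) are constructed for illustration.

```python
def sid(kind, n):
    """Build a constructed STIX ID (placeholder UUIDs, not real ATT&CK IDs)."""
    return f"{kind}--00000000-0000-4000-8000-{n:012x}"

def phases(*names):
    """Build a kill_chain_phases list for the given phase names."""
    return [{"kill_chain_name": "mitre-attack", "phase_name": p} for p in names]

MATRIX_ID = sid("x-mitre-matrix", 0xA)

# Constructed sample bundle. Tactics are deliberately stored out of matrix order.
BUNDLE = [
    {"type": "x-mitre-tactic", "id": sid("x-mitre-tactic", 2),
     "name": "Execution", "x_mitre_shortname": "execution"},
    {"type": "x-mitre-tactic", "id": sid("x-mitre-tactic", 1),
     "name": "Initial Access", "x_mitre_shortname": "initial-access"},
    {"type": "x-mitre-matrix", "id": MATRIX_ID, "name": "Sample Matrix",
     # The third ref is dangling on purpose: no such tactic is in the bundle.
     "tactic_refs": [sid("x-mitre-tactic", 1), sid("x-mitre-tactic", 2),
                     sid("x-mitre-tactic", 9)]},
    {"type": "attack-pattern", "id": sid("attack-pattern", 1), "name": "Phishing",
     "kill_chain_phases": phases("initial-access")},
    {"type": "attack-pattern", "id": sid("attack-pattern", 2), "name": "Valid Accounts",
     "kill_chain_phases": phases("initial-access", "persistence")},
    {"type": "attack-pattern", "id": sid("attack-pattern", 3),
     "name": "Command and Scripting Interpreter",
     "kill_chain_phases": phases("execution")},
]

def matrix_columns(objects, matrix_id):
    """Return ([(tactic name, [technique names]), ...] in tactic_refs order, dangling refs)."""
    by_id = {o["id"]: o for o in objects}
    by_phase = {}  # phase_name -> names of techniques that list that phase
    for o in objects:
        if o["type"] == "attack-pattern":
            for phase in o.get("kill_chain_phases", []):
                by_phase.setdefault(phase["phase_name"], []).append(o["name"])
    columns, dangling = [], []
    for ref in by_id[matrix_id]["tactic_refs"]:  # column order comes from tactic_refs
        tactic = by_id.get(ref)
        if tactic is None or tactic["type"] != "x-mitre-tactic":
            dangling.append(ref)  # report a broken ref instead of silently dropping it
            continue
        techniques = sorted(by_phase.get(tactic["x_mitre_shortname"], []))
        columns.append((tactic["name"], techniques))
    return columns, dangling

if __name__ == "__main__":
    for name, techniques in matrix_columns(BUNDLE, MATRIX_ID)[0]:
        print(name, "->", techniques)
```

The "persistence" phase on the sample Valid Accounts entry matches no tactic in this matrix, so it produces no column; coverage tooling built on this mapping should decide explicitly how to treat such phases and any dangling refs.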

STIX Object Factory

The return type of the MitreAttackData methods is determined by the StixObjectFactory method, which converts STIX 2.0 content into a stix2 Custom Object or returns a STIX 2.0 Domain Object.

stix20.StixObjectFactory(data: dict) → CustomStixObject | _DomainObject | dict[str, Any]

Convert STIX 2 content into a STIX object (factory method).

Parameters:

data (dict) – the STIX 2 object content to instantiate, typically the result of a stix2 query

Returns:

If the input data is a recognized custom ATT&CK object type, returns an instance of the corresponding CustomStixObject subclass (e.g., Matrix, Tactic, DataSource, DataComponent, Asset). Otherwise, returns the original dictionary.

Return type:

CustomStixObject | dict

This allows users to work with custom MITRE ATT&CK objects by parsing and accessing an object’s attributes in the same way as a stix2 Domain Object:

from mitreattack.stix20 import MitreAttackData

# build the source data
mitre_attack_data = MitreAttackData("enterprise-attack.json")

# retrieve group G0019 by STIX ID (stix2 Domain Object)
group = mitre_attack_data.get_object_by_stix_id("intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050") # G0019
print(group.aliases) # ['Naikon']

# retrieve tactic TA0001 (stix2 Custom Object)
tactic = mitre_attack_data.get_object_by_attack_id("TA0001")
print(tactic.name) # 'Initial Access'