MitreAttackData

The MitreAttackData library is used to read in and work with MITRE ATT&CK STIX 2.0 content. The latest MITRE ATT&CK data files can be found here:

Note: this library currently only supports STIX 2.0

Usage

This library provides the ability to query the dataset for objects and their related objects. Additional examples of retrieving data by STIX ID, ATT&CK ID, type, etc. can be found in the Examples section.

Example: Retrieving a technique by its ATT&CK ID

from mitreattack.stix20 import MitreAttackData

mitre_attack_data = MitreAttackData("enterprise-attack.json")
technique = mitre_attack_data.get_object_by_attack_id('T1134', 'attack-pattern')

Example: Retrieving all group objects

from mitreattack.stix20 import MitreAttackData

mitre_attack_data = MitreAttackData("enterprise-attack.json")
groups = mitre_attack_data.get_groups()

A large part of working with ATT&CK revolves around parsing relationships between objects. It is useful to track not only the related object but the relationship itself because a description is often present to contextualize the nature of the relationship. This library can be used to build a lookup table of STIX ID to related objects and relationships.

Example: Retrieving relationships between groups and software

from mitreattack.stix20 import MitreAttackData

mitre_attack_data = MitreAttackData("enterprise-attack.json")
group_id_to_software = mitre_attack_data.get_software_used_by_groups()
print(group_id_to_software["intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050"])  # G0019
# [
#     {
#         "object": Malware, # S0061
#         "relationships": Relationship[] # relationships between G0019 and S0061
#     },
#     {
#         ...
#     }
# ]

When working with functions to return objects based on a set of characteristics, it is likely that a few objects may be returned which are no longer maintained by ATT&CK. These are objects marked as deprecated or revoked. We recommend filtering out revoked and deprecated objects whenever possible since they are no longer maintained by ATT&CK.

Example: Removing revoked and deprecated objects

from mitreattack.stix20 import MitreAttackData

mitre_attack_data = MitreAttackData("enterprise-attack.json")
mitigations = mitre_attack_data.get_mitigations(remove_revoked_deprecated=True)

To separately remove revoked and deprecated objects from the results of a method:

from mitreattack.stix20 import MitreAttackData

mitre_attack_data = MitreAttackData("enterprise-attack.json")
mitigations = mitre_attack_data.get_mitigations()
mitigations = mitre_attack_data.remove_revoked_deprecated(mitigations)

Please refer to the STIX2 Python API Documentation for more information on how to work with STIX programmatically. We also recommend reading the ATT&CK Design and Philosophy Paper, which describes high-level overall approach, intention, and usage of ATT&CK.

API Reference

class mitreattack.stix20.MitreAttackData(stix_filepath: str | None = None, src: MemoryStore | None = None)

Central class for querying, analyzing, and mapping relationships between STIX 2.0 objects in the MITRE ATT&CK framework.

This class provides methods to retrieve, filter, and relate ATT&CK objects such as techniques, software, groups, campaigns, mitigations, assets, data sources, and data components. It supports querying by type, content, platform, relationships, and more, with options to filter out revoked or deprecated objects.

Parameters:

stix_filepath (str | None, optional) – Filepath to a STIX 2.0 bundle. Mutually exclusive with src.
src (stix2.MemoryStore | None, optional) – A STIX 2.0 bundle already loaded into memory. Mutually exclusive with stix_filepath.

Raises:

TypeError – If neither or both of stix_filepath and src are provided, or if stix_filepath is not a string.

add_inherited_campaign_relationships(related_campaigns, inherited_campaign_relationships, object_relationships) → dict[str, list[RelationshipEntry[T]]]

Add inherited relationships to list of [{“object”: object, “relationships”: [relationship]}].

Parameters:

related_campaigns (RelationshipMapT[Any]) – Campaigns related to the object: [object_stix_id => [RelationshipEntry[Campaign]]].
inherited_campaign_relationships (RelationshipMapT[Any]) – Relationships to be inherited from campaigns: [campaign_id => [RelationshipEntry[Any]]].
object_relationships (RelationshipMapT[Any]) – Direct relationships with the object itself: [object_stix_id => [RelationshipEntry[Any]]].

Returns:

Relationship mapping with inherited campaign relationships added.

Return type:

RelationshipMapT[T]

get_all_assets_targeted_by_all_techniques() → dict[str, list[~mitreattack.stix20.MitreAttackData.RelationshipEntry[~stix2.custom._custom_object_builder.<locals>._CustomObject]]]

Get all assets targeted by all techniques.

Returns:: Mapping of technique_stix_id to RelationshipEntry[Asset] for each asset targeted by the technique.
Return type:: RelationshipMapT[Asset]

get_all_campaigns_attributed_to_all_groups() → dict[str, list[RelationshipEntry[Campaign]]]

Get all campaigns attributed to all groups.

Returns:: Mapping of group_stix_id to RelationshipEntry[Campaign] for each campaign attributed to the group.
Return type:: RelationshipMapT[Campaign]

get_all_campaigns_using_all_software() → dict[str, list[RelationshipEntry[Campaign]]]

Get all campaigns using all software.

Returns:: Mapping of software_stix_id to RelationshipEntry[Campaign] for each campaign using the software.
Return type:: RelationshipMapT[Campaign]

get_all_campaigns_using_all_techniques() → dict[str, list[RelationshipEntry[Campaign]]]

Get all campaigns using all techniques.

Returns:: Mapping of technique_stix_id to RelationshipEntry[Campaign] for each campaign using the technique.
Return type:: RelationshipMapT[Campaign]

get_all_datacomponents_detecting_all_techniques() → dict[str, list[~mitreattack.stix20.MitreAttackData.RelationshipEntry[~stix2.custom._custom_object_builder.<locals>._CustomObject]]]

Get all data components detecting all techniques.

Returns:: Mapping of technique_stix_id to RelationshipEntry[DataComponent] describing the data components that can detect the technique.
Return type:: RelationshipMapT[DataComponent]

get_all_detection_strategies_detecting_all_techniques() → dict[str, list[~mitreattack.stix20.MitreAttackData.RelationshipEntry[~stix2.custom._custom_object_builder.<locals>._CustomObject]]]

Get all detection strategies detecting all techniques.

Returns:: Mapping of asset_stix_id to RelationshipEntry[DetectionStrategy] for each detection strategy detecting the technique.
Return type:: RelationshipMapT[DetectionStrategy]

get_all_groups_attributing_to_all_campaigns() → dict[str, list[RelationshipEntry[IntrusionSet]]]

Get all groups attributing to all campaigns.

Returns:: Mapping of campaign_stix_id to RelationshipEntry[Group] for each group attributing to the campaign.
Return type:: RelationshipMapT[Group]

get_all_groups_using_all_software() → dict[str, list[RelationshipEntry[IntrusionSet]]]

Get all groups using all software.

Returns:: Mapping of software_stix_id to RelationshipEntry[Group] for each group using the software and each attributed campaign using the software.
Return type:: RelationshipMapT[Group]

get_all_groups_using_all_techniques() → dict[str, list[RelationshipEntry[IntrusionSet]]]

Get all groups using all techniques.

Returns:: Mapping of technique_stix_id to RelationshipEntry[Group] for each group using the technique and each campaign attributed to groups using the technique.
Return type:: RelationshipMapT[Group]

get_all_mitigations_mitigating_all_techniques() → dict[str, list[RelationshipEntry[CourseOfAction]]]

Get all mitigations mitigating all techniques.

Returns:: Mapping of technique_stix_id to RelationshipEntry[Mitigation] for each mitigation mitigating the technique.
Return type:: RelationshipMapT[Mitigation]

get_all_parent_techniques_of_all_subtechniques() → dict[str, list[RelationshipEntry[AttackPattern]]]

Get all parent techniques of all sub-techniques.

Returns:: Mapping of subtechnique_stix_id to RelationshipEntry[Technique] describing the parent technique of the subtechnique.
Return type:: RelationshipMapT[Technique]

get_all_software_used_by_all_campaigns() → dict[str, list[RelationshipEntry[Malware | Tool]]]

Get all software used by all campaigns.

Returns:: Mapping of campaign_stix_id to RelationshipEntry[Software] for each software used by the campaign.
Return type:: RelationshipMapT[Software]

get_all_software_used_by_all_groups() → dict[str, list[RelationshipEntry[Malware | Tool]]]

Retrieve all software used by all groups.

Returns:: Mapping of group_stix_id to RelationshipEntry[Software] for each software used by the group and each software used by campaigns attributed to the group.
Return type:: RelationshipMapT[Software]

get_all_software_using_all_techniques() → dict[str, list[RelationshipEntry[Malware | Tool]]]

Get all software using all techniques.

Returns:: Mapping of technique_stix_id to RelationshipEntry[Software] for each software using the technique.
Return type:: RelationshipMapT[Software]

get_all_subtechniques_of_all_techniques() → dict[str, list[RelationshipEntry[AttackPattern]]]

Get all subtechniques of all parent techniques.

Returns:: Mapping of technique_stix_id to RelationshipEntry[Technique] for each subtechnique of the technique.
Return type:: RelationshipMapT[Technique]

get_all_techniques_detected_by_all_datacomponents() → dict[str, list[RelationshipEntry[AttackPattern]]]

Get all techniques detected by all data components.

Returns:: Mapping of datacomponent_stix_id to RelationshipEntry[Technique] describing the detections of the data component.
Return type:: RelationshipMapT[Technique]

get_all_techniques_detected_by_all_detection_strategies() → dict[str, list[RelationshipEntry[AttackPattern]]]

Get all techniques detected by all detection strategies.

Returns:: Mapping of detection_strategy_stix_id to RelationshipEntry[Technique] for each technique detected by the detection strategy.
Return type:: RelationshipMapT[Technique]

get_all_techniques_mitigated_by_all_mitigations() → dict[str, list[RelationshipEntry[AttackPattern]]]

Get all techniques mitigated by all mitigations.

Returns:: Mapping of mitigation_stix_id to RelationshipEntry[Technique] for each technique mitigated by the mitigation.
Return type:: RelationshipMapT[Technique]

get_all_techniques_targeting_all_assets() → dict[str, list[RelationshipEntry[AttackPattern]]]

Get all techniques targeting all assets.

Returns:: Mapping of asset_stix_id to RelationshipEntry[Technique] for each technique targeting the asset.
Return type:: RelationshipMapT[Technique]

get_all_techniques_used_by_all_campaigns() → dict[str, list[RelationshipEntry[AttackPattern]]]

Get all techniques used by all campaigns.

Returns:: Mapping of campaign_stix_id to RelationshipEntry[Technique] for each technique used by the campaign.
Return type:: RelationshipMapT[Technique]

get_all_techniques_used_by_all_groups() → dict[str, list[RelationshipEntry[AttackPattern]]]

Get all techniques used by all groups.

Returns:: Mapping of group_stix_id to RelationshipEntry[Technique] for each technique used by the group and each technique used by campaigns attributed to the group.
Return type:: RelationshipMapT[Technique]

get_all_techniques_used_by_all_software() → dict[str, list[RelationshipEntry[AttackPattern]]]

Get all techniques used by all software.

Returns:: Mapping of software_stix_id to RelationshipEntry[Technique] for each technique used by the software.
Return type:: RelationshipMapT[Technique]

get_analytics(remove_revoked_deprecated: bool = False) → list[~stix2.custom._custom_object_builder.<locals>._CustomObject]

Retrieve all analytic objects.

Parameters:: remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.
Returns:: A list of Analytic objects.
Return type:: list[Analytic]

get_analytics_by_detection_strategy(detection_strategy_stix_id: str, remove_revoked_deprecated: bool = False) → list[~stix2.custom._custom_object_builder.<locals>._CustomObject]

Retrieve analytics for a detection strategy.

Parameters:

detection_strategy_stix_id (str) – Detection Strategy to search.
remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.

Returns:

A list of Analytic objects referenced by the given detection strategy.

Return type:

list[Analytic]

Raises:

ValueError – If no detection strategy with the given STIX ID is found.

get_assets(remove_revoked_deprecated: bool = False) → list[~stix2.custom._custom_object_builder.<locals>._CustomObject]

Retrieve all asset objects.

Parameters:: remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.
Returns:: A list of Asset objects.
Return type:: list[Asset]

get_assets_targeted_by_technique(technique_stix_id: str) → list[~mitreattack.stix20.MitreAttackData.RelationshipEntry[~stix2.custom._custom_object_builder.<locals>._CustomObject]]

Get all assets targeted by a technique.

Parameters:: technique_stix_id (str) – The STIX ID of the technique.
Returns:: List of RelationshipEntry[Asset] for each asset targeted by the technique.
Return type:: list[RelationshipEntry[Asset]]

get_attack_id(stix_id: str) → str | None

Get the object’s ATT&CK ID.

Parameters:: stix_id (str) – The STIX ID of the object.
Returns:: The ATT&CK ID of the object, or None if not found.
Return type:: str | None

get_campaigns(remove_revoked_deprecated: bool = False) → list[Campaign]

Retrieve all campaign objects.

Parameters:: remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.
Returns:: A list of Campaign objects.
Return type:: list[Campaign]

get_campaigns_attributed_to_group(group_stix_id: str) → list[RelationshipEntry[Campaign]]

Get all campaigns attributed to a group.

Parameters:: group_stix_id (str) – The STIX ID of the group.
Returns:: List of RelationshipEntry[Campaign] for each campaign attributed to the group.
Return type:: list[RelationshipEntry[Campaign]]

get_campaigns_by_alias(alias: str) → list[Campaign]

Retrieve the campaigns corresponding to a given alias.

Note: the query by alias is case sensitive.

Parameters:: alias (str) – The alias of the campaign.
Returns:: A list of Campaign objects corresponding to the alias.
Return type:: list[Campaign]

get_campaigns_using_software(software_stix_id: str) → list[RelationshipEntry[Campaign]]

Get all campaigns using a software.

Parameters:: software_stix_id (str) – The STIX ID of the software.
Returns:: List of RelationshipEntry[Campaign] for each campaign using the software.
Return type:: list[RelationshipEntry[Campaign]]

get_campaigns_using_technique(technique_stix_id: str) → list[RelationshipEntry[Campaign]]

Get all campaigns using a technique.

Parameters:: technique_stix_id (str) – The STIX ID of the technique.
Returns:: List of RelationshipEntry[Campaign] for each campaign using the technique.
Return type:: list[RelationshipEntry[Campaign]]

get_datacomponents(remove_revoked_deprecated: bool = False) → list[~stix2.custom._custom_object_builder.<locals>._CustomObject]

Retrieve all data component objects.

Parameters:: remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.
Returns:: A list of DataComponent objects.
Return type:: list[DataComponent]

get_datacomponents_detecting_technique(technique_stix_id: str) → list[~mitreattack.stix20.MitreAttackData.RelationshipEntry[~stix2.custom._custom_object_builder.<locals>._CustomObject]]

Get all data components detecting a technique.

Parameters:: technique_stix_id (str) – The STIX ID of the technique.
Returns:: List of RelationshipEntry[DataComponent] describing the data components that can detect the technique.
Return type:: list[RelationshipEntry[DataComponent]]

get_datasources(remove_revoked_deprecated: bool = False) → list[~stix2.custom._custom_object_builder.<locals>._CustomObject]

Retrieve all data source objects.

Parameters:: remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.
Returns:: A list of DataSource objects.
Return type:: list[DataSource]

get_detection_strategies_detecting_technique(technique_stix_id: str) → list[~mitreattack.stix20.MitreAttackData.RelationshipEntry[~stix2.custom._custom_object_builder.<locals>._CustomObject]]

Get all detection strategies detecting a technique.

Parameters:: technique_stix_id (str) – The STIX ID of the technique.
Returns:: List of RelationshipEntry[DetectionStrategy] for each detection strategy detecting the technique.
Return type:: list[RelationshipEntry[DetectionStrategy]]

get_detectionstrategies(remove_revoked_deprecated: bool = False) → list[~stix2.custom._custom_object_builder.<locals>._CustomObject]

Retrieve all detection strategy objects.

Parameters:: remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.
Returns:: A list of DetectionStrategy objects.
Return type:: list[DetectionStrategy]

static get_field(obj, field, default=None)

Get a field from a dict or object.

Parameters:

obj (dict or object with attributes) – Source to retrieve the field from.
field (str) – Field name or key.
default (any, optional) – Value to return if field is missing, by default None.

Returns:

Field value or default.

Return type:

Any

get_groups(remove_revoked_deprecated: bool = False) → list[IntrusionSet]

Retrieve all group objects.

Parameters:: remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.
Returns:: A list of Group objects.
Return type:: list[Group]

get_groups_attributing_to_campaign(campaign_stix_id: str) → list[RelationshipEntry[IntrusionSet]]

Get all groups attributing to a campaign.

Parameters:: campaign_stix_id (str) – The STIX ID of the campaign.
Returns:: List of RelationshipEntry[Group] for each group attributing to the campaign.
Return type:: list[RelationshipEntry[Group]]

get_groups_by_alias(alias: str) → list[IntrusionSet]

Retrieve the groups corresponding to a given alias.

Note: the query by alias is case sensitive.

Parameters:: alias (str) – The alias of the group.
Returns:: A list of Group objects corresponding to the alias.
Return type:: list[Group]

get_groups_using_software(software_stix_id: str) → list[RelationshipEntry[IntrusionSet]]

Get all groups using a software.

Parameters:: software_stix_id (str) – The STIX ID of the software.
Returns:: List of RelationshipEntry[Group] for each group using the software and each attributed campaign using the software.
Return type:: list[RelationshipEntry[Group]]

get_groups_using_technique(technique_stix_id: str) → list[RelationshipEntry[IntrusionSet]]

Get all groups using a technique.

Parameters:: technique_stix_id (str) – The STIX ID of the technique.
Returns:: List of RelationshipEntry[Group] for each group using the technique and each campaign attributed to groups using the technique.
Return type:: list[RelationshipEntry[Group]]

get_matrices(remove_revoked_deprecated: bool = False) → list[~stix2.custom._custom_object_builder.<locals>._CustomObject]

Retrieve all matrix objects.

Parameters:: remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.
Returns:: A list of Matrix objects.
Return type:: list[Matrix]

get_mitigations(remove_revoked_deprecated: bool = False) → list[CourseOfAction]

Retrieve all mitigation objects.

Parameters:: remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.
Returns:: A list of Mitigation objects.
Return type:: list[Mitigation]

get_mitigations_mitigating_technique(technique_stix_id: str) → list[RelationshipEntry[CourseOfAction]]

Get all mitigations mitigating a technique.

Parameters:: technique_stix_id (str) – The STIX ID of the technique.
Returns:: List of RelationshipEntry[Mitigation] for each mitigation mitigating the technique.
Return type:: list[RelationshipEntry[Mitigation]]

get_name(stix_id: str) → str | None

Get the object’s name.

Parameters:: stix_id (str) – The STIX ID of the object.
Returns:: The value of the ‘name’ property of the STIX object, or None if not present.
Return type:: str | None

get_object_by_attack_id(attack_id: str, stix_type: str) → CustomStixObject | _DomainObject | None

Retrieve a single object by its ATT&CK ID.

Note: In prior versions of ATT&CK, mitigations had 1:1 relationships with techniques and shared their technique’s ID. Searching by ATT&CK ID alone does not work properly for techniques since technique ATT&CK IDs are not truly unique. The STIX type must be specified when searching by ATT&CK ID to avoid this issue.

Parameters:

attack_id (str) – The ATT&CK ID of the object to retrieve.
stix_type (str) – The object STIX type (must be one of self.stix_types).

Returns:

The STIX Domain Object specified by the ATT&CK ID, or None if not found.

Return type:

AttackStixObject | None

Raises:

ValueError – If stix_type is not a valid STIX type.

get_object_by_stix_id(stix_id: str) → CustomStixObject | _DomainObject

Retrieve a single object by STIX ID.

Parameters:: stix_id (str) – The STIX ID of the object to retrieve.
Returns:: The STIX Domain Object specified by the STIX ID.
Return type:: AttackStixObject
Raises:: ValueError – If no object with the given STIX ID is found.

get_objects_by_content(content: str, object_type: str | None = None, remove_revoked_deprecated: bool = False) → list[CustomStixObject | _DomainObject]

Retrieve objects by the content of their description.

Note: the query by content is not case sensitive.

Parameters:

content (str) – The content string to search for.
object_type (str | None, optional) – The STIX object type (must be one of self.stix_types or ‘relationship’).
remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.

Returns:

A list of objects where the given content string appears in the description.

Return type:

list[AttackStixObject]

Raises:

ValueError – If object_type is not a valid STIX type or ‘relationship’.

get_objects_by_name(name: str, stix_type: str) → list[CustomStixObject | _DomainObject]

Retrieve objects by name.

Note: the query by name is case sensitive.

Parameters:

name (str) – The name of the object to retrieve.
stix_type (str) – The STIX object type (must be one of self.stix_types).

Returns:

A list of STIX Domain Objects specified by the name and type.

Return type:

list[AttackStixObject]

Raises:

ValueError – If stix_type is not a valid STIX type.

get_objects_by_type(stix_type: str, remove_revoked_deprecated: bool = False) → list[CustomStixObject | _DomainObject]

Retrieve objects by STIX type.

Parameters:

stix_type (str) – The STIX type of the objects to retrieve.
remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.

Returns:

A list of STIX 2.0 Domain Objects or Custom ATT&CK objects.

Return type:

list[AttackStixObject]

get_objects_created_after(timestamp: str, remove_revoked_deprecated: bool = False) → list[CustomStixObject | _DomainObject]

Retrieve objects which have been created after a given time.

Parameters:

timestamp (str) – Timestamp to search (e.g. “2018-10-01T00:14:20.652Z”).
remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.

Returns:

A list of AttackStixObject objects created after the given time.

Return type:

list[AttackStixObject]

get_objects_modified_after(date: str, remove_revoked_deprecated: bool = False) → list[CustomStixObject | _DomainObject]

Retrieve objects which have been modified after a given time.

Parameters:

date (str) – Date to search (e.g. “2022-10-01”, “2022-10-01T00:00:00.000Z”, “October 1, 2022”, etc.).
remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.

Returns:

A list of AttackStixObject objects modified after the given time.

Return type:

list[AttackStixObject]

get_parent_technique_of_subtechnique(subtechnique_stix_id: str) → list[RelationshipEntry[AttackPattern]]

Get the parent technique of a sub-technique.

Parameters:: subtechnique_stix_id (str) – The STIX ID of the sub-technique.
Returns:: List of RelationshipEntry[Technique] describing the parent technique of the sub-technique.
Return type:: list[RelationshipEntry[Technique]]

get_procedure_examples_by_technique(stix_id: str) → list[Relationship]

Retrieve the list of procedure examples by technique.

Parameters:: stix_id (str) – The STIX ID of the technique.
Returns:: A list of Relationship objects describing the software, groups, and campaigns using the technique.
Return type:: list[Relationship]

get_related(source_type: str, relationship_type: str, target_type: str, reverse: bool = False) → dict[str, list[RelationshipEntry[CustomStixObject | _DomainObject]]]

Build relationship mappings.

Parameters:

source_type (str) – Source type for the relationships, e.g. ‘intrusion-set’.
relationship_type (str) – Relationship type for the relationships, e.g. ‘uses’.
target_type (str) – Target type for the relationships, e.g. ‘attack-pattern’.
reverse (bool, optional) – Build reverse mapping of target to source, by default False.

Returns:

If reverse=False, relationship mapping of source_object_id => [RelationshipEntry[AttackStixObject]]; if reverse=True, relationship mapping of target_object_id => [RelationshipEntry[AttackStixObject]].

Return type:

RelationshipMapT[AttackStixObject]

get_revoking_object(revoked_stix_id: str = '') → CustomStixObject | _DomainObject | None

Given the STIX ID of a revoked object, retrieve the STIX object that replaced (“revoked”) it.

Parameters:: revoked_stix_id (str) – The STIX ID of the object that has been revoked.
Returns:: The object that replaced (“revoked”) it, or None if not found.
Return type:: AttackStixObject | None

get_software(remove_revoked_deprecated: bool = False) → list[Malware | Tool]

Retrieve all software objects.

Parameters:: remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.
Returns:: A list of Software (Tool and Malware) objects.
Return type:: list[Software]

get_software_by_alias(alias: str) → list[Malware | Tool]

Retrieve the software corresponding to a given alias.

Note: the query by alias is case sensitive.

Parameters:: alias (str) – The alias of the software.
Returns:: A list of Software objects corresponding to the alias.
Return type:: list[Software]

get_software_used_by_campaign(campaign_stix_id: str) → list[RelationshipEntry[Malware | Tool]]

Get all software used by a campaign.

Parameters:: campaign_stix_id (str) – The STIX ID of the campaign.
Returns:: List of RelationshipEntry[Software] for each software used by the campaign.
Return type:: list[RelationshipEntry[Software]]

get_software_used_by_group(group_stix_id: str) → list[RelationshipEntry[Malware | Tool]]

Get all software used by a group.

Parameters:: group_stix_id (str) – The STIX ID of the group.
Returns:: List of RelationshipEntry[Software] for each software used by the group including software used by campaigns attributed to the group.
Return type:: list[RelationshipEntry[Software]]

get_software_using_technique(technique_stix_id: str) → list[RelationshipEntry[Malware | Tool]]

Get all software using a technique.

Parameters:: technique_stix_id (str) – The STIX ID of the technique.
Returns:: List of RelationshipEntry[Software] for each software using the technique.
Return type:: list[RelationshipEntry[Software]]

get_stix_type(stix_id: str) → str

Get the object’s STIX type.

Parameters:: stix_id (str) – The STIX ID of the object.
Returns:: The STIX type of the object.
Return type:: str

get_subtechniques(remove_revoked_deprecated: bool = False) → list[AttackPattern]

Retrieve all sub-technique objects.

Parameters:: remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.
Returns:: A list of Technique objects that are sub-techniques.
Return type:: list[Technique]

get_subtechniques_of_technique(technique_stix_id: str) → list[RelationshipEntry[AttackPattern]]

Get all subtechniques of a technique.

Parameters:: technique_stix_id (str) – The STIX ID of the technique.
Returns:: List of RelationshipEntry[Technique] for each subtechnique of the technique.
Return type:: list[RelationshipEntry[Technique]]

get_tactics(remove_revoked_deprecated: bool = False) → list[~stix2.custom._custom_object_builder.<locals>._CustomObject]

Retrieve all tactic objects.

Parameters:: remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.
Returns:: A list of Tactic objects.
Return type:: list[Tactic]

get_tactics_by_matrix() → dict[str, list[~stix2.custom._custom_object_builder.<locals>._CustomObject]]

Retrieve the structured list of tactics within each matrix.

The order of the tactics in the list matches the ordering of tactics in that matrix.

Returns:: A mapping of matrix name to a list of Tactic objects.
Return type:: dict[str, list[Tactic]]

get_tactics_by_technique(stix_id: str) → list[~stix2.custom._custom_object_builder.<locals>._CustomObject]

Retrieve the list of tactics within a particular technique.

Parameters:: stix_id (str) – The STIX ID of the technique to be queried.
Returns:: A list of Tactic objects that the technique contains.
Return type:: list[Tactic]

get_techniques(include_subtechniques: bool = True, remove_revoked_deprecated: bool = False) → list[AttackPattern]

Retrieve all technique objects.

Parameters:

include_subtechniques (bool, optional) – Include sub-techniques in the result, by default True.
remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.

Returns:

A list of Technique objects.

Return type:

list[Technique]

get_techniques_by_platform(platform: str, remove_revoked_deprecated: bool = False) → list[AttackPattern]

Retrieve techniques under a specific platform.

Parameters:

platform (str) – Platform to search.
remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.

Returns:

A list of Technique objects under the given platform.

Return type:

list[Technique]

get_techniques_by_tactic(tactic_shortname: str, domain: str, remove_revoked_deprecated: bool = False) → list[AttackPattern]

Retrieve techniques by tactic.

Parameters:

tactic_shortname (str) – The x_mitre_shortname of the tactic (e.g. ‘defense-evasion’).
domain (str) – Domain of the tactic (must be ‘enterprise-attack’, ‘mobile-attack’, or ‘ics-attack’).
remove_revoked_deprecated (bool, optional) – Remove revoked or deprecated objects from the query, by default False.

Returns:

A list of Technique objects under the given tactic.

Return type:

list[Technique]

get_techniques_detected_by_datacomponent(datacomponent_stix_id: str) → list[RelationshipEntry[AttackPattern]]

Get all techniques detected by a data component.

Parameters:: datacomponent_stix_id (str) – The STIX ID of the data component.
Returns:: List of RelationshipEntry[Technique] describing the detections of the data component.
Return type:: list[RelationshipEntry[Technique]]

get_techniques_detected_by_detection_strategy(detection_strategy_stix_id: str) → list[RelationshipEntry[AttackPattern]]

Get all techniques detected by a detection strategy.

Parameters:: detection_strategy_stix_id (str) – The STIX ID of the detection strategy.
Returns:: List of RelationshipEntry[Technique] for each technique detected by the detection strategy.
Return type:: list[RelationshipEntry[Technique]]

get_techniques_mitigated_by_mitigation(mitigation_stix_id: str) → list[RelationshipEntry[AttackPattern]]

Get all techniques being mitigated by a mitigation.

Parameters:: mitigation_stix_id (str) – The STIX ID of the mitigation.
Returns:: List of RelationshipEntry[Technique] for each technique mitigated by the mitigation.
Return type:: list[RelationshipEntry[Technique]]

get_techniques_targeting_asset(asset_stix_id: str) → list[RelationshipEntry[AttackPattern]]

Get all techniques targeting an asset.

Parameters:: asset_stix_id (str) – The STIX ID of the asset.
Returns:: List of RelationshipEntry[Technique] for each technique targeting the asset.
Return type:: list[RelationshipEntry[Technique]]

get_techniques_used_by_campaign(campaign_stix_id: str) → list[RelationshipEntry[AttackPattern]]

Get all techniques used by a campaign.

Parameters:: campaign_stix_id (str) – The STIX ID of the campaign.
Returns:: List of RelationshipEntry[Technique] for each technique used by the campaign.
Return type:: list[RelationshipEntry[Technique]]

get_techniques_used_by_group(group_stix_id: str) → list[RelationshipEntry[AttackPattern]]

Get all techniques used by a group.

Parameters:: group_stix_id (str) – The STIX ID of the group.
Returns:: List of RelationshipEntry[Technique] for each technique used by the group and each technique used by campaigns attributed to the group.
Return type:: list[RelationshipEntry[Technique]]

get_techniques_used_by_group_software(group_stix_id: str) → list[AttackPattern]

Get techniques used by a group’s software.

Because a group uses software, and software uses techniques, groups can be considered indirect users of techniques used by their software. These techniques are oftentimes distinct from the techniques used directly by a group, although there are occasionally intersections in these two sets of techniques.

Parameters:: group_stix_id (str) – The STIX ID of the group object.
Returns:: A list of Technique objects used by the group’s software.
Return type:: list[Technique]

get_techniques_used_by_software(software_stix_id: str) → list[RelationshipEntry[AttackPattern]]

Get all techniques used by a software.

Parameters:: software_stix_id (str) – The STIX ID of the software.
Returns:: List of RelationshipEntry[Technique] for each technique used by the software.
Return type:: list[RelationshipEntry[Technique]]

merge(map_a: dict[str, list[RelationshipEntry[T]]], map_b: dict[str, list[RelationshipEntry[T]]]) → dict[str, list[RelationshipEntry[T]]]

Merge two relationship mappings resulting from get_related().

Parameters:

map_a (RelationshipMapT[T]) – The first relationship mapping.
map_b (RelationshipMapT[T]) – The second relationship mapping.

Returns:

The merged relationship mapping.

Return type:

RelationshipMapT[T]

print_stix_object(obj: CustomStixObject | _DomainObject, pretty: bool = True)

Print a STIX object.

Parameters:

obj (AttackStixObject) – The object to print.
pretty (bool, optional) – Pretty print the object, by default True.

remove_duplicates(relationship_map) → dict[str, list[RelationshipEntry[T]]]

Remove duplicate objects in a list of RelationshipEntry[T].

Parameters:: relationship_map (RelationshipMapT[T]) – The relationship mapping to deduplicate.
Returns:: Deduplicated relationship mapping.
Return type:: RelationshipMapT[T]

remove_revoked_deprecated(stix_objects: list[T]) → list[T]

Remove revoked or deprecated objects from queries made to the data source.

Parameters:: stix_objects (list[T]) – List of STIX objects from a query made to the data source.
Returns:: List of STIX objects with revoked and deprecated objects filtered out.
Return type:: list[T]