import os
from stix2 import MemoryStore
from stix2 import Filter
from pprint import pprint
def get_attack_version(domain, version):
    """Load one ATT&CK STIX bundle into an in-memory stix2 store.

    Args:
        domain: ATT&CK domain name, e.g. "enterprise-attack". It is used both
            as the directory name and as the file-name prefix.
        version: ATT&CK release string, e.g. "12.1".

    Returns:
        A ``MemoryStore`` populated from ``<domain>/<domain>-<version>.json``
        (relative to the current working directory).

    NOTE(review): ``domain`` and ``version`` are spliced straight into a
    filesystem path. The call site in this file passes literals; if either
    value ever comes from user input, validate it against an allow-list
    first, because a value containing ``..`` or a path separator would make
    the loader read a file outside the data directory.
    """
    bundle_name = f"{domain}-{version}.json"
    bundle_path = os.path.join(domain, bundle_name)
    store = MemoryStore()
    store.load_from_file(bundle_path)
    return store
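def remove_revoked_deprecated(stix_objects):
    """Drop STIX objects that are flagged as revoked or deprecated.

    An object survives only when both ``revoked`` and ``x_mitre_deprecated``
    are absent or falsy. The previous implementation compared each value
    with ``is False``, so a non-boolean value such as ``None`` was treated as
    "flagged" and the object was silently discarded; ``not`` keeps every
    object that is not positively flagged, which is what the caller wants
    when it asks for the "live" technique set.

    Args:
        stix_objects: iterable of mapping-like STIX objects (plain dicts or
            stix2 objects exposing ``.get``).

    Returns:
        list of the surviving objects, in input order.
    """
    return [
        obj for obj in stix_objects
        if not obj.get("x_mitre_deprecated", False)
        and not obj.get("revoked", False)
    ]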
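def get_all_techniques(dataset, include="both"):
    """Query a stix2 data source for ATT&CK techniques as STIX objects.

    Args:
        dataset: a stix2 data source exposing ``query(filters)``, such as the
            ``MemoryStore`` returned by ``get_attack_version``.
        include: which ``attack-pattern`` objects to return:
            ``"techniques"`` (``x_mitre_is_subtechnique`` is False),
            ``"subtechniques"`` (it is True), or ``"both"`` (no restriction).

    Returns:
        Whatever ``dataset.query`` returns for the selected filters (a list
        of STIX objects for a ``MemoryStore``).

    Raises:
        ValueError: if ``include`` is not one of the three accepted values.
            The previous implementation fell off the end and returned
            ``None``, which only surfaced later as a TypeError in the caller.
    """
    if include not in ("techniques", "subtechniques", "both"):
        raise ValueError(
            f"include must be 'techniques', 'subtechniques' or 'both', got {include!r}"
        )
    filters = [Filter('type', '=', 'attack-pattern')]
    if include == "techniques":
        filters.append(Filter('x_mitre_is_subtechnique', '=', False))
    elif include == "subtechniques":
        filters.append(Filter('x_mitre_is_subtechnique', '=', True))
    return dataset.query(filters)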
# Define the dataset: Enterprise ATT&CK release 12.1, loaded from
# enterprise-attack/enterprise-attack-12.1.json relative to the working directory.
dataset = get_attack_version("enterprise-attack", "12.1")
# Retrieve all techniques and sub-techniques (attack-pattern objects, not groups)
# as STIX objects, then drop any that are marked revoked or deprecated.
techniques_stix_objects = remove_revoked_deprecated(get_all_techniques(dataset, "both"))
# Display the result:
pprint(techniques_stix_objects)