Closed 3isenHeiM closed 10 months ago
Hi @3isenHeiM,
Although the `navlayers` module itself doesn't have that functionality, I'd recommend checking out the `MitreAttackData` module in this library, specifically the `get_object_by_attack_id()` function (defined here). This function will retrieve the STIX object with the given ATT&CK ID and STIX type. Here is an example Python script demonstrating its use. For additional context, the `MitreAttackData` library provides the ability to query the dataset for objects and their related objects; you can read more about it here. Hopefully this helps!
Yes, that's what I ended up doing :)
Here is a full snippet that :
```python
import json

from mitreattack.stix20 import MitreAttackData

# Load the ATT&CK Enterprise STIX bundle
mitre_attack_data = MitreAttackData("enterprise-attack.json")

# Load the layer file (the context manager closes the file handle)
with open('layer.json') as lay:
    layer = json.load(lay)

# Get the IDs of the techniques whose score == 1
valid_techniques = [t['techniqueID'] for t in layer['techniques'] if "score" in t and t['score'] == 1]
# Remove duplicates
valid_techniques = list(set(valid_techniques))
# Extract the STIX objects of those techniques
techniques = [mitre_attack_data.get_object_by_attack_id(t, 'attack-pattern') for t in valid_techniques]
```
Maybe it can be integrated in the examples if anyone else might be interested.
Is your feature request related to a problem?
The toolset around the navlayers only covers the import and export features.
What if I want to generate a list (Excel) of the description of every technique with a score of 1 in my Navigator layer?
As far as I know, this is not possible at the moment.
Describe the solution you'd like
An ability to load a NavLayer and query STIX elements (tactics present, techniques, ...) and their data from it.
Describe alternatives you've considered
Manually parsing the layer JSON file and building queries to get STIX objects from it.
For example, a technique is represented in a layer by this JSON object
The only key that can be used to query the corresponding STIX object is `techniqueID`. However, there is no `get_technique_by_id` function to directly access it. I will shortly post my code performing this to move things forward.
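The spreadsheet export this issue asks for, as an added example that is not code from the thread or from the mitreattack-python project: it uses only the standard library to join a layer's `techniqueID` values to `attack-pattern` objects through their `mitre-attack` external reference, and writes a CSV that Excel opens. It goes slightly beyond the thread by skipping revoked or deprecated objects and reporting IDs the bundle does not contain; the function names and the sample layer and bundle are constructed for illustration.

```python
import csv
import io
import json

# Constructed sample layer: T1078 is listed under two tactics, T9999 is not in the bundle.
LAYER_JSON = """{"name": "demo", "techniques": [
  {"techniqueID": "T1078", "tactic": "persistence", "score": 1},
  {"techniqueID": "T1078", "tactic": "initial-access", "score": 1},
  {"techniqueID": "T1003", "tactic": "credential-access", "score": 0},
  {"techniqueID": "T1566", "tactic": "initial-access"},
  {"techniqueID": "T9999", "tactic": "impact", "score": 1}]}"""
# Constructed minimal STIX bundle (descriptions are placeholders, one object is revoked).
BUNDLE_JSON = """{"type": "bundle", "objects": [
  {"type": "attack-pattern", "name": "Valid Accounts", "description": "Constructed text A.",
   "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
  {"type": "attack-pattern", "name": "Old entry", "revoked": true,
   "external_references": [{"source_name": "mitre-attack", "external_id": "T1078"}]},
  {"type": "attack-pattern", "name": "OS Credential Dumping", "description": "Constructed text B.",
   "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}]}]}"""

def index_by_attack_id(bundle, stix_type="attack-pattern"):
    """Map ATT&CK ID -> live STIX object of the given type (hypothetical helper)."""
    index = {}
    for obj in bundle["objects"]:
        if obj.get("type") != stix_type or obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue  # skip other STIX types and retired objects
        for ref in obj.get("external_references", []):
            if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
                index[ref["external_id"]] = obj
    return index

def scored_technique_ids(layer, score=1):
    """Unique, sorted technique IDs whose score equals `score`; unscored entries are ignored."""
    return sorted({t["techniqueID"] for t in layer.get("techniques", []) if t.get("score") == score})

def layer_to_csv(layer, bundle, score=1):
    """Return (csv_text, ids_missing_from_bundle) for the scored techniques."""
    index = index_by_attack_id(bundle)
    out, missing = io.StringIO(), []
    writer = csv.writer(out)
    writer.writerow(["techniqueID", "name", "description"])
    for tid in scored_technique_ids(layer, score):
        if tid in index:
            writer.writerow([tid, index[tid]["name"], index[tid].get("description", "")])
        else:
            missing.append(tid)  # e.g. layer built against a different ATT&CK version
    return out.getvalue(), missing

if __name__ == "__main__":
    print(layer_to_csv(json.loads(LAYER_JSON), json.loads(BUNDLE_JSON)))
```

With real data, pass the parsed `layer.json` and `enterprise-attack.json` instead of the constructed strings and write the returned text to a `.csv` file.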