mitre-attack / mitreattack-python

A python module for working with ATT&CK
https://mitreattack-python.readthedocs.io/
Apache License 2.0
447 stars 103 forks

[Request] Retrieve STIX data from NavLayers #156

Closed 3isenHeiM closed 10 months ago

3isenHeiM commented 10 months ago

Is your feature request related to a problem?

The toolset around the navlayers only covers the import and export features.

What if I want to generate a list (Excel) of the description of every technique with a score of 1 in my Navigator layer?

As far as I know, this is not possible at the moment.

Describe the solution you'd like

An ability to load a NavLayer and query STIX elements (tactics present, techniques, ...) and their data from it.

Describe alternatives you've considered

Manually parsing the layer json file and building queries to get stix objects from it.

For example a technique is represented in a layer by this json object

{
    "techniqueID": "T1557",
    "tactic": "credential-access",
    "score": 1,
    "color": "",
    "comment": "",
    "enabled": true,
    "metadata": [],
    "links": [],
    "showSubtechniques": false
},

The only key that can be used to query the corresponding STIX object is techniqueID. However, there is no get_technique_by_id function to directly access it.

I will shortly post my code performing this to move things forward.

clemiller commented 10 months ago

Hi @3isenHeiM,

Although the navlayers module itself doesn't have that functionality, I'd recommend checking out the MitreAttackData module in this library, specifically the get_object_by_attack_id() function (defined here). This function will retrieve the STIX object with the given ATT&CK ID and STIX type. Here is an example Python script demonstrating its use. For additional context, the MitreAttackData library provides the ability to query the dataset for objects and their related objects, you can read more about it here. Hopefully this helps!

3isenHeiM commented 10 months ago

Yes, that's what I ended up doing :)

Here is a full snippet that:

  1. Loads a Navigator layer
  2. Retrieves the STIX technique objects from it.

import json
from mitreattack.stix20 import MitreAttackData

# Load the ATT&CK STIX bundle (enterprise-attack.json, downloaded separately)
mitre_attack_data = MitreAttackData("enterprise-attack.json")

# Load the layer file (closed automatically when the block ends)
with open('layer.json') as lay:
    layer = json.load(lay)

# Get the IDs of techniques whose score = 1 (entries without a score are skipped)
valid_techniques = [t['techniqueID'] for t in layer['techniques'] if "score" in t and t['score'] == 1]
# Remove duplicates (a technique appears once per tactic it is listed under)
valid_techniques = list(set(valid_techniques))

# Extract the technique STIX objects (type attack-pattern) by ATT&CK ID
techniques = [mitre_attack_data.get_object_by_attack_id(t, 'attack-pattern') for t in valid_techniques]

Maybe it can be integrated into the examples, in case anyone else is interested.
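As an added example (not code from this issue or from mitreattack-python), the following script carries the thread's idea through to the spreadsheet the request asks for, and handles the cases a real layer throws up: the same technique listed under two tactics, sub-technique IDs such as T1557.001, entries with no score, and IDs the bundle does not contain. It runs offline against a constructed miniature STIX bundle and a constructed layer that stand in for enterprise-attack.json and layer.json. ATT&CK IDs live in each object's external_references as an external_id, which is what get_object_by_attack_id() filters on; the lookup here keys on the same field and, as an extra precaution that is my choice rather than the library's, only accepts entries whose source_name is "mitre-attack" so that IDs from other reference sources are not mistaken for ATT&CK IDs. The function names (index_bundle, selected_ids, resolve_layer, rows_to_csv) are mine, the descriptions are placeholders, and T9999 is a deliberately unknown ID.

```python
import csv
import io

# Added example; STIX_BUNDLE and LAYER are constructed stand-ins for
# enterprise-attack.json and layer.json, which you would read with json.load().


def _attack_pattern(attack_id, name, tactics, subtechnique=False):
    """Minimal attack-pattern shaped like the bundle's (real IDs/names, placeholder description)."""
    return {
        "type": "attack-pattern", "id": f"attack-pattern--constructed-{attack_id}", "name": name,
        "description": f"(constructed placeholder description for {attack_id})",
        "x_mitre_is_subtechnique": subtechnique,
        "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics],
        "external_references": [{"source_name": "mitre-attack", "external_id": attack_id,
                                 "url": "https://attack.mitre.org/techniques/" + attack_id.replace(".", "/")}],
    }


STIX_BUNDLE = {"type": "bundle", "id": "bundle--constructed", "objects": [
    _attack_pattern("T1557", "Adversary-in-the-Middle", ["credential-access", "collection"]),
    _attack_pattern("T1557.001", "LLMNR/NBT-NS Poisoning and SMB Relay",
                    ["credential-access", "collection"], subtechnique=True),
    _attack_pattern("T1003", "OS Credential Dumping", ["credential-access"]),
    # A mitigation carries an ATT&CK ID too; a query for attack-pattern objects must not return it.
    {"type": "course-of-action", "id": "course-of-action--constructed-M1030", "name": "Network Segmentation",
     "external_references": [{"source_name": "mitre-attack", "external_id": "M1030"}]},
]}

LAYER = {"name": "constructed layer", "domain": "enterprise-attack", "techniques": [
    {"techniqueID": "T1557", "tactic": "credential-access", "score": 1, "enabled": True},
    {"techniqueID": "T1557", "tactic": "collection", "score": 1, "enabled": True},  # same technique, 2nd tactic
    {"techniqueID": "T1557.001", "tactic": "credential-access", "score": 1, "enabled": True},
    {"techniqueID": "T1003", "tactic": "credential-access", "score": 0, "enabled": True},
    {"techniqueID": "T1021", "tactic": "lateral-movement", "enabled": True},  # no score key
    {"techniqueID": "T9999", "tactic": "credential-access", "score": 1, "enabled": True},  # not in bundle
]}


def attack_id_of(obj):
    """ATT&CK ID of a STIX object: the external_id of its external reference whose
    source_name is "mitre-attack" (stricter than the library, which filters on external_id alone)."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack" and "external_id" in ref:
            return ref["external_id"]
    return None


def index_bundle(bundle, stix_type="attack-pattern"):
    """Map ATT&CK ID -> STIX object, restricted to one STIX type."""
    index = {}
    for obj in bundle["objects"]:
        attack_id = attack_id_of(obj)
        if obj.get("type") == stix_type and attack_id:
            index[attack_id] = obj
    return index


def selected_ids(layer, score=1):
    """Unique technique IDs whose layer entry carries the given score, in layer order.
    A technique appears once per tactic in a layer, hence the de-duplication."""
    seen, ids = set(), []
    for entry in layer.get("techniques", []):
        tid = entry.get("techniqueID")
        if entry.get("score") == score and tid not in seen:
            seen.add(tid)
            ids.append(tid)
    return ids


def resolve_layer(layer, index, score=1):
    """Return (rows, unresolved): a row per selected technique present in the index, plus the
    IDs the bundle lacks (typo, wrong domain, or a layer newer than the bundle)."""
    rows, unresolved = [], []
    for tid in selected_ids(layer, score):
        obj = index.get(tid)
        if obj is None:
            unresolved.append(tid)
            continue
        rows.append({
            "techniqueID": tid, "name": obj["name"],
            "is_subtechnique": obj.get("x_mitre_is_subtechnique", False),
            "tactics": ", ".join(p["phase_name"] for p in obj.get("kill_chain_phases", [])
                                 if p.get("kill_chain_name") == "mitre-attack"),
            "description": obj.get("description", ""),
        })
    return rows, unresolved


FIELDS = ["techniqueID", "name", "is_subtechnique", "tactics", "description"]


def rows_to_csv(rows):
    """Serialise the rows as CSV text, ready to open in Excel or hand to a spreadsheet library."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    rows, missing = resolve_layer(LAYER, index_bundle(STIX_BUNDLE))
    print(rows_to_csv(rows), end="")
    print("not in bundle:", ", ".join(missing) or "none")
```

Running the file prints the CSV for T1557 and T1557.001 and reports T9999 as unresolved; with the real library, replace the index lookup in resolve_layer by mitre_attack_data.get_object_by_attack_id(tid, "attack-pattern") and keep the unresolved list, since a silent None for an unknown ID is what turns a mistyped technique into a missing spreadsheet row.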