### Install ATT&CK Python Client from Source Source: https://github.com/otrf/attack-python-client/blob/master/README.md Clone the repository and install the ATT&CK Python Client locally from the source code. ```bash git clone https://github.com/OTRF/ATTACK-Python-Client cd ATTACK-Python-Client pip install . ``` -------------------------------- ### Get all groups and techniques Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/7-Export_Groups_Navigator_Layers.ipynb Initialize MitreAttackClient and retrieve all groups and techniques. ```python from attackcti import MitreAttackClient lift = MitreAttackClient.from_attack_stix_data() groups = lift.get_groups() techniques = lift.get_techniques() ``` -------------------------------- ### Install ATT&CK Python Client via Pip Source: https://github.com/otrf/attack-python-client/blob/master/README.md Install the ATT&CK Python Client using pip for easy integration into your Python projects. ```bash pip install attackcti ``` -------------------------------- ### Initialize Attack Client and Get ICS Techniques Count Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb Initializes the attack client and retrieves the total count of ICS techniques. Ensure the attackcti library is installed. ```python from attackcti import attack_client lift = attack_client() ICS_TECHNIQUES = lift.get_ics_techniques() print("Techniques Count:",len(ICS_TECHNIQUES)) ``` -------------------------------- ### Example Relationship Object Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb This is an example of a 'Relationship' object returned by the ATT&CK Python Client, detailing a 'uses' relationship between an intrusion set and an attack pattern. 
```text Result: Relationship(type='relationship', spec_version='2.1', id='relationship--000aa4d0-315e-40d7-b2b6-76e91ecf0fe8', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-09-15T18:02:37.631Z', modified='2025-04-28T15:31:30.641Z', relationship_type='uses', description='[Indrik Spider](https://attack.mitre.org/groups/G0119) used [Cobalt Strike](https://attack.mitre.org/software/S0154) to carry out credential dumping using ProcDump.(Citation: Symantec WastedLocker June 2020)', source_ref='intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07', target_ref='attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90', revoked=False, external_references=[ExternalReference(source_name='Symantec WastedLocker June 2020', description='Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.', url='https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_attack_spec_version='3.2.0', x_mitre_deprecated=False, x_mitre_modified_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5') ``` -------------------------------- ### Get all techniques Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/3-Export_All_Techniques_To_CSV.ipynb Retrieves all available techniques from the MITRE ATT&CK framework in STIX format. The number of techniques is then displayed. ```python all_techniques = lift.get_techniques() len(all_techniques) ``` -------------------------------- ### Get All Groups and Techniques for a Specific Group Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb Use `lift.get_groups()` to retrieve all available groups. Then, select a specific group and use `lift.get_techniques_used_by_group()` to get the techniques associated with that group. 
If no group name is provided, all groups across all matrices are returned.
```python
groups = lift.get_groups()
one_group = groups[0]
group_techniques = lift.get_techniques_used_by_group(one_group)
```
-------------------------------- ### Initialize MitreAttackClient and Get Techniques Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/7-Export_Groups_Navigator_Layers.ipynb Initializes the MitreAttackClient from STIX data and retrieves all techniques used by all groups as plain dictionaries (`stix_format=False`). This is useful for a comprehensive overview of group TTPs. The notebook times the call with the Jupyter `%time` magic, which is not valid Python outside a notebook, so it is kept here as a comment.
```python
from attackcti import MitreAttackClient

lift = MitreAttackClient.from_attack_stix_data()
# Notebook cell: %time techniques_used = lift.get_techniques_used_by_all_groups(stix_format=False)
techniques_used = lift.get_techniques_used_by_all_groups(stix_format=False)
```
-------------------------------- ### Example Result of STIX Object Lookup Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb This is an example of the detailed STIX object data returned when looking up an 'attack-pattern' by its ATT&CK ID (here `T1103`). Note the `revoked=True` field: the lookup returns the object even though ATT&CK has revoked it, so check `revoked` and `x_mitre_deprecated` before using a looked-up object in a mapping or a detection. ```text Result: [AttackPattern(type='attack-pattern', spec_version='2.1', id='attack-pattern--317fefa6-46c7-4062-adb6-2008cf6bcb41', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-05-31T21:31:15.409Z', modified='2025-10-24T17:48:36.436Z', name='AppInit DLLs', description='Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. 
(Citation: Elastic Process Injection July 2017) Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry)\n\nThe AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')], revoked=True, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1103', external_id='T1103'), ExternalReference(source_name='Elastic Process Injection July 2017', description='Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.', url='https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'), ExternalReference(source_name='AppInit Registry', description='Microsoft. (2006, October). Working with the AppInit_DLLs registry value. Retrieved July 15, 2015.', url='https://support.microsoft.com/en-us/kb/197571'), ExternalReference(source_name='AppInit Secure Boot', description='Microsoft. (n.d.). AppInit DLLs and Secure Boot. Retrieved July 15, 2015.', url='https://msdn.microsoft.com/en-us/library/dn280412'), ExternalReference(source_name='TechNet Autoruns', description='Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. 
Retrieved June 6, 2016.', url='https://technet.microsoft.com/en-us/sysinternals/bb963902')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_attack_spec_version='3.2.0', x_mitre_deprecated=False, x_mitre_detection='', x_mitre_domains=['enterprise-attack'], x_mitre_is_subtechnique=False, x_mitre_modified_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', x_mitre_platforms=['Windows'], x_mitre_version='1.1')] ``` -------------------------------- ### Clone and Set Up Upstream Remote Source: https://github.com/otrf/attack-python-client/blob/master/CONTRIBUTING.md Clone your fork of the repository and add the original project as an 'upstream' remote. This is typically done once when starting a new contribution. Replace `<your-username>` with the GitHub account that owns your fork; the directory you change into must be the one the clone created (`ATTACK-Python-Client`).
```bash
git clone https://github.com/<your-username>/ATTACK-Python-Client.git
# Navigate to the project directory.
cd ATTACK-Python-Client
git remote add upstream https://github.com/OTRF/ATTACK-Python-Client.git
```
-------------------------------- ### Get ICS Techniques Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb Retrieves all techniques defined in the ICS ATT&CK framework. This is a prerequisite for further analysis of ICS techniques. ```python ics_techniques = lift.get_ics_techniques() ``` -------------------------------- ### Retrieve All Data Components Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb Fetches all data components available in the ATT&CK data model. Ensure the attack-python-client library is installed and configured. ```python data_components = lift.get_data_components() ``` -------------------------------- ### Get Mobile ATT&CK Tactics Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb Retrieves all tactics defined in the Mobile ATT&CK framework. Ensure the `lift` client object has been initialized (see the MitreAttackClient initialization snippets). 
```python mobile_tactics = lift.get_mobile_tactics() ``` -------------------------------- ### Get All Downloaded File Paths Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb Retrieve a dictionary of all downloaded STIX file paths, keyed by domain. ```python stix21_downloader.downloaded_file_paths ``` -------------------------------- ### Get Campaigns Since Time Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/9-Explore_Campaigns.ipynb Fetches all campaigns created after a specified timestamp. Useful for tracking recent campaign activity. ```python campaigns_since = lift.get_campaigns_since_time(timestamp="2017-01-31T13:49:53.935Z") len(campaigns_since) ``` -------------------------------- ### Get All Techniques Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb Retrieves all ATT&CK techniques. By default, it excludes deprecated and revoked techniques and includes all sub-techniques. Use `skip_revoked_deprecated=False` to include them and `include_subtechniques=False` to exclude sub-techniques. ```python techniques = lift.get_techniques() ``` -------------------------------- ### Get All Groups Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb Retrieves all available groups from the ATT&CK matrices. ```python groups = lift.get_groups() ``` -------------------------------- ### Get All Campaigns Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/9-Explore_Campaigns.ipynb Retrieve all available campaigns (both enterprise and mobile) and check the total count. This provides an overview of all tracked campaigns. 
```python all_campaigns = lift.get_campaigns() len(all_campaigns) ``` ```text Result: 55 ``` -------------------------------- ### Retrieve Enterprise Tactics Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb Fetches all enterprise tactics available in the MITRE ATT&CK framework. Ensure the attack-python-client library is installed and configured. ```python enterprise_tactics = lift.get_enterprise_tactics() ``` -------------------------------- ### Collect Enterprise Data Sources Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb Fetches all enterprise data sources. Use this to get a comprehensive list of data sources within the Enterprise ATT&CK matrix. ```python enterprise_data_sources = lift.get_enterprise_data_sources() ``` -------------------------------- ### Get Techniques by Data Components Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/5-Collect_Techniques_by_Data_Sources.ipynb Retrieves a list of ATT&CK techniques associated with specified data components. This is useful for understanding which techniques interact with particular data sources. ```python techniques = lift.query.techniques.get_techniques_by_data_components("Process", "Network") ``` -------------------------------- ### Get All ATT&CK Relationships Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb Retrieves all relationships from all ATT&CK matrices using a single API request. Ensure the `lift` object is initialized. ```python relationships = lift.get_relationships() ``` -------------------------------- ### Inspect First Mobile Malware Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb Displays the details of the first malware object from the Mobile ATT&CK data. 
This example shows the kind of information available for each malware entry. ```python mobile_malware[0] ``` -------------------------------- ### Get Techniques with Detection Enrichment Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb Retrieves ATT&CK techniques and enriches them with detection-related properties such as detection strategies, analytics, and log sources. This is useful for understanding how techniques can be detected. ```python techniques = lift.get_techniques(enrich_detections=True) len(techniques) ``` -------------------------------- ### Get Enterprise Tools Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb Retrieves all tools associated with the Enterprise ATT&CK matrix. This is useful for understanding the software and utilities used in cyber attacks. ```python enterprise_tools = lift.get_enterprise_tools() ``` -------------------------------- ### Get and Print ICS Malware Names Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb Retrieves all ICS malware and prints their names. This assumes the attack client has been initialized and ICS malware fetched. ```python ICS_MALWARE = lift.get_ics_malware() for MALWARE in ICS_MALWARE: print(MALWARE['name']) ``` -------------------------------- ### Initialize STIXStore Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb Initialize STIXStore with the path to a downloaded STIX file. ```python store = STIXStore(stix21_downloader.downloaded_file_path) ``` -------------------------------- ### Count ICS Techniques Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb Prints the total number of techniques available in the ICS ATT&CK framework. 
The notebook cell counts `mobile_techniques`, a copy-paste error; the count below uses `ics_techniques` as returned by `lift.get_ics_techniques()` in the Get ICS Techniques snippet, and prints the number so it also shows outside a notebook.
```python
print("Number of Techniques in ICS ATT&CK:", len(ics_techniques))
```
-------------------------------- ### Get Mobile Campaigns Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/9-Explore_Campaigns.ipynb Retrieve all mobile campaigns and print the first one to examine its characteristics. This is useful for understanding threats targeting mobile devices. ```python mobile_campaigns = lift.get_mobile_campaigns() len(mobile_campaigns) ``` ```text Result: 3 ``` ```python print(mobile_campaigns[0]) ``` ```json {"type": "campaign", "spec_version": "2.1", "id": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2025-03-28T14:45:30.132Z", "modified": "2025-03-28T15:23:16.915Z", "name": "Operation Triangulation", "description": "[Operation Triangulation](https://attack.mitre.org/campaigns/C0054) is a mobile campaign targeting iOS devices.(Citation: SecureList OpTriangulation 01Jun2023) The unidentified actors used zero-click exploits in iMessage attachments to gain [Initial Access](https://attack.mitre.org/tactics/TA0027), then executed exploits and validators, such as [Binary Validator](https://attack.mitre.org/software/S1215) before finally executing the [TriangleDB](https://attack.mitre.org/software/S1216) implant. ", "aliases": ["Operation Triangulation"], "first_seen": "2019-01-01T08:00:00Z", "last_seen": "2023-06-01T07:00:00Z", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0054", "external_id": "C0054"}, {"source_name": "SecureList OpTriangulation 01Jun2023", "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. 
Retrieved April 18, 2024.", "url": "https://securelist.com/operation-triangulation/109842/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_first_seen_citation": "(Citation: SecureList OpTriangulation 01Jun2023)", "x_mitre_last_seen_citation": "(Citation: SecureList OpTriangulation 01Jun2023)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0"} ``` -------------------------------- ### Initialize Techniques List Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/10-Export_All_Techniques_To_YAML.ipynb Initializes an empty list to store processed ATT&CK techniques. ```python new_techniques = list() ``` -------------------------------- ### Get Technique by Name using TAXII Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb Use the `get_technique_by_name` method to retrieve a technique by its name. This method is case-sensitive and queries across all matrices via TAXII. ```python technique_name = lift.get_technique_by_name('Rundll32') ``` -------------------------------- ### Initialize ATT&CK Client Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb Initializes the MitreAttackClient and downloads the latest STIX 2.1 data. Reuses existing files if available. ```python from attackcti import MitreAttackClient # Downloads latest STIX 2.1 (enterprise+mobile+ics) to .attackcti/stix-2.1 (reuses files if present) lift = MitreAttackClient.from_attack_stix_data() ``` -------------------------------- ### Initialize ATT&CK Client Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/9-Explore_Campaigns.ipynb Initialize the ATT&CK client using data from STIX. 
```python lift = MitreAttackClient.from_attack_stix_data() ``` -------------------------------- ### Get Software Used by Group Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb Retrieve all software (malware or tool) mapped to a specific Group STIX object. Ensure the 'lift' object is initialized and groups are fetched before calling this function. ```python groups = lift.get_groups() one_group = groups[0] group_software = lift.get_software_used_by_group(one_group) ``` -------------------------------- ### Get ICS Tactics Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb Retrieves all tactics defined within the ICS ATT&CK framework. Use this to understand the high-level goals adversaries aim to achieve in ICS environments. ```python ics_tactics = lift.get_ics_tactics() ``` -------------------------------- ### Retrieve Software and Associated Techniques Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb Fetches all software objects and then retrieves the techniques used by the first software object in the list. Ensure the 'lift' object is initialized and available. ```python all_software = lift.get_software() one_software = all_software[0] software_techniques = lift.get_techniques_used_by_software(one_software) ``` -------------------------------- ### Import STIXStore Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb Import the STIXStore class from the attackcti.utils.storage module. ```python from attackcti.utils.storage import STIXStore ``` -------------------------------- ### Retrieve All Software Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb Fetches all Enterprise, Mobile, and ICS software entries from the ATT&CK framework. 
```python software = lift.get_software() ``` -------------------------------- ### Get Downloaded File Path Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb Retrieve the path of the last downloaded STIX file. ```python stix21_downloader.downloaded_file_path ``` -------------------------------- ### Bar Chart of Techniques by Platform Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb Creates a bar chart visualizing the count of techniques per platform, sorted by technique count in descending order. Requires the altair library; `df_platform_counts` is the DataFrame built in the Techniques by Platform (With Log Sources) snippet.
```python
import altair as alt

alt.Chart(df_platform_counts).mark_bar().encode(
    x=alt.X('techniques:Q', title='Technique count'),
    y=alt.Y('platforms:N', sort='-x', title='Platform')
).properties(height=260)
```
-------------------------------- ### Initialize STIX 2.1 Downloader Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb Initialize the STIXDownloader for STIX version 2.1, specifying the download directory. ```python stix21_downloader = STIXDownloader(download_dir="./downloads", stix_version="2.1") ``` -------------------------------- ### Print First Enterprise Technique Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/10-Export_All_Techniques_To_YAML.ipynb Prints the JSON representation of the first technique in the retrieved list. This helps in inspecting the structure and content of a single technique. ```python print(enterprise_techniques[0]) ``` -------------------------------- ### Get ICS ATT&CK Collection ID Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb Retrieve the unique identifier (ID) of the ICS ATT&CK collection. 
```python api_root.collections[1].id ``` -------------------------------- ### Initialize STIX 2.0 Downloader Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb Initialize the STIXDownloader for STIX version 2.0, specifying the download directory. ```python stix20_downloader = STIXDownloader(download_dir="./downloads", stix_version="2.0") ``` -------------------------------- ### Get Campaign by Alias Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/9-Explore_Campaigns.ipynb Retrieves a specific campaign using its alias. Useful for directly accessing known campaign data. ```python lift.get_campaign_by_alias(alias="C0015") ``` -------------------------------- ### Initialize MitreAttackClient Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/3-Export_All_Techniques_To_CSV.ipynb Initializes the MitreAttackClient by downloading the latest STIX 2.1 data (enterprise, mobile, and ICS). It reuses existing files if present. ```python # Downloads latest STIX 2.1 (enterprise+mobile+ics) to .attackcti/stix-2.1 (reuses files if present) lift = MitreAttackClient.from_attack_stix_data() ``` -------------------------------- ### Initialize MitreAttackClient with Local Data Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/11-Initialize_Client_Local_STIX_data.ipynb Initializes the MitreAttackClient using the previously defined local STIX data paths. ```python lift = MitreAttackClient(local_paths=local_paths) ``` -------------------------------- ### Get Group by Alias (TAXII) Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb Use this function to retrieve a group's information using its alias. The alias lookup is case-sensitive. 
```python group_name = lift.get_group_by_alias('Cozy Bear') ``` -------------------------------- ### Initialize MitreAttackClient Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/7-Export_Groups_Navigator_Layers.ipynb Initializes the MitreAttackClient for automatic retrieval of ATT&CK STIX data. ```python from attackcti import MitreAttackClient lift = MitreAttackClient.from_attack_stix_data() ``` -------------------------------- ### Get STIX Object by Attack ID Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb Use `get_object_by_attack_id` to retrieve a specific STIX object by its STIX type and ATT&CK ID. The lookup is case-sensitive, and it returns revoked objects too: `T1103` (AppInit DLLs) comes back with `revoked=True`, as the lookup result earlier on this page shows. ```python object_by_id = lift.get_object_by_attack_id('attack-pattern', 'T1103') ``` -------------------------------- ### Select a Technique Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/10-Export_All_Techniques_To_YAML.ipynb Selects the first technique from the list of enterprise techniques for further processing. ```python techniques_one = enterprise_techniques[0] ``` -------------------------------- ### Instantiate TAXII Server Object Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb Create a Server object pointing to the ATT&CK public TAXII server URL. The `Server` class comes from the taxii2client package; attack-taxii.mitre.org speaks TAXII 2.1, so use the `v21` module.
```python
from taxii2client.v21 import Server

server = Server("https://attack-taxii.mitre.org/taxii2/")
```
-------------------------------- ### Initialize Group Dictionaries Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/7-Export_Groups_Navigator_Layers.ipynb Creates a list of dictionaries, where each dictionary represents a group and is initialized with an empty list to store its associated techniques. This is a preparatory step for organizing technique data by group. 
```python groups = lift.get_groups() groups_list = [] for g in groups: group_dict = dict() group_dict[g['name']] = [] groups_list.append(group_dict) groups_list[89] ``` -------------------------------- ### Get Mobile Tools Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb Retrieves all mobile tools listed in the ATT&CK matrix. This function is useful for understanding the landscape of mobile threats. ```python mobile_tools = lift.get_mobile_tools() ``` -------------------------------- ### Get Groups and Relationships by Object Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb Retrieves all groups and then fetches relationships for the first group. This is useful for exploring connections between ATT&CK entities. ```python groups = lift.get_groups() one_group = groups[0] relationships = lift.get_relationships_by_object(one_group) ``` -------------------------------- ### Get ICS ATT&CK Collection Title Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb Retrieve the title of the ICS ATT&CK collection by accessing its index in the collections list. ```python api_root.collections[1].title ``` -------------------------------- ### Techniques by Platform (With Log Sources) Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb Analyzes and displays the top 15 platforms with the most techniques that have at least one log source reference. It filters the dataframe, explodes the 'platforms' column, and then groups by platform to count techniques. Requires pandas. 
`df` is the notebook's technique DataFrame, which carries a `log_sources_count` column and a list-valued `platforms` column.
```python
import pandas as pd

df_platform = df[df['log_sources_count'] > 0].copy()
df_platform = df_platform.explode('platforms')
df_platform_counts = df_platform.groupby('platforms', dropna=False).size().reset_index(name='techniques')
df_platform_counts = df_platform_counts.sort_values('techniques', ascending=False)
df_platform_counts.head(15)
```
-------------------------------- ### Explore Collections within API Root Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb Access and iterate through the collections available within a specific API Root to get information about each collection. `api_root` is one entry of `server.api_roots` on the Server object created in the Instantiate TAXII Server Object snippet.
```python
for collection in api_root.collections:
    print(collection.title, "->", collection.description)
```
-------------------------------- ### Visualize Techniques With and Without Log Source References Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb Creates a bar chart to show the total count of techniques that either have or do not have log source references. This is a direct visualization of the distribution of techniques based on log source presence. Requires pandas and altair.
```python
import pandas as pd
import altair as alt

dist = pd.DataFrame(
    {
        'Techniques': ['Without log sources', 'With log sources'],
        'Count': [int((df['log_sources_count'] == 0).sum()), int((df['log_sources_count'] > 0).sum())],
    }
)
bars = alt.Chart(dist).mark_bar().encode(x='Techniques', y='Count', color='Techniques').properties(width=260, height=280)
text = bars.mark_text(align='center', baseline='bottom', dy=-2).encode(text='Count')
(bars + text)
```
-------------------------------- ### Load and Display Enterprise Techniques Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb This snippet loads enterprise techniques and normalizes them into a Pandas DataFrame for easier viewing. It then selects and displays the first 5 entries, showing creation date, name, and platforms. 
```python
import json
import pandas

# Each STIX object is serialized to JSON and flattened into one DataFrame row.
techniques = []
for t in enterprise_techniques:
    techniques.append(json.loads(t.serialize()))
df = pandas.json_normalize(techniques)
df.reindex(['created', 'name', 'x_mitre_platforms'], axis=1)[0:5]
```
-------------------------------- ### Load ATT&CK Techniques Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/10-Export_All_Techniques_To_YAML.ipynb Loads ATT&CK techniques from a local JSON file using the separate pyattck library (not attackcti). This is the initial step before processing or exporting techniques. The `stix2.MemoryStore` import is not used by this cell.
```python
from stix2 import MemoryStore  # imported by the notebook, unused in this cell
from pyattck import Attck

# Load ATT&CK data from a JSON file
attck = Attck(nested=True)
attck.load_attck_from_json(filepath='enterprise-attack.json')
# Get all enterprise techniques
enterprise_techniques = attck.enterprise_techniques
```
-------------------------------- ### Get Enterprise Relationships Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb Retrieves all relationships within the Enterprise ATT&CK matrix. These relationships can represent links between techniques, software, groups, etc. ```python enterprise_relationships = lift.get_enterprise_relationships() ``` -------------------------------- ### Retrieve Enterprise Techniques Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/11-Initialize_Client_Local_STIX_data.ipynb Fetches all enterprise techniques available from the initialized client. ```python enterprise_techniques = lift.get_enterprise_techniques() ``` -------------------------------- ### Inspect First Technique Entry Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/7-Export_Groups_Navigator_Layers.ipynb Displays the first technique entry from the retrieved list. This provides a sample of the data structure and content for individual techniques. 
```python techniques_used[0] ``` -------------------------------- ### Get Techniques Mitigated by Mitigations Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb Use this function to retrieve all techniques that have mitigations mapped to them. This is useful for understanding defensive measures against specific attack patterns. ```python techniques_mitigated = lift.get_techniques_mitigated_by_mitigations() ``` -------------------------------- ### Build Python Package Locally Source: https://github.com/otrf/attack-python-client/wiki/Home Builds the source distribution and wheel for the Python package into `dist/`. Invoking `setup.py` directly is deprecated by setuptools; the maintained equivalent is `python -m build` (from the `build` package), which produces the same two artifacts.
```bash
python setup.py sdist bdist_wheel
```
-------------------------------- ### Get and Print ICS Group Names Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb Retrieves all ICS groups and prints their names. This assumes the attack client has been initialized.
```python
ICS_GROUPS = lift.get_ics_groups()
for GROUP in ICS_GROUPS:
    print(GROUP['name'])
```
-------------------------------- ### Display First Software Entry Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb Access and display the first software entry retrieved for a group. This snippet assumes 'group_software' is a non-empty list obtained from 'get_software_used_by_group'. ```python group_software[0] ``` -------------------------------- ### Retrieve ICS Techniques Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb Use the query method with a type filter to get all ICS attack patterns. Accessing the first technique in the results is shown. 
```python
ICS_TECHNIQUES = TC_ICS_SOURCE.query(Filter("type", "=", "attack-pattern"))
ICS_TECHNIQUES[0]
```

--------------------------------

### Visualize Techniques With and Without Log Sources
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb

Generates a bar chart to visualize the count of techniques with and without log sources. Requires the pandas and altair libraries.

```python
dist2 = pd.DataFrame(
    {
        'Techniques': ['Without log sources', 'With log sources'],
        'Count': [
            int((df['log_sources_count'] == 0).sum()),
            int((df['log_sources_count'] > 0).sum()),
        ],
    }
)

bars = (
    alt.Chart(dist2)
    .mark_bar()
    .encode(x='Techniques', y='Count', color='Techniques')
    .properties(width=260, height=280)
)
text = bars.mark_text(align='center', baseline='bottom', dy=-2).encode(text='Count')
(bars + text)
```

--------------------------------

### Populate Group Dictionaries with Techniques
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/7-Export_Groups_Navigator_Layers.ipynb

Iterates through the initialized group dictionaries and populates them with technique details obtained from `techniques_used`. Each technique is added as a dictionary containing its ID, name, comment, tactic, and group ID.
```python
for group in groups_list:
    for group_name, techniques_list in group.items():
        for gut in techniques_used:
            if group_name == gut['name']:
                technique_dict = dict()
                technique_dict['techniqueId'] = gut['technique_id']
                technique_dict['techniqueName'] = gut['technique']
                technique_dict['comment'] = gut['relationship_description']
                technique_dict['tactic'] = gut['tactic']
                technique_dict['group_id'] = gut['external_references'][0]['external_id']
                techniques_list.append(technique_dict)

groups_list[89]
```

--------------------------------

### Update Local Branch from Upstream
Source: https://github.com/otrf/attack-python-client/blob/master/CONTRIBUTING.md

Update your local repository with the latest changes from the upstream repository before starting new work. Ensure you are on the correct branch.

```bash
$ git remote update
$ git checkout
$ git rebase upstream/
```

--------------------------------

### Stage All Changes
Source: https://github.com/otrf/attack-python-client/blob/master/CONTRIBUTING.md

Add all modified and new files in the current branch to the staging area. This prepares them for the next commit.

```bash
# To add all new files to branch Branch_Name
$ git add .
```

--------------------------------

### Get ICS Mitigations
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb

Retrieves all mitigations defined in the ICS ATT&CK framework. This function collects mitigation strategies relevant to industrial control systems.

```python
ics_mitigations = lift.get_ics_mitigations()
```

--------------------------------

### Get Mobile Relationships
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb

Retrieves all relationships between entities in the Mobile ATT&CK matrix. This function is essential for understanding how different mobile threats and tactics are connected.
```python
mobile_relationships = lift.get_mobile_relationships()
```

--------------------------------

### Display First Processed Technique
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/10-Export_All_Techniques_To_YAML.ipynb

Shows the structure and content of the first technique after processing, useful for verification.

```python
new_techniques[0]
```

--------------------------------

### Download All Domains at Once
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb

Download ATT&CK data for all domains (enterprise, mobile, ics) for a specified release.

```python
stix20_downloader.download_all_domains(release="16.1")
```

--------------------------------

### Get Campaign by Object ID
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/9-Explore_Campaigns.ipynb

Retrieves a campaign using its MITRE ATT&CK object ID. Useful for accessing campaign details when only the ID is known.

```python
lift.get_object_by_attack_id("campaign", "C0001")
```

--------------------------------

### Visualize Technique Coverage Across Domains
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb

Generates a bar chart visualizing the count of techniques per ATT&CK domain using Altair. This helps in understanding the distribution of techniques across different domains.

```python
alt.Chart(domain_counts).mark_bar().encode(
    x=alt.X('techniques:Q', title='Technique count'),
    y=alt.Y('domain:N', sort='-x', title='Domain'),
    color='domain:N'
).properties(height=140)
```

--------------------------------

### Display Technique Dictionary
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/10-Export_All_Techniques_To_YAML.ipynb

Displays the serialized technique dictionary. This is useful for inspecting the structure and content of a technique before exporting.
```python
technique_dict
```

--------------------------------

### Get Enterprise Campaigns
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/9-Explore_Campaigns.ipynb

Retrieve all enterprise campaigns and print the first one to inspect its details. The sample output shows a financially-motivated campaign targeting specific industries.

```python
enterprise_campaigns = lift.get_enterprise_campaigns()
len(enterprise_campaigns)
```

```text
Result: 52
```

```python
print(enterprise_campaigns[0])
```

```json
{
  "type": "campaign",
  "spec_version": "2.1",
  "id": "campaign--df74f7ad-b10d-431c-9f1d-a2bc18dadefa",
  "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "created": "2023-06-30T19:28:30.616Z",
  "modified": "2025-04-16T20:37:45.650Z",
  "name": "C0027",
  "description": "[C0027](https://attack.mitre.org/campaigns/C0027) was a financially-motivated campaign linked to [Scattered Spider](https://attack.mitre.org/groups/G1015) that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During [C0027](https://attack.mitre.org/campaigns/C0027) [Scattered Spider](https://attack.mitre.org/groups/G1015) used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.(Citation: Crowdstrike TELCO BPO Campaign December 2022)\n",
  "aliases": ["C0027"],
  "first_seen": "2022-06-01T04:00:00Z",
  "last_seen": "2022-12-01T05:00:00Z",
  "external_references": [
    {
      "source_name": "mitre-attack",
      "url": "https://attack.mitre.org/campaigns/C0027",
      "external_id": "C0027"
    },
    {
      "source_name": "Crowdstrike TELCO BPO Campaign December 2022",
      "description": "Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.",
      "url": "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/"
    }
  ],
  "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],
  "x_mitre_attack_spec_version": "3.2.0",
  "x_mitre_deprecated": false,
  "x_mitre_domains": ["enterprise-attack"],
  "x_mitre_first_seen_citation": "(Citation: Crowdstrike TELCO BPO Campaign December 2022)",
  "x_mitre_last_seen_citation": "(Citation: Crowdstrike TELCO BPO Campaign December 2022)",
  "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
  "x_mitre_version": "1.0"
}
```

--------------------------------

### Build Table of Log Source References per Technique
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb

Iterates through ATT&CK techniques to extract and aggregate information about associated log sources and data components. This data is then compiled into a pandas DataFrame for further analysis.
```python
records = []
for t in techniques:
    d = json.loads(t.serialize()) if hasattr(t, 'serialize') else t
    domain = (d.get('x_mitre_domains') or [None])[0]
    technique_id = d.get('id')
    technique_name = d.get('name')
    platforms = d.get('x_mitre_platforms') or []

    # Kill chain phases are a list of dicts: {'phase_name': ..., 'kill_chain_name': ...}
    tactics = [
        p.get('phase_name')
        for p in (d.get('kill_chain_phases') or [])
        if isinstance(p, dict) and p.get('phase_name')
    ]

    strategies = d.get('x_attackcti_detection_strategies') or []
    log_source_names: set[str] = set()
    data_component_refs: set[str] = set()
    for strategy in strategies:
        for analytic in (strategy.get('x_attackcti_analytics') or []):
            for log_source in (analytic.get('x_attackcti_log_sources') or []):
                name = log_source.get('name')
                if isinstance(name, str) and name:
                    log_source_names.add(name)
                ref = log_source.get('x_mitre_data_component_ref')
                if isinstance(ref, str) and ref:
                    data_component_refs.add(ref)

    records.append(
        {
            'domain': domain,
            'technique': technique_name,
            'technique_id': technique_id,
            'platforms': platforms,
            'tactics': tactics,
            'detection_strategies_count': len(strategies),
            'log_sources': sorted(log_source_names) or None,
            'log_sources_count': len(log_source_names),
            'data_component_refs_count': len(data_component_refs),
        }
    )

df = pd.DataFrame.from_records(records)
df.head()
```

--------------------------------

### Inspect First Mobile Group
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb

Displays the details of the first threat actor group object from the Mobile ATT&CK data. This serves as an example of the information available for each group.
```python
mobile_groups[0]
```

--------------------------------

### Process and Structure Techniques
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/10-Export_All_Techniques_To_YAML.ipynb

Iterates through enterprise techniques, serializes them, extracts key information (name, description, tactics, and technique ID), and appends each result to a new list. This prepares the data for YAML export.

```python
# Collects the simplified technique dictionaries for export
new_techniques = list()

for t in enterprise_techniques:
    td = json.loads(t.serialize())
    new_dict = dict()
    new_dict['name'] = td['name']
    new_dict['description'] = td['description']
    new_dict['tactics'] = list()
    for kc in td['kill_chain_phases']:
        new_dict['tactics'].append(kc['phase_name'])
    new_dict['technique_id'] = td['external_references'][0]['external_id']
    new_techniques.append(new_dict)
```

--------------------------------

### Inspect First Mobile Mitigation
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb

Displays the details of the first mitigation object found in the Mobile ATT&CK data. This provides an example of the structure and content of mitigation data.

```python
mobile_mitigations[0]
```

--------------------------------

### Import MitreAttackClient
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/11-Initialize_Client_Local_STIX_data.ipynb

Imports the MitreAttackClient class from the attackcti library.

```python
from attackcti import MitreAttackClient
```

--------------------------------

### Get ICS Relationships
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb

Retrieves all relationships defined within the ICS ATT&CK framework. Use this to understand connections between different ATT&CK entities in an ICS context.
```python
ics_relationships = lift.get_ics_relationships()
```

--------------------------------

### Import STIXDownloader
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb

Import the STIXDownloader class from the attackcti.utils.downloader module.

```python
from attackcti.utils.downloader import STIXDownloader
```

--------------------------------

### Count Software Entries
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb

Prints the total number of software entries collected.

```python
print("Number of Software in ATT&CK")
len(software)
```

--------------------------------

### Get ICS Data
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb

Retrieves all data related to the ICS (Industrial Control Systems) ATT&CK framework. This call can take a while, which is why the notebook times it with the `%time` magic.

```python
%time all_ics = lift.get_ics()
```

--------------------------------

### Import STIX2 and TAXII Libraries
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb

Import the classes from stix2 and taxii2client needed to work with TAXII collection sources.

```python
from stix2 import Filter, TAXIICollectionSource
from taxii2client.v21 import Collection
```

--------------------------------

### Access Individual Technique Details
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/5-Collect_Techniques_by_Data_Sources.ipynb

Accesses the first technique object from the retrieved list. This allows for detailed inspection of a specific technique's properties.
```python
techniques[0]
```

--------------------------------

### Access First Enterprise Technique
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb

Accesses and displays the first technique object from the collected enterprise techniques list. This is useful for inspecting the structure and content of individual technique objects.

```python
enterprise_techniques[0]
```

--------------------------------

### Retrieve ICS Malware Data
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb

Fetches all malware entries specifically related to the ICS (Industrial Control Systems) domain from the ATT&CK matrix. Ensure the attack-python-client is installed and configured.

```python
ics_malware = lift.get_ics_malware()
```

--------------------------------

### Print Enriched Hierarchy for One Technique
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb

This snippet iterates through the detection strategies, analytics, and log sources of a given technique and prints their details. It requires the technique object to be loaded and assumes it either has a `serialize` method or is already a dictionary.
```python
technique = (
    json.loads(techniques[0].serialize())
    if hasattr(techniques[0], 'serialize')
    else techniques[0]
)

details = technique.get('x_attackcti_detection_strategies', [])
for strategy in details:
    print(f"Detection strategy: {strategy.get('name')} ({strategy.get('id')})")
    for analytic in strategy.get('x_attackcti_analytics', []):
        print(f"  Analytic: {analytic.get('name')} ({analytic.get('id')})")
        for log_source in analytic.get('x_attackcti_log_sources', []):
            comp_ref = log_source.get('x_mitre_data_component_ref')
            print(f"    Log source: {log_source.get('name')} - {log_source.get('channel')} (component ref {comp_ref})")
```

--------------------------------

### Get ICS Groups
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb

Retrieves all threat groups associated with the ICS ATT&CK framework. This function collects information about known threat actors targeting industrial control systems.

```python
ics_groups = lift.get_ics_groups()
```

--------------------------------

### List Generated JSON Files
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/7-Export_Groups_Navigator_Layers.ipynb

Lists all JSON files created in the current directory, which correspond to the Navigator layers generated for each group. The leading `!` runs the command as a shell escape from the notebook cell.

```bash
! ls *.json
```

--------------------------------

### Download ATT&CK Enterprise v16.1
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb

Download ATT&CK Enterprise data for release 16.1. The output indicates the downloaded file path.
```python
stix20_downloader.download_attack_data(domain="enterprise", release="16.1")
```

--------------------------------

### Import necessary libraries
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/3-Export_All_Techniques_To_CSV.ipynb

Imports the required libraries: json for handling JSON data, pandas for data manipulation, and MitreAttackClient for interacting with the MITRE ATT&CK framework.

```python
import json
import pandas
from attackcti import MitreAttackClient
```

--------------------------------

### Get All ATT&CK Data Sources
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb

Retrieves all data sources from the ATT&CK knowledge base. This function is useful for accessing information about data sources as they are incorporated into the ATT&CK data model.

```python
data_sources = lift.get_data_sources()
```

--------------------------------

### Import Server Class
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb

Import the Server class from the taxii2client.v21 library to interact with TAXII servers.

```python
from taxii2client.v21 import Server
```

--------------------------------

### Get Techniques with Data Component Enrichment
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb

Call `get_techniques` with `enrich_detections` and `enrich_data_components` set to True to embed full data component objects into the technique hierarchy. This is useful when log source references need to be resolved to their full object definitions.
```python
techniques = lift.get_techniques(enrich_detections=True, enrich_data_components=True)
```

--------------------------------

### Process and Display Software Data
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb

Converts the collected software data into JSON dictionaries, normalizes them into a pandas DataFrame, and displays the first four entries.

```python
software_list = []
for t in software:
    software_list.append(json.loads(t.serialize()))

df = pandas.json_normalize(software_list)
df[0:4]
```

--------------------------------

### Connect to MITRE ATT&CK TAXII 2.1 server
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/12-Local_vs_TAXII_STIX_20_21.ipynb

Connects to the MITRE ATT&CK TAXII 2.1 server using `MitreAttackClient.from_taxii()`. This mode is network-backed and subject to rate limits. It demonstrates fetching a single object by its STIX ID.

```python
# TAXII mode (STIX 2.1 over TAXII 2.1)
taxii = MitreAttackClient.from_taxii()
print('mode:', taxii.mode, 'spec_version:', taxii.spec_version)

# Example: fetch one object by STIX id (one request)
stix_id = 'attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842'
obj = taxii.TC_ENTERPRISE_SOURCE.get(stix_id)
print(obj['type'], obj['id'], obj.get('spec_version'))
```

--------------------------------

### Initialize TAXII Collection Source for ICS ATT&CK
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb

Construct a Collection object for the ICS ATT&CK collection and initialize a TAXIICollectionSource to query STIX objects from it.
```python
ATTACK_STIX_COLLECTIONS = "https://attack-taxii.mitre.org/api/v21/collections/"

# ICS_ATTACK holds the ICS collection ID, defined earlier in the notebook
ICS_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + ICS_ATTACK + "/")
TC_ICS_SOURCE = TAXIICollectionSource(ICS_COLLECTION)
```

--------------------------------

### Retrieve Techniques with Enriched Data Components
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb

This snippet demonstrates how to fetch techniques enriched with full data component objects. It calls `lift.get_techniques` with `enrich_data_components=True` and then iterates through the results to print details, including the nested data component information.

```python
techniques_with_components = lift.get_techniques(enrich_data_components=True)

technique = (
    json.loads(techniques_with_components[0].serialize())
    if hasattr(techniques_with_components[0], 'serialize')
    else techniques_with_components[0]
)

details = technique.get('x_attackcti_detection_strategies', [])
for strategy in details:
    print(f"Detection strategy: {strategy.get('name')} ({strategy.get('id')})")
    for analytic in strategy.get('x_attackcti_analytics', []):
        print(f"  Analytic: {analytic.get('name')} ({analytic.get('id')})")
        for log_source in analytic.get('x_attackcti_log_sources', []):
            comp_ref = log_source.get('x_mitre_data_component_ref')
            print(f"    Log source: {log_source.get('name')} - {log_source.get('channel')} (component ref {comp_ref})")
            comp = log_source.get('x_attackcti_data_component')
            if isinstance(comp, dict):
                print(f"      Data component: {comp.get('name')} ({comp.get('id')})")
```

--------------------------------

### Load STIX 2.1 bundle locally
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/12-Local_vs_TAXII_STIX_20_21.ipynb

Loads a STIX 2.1 bundle from a local file path using `MitreAttackClient.from_local()`. This mode is for offline use. It then queries for `attack-pattern` objects.
```python
# STIX 2.1 local mode
# If you downloaded only enterprise above, you can still load just enterprise.
client21 = MitreAttackClient.from_local(enterprise=str(stix21_enterprise))
print('mode:', client21.mode, 'spec_version:', client21.spec_version)

techniques_21 = client21.TC_ENTERPRISE_SOURCE.query([Filter('type', '=', 'attack-pattern')])
print('enterprise attack-pattern count (2.1):', len(techniques_21))
```