### Install ATT&CK Python Client from Source
Source: https://github.com/otrf/attack-python-client/blob/master/README.md
Clone the repository and install the ATT&CK Python Client locally from the source code.
```bash
git clone https://github.com/OTRF/ATTACK-Python-Client
cd ATTACK-Python-Client
pip install .
```
--------------------------------
### Get all groups and techniques
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/7-Export_Groups_Navigator_Layers.ipynb
Initialize MitreAttackClient and retrieve all groups and techniques.
```python
from attackcti import MitreAttackClient
lift = MitreAttackClient.from_attack_stix_data()
groups = lift.get_groups()
techniques = lift.get_techniques()
```
--------------------------------
### Install ATT&CK Python Client via Pip
Source: https://github.com/otrf/attack-python-client/blob/master/README.md
Install the ATT&CK Python Client using pip for easy integration into your Python projects.
```bash
pip install attackcti
```
--------------------------------
### Initialize Attack Client and Get ICS Techniques Count
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb
Initializes the attack client and retrieves the total count of ICS techniques. Ensure the attackcti library is installed.
```python
from attackcti import attack_client
lift = attack_client()
ICS_TECHNIQUES = lift.get_ics_techniques()
print("Techniques Count:", len(ICS_TECHNIQUES))
```
--------------------------------
### Example Relationship Object
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb
This is an example of a 'Relationship' object returned by the ATT&CK Python Client, detailing a 'uses' relationship between an intrusion set and an attack pattern.
```text
Result:
Relationship(type='relationship', spec_version='2.1', id='relationship--000aa4d0-315e-40d7-b2b6-76e91ecf0fe8', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2021-09-15T18:02:37.631Z', modified='2025-04-28T15:31:30.641Z', relationship_type='uses', description='[Indrik Spider](https://attack.mitre.org/groups/G0119) used [Cobalt Strike](https://attack.mitre.org/software/S0154) to carry out credential dumping using ProcDump.(Citation: Symantec WastedLocker June 2020)', source_ref='intrusion-set--01e28736-2ffc-455b-9880-ed4d1407ae07', target_ref='attack-pattern--65f2d882-3f41-4d48-8a06-29af77ec9f90', revoked=False, external_references=[ExternalReference(source_name='Symantec WastedLocker June 2020', description='Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.', url='https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_attack_spec_version='3.2.0', x_mitre_deprecated=False, x_mitre_modified_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5')
```
--------------------------------
### Get all techniques
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/3-Export_All_Techniques_To_CSV.ipynb
Retrieves all available techniques from the MITRE ATT&CK framework in STIX format. The number of techniques is then displayed.
```python
all_techniques = lift.get_techniques()
len(all_techniques)
```
--------------------------------
### Get All Groups and Techniques for a Specific Group
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb
Use `lift.get_groups()` to retrieve all available groups. Then, select a specific group and use `lift.get_techniques_used_by_group()` to get the techniques associated with that group. If no group name is provided, all groups across all matrices are returned.
```python
groups = lift.get_groups()
one_group = groups[0]
group_techniques = lift.get_techniques_used_by_group(one_group)
```
--------------------------------
### Initialize MitreAttackClient and Get Techniques
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/7-Export_Groups_Navigator_Layers.ipynb
Initializes the MitreAttackClient from STIX data and retrieves all techniques used by groups. This is useful for a comprehensive overview of group TTPs.
```python
from attackcti import MitreAttackClient
lift = MitreAttackClient.from_attack_stix_data()
# The notebook cell wrapped this call in the IPython %time magic; plain Python omits it.
techniques_used = lift.get_techniques_used_by_all_groups(stix_format=False)
```
--------------------------------
### Example Result of STIX Object Lookup
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb
This is an example of the detailed STIX object data returned when looking up an 'attack-pattern' by its ID.
```text
Result:
[AttackPattern(type='attack-pattern', spec_version='2.1', id='attack-pattern--317fefa6-46c7-4062-adb6-2008cf6bcb41', created_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', created='2017-05-31T21:31:15.409Z', modified='2025-10-24T17:48:36.436Z', name='AppInit DLLs', description='Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows or HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017) Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry)\n\nThe AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)', kill_chain_phases=[KillChainPhase(kill_chain_name='mitre-attack', phase_name='persistence'), KillChainPhase(kill_chain_name='mitre-attack', phase_name='privilege-escalation')], revoked=True, external_references=[ExternalReference(source_name='mitre-attack', url='https://attack.mitre.org/techniques/T1103', external_id='T1103'), ExternalReference(source_name='Elastic Process Injection July 2017', description='Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017.', url='https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process'), ExternalReference(source_name='AppInit Registry', description='Microsoft. (2006, October). Working with the AppInit_DLLs registry value. Retrieved July 15, 2015.', url='https://support.microsoft.com/en-us/kb/197571'), ExternalReference(source_name='AppInit Secure Boot', description='Microsoft. (n.d.). AppInit DLLs and Secure Boot. Retrieved July 15, 2015.', url='https://msdn.microsoft.com/en-us/library/dn280412'), ExternalReference(source_name='TechNet Autoruns', description='Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.', url='https://technet.microsoft.com/en-us/sysinternals/bb963902')], object_marking_refs=['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'], x_mitre_attack_spec_version='3.2.0', x_mitre_deprecated=False, x_mitre_detection='', x_mitre_domains=['enterprise-attack'], x_mitre_is_subtechnique=False, x_mitre_modified_by_ref='identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5', x_mitre_platforms=['Windows'], x_mitre_version='1.1')]
```
--------------------------------
### Clone and Set Up Upstream Remote
Source: https://github.com/otrf/attack-python-client/blob/master/CONTRIBUTING.md
Clone your fork of the repository and add the original project as an 'upstream' remote. This is typically done once when starting a new contribution.
```bash
# Clone your fork (replace <your-github-username> with your GitHub account name)
git clone https://github.com/<your-github-username>/ATTACK-Python-Client.git
# Navigate to the project directory.
cd ATTACK-Python-Client
# Add the original OTRF repository as the 'upstream' remote
git remote add upstream https://github.com/OTRF/ATTACK-Python-Client.git
```
--------------------------------
### Get ICS Techniques
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Retrieves all techniques defined in the ICS ATT&CK framework. This is a prerequisite for further analysis of ICS techniques.
```python
ics_techniques = lift.get_ics_techniques()
```
--------------------------------
### Retrieve All Data Components
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb
Fetches all data components available in the ATT&CK data model. Ensure the attack-python-client library is installed and configured.
```python
data_components = lift.get_data_components()
```
--------------------------------
### Get Mobile ATT&CK Tactics
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Retrieves all tactics defined in the Mobile ATT&CK framework. Ensure the `lift` client object has been initialized.
```python
mobile_tactics = lift.get_mobile_tactics()
```
--------------------------------
### Get All Downloaded File Paths
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb
Retrieve a dictionary of all downloaded STIX file paths, keyed by domain.
```python
stix21_downloader.downloaded_file_paths
```
--------------------------------
### Get Campaigns Since Time
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/9-Explore_Campaigns.ipynb
Fetches all campaigns created after a specified timestamp. Useful for tracking recent campaign activity.
```python
campaigns_since = lift.get_campaigns_since_time(timestamp="2017-01-31T13:49:53.935Z")
len(campaigns_since)
```
--------------------------------
### Get All Techniques
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb
Retrieves all ATT&CK techniques. By default, it excludes deprecated and revoked techniques and includes all sub-techniques. Use `skip_revoked_deprecated=False` to include them and `include_subtechniques=False` to exclude sub-techniques.
```python
techniques = lift.get_techniques()
```
--------------------------------
### Get All Groups
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb
Retrieves all available groups from the ATT&CK matrices.
```python
groups = lift.get_groups()
```
--------------------------------
### Get All Campaigns
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/9-Explore_Campaigns.ipynb
Retrieve all available campaigns (both enterprise and mobile) and check the total count. This provides an overview of all tracked campaigns.
```python
all_campaigns = lift.get_campaigns()
len(all_campaigns)
```
```text
Result:
55
```
--------------------------------
### Retrieve Enterprise Tactics
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Fetches all enterprise tactics available in the MITRE ATT&CK framework. Ensure the attack-python-client library is installed and configured.
```python
enterprise_tactics = lift.get_enterprise_tactics()
```
--------------------------------
### Collect Enterprise Data Sources
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Fetches all enterprise data sources. Use this to get a comprehensive list of data sources within the Enterprise ATT&CK matrix.
```python
enterprise_data_sources = lift.get_enterprise_data_sources()
```
--------------------------------
### Get Techniques by Data Components
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/5-Collect_Techniques_by_Data_Sources.ipynb
Retrieves a list of ATT&CK techniques associated with specified data components. This is useful for understanding which techniques interact with particular data sources.
```python
techniques = lift.query.techniques.get_techniques_by_data_components("Process", "Network")
```
--------------------------------
### Get All ATT&CK Relationships
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb
Retrieves all relationships from all ATT&CK matrices using a single API request. Ensure the `lift` object is initialized.
```python
relationships = lift.get_relationships()
```
--------------------------------
### Inspect First Mobile Malware
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Displays the details of the first malware object from the Mobile ATT&CK data. This example shows the kind of information available for each malware entry and assumes the `lift` client object has been initialized.
```python
# Fetch the Mobile ATT&CK malware objects, then inspect the first entry
mobile_malware = lift.get_mobile_malware()
mobile_malware[0]
```
--------------------------------
### Get Techniques with Detection Enrichment
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb
Retrieves ATT&CK techniques and enriches them with detection-related properties such as detection strategies, analytics, and log sources. This is useful for understanding how techniques can be detected.
```python
techniques = lift.get_techniques(enrich_detections=True)
len(techniques)
```
--------------------------------
### Get Enterprise Tools
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Retrieves all tools associated with the Enterprise ATT&CK matrix. This is useful for understanding the software and utilities used in cyber attacks.
```python
enterprise_tools = lift.get_enterprise_tools()
```
--------------------------------
### Get and Print ICS Malware Names
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb
Retrieves all ICS malware and prints their names. This assumes the attack client (`lift`) has been initialized.
```python
ICS_MALWARE = lift.get_ics_malware()
for MALWARE in ICS_MALWARE:
    print(MALWARE['name'])
```
--------------------------------
### Initialize STIXStore
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb
Initialize STIXStore with the path to a downloaded STIX file.
```python
store = STIXStore(stix21_downloader.downloaded_file_path)
```
--------------------------------
### Count ICS Techniques
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Prints the total number of techniques available in the ICS ATT&CK framework, using the `ics_techniques` list returned earlier by `lift.get_ics_techniques()`.
```python
print("Number of Techniques in ICS ATT&CK")
len(ics_techniques)
```
--------------------------------
### Get Mobile Campaigns
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/9-Explore_Campaigns.ipynb
Retrieve all mobile campaigns and print the first one to examine its characteristics. This is useful for understanding threats targeting mobile devices.
```python
mobile_campaigns = lift.get_mobile_campaigns()
len(mobile_campaigns)
```
```text
Result:
3
```
```python
print(mobile_campaigns[0])
```
```json
{"type": "campaign", "spec_version": "2.1", "id": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2025-03-28T14:45:30.132Z", "modified": "2025-03-28T15:23:16.915Z", "name": "Operation Triangulation", "description": "[Operation Triangulation](https://attack.mitre.org/campaigns/C0054) is a mobile campaign targeting iOS devices.(Citation: SecureList OpTriangulation 01Jun2023) The unidentified actors used zero-click exploits in iMessage attachments to gain [Initial Access](https://attack.mitre.org/tactics/TA0027), then executed exploits and validators, such as [Binary Validator](https://attack.mitre.org/software/S1215) before finally executing the [TriangleDB](https://attack.mitre.org/software/S1216) implant. ", "aliases": ["Operation Triangulation"], "first_seen": "2019-01-01T08:00:00Z", "last_seen": "2023-06-01T07:00:00Z", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0054", "external_id": "C0054"}, {"source_name": "SecureList OpTriangulation 01Jun2023", "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. Retrieved April 18, 2024.", "url": "https://securelist.com/operation-triangulation/109842/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_first_seen_citation": "(Citation: SecureList OpTriangulation 01Jun2023)", "x_mitre_last_seen_citation": "(Citation: SecureList OpTriangulation 01Jun2023)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0"}
```
--------------------------------
### Initialize Techniques List
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/10-Export_All_Techniques_To_YAML.ipynb
Initializes an empty list to store processed ATT&CK techniques.
```python
new_techniques = list()
```
--------------------------------
### Get Technique by Name using TAXII
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb
Use the `get_technique_by_name` method to retrieve a technique by its name. This method is case-sensitive and queries across all matrices via TAXII.
```python
technique_name = lift.get_technique_by_name('Rundll32')
```
--------------------------------
### Initialize ATT&CK Client
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb
Initializes the MitreAttackClient and downloads the latest STIX 2.1 data. Reuses existing files if available.
```python
from attackcti import MitreAttackClient
# Downloads latest STIX 2.1 (enterprise+mobile+ics) to .attackcti/stix-2.1 (reuses files if present)
lift = MitreAttackClient.from_attack_stix_data()
```
--------------------------------
### Initialize ATT&CK Client
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/9-Explore_Campaigns.ipynb
Initialize the ATT&CK client using data from STIX.
```python
lift = MitreAttackClient.from_attack_stix_data()
```
--------------------------------
### Get Software Used by Group
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb
Retrieve all software (malware or tool) mapped to a specific Group STIX object. Ensure the 'lift' object is initialized and groups are fetched before calling this function.
```python
groups = lift.get_groups()
one_group = groups[0]
group_software = lift.get_software_used_by_group(one_group)
```
--------------------------------
### Get ICS Tactics
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Retrieves all tactics defined within the ICS ATT&CK framework. Use this to understand the high-level goals adversaries aim to achieve in ICS environments.
```python
ics_tactics = lift.get_ics_tactics()
```
--------------------------------
### Retrieve Software and Associated Techniques
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb
Fetches all software objects and then retrieves the techniques used by the first software object in the list. Ensure the 'lift' object is initialized and available.
```python
all_software = lift.get_software()
one_software = all_software[0]
software_techniques = lift.get_techniques_used_by_software(one_software)
```
--------------------------------
### Import STIXStore
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb
Import the STIXStore class from the attackcti.utils.storage module.
```python
from attackcti.utils.storage import STIXStore
```
--------------------------------
### Retrieve All Software
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb
Fetches all Enterprise, Mobile, and ICS software entries from the ATT&CK framework.
```python
software = lift.get_software()
```
--------------------------------
### Get Downloaded File Path
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb
Retrieve the path of the last downloaded STIX file.
```python
stix21_downloader.downloaded_file_path
```
--------------------------------
### Bar Chart of Techniques by Platform
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb
Creates a bar chart visualizing the count of techniques per platform, sorted by technique count in descending order. Requires the altair library and the `df_platform_counts` DataFrame built in the platform analysis step.
```python
import altair as alt

# df_platform_counts holds one row per platform with a 'techniques' count column
alt.Chart(df_platform_counts).mark_bar().encode(
    x=alt.X('techniques:Q', title='Technique count'),
    y=alt.Y('platforms:N', sort='-x', title='Platform')
).properties(height=260)
```
--------------------------------
### Initialize STIX 2.1 Downloader
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb
Initialize the STIXDownloader for STIX version 2.1, specifying the download directory.
```python
stix21_downloader = STIXDownloader(download_dir="./downloads", stix_version="2.1")
```
--------------------------------
### Print First Enterprise Technique
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/10-Export_All_Techniques_To_YAML.ipynb
Prints the JSON representation of the first technique in the retrieved list. This helps in inspecting the structure and content of a single technique.
```python
print(enterprise_techniques[0])
```
--------------------------------
### Get ICS ATT&CK Collection ID
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb
Retrieve the unique identifier (ID) of the ICS ATT&CK collection.
```python
api_root.collections[1].id
```
--------------------------------
### Initialize STIX 2.0 Downloader
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb
Initialize the STIXDownloader for STIX version 2.0, specifying the download directory.
```python
stix20_downloader = STIXDownloader(download_dir="./downloads", stix_version="2.0")
```
--------------------------------
### Get Campaign by Alias
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/9-Explore_Campaigns.ipynb
Retrieves a specific campaign using its alias. Useful for directly accessing known campaign data.
```python
lift.get_campaign_by_alias(alias="C0015")
```
--------------------------------
### Initialize MitreAttackClient
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/3-Export_All_Techniques_To_CSV.ipynb
Initializes the MitreAttackClient by downloading the latest STIX 2.1 data (enterprise, mobile, and ICS). It reuses existing files if present.
```python
# Downloads latest STIX 2.1 (enterprise+mobile+ics) to .attackcti/stix-2.1 (reuses files if present)
lift = MitreAttackClient.from_attack_stix_data()
```
--------------------------------
### Initialize MitreAttackClient with Local Data
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/11-Initialize_Client_Local_STIX_data.ipynb
Initializes the MitreAttackClient using the previously defined local STIX data paths.
```python
lift = MitreAttackClient(local_paths=local_paths)
```
--------------------------------
### Get Group by Alias (TAXII)
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb
Use this function to retrieve a group's information using its alias. The alias lookup is case-sensitive.
```python
group_name = lift.get_group_by_alias('Cozy Bear')
```
--------------------------------
### Initialize MitreAttackClient
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/7-Export_Groups_Navigator_Layers.ipynb
Initializes the MitreAttackClient for automatic retrieval of ATT&CK STIX data.
```python
from attackcti import MitreAttackClient
lift = MitreAttackClient.from_attack_stix_data()
```
--------------------------------
### Get STIX Object by Attack ID
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb
Use `get_object_by_attack_id` to retrieve a specific STIX object by its type and ID. The lookup is case-sensitive.
```python
object_by_id = lift.get_object_by_attack_id('attack-pattern', 'T1103')
```
--------------------------------
### Select a Technique
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/10-Export_All_Techniques_To_YAML.ipynb
Selects the first technique from the list of enterprise techniques for further processing.
```python
techniques_one = enterprise_techniques[0]
```
--------------------------------
### Instantiate TAXII Server Object
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb
Create a Server object pointing to the ATT&CK public TAXII server URL.
```python
from taxii2client.v21 import Server

# Public ATT&CK TAXII 2.1 server
server = Server("https://attack-taxii.mitre.org/taxii2/")
```
--------------------------------
### Initialize Group Dictionaries
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/7-Export_Groups_Navigator_Layers.ipynb
Creates a list of dictionaries, where each dictionary represents a group and is initialized with an empty list to store its associated techniques. This is a preparatory step for organizing technique data by group.
```python
groups = lift.get_groups()
groups_list = []
for g in groups:
    # One dictionary per group, keyed by group name, with an empty technique list
    group_dict = dict()
    group_dict[g['name']] = []
    groups_list.append(group_dict)
groups_list[89]
```
--------------------------------
### Get Mobile Tools
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Retrieves all mobile tools listed in the ATT&CK matrix. This function is useful for understanding the landscape of mobile threats.
```python
mobile_tools = lift.get_mobile_tools()
```
--------------------------------
### Get Groups and Relationships by Object
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb
Retrieves all groups and then fetches relationships for the first group. This is useful for exploring connections between ATT&CK entities.
```python
groups = lift.get_groups()
one_group = groups[0]
relationships = lift.get_relationships_by_object(one_group)
```
--------------------------------
### Get ICS ATT&CK Collection Title
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb
Retrieve the title of the ICS ATT&CK collection by accessing its index in the collections list.
```python
api_root.collections[1].title
```
--------------------------------
### Techniques by Platform (With Log Sources)
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb
Analyzes and displays the top 15 platforms with the most techniques that have at least one log source reference. It filters the dataframe, explodes the 'platforms' column, and then groups by platform to count techniques. Requires pandas.
```python
df_platform = df[df['log_sources_count'] > 0].copy()
df_platform = df_platform.explode('platforms')
df_platform_counts = df_platform.groupby('platforms', dropna=False).size().reset_index(name='techniques')
df_platform_counts = df_platform_counts.sort_values('techniques', ascending=False)
df_platform_counts.head(15)
```
--------------------------------
### Explore Collections within API Root
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb
Access and iterate through the collections available within a specific API Root to get information about each collection.
```python
for collection in api_root.collections:
    print(collection.title, "->", collection.description)
```
--------------------------------
### Visualize Techniques With and Without Log Source References
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb
Creates a bar chart to show the total count of techniques that either have or do not have log source references. This is a direct visualization of the distribution of techniques based on log source presence. Requires pandas and altair.
```python
import pandas as pd
import altair as alt

# df is the techniques DataFrame with a 'log_sources_count' column
dist = pd.DataFrame(
    {
        'Techniques': ['Without log sources', 'With log sources'],
        'Count': [int((df['log_sources_count'] == 0).sum()), int((df['log_sources_count'] > 0).sum())],
    }
)
bars = alt.Chart(dist).mark_bar().encode(x='Techniques', y='Count', color='Techniques').properties(width=260, height=280)
text = bars.mark_text(align='center', baseline='bottom', dy=-2).encode(text='Count')
(bars + text)
```
--------------------------------
### Load and Display Enterprise Techniques
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
This snippet loads enterprise techniques and normalizes them into a Pandas DataFrame for easier viewing. It then selects and displays the first 5 entries, showing creation date, name, and platforms.
```python
import json
import pandas

# enterprise_techniques: STIX AttackPattern objects returned by lift.get_enterprise_techniques()
techniques = []
for t in enterprise_techniques:
    techniques.append(json.loads(t.serialize()))
df = pandas.json_normalize(techniques)
df.reindex(['created', 'name', 'x_mitre_platforms'], axis=1)[0:5]
```
--------------------------------
### Load ATT&CK Techniques
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/10-Export_All_Techniques_To_YAML.ipynb
Loads ATT&CK techniques from a JSON file. This is the initial step before processing or exporting techniques.
```python
from pyattck import Attck

# Load ATT&CK data from a JSON file
attck = Attck(nested=True)
attck.load_attck_from_json(filepath='enterprise-attack.json')
# Get all enterprise techniques
enterprise_techniques = attck.enterprise_techniques
```
--------------------------------
### Get Enterprise Relationships
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Retrieves all relationships within the Enterprise ATT&CK matrix. These relationships can represent links between techniques, software, groups, etc.
```python
enterprise_relationships = lift.get_enterprise_relationships()
```
--------------------------------
### Retrieve Enterprise Techniques
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/11-Initialize_Client_Local_STIX_data.ipynb
Fetches all enterprise techniques available from the initialized client.
```python
enterprise_techniques = lift.get_enterprise_techniques()
```
--------------------------------
### Inspect First Technique Entry
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/7-Export_Groups_Navigator_Layers.ipynb
Displays the first technique entry from the retrieved list. This provides a sample of the data structure and content for individual techniques.
```python
techniques_used[0]
```
--------------------------------
### Get Techniques Mitigated by Mitigations
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb
Use this function to retrieve all techniques that have mitigations mapped to them. This is useful for understanding defensive measures against specific attack patterns.
```python
techniques_mitigated = lift.get_techniques_mitigated_by_mitigations()
```
--------------------------------
### Build Python Package Locally
Source: https://github.com/otrf/attack-python-client/wiki/Home
Builds the source distribution and wheel for the Python package.
```bash
python setup.py sdist bdist_wheel
```
--------------------------------
### Get and Print ICS Group Names
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb
Retrieves all ICS groups and prints their names. This assumes the attack client (`lift`) has already been initialized.
```python
ICS_GROUPS = lift.get_ics_groups()
for GROUP in ICS_GROUPS:
    print(GROUP['name'])
```
--------------------------------
### Display First Software Entry
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/8-Lookup_Functions.ipynb
Access and display the first software entry retrieved for a group. This snippet assumes 'group_software' is a non-empty list obtained from 'get_software_used_by_group'.
```python
group_software[0]
```
--------------------------------
### Retrieve ICS Techniques
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb
Use the query method with a type filter to get all ICS attack patterns. Accessing the first technique in the results is shown.
```python
ICS_TECHNIQUES = TC_ICS_SOURCE.query(Filter("type", "=", "attack-pattern"))
ICS_TECHNIQUES[0]
```
--------------------------------
### Visualize Techniques With and Without Log Sources
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb
Generates a bar chart to visualize the count of techniques with and without log sources. Requires the pandas and altair libraries and the `df` DataFrame with a `log_sources_count` column built earlier in the notebook.
```python
import pandas as pd
import altair as alt

dist2 = pd.DataFrame(
    {
        'Techniques': ['Without log sources', 'With log sources'],
        'Count': [int((df['log_sources_count'] == 0).sum()), int((df['log_sources_count'] > 0).sum())],
    }
)
bars = alt.Chart(dist2).mark_bar().encode(x='Techniques', y='Count', color='Techniques').properties(width=260, height=280)
text = bars.mark_text(align='center', baseline='bottom', dy=-2).encode(text='Count')
(bars + text)
```
--------------------------------
### Populate Group Dictionaries with Techniques
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/7-Export_Groups_Navigator_Layers.ipynb
Iterates through the initialized group dictionaries and populates them with technique details obtained from `techniques_used`. Each technique is added as a dictionary containing its ID, name, comment, tactic, and group ID.
```python
for group in groups_list:
    for group_name, techniques_list in group.items():
        for gut in techniques_used:
            if group_name == gut['name']:
                technique_dict = dict()
                technique_dict['techniqueId'] = gut['technique_id']
                technique_dict['techniqueName'] = gut['technique']
                technique_dict['comment'] = gut['relationship_description']
                technique_dict['tactic'] = gut['tactic']
                technique_dict['group_id'] = gut['external_references'][0]['external_id']
                techniques_list.append(technique_dict)
groups_list[89]
```
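The populated `groups_list` structure above is the input for the Navigator layer files the notebook writes out. The following is an added example, not code from the notebook or the attackcti project: it turns one group's technique dicts into an ATT&CK Navigator layer, merges duplicate technique/tactic pairs (a group that is mapped to the same technique by several relationships would otherwise produce duplicate entries in the layer), sanitizes the group name before using it as a filename, and writes one layer per group. The sample `groups_list`, its group IDs and comments are constructed, and the `versions` values are assumptions to adjust to the ATT&CK release and Navigator build you target.

```python
import json
import re
from pathlib import Path

# Assumed layer-format versions: adjust to the ATT&CK release and the
# Navigator build you actually target.
ATTACK_VERSION = "16"
NAVIGATOR_VERSION = "5.1.0"
LAYER_FORMAT_VERSION = "4.5"

# Constructed sample in the same shape as the populated groups_list:
# one dict per group, mapping the group name to its technique dicts.
# The group IDs and comments are made up for illustration.
SAMPLE_GROUPS_LIST = [
    {
        "Example Group A": [
            {"techniqueId": "T1059.001", "techniqueName": "PowerShell",
             "comment": "Downloaded a second-stage payload with PowerShell.",
             "tactic": "execution", "group_id": "G9001"},
            {"techniqueId": "T1003.001", "techniqueName": "LSASS Memory",
             "comment": "Dumped LSASS with a renamed ProcDump.",
             "tactic": "credential-access", "group_id": "G9001"},
            {"techniqueId": "T1059.001", "techniqueName": "PowerShell",
             "comment": "Second report of PowerShell use.",
             "tactic": "execution", "group_id": "G9001"},
        ]
    },
    {"Example Group B/Slash": []},
]


def build_navigator_layer(group_name, technique_dicts, domain="enterprise-attack"):
    """Turn one group's technique dicts into an ATT&CK Navigator layer dict.

    Duplicate (technique, tactic) pairs are merged: the score counts how many
    relationship records mapped the group to that technique and the comments
    are joined, so nothing is silently dropped and the layer stays valid.
    """
    merged = {}
    for td in technique_dicts:
        key = (td["techniqueId"], td["tactic"])
        entry = merged.setdefault(key, {
            "techniqueID": td["techniqueId"],
            "tactic": td["tactic"],
            "score": 0,
            "comment": "",
            "enabled": True,
        })
        entry["score"] += 1
        comment = (td.get("comment") or "").strip()
        if comment:
            entry["comment"] = (entry["comment"] + " | " + comment).strip(" |")
    group_ids = sorted({td["group_id"] for td in technique_dicts if td.get("group_id")})
    return {
        "name": group_name,
        "versions": {"attack": ATTACK_VERSION, "navigator": NAVIGATOR_VERSION,
                     "layer": LAYER_FORMAT_VERSION},
        "domain": domain,
        "description": f"Techniques used by {group_name} ({', '.join(group_ids) or 'no ATT&CK id'})",
        "techniques": sorted(merged.values(), key=lambda e: (e["techniqueID"], e["tactic"])),
    }


def safe_filename(name):
    """Map a group name to a filename with no path separators or odd characters."""
    return re.sub(r"[^A-Za-z0-9._-]+", "_", name).strip("_") or "layer"


def export_group_layers(groups_list, out_dir):
    """Write one <group>.json layer per group and return the written paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = []
    for group in groups_list:
        for group_name, technique_dicts in group.items():
            layer = build_navigator_layer(group_name, technique_dicts)
            path = out / f"{safe_filename(group_name)}.json"
            path.write_text(json.dumps(layer, indent=2))
            written.append(path)
    return written


if __name__ == "__main__":
    for p in export_group_layers(SAMPLE_GROUPS_LIST, "navigator_layers"):
        print("wrote", p)
```

Each file can be loaded directly in the Navigator via "Open Existing Layer"; the `score` field is what the Navigator's gradient colours, so a group that is mapped to a technique by several relationships shows up darker than one with a single mapping.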
--------------------------------
### Update Local Branch from Upstream
Source: https://github.com/otrf/attack-python-client/blob/master/CONTRIBUTING.md
Update your local repository with the latest changes from the upstream repository before starting new work. Ensure you are on the correct branch.
```bash
$ git remote update
$ git checkout <branch>
$ git rebase upstream/<branch>
```
--------------------------------
### Stage All Changes
Source: https://github.com/otrf/attack-python-client/blob/master/CONTRIBUTING.md
Add all modified and new files in the current branch to the staging area. This prepares them for the next commit.
```bash
# To add all new files to branch Branch_Name
$ git add .
```
--------------------------------
### Get ICS Mitigations
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Retrieves all mitigations defined in the ICS ATT&CK framework. This function collects mitigation strategies relevant to industrial control systems.
```python
ics_mitigations = lift.get_ics_mitigations()
```
--------------------------------
### Get Mobile Relationships
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Retrieves all relationships between entities in the mobile ATT&CK matrix. This function is essential for understanding how different mobile threats and tactics are connected.
```python
mobile_relationships = lift.get_mobile_relationships()
```
--------------------------------
### Display First Processed Technique
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/10-Export_All_Techniques_To_YAML.ipynb
Shows the structure and content of the first technique after processing, useful for verification.
```python
new_techniques[0]
```
--------------------------------
### Download All Domains at Once
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb
Download ATT&CK data for all domains (enterprise, mobile, ics) for a specified release.
```python
stix20_downloader.download_all_domains(release="16.1")
```
--------------------------------
### Get Campaign by Object ID
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/9-Explore_Campaigns.ipynb
Retrieves a campaign using its MITRE ATT&CK object ID. Useful for accessing campaign details when only the ID is known.
```python
lift.get_object_by_attack_id("campaign", "C0001")
```
--------------------------------
### Visualize Technique Coverage Across Domains
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb
Generates a bar chart visualizing the count of techniques per ATT&CK domain using Altair. This helps in understanding the distribution of techniques across different domains.
```python
alt.Chart(domain_counts).mark_bar().encode(
    x=alt.X('techniques:Q', title='Technique count'),
    y=alt.Y('domain:N', sort='-x', title='Domain'),
    color='domain:N'
).properties(height=140)
```
--------------------------------
### Display Technique Dictionary
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/10-Export_All_Techniques_To_YAML.ipynb
Displays the serialized technique dictionary. This is useful for inspecting the structure and content of a technique before exporting.
```python
technique_dict
```
--------------------------------
### Get Enterprise Campaigns
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/9-Explore_Campaigns.ipynb
Retrieve all enterprise campaigns, count them, and print the first one to inspect its fields (name, aliases, first_seen/last_seen, citations). The count and the sample object below come from the ATT&CK release the notebook was run against and will differ across releases.
```python
enterprise_campaigns = lift.get_enterprise_campaigns()
len(enterprise_campaigns)
```
```text
Result:
52
```
```python
print(enterprise_campaigns[0])
```
```json
{"type": "campaign", "spec_version": "2.1", "id": "campaign--df74f7ad-b10d-431c-9f1d-a2bc18dadefa", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2023-06-30T19:28:30.616Z", "modified": "2025-04-16T20:37:45.650Z", "name": "C0027", "description": "[C0027](https://attack.mitre.org/campaigns/C0027) was a financially-motivated campaign linked to [Scattered Spider](https://attack.mitre.org/groups/G1015) that targeted telecommunications and business process outsourcing (BPO) companies from at least June through December of 2022. During [C0027](https://attack.mitre.org/campaigns/C0027) [Scattered Spider](https://attack.mitre.org/groups/G1015) used various forms of social engineering, performed SIM swapping, and attempted to leverage access from victim environments to mobile carrier networks.(Citation: Crowdstrike TELCO BPO Campaign December 2022)\n", "aliases": ["C0027"], "first_seen": "2022-06-01T04:00:00Z", "last_seen": "2022-12-01T05:00:00Z", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0027", "external_id": "C0027"}, {"source_name": "Crowdstrike TELCO BPO Campaign December 2022", "description": "Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023.", "url": "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack"], "x_mitre_first_seen_citation": "(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "x_mitre_last_seen_citation": "(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0"}
```
--------------------------------
### Build Table of Log Source References per Technique
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb
Iterates through ATT&CK techniques to extract and aggregate information about associated log sources and data components. This data is then compiled into a Pandas DataFrame for further analysis. Note that `technique_id` here is the STIX object id, not the ATT&CK Txxxx id, which lives in `external_references`.
```python
import json
import pandas as pd

records = []
for t in techniques:
    d = json.loads(t.serialize()) if hasattr(t, 'serialize') else t
    domain = (d.get('x_mitre_domains') or [None])[0]
    technique_id = d.get('id')
    technique_name = d.get('name')
    platforms = d.get('x_mitre_platforms') or []
    # Kill chain phases are a list of dicts: {'phase_name': ..., 'kill_chain_name': ...}
    tactics = [p.get('phase_name') for p in (d.get('kill_chain_phases') or []) if isinstance(p, dict) and p.get('phase_name')]
    strategies = d.get('x_attackcti_detection_strategies') or []
    log_source_names: set[str] = set()
    data_component_refs: set[str] = set()
    for strategy in strategies:
        for analytic in (strategy.get('x_attackcti_analytics') or []):
            for log_source in (analytic.get('x_attackcti_log_sources') or []):
                name = log_source.get('name')
                if isinstance(name, str) and name:
                    log_source_names.add(name)
                ref = log_source.get('x_mitre_data_component_ref')
                if isinstance(ref, str) and ref:
                    data_component_refs.add(ref)
    records.append(
        {
            'domain': domain,
            'technique': technique_name,
            'technique_id': technique_id,
            'platforms': platforms,
            'tactics': tactics,
            'detection_strategies_count': len(strategies),
            'log_sources': sorted(log_source_names) or None,
            'log_sources_count': len(log_source_names),
            'data_component_refs_count': len(data_component_refs),
        }
    )
df = pd.DataFrame.from_records(records)
df.head()
```
--------------------------------
### Inspect First Mobile Group
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Displays the details of the first threat actor group object from the Mobile ATT&CK data. This serves as an example of the information available for each group.
```python
mobile_groups[0]
```
--------------------------------
### Process and Structure Techniques
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/10-Export_All_Techniques_To_YAML.ipynb
Iterates through enterprise techniques, serializes them, extracts key information (name, description, tactics, and technique ID), and appends it to a new list. This prepares the data for YAML export. The ATT&CK ID is taken from the first external reference, which by ATT&CK convention is the `mitre-attack` entry.
```python
import json

new_techniques = []
for t in enterprise_techniques:
    td = json.loads(t.serialize())
    new_dict = dict()
    new_dict['name'] = td['name']
    new_dict['description'] = td['description']
    new_dict['tactics'] = list()
    for kc in td['kill_chain_phases']:
        new_dict['tactics'].append(kc['phase_name'])
    new_dict['technique_id'] = td['external_references'][0]['external_id']
    new_techniques.append(new_dict)
```
--------------------------------
### Inspect First Mobile Mitigation
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Displays the details of the first mitigation object found in the Mobile ATT&CK data. This provides an example of the structure and content of mitigation data.
```python
mobile_mitigations[0]
```
--------------------------------
### Import MitreAttackClient
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/11-Initialize_Client_Local_STIX_data.ipynb
Imports the necessary MitreAttackClient class from the attackcti library.
```python
from attackcti import MitreAttackClient
```
--------------------------------
### Get ICS Relationships
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Retrieves all relationships defined within the ICS ATT&CK framework. Use this to understand connections between different ATT&CK entities in an ICS context.
```python
ics_relationships = lift.get_ics_relationships()
```
--------------------------------
### Import STIXDownloader
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb
Import the STIXDownloader class from the attackcti.utils.downloader module.
```python
from attackcti.utils.downloader import STIXDownloader
```
--------------------------------
### Count Software Entries
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb
Prints the total number of software entries collected.
```python
print("Number of Software in ATT&CK")
len(software)
```
--------------------------------
### Get ICS Data
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Retrieves all data related to the ICS (Industrial Control Systems) ATT&CK framework. This function can take time to execute, as indicated by the use of %time.
```python
%time all_ics = lift.get_ics()
```
--------------------------------
### Import STIX2 and TAXII Libraries
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb
Import necessary classes from stix2 and taxii2client for interacting with TAXII Collection Sources.
```python
from stix2 import Filter, TAXIICollectionSource
from taxii2client.v21 import Collection
```
--------------------------------
### Access Individual Technique Details
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/5-Collect_Techniques_by_Data_Sources.ipynb
Accesses the first technique object from the retrieved list. This allows for detailed inspection of a specific technique's properties.
```python
techniques[0]
```
--------------------------------
### Access First Enterprise Technique
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Accesses and displays the first technique object from the collected enterprise techniques list. This is useful for inspecting the structure and content of individual technique objects.
```python
enterprise_techniques[0]
```
--------------------------------
### Retrieve ICS Malware Data
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Fetches all malware entries specifically related to the ICS (Industrial Control Systems) domain from the ATT&CK matrix. Ensure the attack-python-client is installed and configured.
```python
ics_malware = lift.get_ics_malware()
```
--------------------------------
### Print Enriched Hierarchy for One Technique
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb
This snippet iterates through detection strategies, analytics, and log sources for a given technique to print their details. It requires the technique object to be loaded and assumes it has a 'serialize' method or is already a dictionary.
```python
technique = json.loads(techniques[0].serialize()) if hasattr(techniques[0], 'serialize') else techniques[0]
details = technique.get('x_attackcti_detection_strategies', [])
for strategy in details:
    print(f"Detection strategy: {strategy.get('name')} ({strategy.get('id')})")
    for analytic in strategy.get('x_attackcti_analytics', []):
        print(f"  Analytic: {analytic.get('name')} ({analytic.get('id')})")
        for log_source in analytic.get('x_attackcti_log_sources', []):
            comp_ref = log_source.get('x_mitre_data_component_ref')
            print(f"    Log source: {log_source.get('name')} - {log_source.get('channel')} (component ref {comp_ref})")
```
--------------------------------
### Get ICS Groups
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/2-Collect_Matrix_Specific_Functions.ipynb
Retrieves all threat groups associated with the ICS ATT&CK framework. This function collects information about known threat actors targeting industrial control systems.
```python
ics_groups = lift.get_ics_groups()
```
--------------------------------
### List Generated JSON Files
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/7-Export_Groups_Navigator_Layers.ipynb
Lists all JSON files created in the current directory, which correspond to the Navigator layers generated for each group.
```bash
! ls *.json
```
--------------------------------
### Download ATT&CK Enterprise v16.1
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/0-Download-ATTACK-STIX-Data.ipynb
Download ATT&CK Enterprise data for release 16.1. The output indicates the downloaded file path.
```python
stix20_downloader.download_attack_data(domain="enterprise", release="16.1")
```
--------------------------------
### Import necessary libraries
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/3-Export_All_Techniques_To_CSV.ipynb
Imports the required libraries: json for handling JSON data, pandas for data manipulation, and MitreAttackClient for interacting with the MITRE ATT&CK framework.
```python
import json
import pandas
from attackcti import MitreAttackClient
```
--------------------------------
### Get All ATT&CK Data Sources
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb
Retrieves all data sources from the ATT&CK knowledge base. This function is useful for accessing information about data sources as they are incorporated into the ATT&CK data model.
```python
data_sources = lift.get_data_sources()
```
--------------------------------
### Import Server Class
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb
Import the Server class from the taxii2client.v21 library to interact with TAXII servers.
```python
from taxii2client.v21 import Server
```
--------------------------------
### Get Techniques with Data Component Enrichment
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb
Call `get_techniques` with `enrich_detections` and `enrich_data_components` set to True to embed full data component objects into the technique hierarchy. This is useful when log source references need to be resolved to their full object definitions.
```python
techniques = lift.get_techniques(enrich_detections=True, enrich_data_components=True)
```
--------------------------------
### Process and Display Software Data
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/1-Collect_All_Functions.ipynb
Converts the collected software data into a JSON format, normalizes it into a pandas DataFrame, and displays the first four entries.
```python
software_list = []
for t in software:
    software_list.append(json.loads(t.serialize()))
df = pandas.json_normalize(software_list)
df[0:4]
```
--------------------------------
### Connect to MITRE ATT&CK TAXII 2.1 server
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/12-Local_vs_TAXII_STIX_20_21.ipynb
Connects to the MITRE ATT&CK TAXII 2.1 server using `MitreAttackClient.from_taxii()`. This mode is network-backed and subject to rate limits. It demonstrates fetching a single object by its STIX ID.
```python
# TAXII mode (STIX 2.1 over TAXII 2.1)
taxii = MitreAttackClient.from_taxii()
print('mode:', taxii.mode, 'spec_version:', taxii.spec_version)
# Example: fetch one object by STIX id (one request)
stix_id = 'attack-pattern--ad255bfe-a9e6-4b52-a258-8d3462abe842'
obj = taxii.TC_ENTERPRISE_SOURCE.get(stix_id)
print(obj['type'], obj['id'], obj.get('spec_version'))
```
--------------------------------
### Initialize TAXII Collection Source for ICS ATT&CK
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/6-Explore_ICS_Attack.ipynb
Construct a Collection object for the ICS ATT&CK collection and initialize a TAXIICollectionSource to query STIX objects from it. `ICS_ATTACK` holds the ID of the ICS ATT&CK collection on the MITRE TAXII 2.1 server and is defined earlier in the notebook.
```python
ATTACK_STIX_COLLECTIONS = "https://attack-taxii.mitre.org/api/v21/collections/"
ICS_COLLECTION = Collection(ATTACK_STIX_COLLECTIONS + ICS_ATTACK + "/")
TC_ICS_SOURCE = TAXIICollectionSource(ICS_COLLECTION)
```
--------------------------------
### Retrieve Techniques with Enriched Data Components
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/4-Explore_Data_Sources.ipynb
This snippet demonstrates how to fetch techniques enriched with full data component objects. It calls `lift.get_techniques` with `enrich_data_components=True` and then iterates through the results to print details, including the nested data component information.
```python
techniques_with_components = lift.get_techniques(enrich_data_components=True)
technique = json.loads(techniques_with_components[0].serialize()) if hasattr(techniques_with_components[0], 'serialize') else techniques_with_components[0]
details = technique.get('x_attackcti_detection_strategies', [])
for strategy in details:
    print(f"Detection strategy: {strategy.get('name')} ({strategy.get('id')})")
    for analytic in strategy.get('x_attackcti_analytics', []):
        print(f"  Analytic: {analytic.get('name')} ({analytic.get('id')})")
        for log_source in analytic.get('x_attackcti_log_sources', []):
            comp_ref = log_source.get('x_mitre_data_component_ref')
            print(f"    Log source: {log_source.get('name')} - {log_source.get('channel')} (component ref {comp_ref})")
            comp = log_source.get('x_attackcti_data_component')
            if isinstance(comp, dict):
                print(f"      Data component: {comp.get('name')} ({comp.get('id')})")
```
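The enriched hierarchy printed above (detection strategy, analytics, log sources, data component) and the per-technique log-source table built earlier in these notes are the raw material for a detection coverage check. The following is an added example, not code from the notebook or the attackcti project: it walks that hierarchy for constructed sample techniques and scores each one against the set of (log source name, channel) pairs a SOC actually collects, counting an analytic as ready only when every log source it needs is collected and listing the gaps. It also looks the ATT&CK ID up by `source_name == 'mitre-attack'` instead of trusting `external_references[0]`, and the second sample technique puts that reference second on purpose to show the difference. The sample techniques, their strategy and analytic names, ids, channels and data component refs are all constructed placeholders and not real ATT&CK objects.

```python
def _ls(name, channel, component):
    """Build one log-source entry in the enriched shape (constructed helper)."""
    ref = f"example-dc-{component.lower().replace(' ', '-')}"
    return {"name": name, "channel": channel, "x_mitre_data_component_ref": ref,
            "x_attackcti_data_component": {"name": component, "id": ref}}


# Constructed sample of two techniques in the enriched hierarchy shape.
# Technique names and Txxxx ids follow ATT&CK; everything else is a placeholder.
SAMPLE_TECHNIQUES = [
    {
        "type": "attack-pattern",
        "name": "PowerShell",
        "external_references": [
            {"source_name": "mitre-attack", "external_id": "T1059.001"},
            {"source_name": "Example Vendor Blog", "description": "placeholder citation"},
        ],
        "x_attackcti_detection_strategies": [
            {"name": "Detect PowerShell execution", "id": "example-strategy-1",
             "x_attackcti_analytics": [
                 {"name": "Script block plus process creation", "id": "example-analytic-1",
                  "x_attackcti_log_sources": [
                      _ls("sysmon", "EventCode=1", "Process Creation"),
                      _ls("PowerShell", "EventCode=4104", "Script Execution"),
                  ]},
                 {"name": "Process creation only", "id": "example-analytic-2",
                  "x_attackcti_log_sources": [
                      _ls("sysmon", "EventCode=1", "Process Creation"),
                  ]},
             ]},
        ],
    },
    {
        # The 'mitre-attack' reference is deliberately NOT first here, to show
        # why external_references[0] must not be trusted blindly.
        "type": "attack-pattern",
        "name": "LSASS Memory",
        "external_references": [
            {"source_name": "Example Vendor Blog", "description": "placeholder citation"},
            {"source_name": "mitre-attack", "external_id": "T1003.001"},
        ],
        "x_attackcti_detection_strategies": [
            {"name": "Detect LSASS access", "id": "example-strategy-2",
             "x_attackcti_analytics": [
                 {"name": "Cross-process access to lsass.exe", "id": "example-analytic-3",
                  "x_attackcti_log_sources": [
                      _ls("sysmon", "EventCode=10", "Process Access"),
                  ]},
             ]},
        ],
    },
]


def attack_id(obj):
    """Return the ATT&CK external id (Txxxx, Gxxxx, Cxxxx, ...) of a STIX dict.

    ATT&CK conventionally places its own reference first, but looking it up by
    source_name is the robust way and costs nothing.
    """
    for ref in obj.get("external_references") or []:
        if ref.get("source_name") == "mitre-attack" and ref.get("external_id"):
            return ref["external_id"]
    return None


def iter_analytics(technique):
    """Yield (strategy, analytic, [(log source name, channel), ...]) triples."""
    for strategy in technique.get("x_attackcti_detection_strategies") or []:
        for analytic in strategy.get("x_attackcti_analytics") or []:
            sources = [(ls.get("name"), ls.get("channel"))
                       for ls in analytic.get("x_attackcti_log_sources") or []]
            yield strategy, analytic, sources


def coverage_report(techniques, collected):
    """Score each technique against the log sources a SOC actually collects.

    `collected` is a set of (log source name, channel) pairs. An analytic is
    'ready' only when every log source it needs is collected; the gap list
    names what is missing, so the report doubles as a collection backlog.
    """
    report = []
    for technique in techniques:
        total = ready = 0
        missing = set()
        for _strategy, _analytic, sources in iter_analytics(technique):
            total += 1
            gaps = [s for s in sources if s not in collected]
            if sources and not gaps:
                ready += 1
            missing.update(gaps)
        report.append({
            "technique_id": attack_id(technique),
            "technique": technique.get("name"),
            "analytics_total": total,
            "analytics_ready": ready,
            "missing_log_sources": sorted(f"{n}:{c}" for n, c in missing),
        })
    return report


if __name__ == "__main__":
    # Constructed example of what a SOC might collect: only Sysmon event 1.
    for row in coverage_report(SAMPLE_TECHNIQUES, {("sysmon", "EventCode=1")}):
        print(row)
```

To run this against real data, feed `coverage_report` the dicts produced by `json.loads(t.serialize())` from `lift.get_techniques(enrich_detections=True, enrich_data_components=True)` and replace the `collected` set with the (name, channel) pairs your pipeline actually ingests; the keys match what the snippet above prints.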
--------------------------------
### Load STIX 2.1 bundle locally
Source: https://github.com/otrf/attack-python-client/blob/master/docs/playground/12-Local_vs_TAXII_STIX_20_21.ipynb
Loads a STIX 2.1 bundle from a local file path using `MitreAttackClient.from_local()`. This mode is for offline use. It then queries for 'attack-pattern' objects.
```python
# STIX 2.1 local mode
# If you downloaded only enterprise above, you can still load just enterprise.
client21 = MitreAttackClient.from_local(enterprise=str(stix21_enterprise))
print('mode:', client21.mode, 'spec_version:', client21.spec_version)
techniques_21 = client21.TC_ENTERPRISE_SOURCE.query([Filter('type', '=', 'attack-pattern')])
print('enterprise attack-pattern count (2.1):', len(techniques_21))
```