From 91d78eee73761f516baffb98ce6b34bb054397ef Mon Sep 17 00:00:00 2001
From: Isabel Tuson
Date: Mon, 3 Aug 2020 10:13:17 -0400
Subject: [PATCH 1/3] update usage for #97

---
 USAGE.md | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/USAGE.md b/USAGE.md
index b2e07525b4..823ce492c4 100644
--- a/USAGE.md
+++ b/USAGE.md
@@ -377,7 +377,39 @@ See [The ATT&CK data model](#The-ATTCK-Data-Model) for mappings of ATT&CK type t
 
 ```python
 # use the appropriate STIX type in the query according to the desired ATT&CK type
-techniques = src.query([ stix2.Filter("type", "=", "attack-pattern") ])
+groups = src.query([ stix2.Filter("type", "=", "intrusion-set") ])
+```
+
+#### Getting Techniques or Sub-Techniques
+ATT&CK Techniques and sub-techniques are both represented as `attack-pattern` objects. Therefore further parsing is necessary to get specifically techniques or sub-techniques.
+
+```python
+def get_techniques_or_subtechniques(src, include="both"):
+ """Filter Techniques or Sub-Techniques from ATT&CK Enterprise Domain.
+ include argument has three options: "techniques", "subtechniques", or "both"
+ depending on the intended behavior."""
+ if include == "techniques":
+ query_results = src.query([
+ stix2.Filter('type', '=', 'attack-pattern'),
+ stix2.Filter('x_mitre_is_subtechnique', '=', False)
+ ])
+ elif include == "subtechniques":
+ query_results = src.query([
+ stix2.Filter('type', '=', 'attack-pattern'),
+ stix2.Filter('x_mitre_is_subtechnique', '=', True)
+ ])
+ elif include == "both":
+ query_results = src.query([
+ stix2.Filter('type', '=', 'attack-pattern')
+ ])
+ else:
+ raise RuntimeError("Unknown option %s!" % include)
+
+ return query_results
+
+
+subtechniques = get_techniques_or_subtechniques(src, "subtechniques")
+subtechniques = remove_revoked_deprecated(techniques) # see https://github.com/mitre/cti/blob/master/USAGE.md#removing-revoked-and-deprecated-objects
 ```
 
 ### Objects by content
From c14cedf9319c8aaf1d45acb1b964929142d1ceea Mon Sep 17 00:00:00 2001
From: Isabel Tuson
Date: Mon, 3 Aug 2020 10:19:32 -0400
Subject: [PATCH 2/3] updated section title capitalization

---
 USAGE.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/USAGE.md b/USAGE.md
index 823ce492c4..8b5231c5e1 100644
--- a/USAGE.md
+++ b/USAGE.md
@@ -380,7 +380,7 @@ See [The ATT&CK data model](#The-ATTCK-Data-Model) for mappings of ATT&CK type t
 groups = src.query([ stix2.Filter("type", "=", "intrusion-set") ])
 ```
 
-#### Getting Techniques or Sub-Techniques
+#### Getting techniques or sub-techniques
 ATT&CK Techniques and sub-techniques are both represented as `attack-pattern` objects. Therefore further parsing is necessary to get specifically techniques or sub-techniques.
 
 ```python
From 67607bda12a94ff935d0355d3a84eac3eed3ea24 Mon Sep 17 00:00:00 2001
From: Isabel Tuson
Date: Mon, 3 Aug 2020 13:02:43 -0400
Subject: [PATCH 3/3] fixed sub-techniques snippet

---
 USAGE.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/USAGE.md b/USAGE.md
index 8b5231c5e1..69ff6494f0 100644
--- a/USAGE.md
+++ b/USAGE.md
@@ -409,7 +409,7 @@ def get_techniques_or_subtechniques(src, include="both"):
 
 
 subtechniques = get_techniques_or_subtechniques(src, "subtechniques")
-subtechniques = remove_revoked_deprecated(techniques) # see https://github.com/mitre/cti/blob/master/USAGE.md#removing-revoked-and-deprecated-objects
+subtechniques = remove_revoked_deprecated(subtechniques) # see https://github.com/mitre/cti/blob/master/USAGE.md#removing-revoked-and-deprecated-objects
 ```
 
 ### Objects by content