Getting All Data Components That Detect A Technique
I am trying to use STIX & MitreAttackData in Python to create a list of data components for each MITRE technique.
Currently, I use a MitreAttackData (https://mitreattack-python.readthedocs.io/en/latest/mitre_attack_data/mitre_attack_data.html) object with the get_datacomponents_detecting_technique(stix_id) function to get all the data components that detect a given technique. I am using the up-to-date JSON file representing STIX data for this (https://raw.githubusercontent.com/mitre-attack/attack-stix-data/refs/heads/master/enterprise-attack/enterprise-attack.json). For each technique, it returns an empty list.
I noticed in the JSON file there is an x_mitre_data_source_ref for each data component in the JSON file, but it is empty for all data components. Additionally, the x_mitre_detection field for each of the attack patterns is also empty. How is the relationship between techniques (attack patterns) and data components possible without a linking reference? I imagine this is what is causing the empty lists.
I can get all data components from the MitreAttackData object, but I cannot get all data components that detect specific techniques. How can I use the enterprise-attack JSON file to do this, or do I need to use a different file and/or a different Python library?
I believe the only way to associate Data Components with Techniques is by scraping the official MITRE ATT&CK website.
Hi @y0nde and @GabrielSaul
I recently drew a diagram to visualize how data components are bound to techniques in the new v18 release. Sharing it here, hope it helps you. It's on how data objects are bound within the STIX representation. I don't know how it now works within the mitreattack-python lib.
> I believe the only way to associate Data Components with Techniques is by scraping the official MITRE ATT&CK website.

This would've been the last resort, but thankfully I was able to do it just by using the JSON file.
> Hi @y0nde and @GabrielSaul
>
> I recently drew a diagram to visualize how data components are bound to techniques in the new v18 release. Sharing it here, hope it helps you. It's on how data objects are bound within the STIX representation. I don't know how it now works within the mitreattack-python lib.

Thank you for this. This helped me create a temporary custom solution in Python. I wrote my own functions to query the JSON file and list all data components that are related to the detection of a given technique.
If there is a best practice for doing this using python-stix or another official STIX library, I would prefer that down the line. If there are any resources for this, please provide them. If not, I will close this issue.
I'm not sure if this can be done via python-stix or mitreattack-python or other packages. I always query the STIX myself to have a grip on the performance and to not be dependent on (third) party libraries.
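Added example, not code posted by anyone in this thread and not part of mitreattack-python: one way to walk the bundle directly for the data components tied to a technique's detections. It assumes the v18 STIX layout, where an `x-mitre-detection-strategy` object `detects` the technique, lists analytics in `x_mitre_analytic_refs`, and each `x-mitre-analytic` names data components in `x_mitre_log_source_references[].x_mitre_data_component_ref`; it also handles older bundles where the data component is the direct source of the `detects` relationship. The function name and the sample bundle are constructed for illustration.

```python
def data_components_detecting(bundle, technique_stix_id):
    """Names of data components linked to a technique through 'detects' relationships."""
    objs = {o["id"]: o for o in bundle["objects"]}

    def live(o):  # skip missing, revoked and deprecated objects
        return o is not None and not (o.get("revoked") or o.get("x_mitre_deprecated"))

    found = {}
    for rel in bundle["objects"]:
        if (rel.get("type") != "relationship" or rel.get("relationship_type") != "detects"
                or rel.get("target_ref") != technique_stix_id or not live(rel)):
            continue
        src = objs.get(rel.get("source_ref"))
        if not live(src):
            continue
        if src["type"] == "x-mitre-data-component":  # older bundles: direct link
            found[src["id"]] = src["name"]
        elif src["type"] == "x-mitre-detection-strategy":  # assumed v18 path: strategy -> analytic -> log source
            for analytic_ref in src.get("x_mitre_analytic_refs", []):
                analytic = objs.get(analytic_ref)
                if not live(analytic):
                    continue
                for log_src in analytic.get("x_mitre_log_source_references", []):
                    dc = objs.get(log_src.get("x_mitre_data_component_ref"))
                    if live(dc):
                        found[dc["id"]] = dc["name"]
    return sorted(found.values())

# Constructed miniature bundle (placeholder IDs, not real ATT&CK objects).
SAMPLE = {"type": "bundle", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--t1", "name": "Example Technique"},
    {"type": "x-mitre-data-component", "id": "x-mitre-data-component--dc1", "name": "Process Creation"},
    {"type": "x-mitre-data-component", "id": "x-mitre-data-component--dc2", "name": "Command Execution"},
    {"type": "x-mitre-data-component", "id": "x-mitre-data-component--dc3", "name": "File Creation",
     "x_mitre_deprecated": True},
    {"type": "x-mitre-analytic", "id": "x-mitre-analytic--a1", "x_mitre_log_source_references": [
        {"x_mitre_data_component_ref": "x-mitre-data-component--dc1", "name": "constructed", "channel": "constructed"},
        {"x_mitre_data_component_ref": "x-mitre-data-component--dc3", "name": "constructed", "channel": "constructed"}]},
    {"type": "x-mitre-detection-strategy", "id": "x-mitre-detection-strategy--s1",
     "x_mitre_analytic_refs": ["x-mitre-analytic--a1", "x-mitre-analytic--missing"]},
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "detects",
     "source_ref": "x-mitre-detection-strategy--s1", "target_ref": "attack-pattern--t1"},
    {"type": "relationship", "id": "relationship--r2", "relationship_type": "detects",
     "source_ref": "x-mitre-data-component--dc2", "target_ref": "attack-pattern--t1"},
]}

if __name__ == "__main__":
    # Real data: load enterprise-attack.json with json.load() and pass the technique's STIX id.
    print(data_components_detecting(SAMPLE, "attack-pattern--t1"))
```
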