Getting All Data Components That Detect A Technique

[GabrielSaul]

I am trying to use STIX & MitreAttackData in Python to create a list of data components for each MITRE technique.

Currently, I use a MitreAttackData (https://mitreattack-python.readthedocs.io/en/latest/mitre_attack_data/mitre_attack_data.html) object with the get_datacomponents_detecting_technique(stix_id) function to get all the data components that detect a given technique. I am using the up-to-date JSON file representing STIX data for this (https://raw.githubusercontent.com/mitre-attack/attack-stix-data/refs/heads/master/enterprise-attack/enterprise-attack.json). For each technique, it returns an empty list.

I noticed in the JSON file there is an x_mitre_data_source_ref for each data component in the JSON file, but it is empty for all data components. Additionally, the x_mitre_detection field for each of the attack patterns is also empty. How is the relationship between techniques (attack patterns) and data components possible without a linking reference? I imagine this is what is causing the empty lists.

I can get all data components from the MitreAttackData object, but I cannot get all data components that detect specific techniques. How can I use the enterprise-attack JSON file to do this, or do I need to use a different file and/or a different Python library?

[y0nde]

I believe the only way to associate Data Components with Techniques is by scraping the official MITRE ATT&CK website.

[rubinatorz]

Hi @y0nde and @GabrielSaul

I recently drawn a diagram to visualize how data components are bound to techniques in the new v18 release. Sharing it here, hope it helps you. It's on how data objects are bound within the STIX representation. I don't know how it now works within the mitreattack-python lib.

[GabrielSaul]

I believe the only way to associate Data Components with Techniques is by scraping the official MITRE ATT&CK website.

This would've been the last resort, but thankfully I was able to do it just by using the JSON file.

Hi @y0nde and @GabrielSaul

I recently drawn a diagram to visualize how data components are bound to techniques in the new v18 release. Sharing it here, hope it helps you. It's on how data objects are bound within the STIX representation. I don't know how it now works within the mitreattack-python lib.

Thank you for this. This helped me created a temporary custom solution in Python. I wrote my own functions to query the JSON file and list all data components that are related to the detection of a given technique.

If there is a best practice for doing this using python-stix or another official STIX library, I would prefer that down the line. If there are any resources for this, please provide them. If not, I will close this issue.

[rubinatorz]

I'm not sure if this can be done via python-stix or mitreattack-python or other packages. I always query the STIX myself to have grip on the performance and to not be dependent on (third) party libraries.