cti-taxii-server - TAXII2 Server
cti-taxii-client - TAXII2 Client
cti-python-stix2 - STIX2 Bindings (docs: https://stix2.readthedocs.io/en/latest/)
cti-pattern-matcher - Match observed data to patterns
{
  "type": "bundle",
  "kill_chains": [
    {
      "type": "kill-chain",
      "id": "kill-chain--47cbe0e4-c4f6-4e0f-a67e-1851168c492b",
      "spec_version": "2.0",
      "created_time": "2016-05-27T15:35:07Z",
      "modified_time": "2016-05-27T15:35:07Z",
      "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
from IPython.display import IFrame

# Jupyter Lab token: printed in the terminal when Jupyter Lab starts up
token = "<your Jupyter Lab token, from startup>"
# Layer URL: right-click layer.json in the Jupyter Lab file manager and choose "Copy Download URL"
layer_url = "http://localhost:8888/files/layer.json"
navigator_url = "https://mitre-attack.github.io/attack-navigator/enterprise/"

# Embed the ATT&CK Navigator, pointing it at the locally served layer file
IFrame(src="{}#layerURL={}?token={}".format(navigator_url, layer_url, token), width='100%', height='500px')
{
  "type": "bundle",
  "objects": [
    {
      "type": "threat-actor",
      "spec_version": "2.1",
      "name": "Evil Org",
      "modified": "2018-09-27T19:45:38.359000Z",
      "labels": [
        "crime-syndicate"
A tactic is a column in one or more ATT&CK matrices. It describes the tactical "goal" an adversary might want to achieve by carrying out the techniques listed under that tactic.
Tactics are not necessarily specific to any given matrix or platform: some tactics are shared across matrices, some are not.
from stix2 import CustomObject, properties, TAXIICollectionSource
from taxii2client import Collection

# Define a custom STIX object type "opinion" with its properties
@CustomObject('opinion', [
    ('description', properties.StringProperty()),
    ('authors', properties.StringProperty()),
    ('opinion', properties.EnumProperty(allowed=[
        'strongly-disagree',
        'disagree',
        'neutral',
We have good consensus in the community that IEP should be included as part of STIX 2.1. The technical mechanism by which we do that (a data marking definition) is very straightforward and is described in the playground. There are several open questions, though, that can be resolved as a combination of text in the specification itself, in the conformance section of the specification, or in the interoperability specification.
[
  {
    "type": "opinion",
    "id": "opinion--b01efc25-77b4-4003-b18b-f6e24b5cd9f7",
    "created": "2016-05-12T08:17:27.000Z",
    "modified": "2016-05-12T08:17:27.000Z",
    "created_by_ref": "identity--f431f809-377b-45e0-aa1c-6a4751cae5ff",
    "object_ref": "relationship--16d2358f-3b0d-4c88-b047-0da2f7ed4471",
    "opinion": "strongly-disagree"
  },