hot fixes - version 0.3.4.3

+ fix #22 + Updated Notebooks + Created ICS ATT&Ck Exploration Notebook + Updated Revoke and Deprecated functions (Removed Extract parameter for both and created additional functions) + New functions extract_revoked and extract_deprecated. They export STIX objects that have been deprecated or revoked for additional analysis. + Added Warnings messages for all PRE ATT&CK
OTRF · Nov 24, 2020 · 8922324 · 8922324
1 parent c204e31
commit 8922324
Show file tree

Hide file tree

Showing 10 changed files with 5,871 additions and 5,657 deletions.
diff --git a/README.md b/README.md
@@ -1,6 +1,8 @@
 # ATT&CK Python Client
 
 [![Binder](https://mybinder.org/badge_logo.svg)](https://mybinder.org/v2/gh/OTRF/ATTACK-Python-Client/master)
+[![Open_Threat_Research Community](https://img.shields.io/badge/Open_Threat_Research-Community-brightgreen.svg)](https://twitter.com/OTR_Community)
+[![Open Source Love svg1](https://badges.frapsoft.com/os/v3/open-source.svg?v=103)](https://github.com/ellerbrock/open-source-badges/)
 
 A Python module to access up to date ATT&CK content available in STIX via public TAXII server. This project leverages the python classes and functions of the [cti-python-stix2](https://github.com/oasis-open/cti-python-stix2) and [cti-taxii-client](https://github.com/oasis-open/cti-taxii-client) libraries developed by MITRE.
 
@@ -16,10 +18,6 @@ A Python module to access up to date ATT&CK content available in STIX via public
 
 The project is currently in a Production/Stable stage, which means that the current main functions are more stable. I would love to get your feedback to make it a better project.
 
-## Updates
-
-* 11/23/2020 - Added ICS ATT&CK functionality (PRE-ATTACK is deprecated but still available through the library to not break current deployments that leverage it)
-
 ## Resources
 
 * [MITRE CTI](https://github.com/mitre/cti)

diff --git a/attackcti/attack_api.py b/attackcti/attack_api.py
@@ -14,6 +14,7 @@
 from taxii2client.v20 import Collection
 import json
 import os
+import warnings
 
 ATTACK_STIX_COLLECTIONS = "https://cti-taxii.mitre.org/stix/collections/"
 ENTERPRISE_ATTACK = "95ecc380-afe9-11e4-9b6c-751b66dd541e"
@@ -244,37 +245,37 @@ def handle_list(list_object, object_type):
             stix_objects_list.append(obj_dict)
         return stix_objects_list
 
-    def remove_revoked(self, stix_objects, extract=False):
-        handle_revoked = list()
+    def remove_revoked(self, stix_objects):
+        non_revoked = list()
         for obj in stix_objects:
-            if 'revoked' in obj.keys():
-                if extract:
-                    if obj['revoked']:
-                        handle_revoked.append(obj)
-                    else:
-                        continue
-                else:
-                    if obj['revoked'] == False:
-                        handle_revoked.append(obj)
+            if 'revoked' in obj.keys() and obj['revoked'] == True:
+                continue
             else:
-                handle_revoked.append(obj)
-        return handle_revoked
+                non_revoked.append(obj)
+        return non_revoked
 
-    def remove_deprecated(self, stix_objects, extract=False):
-        handle_deprecated = list()
+    def extract_revoked(self, stix_objects):
+        revoked = list()
         for obj in stix_objects:
-            if 'x_mitre_deprecated' in obj.keys():
-                if extract:
-                    if obj['x_mitre_deprecated']:
-                        handle_deprecated.append(obj)
-                    else:
-                        continue
-                else:
-                    if obj['x_mitre_deprecated'] == False:
-                        handle_deprecated.append(obj)
+            if 'revoked' in obj.keys() and obj['revoked'] == True:
+                revoked.append(obj)
+        return revoked
+
+    def remove_deprecated(self, stix_objects):
+        non_deprecated = list()
+        for obj in stix_objects:
+            if 'x_mitre_deprecated' in obj.keys() and obj['x_mitre_deprecated'] == True:
+                continue
             else:
-                handle_deprecated.append(obj)
-        return handle_deprecated
+                non_deprecated.append(obj)
+        return non_deprecated
+
+    def extract_deprecated(self, stix_objects):
+        deprecated = list()
+        for obj in stix_objects:
+            if 'x_mitre_deprecated' in obj.keys() and obj['x_mitre_deprecated'] == True:
+                deprecated.append(obj)
+        return deprecated
 
     # ******** Enterprise ATT&CK Technology Domain  *******
     def get_enterprise(self, stix_format=True):
@@ -421,6 +422,9 @@ def get_pre(self, stix_format=True):
             List of STIX objects
         
         """
+
+        warnings.warn("PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application")
+
         pre_filter_objects = {
             "techniques": Filter("type", "=", "attack-pattern"),
             "groups": Filter("type", "=", "intrusion-set"),
@@ -434,7 +438,7 @@ def get_pre(self, stix_format=True):
         for key in pre_filter_objects:
             pre_stix_objects[key] = self.TC_PRE_SOURCE.query(pre_filter_objects[key])
             if not stix_format:
-                pre_stix_objects[key] = self.translate_stix_objects(pre_stix_objects[key])           
+                pre_stix_objects[key] = self.translate_stix_objects(pre_stix_objects[key])          
         return pre_stix_objects
 
     def get_pre_techniques(self, stix_format=True):
@@ -447,6 +451,9 @@ def get_pre_techniques(self, stix_format=True):
             List of STIX objects
         
         """
+
+        warnings.warn("PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application")
+
         pre_techniques = self.TC_PRE_SOURCE.query(Filter("type", "=", "attack-pattern"))
         if not stix_format:
             pre_techniques = self.translate_stix_objects(pre_techniques)
@@ -462,6 +469,9 @@ def get_pre_groups(self, stix_format=True):
             List of STIX objects
         
         """
+
+        warnings.warn("PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application")
+
         pre_groups = self.TC_PRE_SOURCE.query(Filter("type", "=", "intrusion-set"))
         if not stix_format:
             pre_groups = self.translate_stix_objects(pre_groups)
@@ -477,6 +487,9 @@ def get_pre_relationships(self, stix_format=True):
             List of STIX objects
         
         """
+
+        warnings.warn("PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application")
+
         pre_relationships = self.TC_PRE_SOURCE.query(Filter("type", "=", "relationship"))
         if not stix_format:
             pre_relationships = self.translate_stix_objects(pre_relationships)
@@ -492,6 +505,9 @@ def get_pre_tactics(self, stix_format=True):
             List of STIX objects
         
         """
+
+        warnings.warn("PRE ATT&CK is deprecated. It will be removed in future versions. Consider adjusting your application")
+
         pre_tactics = self.TC_PRE_SOURCE.query(Filter("type", "=", "x-mitre-tactic"))
         if not stix_format:
             pre_tactics = self.translate_stix_objects(pre_tactics)
@@ -508,6 +524,7 @@ def get_mobile(self, stix_format=True):
             List of STIX objects
         
         """
+
         mobile_filter_objects = {
             "techniques": Filter("type", "=", "attack-pattern"),
             "mitigations": Filter("type", "=", "course-of-action"),