
# MITRE ATT&CK Python Library

A comprehensive Python library for accessing, querying, and manipulating MITRE ATT&CK threat intelligence data. This library provides programmatic access to the ATT&CK framework in STIX 2.0 format, enabling security researchers, analysts, and developers to integrate ATT&CK knowledge into their security tools, threat hunting workflows, and defensive strategies.

## Package Information

- **Package Name**: mitreattack-python
- **Language**: Python
- **Installation**: `pip install mitreattack-python`
- **Requirements**: Python >=3.11,<4.0

## Core Imports

```python
import mitreattack
```

For specific functionality:

```python
from mitreattack.stix20 import MitreAttackData
from mitreattack import attackToExcel, collections, navlayers
```

## Basic Usage

```python
from mitreattack.stix20 import MitreAttackData
from mitreattack.attackToExcel import get_stix_data

# Load Enterprise ATT&CK data
data_store = get_stix_data("enterprise-attack")
attack_data = MitreAttackData(src=data_store)

# Get all techniques
techniques = attack_data.get_techniques()
print(f"Found {len(techniques)} techniques")

# Get specific technique by ATT&CK ID
technique = attack_data.get_object_by_attack_id("T1055")
print(f"Technique: {attack_data.get_name(technique)}")

# Get all groups and their techniques
groups = attack_data.get_groups()
for group in groups[:3]:  # First 3 groups
    group_name = attack_data.get_name(group)
    group_techniques = attack_data.get_techniques_used_by_group(group)
    print(f"{group_name}: {len(group_techniques)} techniques")
```

## Architecture

The library is organized into several key modules:

- **STIX20 Data Access**: Core `MitreAttackData` class providing 90+ query methods for filtering and relationship mapping
- **Excel Export**: Convert ATT&CK data to structured spreadsheets with customizable formatting
- **Navigation Layers**: Create and manipulate ATT&CK Navigator layer files for visualization
- **Collections**: Manage ATT&CK Collections and generate documentation
- **Version Management**: Download specific ATT&CK releases and compare versions
- **CLI Tools**: 7 command-line utilities for common workflows

## Capabilities

### STIX 2.0 Data Access and Querying

Core functionality for loading, querying, and analyzing MITRE ATT&CK data using the STIX 2.0 format. Provides comprehensive access to all ATT&CK objects and their relationships through 90+ specialized methods.

```python { .api }
class MitreAttackData:
    def __init__(self, stix_filepath_or_url: str = None, stix_version: str = "2.0"): ...
    def get_techniques(self, remove_revoked_deprecated: bool = True) -> List: ...
    def get_groups(self, remove_revoked_deprecated: bool = True) -> List: ...
    def get_software(self, remove_revoked_deprecated: bool = True) -> List: ...
    def get_object_by_attack_id(self, attack_id: str) -> dict: ...
    def get_techniques_used_by_group(self, group_stix) -> List: ...
```

[STIX 2.0 Data Access](./stix20-data-access.md)
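
What these queries resolve against, as an added example that is not the library's own code: a standard-library sketch of ATT&CK ID lookup, revoked/deprecated filtering and group-to-technique mapping over a constructed STIX 2.0 bundle. The helper bodies, the sample objects and their IDs, and the exact set of source names are assumptions made for illustration.

```python
# Added example: stdlib-only model of the lookups; not mitreattack-python code.
# Source names below are assumed values for MITRE_ATTACK_ID_SOURCE_NAMES.
ATTACK_SOURCES = {"mitre-attack", "mitre-mobile-attack", "mitre-ics-attack"}

# Constructed sample bundle (IDs and names are illustrative, not real ATT&CK data).
BUNDLE = {"type": "bundle", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--a1", "name": "Sample Injection",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--a2", "name": "Old Technique",
     "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9002"}]},
    {"type": "attack-pattern", "id": "attack-pattern--a3", "name": "Retired Technique",
     "x_mitre_deprecated": True,
     "external_references": [{"source_name": "capec", "external_id": "CAPEC-1"},
                             {"source_name": "mitre-attack", "external_id": "T9003"}]},
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Sample Group",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G9001"}]},
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--a1"},
    {"type": "relationship", "id": "relationship--r2", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--a2"},
]}

def is_active(obj):
    """True unless the object is revoked or deprecated."""
    return not (obj.get("revoked") or obj.get("x_mitre_deprecated"))

def attack_id(obj):
    """Return the ATT&CK ID from the first ATT&CK-sourced external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") in ATTACK_SOURCES and "external_id" in ref:
            return ref["external_id"]
    return None

def get_techniques(bundle, remove_revoked_deprecated=True):
    objs = [o for o in bundle["objects"] if o["type"] == "attack-pattern"]
    return [o for o in objs if is_active(o)] if remove_revoked_deprecated else objs

def get_object_by_attack_id(bundle, wanted):
    return next((o for o in bundle["objects"] if attack_id(o) == wanted), None)

def techniques_used_by_group(bundle, group_id):
    """Follow 'uses' relationships from a group to active techniques only."""
    by_id = {o["id"]: o for o in get_techniques(bundle)}
    return [by_id[r["target_ref"]] for r in bundle["objects"]
            if r["type"] == "relationship" and r.get("relationship_type") == "uses"
            and r.get("source_ref") == group_id and r.get("target_ref") in by_id]
```

Only references whose `source_name` is an ATT&CK source count as the object's ID, so the CAPEC reference on the third technique is ignored, and the revoked technique drops out of the group's results even though a `uses` relationship still points at it.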

### Excel Export and Data Conversion

Convert ATT&CK STIX data into structured Excel spreadsheets with multiple worksheets for different object types. Includes pandas DataFrame operations and customizable output formatting.

```python { .api }
def get_stix_data(domain: str, version: str = None, remote: bool = None, stix_file: str = None) -> dict: ...
def build_dataframes(src: dict, domain: str) -> dict: ...
def write_excel(dataframes: dict, domain: str, version: str = None, output_dir: str = ".") -> None: ...
def export() -> None: ...
```

[Excel Export](./excel-export.md)

### ATT&CK Navigator Layers

Create, manipulate, and export ATT&CK Navigator layer files for data visualization. Supports layer generation, SVG export, Excel export, and programmatic layer manipulation.

```python { .api }
class Layer:
    def __init__(self, name: str = "", description: str = ""): ...
    def from_file(self, filepath: str): ...
    def to_file(self, filepath: str): ...
    def to_excel(self, path: str, **kwargs): ...
    def to_svg(self, path: str, **kwargs): ...

class OverviewLayerGenerator:
    def generate_overview_layers(self, data: MitreAttackData): ...
```

[Navigation Layers](./navigation-layers.md)

### Collections Management

Tools for working with ATT&CK Collections, converting between collection formats, and generating documentation from collection data.

```python { .api }
class CollectionToIndex:
    def convert(self, collection_file: str, output_file: str): ...

class IndexToMarkdown:
    def convert(self, index_file: str, output_file: str): ...
```

[Collections](./collections.md)

### Version Management and Data Download

Download specific ATT&CK releases, manage version information, and compare different ATT&CK versions for change analysis.

```python { .api }
def download_stix(stix_version: str, domain: str, download_dir: str, release: str, known_hash: str): ...
def download_domains(domains: List[str], download_dir: str, all_versions: bool, stix_version: str): ...
def get_attack_version(domain: str, stix_version: str = "2.0", stix_file: str = None, stix_content: str = None) -> str: ...
```

[Version Management](./version-management.md)
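
One way to enforce a pinned release digest before parsing a downloaded bundle, as an added example that is not the library's own code. The function name, the release keys and the sample bundle are constructed for illustration; the pin table plays the role that a `known_hash` value or a per-release SHA256 table would.

```python
import hashlib
import json
import os
import tempfile

def load_verified_bundle(path, release, pinned):
    """Return the parsed STIX bundle only if its SHA-256 matches the pin."""
    expected = pinned.get(release)
    if expected is None:                      # fail closed: unknown release
        raise KeyError(f"no pinned hash for release {release!r}")
    with open(path, "rb") as fh:
        raw = fh.read()                       # read once; hash and parse the same bytes
    actual = hashlib.sha256(raw).hexdigest()
    if actual != expected.strip().lower():
        raise ValueError(f"SHA-256 mismatch for {release}: got {actual}")
    bundle = json.loads(raw)
    if not isinstance(bundle, dict) or bundle.get("type") != "bundle":
        raise ValueError("verified file is not a STIX bundle")
    return bundle

def demo():
    """Constructed data; returns (objects, tamper_rejected, unknown_rejected)."""
    raw = json.dumps({"type": "bundle", "objects": [{"type": "identity"}]}).encode()
    pinned = {"0.0-example": hashlib.sha256(raw).hexdigest()}   # constructed pin
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "enterprise-attack.json")
        with open(path, "wb") as fh:
            fh.write(raw)
        objects = len(load_verified_bundle(path, "0.0-example", pinned)["objects"])
        try:
            load_verified_bundle(path, "9.9-unpinned", pinned)
            unknown_rejected = False
        except KeyError:
            unknown_rejected = True
        with open(path, "ab") as fh:
            fh.write(b"\n")                   # one-byte change after pinning
        try:
            load_verified_bundle(path, "0.0-example", pinned)
            tamper_rejected = False
        except ValueError:
            tamper_rejected = True
    return objects, tamper_rejected, unknown_rejected
```

The appended newline leaves the JSON valid, so only the digest check catches the change; hashing and parsing the same in-memory bytes also avoids a gap between verification and use.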

### Version Comparison and Diff Analysis

Compare different versions of ATT&CK data and generate detailed changelog reports showing additions, modifications, and removals between releases.

```python { .api }
class DiffStix:
    def __init__(self, old_data: dict, new_data: dict): ...
    def generate_changelog(self) -> dict: ...
    def export_changelog(self, output_file: str): ...
```

[Version Comparison](./version-comparison.md)

### Command Line Interface

Seven CLI tools for common ATT&CK data workflows including Excel export, layer generation, collection management, and data download.

```bash
# Export ATT&CK data to Excel
attackToExcel_cli --domain enterprise-attack --output ./output

# Generate Navigator layers
layerGenerator_cli --data-source enterprise-attack --output ./layers

# Download ATT&CK STIX data
download_attack_stix --domains enterprise-attack mobile-attack --version 2.1
```

[Command Line Tools](./cli-tools.md)

## Constants and Utilities

### Framework Constants

```python { .api }
MITRE_ATTACK_ID_SOURCE_NAMES: List[str]  # Valid ATT&CK ID source names
MITRE_ATTACK_DOMAIN_STRINGS: List[str]  # Valid domain strings
PLATFORMS_LOOKUP: Dict[str, List[str]]  # Domain to platforms mapping
```

### Release Information

```python { .api }
LATEST_VERSION: str = "17.1"  # Current ATT&CK version
STIX20: Dict[str, str]  # SHA256 hashes for STIX 2.0 releases
STIX21: Dict[str, str]  # SHA256 hashes for STIX 2.1 releases
```