0
# Collections Management
1
2
Tools for working with ATT&CK Collections, converting between collection formats, and generating documentation from collection data. ATT&CK Collections are curated sets of ATT&CK techniques, groups, software, and other objects organized around specific themes, threat actors, or analytical frameworks.
3
4
## Capabilities
5
6
### Collection to Index Conversion
7
8
Convert ATT&CK Collection files to index format for easier processing and analysis.
9
10
```python { .api }
11
class CollectionToIndex:
12
def __init__(self):
13
"""
14
Initialize collection to index converter.
15
"""
16
17
def convert(self, collection_file: str, output_file: str) -> None:
18
"""
19
Convert ATT&CK Collection file to index format.
20
21
Args:
22
collection_file (str): Path to input ATT&CK Collection JSON file
23
output_file (str): Path to output index file
24
"""
25
26
def parse_collection(self, collection_data: dict) -> dict:
27
"""
28
Parse collection data into structured index format.
29
30
Args:
31
collection_data (dict): Raw collection data from JSON file
32
33
Returns:
34
dict: Structured index data with metadata and object listings
35
"""
36
37
def extract_objects(self, collection_data: dict) -> Dict[str, List[dict]]:
38
"""
39
Extract and categorize objects from collection.
40
41
Args:
42
collection_data (dict): Collection data
43
44
Returns:
45
Dict[str, List[dict]]: Objects organized by type (techniques, groups, etc.)
46
"""
47
48
def validate_collection(self, collection_data: dict) -> bool:
49
"""
50
Validate collection format and required fields.
51
52
Args:
53
collection_data (dict): Collection data to validate
54
55
Returns:
56
bool: True if valid, False otherwise
57
"""
58
```
59
60
### Index to Markdown Conversion
61
62
Generate comprehensive Markdown documentation from collection index files.
63
64
```python { .api }
65
class IndexToMarkdown:
66
def __init__(self):
67
"""
68
Initialize index to markdown converter.
69
"""
70
71
def convert(self, index_file: str, output_file: str) -> None:
72
"""
73
Convert collection index to Markdown documentation.
74
75
Args:
76
index_file (str): Path to collection index file
77
output_file (str): Path to output Markdown file
78
"""
79
80
def generate_overview(self, index_data: dict) -> str:
81
"""
82
Generate overview section with collection metadata.
83
84
Args:
85
index_data (dict): Index data from collection
86
87
Returns:
88
str: Markdown overview section
89
"""
90
91
def generate_object_tables(self, index_data: dict) -> str:
92
"""
93
Generate tables for each object type in the collection.
94
95
Args:
96
index_data (dict): Index data with object listings
97
98
Returns:
99
str: Markdown tables for techniques, groups, software, etc.
100
"""
101
102
def generate_relationships_section(self, index_data: dict) -> str:
103
"""
104
Generate section documenting relationships between objects.
105
106
Args:
107
index_data (dict): Index data with relationship information
108
109
Returns:
110
str: Markdown section with relationship mappings
111
"""
112
113
def format_technique_table(self, techniques: List[dict]) -> str:
114
"""
115
Format techniques as Markdown table.
116
117
Args:
118
techniques (List[dict]): List of technique objects
119
120
Returns:
121
str: Markdown table with technique details
122
"""
123
124
def format_group_table(self, groups: List[dict]) -> str:
125
"""
126
Format groups as Markdown table.
127
128
Args:
129
groups (List[dict]): List of group objects
130
131
Returns:
132
str: Markdown table with group details
133
"""
134
135
def format_software_table(self, software: List[dict]) -> str:
136
"""
137
Format software as Markdown table.
138
139
Args:
140
software (List[dict]): List of software objects
141
142
Returns:
143
str: Markdown table with software details
144
"""
145
```
146
147
### CLI Functions
148
149
Command-line interfaces for collection processing workflows.
150
151
```python { .api }
152
def collection_to_index_main(args: List[str]) -> None:
153
"""
154
CLI entry point for collectionToIndex_cli command.
155
156
Args:
157
args (List[str]): Command-line arguments
158
--input: Input collection file path
159
--output: Output index file path
160
--validate: Validate collection format
161
"""
162
163
def index_to_markdown_main(args: List[str]) -> None:
164
"""
165
CLI entry point for indexToMarkdown_cli command.
166
167
Args:
168
args (List[str]): Command-line arguments
169
--input: Input index file path
170
--output: Output markdown file path
171
--template: Markdown template to use
172
--include-relationships: Include relationship mappings
173
"""
174
```
175
176
## Usage Examples
177
178
### Converting Collections to Index Format
179
180
```python
181
from mitreattack.collections import CollectionToIndex
182
183
# Initialize converter
184
converter = CollectionToIndex()
185
186
# Convert collection file to index
187
converter.convert(
188
collection_file="apt29_collection.json",
189
output_file="apt29_index.json"
190
)
191
192
print("Collection converted to index format")
193
```
194
195
### Working with Collection Data
196
197
```python
198
import json
199
from mitreattack.collections import CollectionToIndex
200
201
# Load and parse collection manually
202
converter = CollectionToIndex()
203
204
with open("threat_collection.json", "r") as f:
205
collection_data = json.load(f)
206
207
# Validate collection
208
if converter.validate_collection(collection_data):
209
print("Collection format is valid")
210
211
# Extract objects by type
212
objects_by_type = converter.extract_objects(collection_data)
213
214
print(f"Techniques: {len(objects_by_type.get('techniques', []))}")
215
print(f"Groups: {len(objects_by_type.get('groups', []))}")
216
print(f"Software: {len(objects_by_type.get('software', []))}")
217
218
# Convert to structured index
219
index_data = converter.parse_collection(collection_data)
220
221
with open("structured_index.json", "w") as f:
222
json.dump(index_data, f, indent=2)
223
else:
224
print("Collection format is invalid")
225
```
226
227
### Generating Markdown Documentation
228
229
```python
230
from mitreattack.collections import IndexToMarkdown
231
232
# Initialize markdown generator
233
generator = IndexToMarkdown()
234
235
# Convert index to markdown documentation
236
generator.convert(
237
index_file="apt29_index.json",
238
output_file="apt29_report.md"
239
)
240
241
print("Markdown documentation generated")
242
```
243
244
### Custom Markdown Generation
245
246
```python
247
import json
248
from mitreattack.collections import IndexToMarkdown
249
250
# Load index data
251
with open("threat_index.json", "r") as f:
252
index_data = json.load(f)
253
254
generator = IndexToMarkdown()
255
256
# Generate individual sections
257
overview = generator.generate_overview(index_data)
258
object_tables = generator.generate_object_tables(index_data)
259
relationships = generator.generate_relationships_section(index_data)
260
261
# Combine into custom report
262
custom_report = f"""
263
# Threat Intelligence Report
264
265
{overview}
266
267
## Detailed Analysis
268
269
{object_tables}
270
271
## Relationship Analysis
272
273
{relationships}
274
275
## Appendix
276
277
Additional analysis and recommendations...
278
"""
279
280
with open("custom_threat_report.md", "w") as f:
281
f.write(custom_report)
282
```
283
284
### Working with Specific Object Types
285
286
```python
287
import json
288
from mitreattack.collections import IndexToMarkdown
289
290
# Load index data
291
with open("collection_index.json", "r") as f:
292
index_data = json.load(f)
293
294
generator = IndexToMarkdown()
295
296
# Generate tables for specific object types
297
if "techniques" in index_data:
298
techniques_table = generator.format_technique_table(index_data["techniques"])
299
print("Techniques Table:")
300
print(techniques_table)
301
302
if "groups" in index_data:
303
groups_table = generator.format_group_table(index_data["groups"])
304
print("\\nGroups Table:")
305
print(groups_table)
306
307
if "software" in index_data:
308
software_table = generator.format_software_table(index_data["software"])
309
print("\\nSoftware Table:")
310
print(software_table)
311
```
312
313
### CLI Usage Examples
314
315
```bash
316
# Convert ATT&CK Collection to index format
317
collectionToIndex_cli --input apt29_collection.json --output apt29_index.json --validate
318
319
# Generate comprehensive markdown report
320
indexToMarkdown_cli --input apt29_index.json --output apt29_report.md --include-relationships
321
322
# Batch process multiple collections
323
for collection in collections/*.json; do
324
base_name=$(basename "$collection" .json)
325
collectionToIndex_cli --input "$collection" --output "indices/${base_name}_index.json"
326
indexToMarkdown_cli --input "indices/${base_name}_index.json" --output "reports/${base_name}_report.md"
327
done
328
```
329
330
### Collection Validation and Quality Checks
331
332
```python
333
import json
334
from mitreattack.collections import CollectionToIndex
335
336
def analyze_collection_quality(collection_file):
337
"""Analyze collection for completeness and quality."""
338
339
converter = CollectionToIndex()
340
341
with open(collection_file, "r") as f:
342
collection_data = json.load(f)
343
344
# Basic validation
345
is_valid = converter.validate_collection(collection_data)
346
print(f"Collection valid: {is_valid}")
347
348
if not is_valid:
349
return
350
351
# Extract and analyze objects
352
objects = converter.extract_objects(collection_data)
353
354
# Quality metrics
355
total_objects = sum(len(obj_list) for obj_list in objects.values())
356
print(f"Total objects: {total_objects}")
357
358
for obj_type, obj_list in objects.items():
359
print(f"{obj_type.capitalize()}: {len(obj_list)}")
360
361
# Check for missing descriptions
362
missing_desc = [obj for obj in obj_list if not obj.get("description")]
363
if missing_desc:
364
print(f" - {len(missing_desc)} {obj_type} missing descriptions")
365
366
# Check metadata completeness
367
metadata = collection_data.get("metadata", {})
368
required_fields = ["name", "version", "description", "created"]
369
missing_metadata = [field for field in required_fields if not metadata.get(field)]
370
371
if missing_metadata:
372
print(f"Missing metadata fields: {missing_metadata}")
373
else:
374
print("All required metadata fields present")
375
376
# Analyze collection quality
377
analyze_collection_quality("my_collection.json")
378
```
379
380
## Collection Format
381
382
ATT&CK Collections follow a standard JSON format:
383
384
```json
385
{
386
"id": "collection-uuid",
387
"spec_version": "2.1",
388
"type": "x-mitre-collection",
389
"name": "Collection Name",
390
"description": "Collection description",
391
"created": "2023-01-01T00:00:00.000Z",
392
"modified": "2023-01-01T00:00:00.000Z",
393
"created_by_ref": "identity--uuid",
394
"object_refs": [
395
"attack-pattern--uuid1",
396
"intrusion-set--uuid2",
397
"malware--uuid3"
398
],
399
"x_mitre_contents": [
400
{
401
"object_ref": "attack-pattern--uuid1",
402
"object_modified": "2023-01-01T00:00:00.000Z"
403
}
404
]
405
}
406
```
407
408
The conversion tools handle this format and extract relevant object references for analysis and documentation generation.