Tessl Tile for pypi/mitreattack-python@5.1.0

or run

npx @tessl/cli init

Version

Tile

Overview

Evals

Files

docs

cli-tools.md collections.md excel-export.md index.md stix20-data-access.md version-comparison.md version-management.md

excel-export.mddocs/

0
# Excel Export and Data Conversion
1

2
Convert ATT&CK STIX data into structured Excel spreadsheets with multiple worksheets for different object types. The Excel export functionality includes pandas DataFrame operations, customizable output formatting, and comprehensive coverage of all ATT&CK object types including techniques, tactics, groups, software, mitigations, and relationships.
3

4
## Capabilities
5

6
### High-Level Export Functions
7

8
Main functions for loading data and exporting to Excel format.
9

10
```python { .api }
11
def get_stix_data(domain: str, version: Optional[str] = None, remote: Optional[str] = None, stix_file: Optional[str] = None) -> MemoryStore:
12
    """
13
    Load ATT&CK STIX data from various sources.
14
    
15
    Args:
16
        domain (str): ATT&CK domain ("enterprise-attack", "mobile-attack", "ics-attack")
17
        version (str, optional): Specific ATT&CK version to load
18
        remote (str, optional): URL to ATT&CK workbench instance
19
        stix_file (str, optional): Path to local STIX file
20
        
21
    Returns:
22
        MemoryStore: A stix2.MemoryStore object containing the domain data
23
    """
24

25
def build_dataframes(src: MemoryStore, domain: str) -> dict:
26
    """
27
    Convert STIX data to pandas DataFrames organized by object type.
28
    
29
    Args:
30
        src (MemoryStore): STIX data in MemoryStore from get_stix_data()
31
        domain (str): ATT&CK domain for proper processing
32
        
33
    Returns:
34
        dict: Dictionary mapping object types to pandas DataFrames
35
    """
36

37
def write_excel(dataframes: dict, domain: str, version: Optional[str] = None, output_dir: str = ".") -> List[str]:
38
    """
39
    Write DataFrames to Excel file with multiple worksheets.
40
    
41
    Args:
42
        dataframes (dict): DataFrames from build_dataframes()
43
        domain (str): ATT&CK domain for filename generation
44
        version (str, optional): Version for filename
45
        output_dir (str): Output directory path. Defaults to current directory.
46
        
47
    Returns:
48
        List[str]: A list of filepaths corresponding to the files written by the function
49
    """
50

51
def export(domain: str = "enterprise-attack", version: Optional[str] = None, output_dir: str = ".", remote: Optional[str] = None, stix_file: Optional[str] = None, mem_store: Optional[MemoryStore] = None) -> None:
52
    """
53
    Download ATT&CK data from MITRE/CTI and convert it to Excel spreadsheets.
54
    
55
    Args:
56
        domain (str): The domain of ATT&CK to download. Defaults to "enterprise-attack".
57
        version (str, optional): The version of ATT&CK to download.
58
        output_dir (str): The directory to write Excel files to. Defaults to current directory.
59
        remote (str, optional): URL of a remote ATT&CK Workbench instance.
60
        stix_file (str, optional): Path to a local STIX file.
61
        mem_store (MemoryStore, optional): Pre-loaded STIX bundle.
62
    """
63

64
def main() -> None:
65
    """
66
    Entrypoint for attackToExcel_cli.
67
    """
68
```
69

70
### STIX to DataFrame Conversion Functions
71

72
Specialized functions for converting different ATT&CK object types to pandas DataFrames.
73

74
```python { .api }
75
def remove_revoked_deprecated(stix_objects):
76
    """Remove any revoked or deprecated objects from queries made to the data source."""
77

78
def filter_platforms(stix_objects, platforms):
79
    """Filter out any objects that don't have a matching platform to one in 'platforms'."""
80

81
def format_date(date):
82
    """Given a date string, return it formatted as %d %B %Y."""
83

84
def get_citations(objects):
85
    """Given a list of STIX objects, return a pandas dataframe for the citations on the objects."""
86

87
def parseBaseStix(sdo):
88
    """Given an SDO, return a dict of field names:values that are common across all ATT&CK STIX types."""
89
```
90

91
### Excel Formatting Classes
92

93
Helper classes for Excel output formatting.
94

95
```python { .api }
96
class CellRange:
97
    def __init__(self, leftCol: int, rightCol: int, topRow: int, bottomRow: int, data=None, format=None):
98
        """
99
        Helper class for handling ranges of cells in a spreadsheet.
100
        
101
        Args:
102
            leftCol (int): Left column (not 0-indexed, starts at 1)
103
            rightCol (int): Right column (not 0-indexed, starts at 1)
104
            topRow (int): Top row (not 0-indexed, starts at 1)
105
            bottomRow (int): Bottom row (not 0-indexed, starts at 1)
106
            data: Optional data to store in the cellrange
107
            format: Optional format dict for XlsxWriter style
108
        """
109
    
110
    def to_excel_format(self) -> str:
111
        """Return the range in excel format, e.g A4:C7."""
112
```
113

114
### Object Type Converters
115

116
Individual converter functions for each ATT&CK object type.
117

118
```python { .api }
119
def techniquesToDf(src: MemoryStore, domain: str) -> dict:
120
    """
121
    Parse STIX techniques from the given data and return corresponding pandas dataframes.
122
    
123
    Args:
124
        src (MemoryStore): MemoryStore or other stix2 DataSource object holding the domain data
125
        domain (str): domain of ATT&CK src corresponds to, e.g "enterprise-attack"
126
        
127
    Returns:
128
        dict: A lookup of labels (descriptors/names) to dataframes
129
    """
130

131
def tacticsToDf(src: MemoryStore) -> dict:
132
    """
133
    Parse STIX tactics from the given data and return corresponding pandas dataframes.
134
    
135
    Args:
136
        src (MemoryStore): MemoryStore or other stix2 DataSource object holding the domain data
137
        
138
    Returns:
139
        dict: A lookup of labels (descriptors/names) to dataframes
140
    """
141

142
def datasourcesToDf(src: MemoryStore) -> dict:
143
    """
144
    Parse STIX Data Sources and their Data components from the given data and return corresponding pandas dataframes.
145
    
146
    Args:
147
        src (MemoryStore): MemoryStore or other stix2 DataSource object holding the domain data
148
        
149
    Returns:
150
        dict: A lookup of labels (descriptors/names) to dataframes
151
    """
152

153
def softwareToDf(src: MemoryStore) -> dict:
154
    """
155
    Parse STIX software from the given data and return corresponding pandas dataframes.
156
    
157
    Args:
158
        src (MemoryStore): MemoryStore or other stix2 DataSource object holding the domain data
159
        
160
    Returns:
161
        dict: A lookup of labels (descriptors/names) to dataframes
162
    """
163

164
def groupsToDf(src: MemoryStore) -> dict:
165
    """
166
    Parse STIX groups from the given data and return corresponding pandas dataframes.
167
    
168
    Args:
169
        src (MemoryStore): MemoryStore or other stix2 DataSource object holding the domain data
170
        
171
    Returns:
172
        dict: A lookup of labels (descriptors/names) to dataframes
173
    """
174

175
def campaignsToDf(src: MemoryStore) -> dict:
176
    """
177
    Parse STIX campaigns from the given data and return corresponding pandas dataframes.
178
    
179
    Args:
180
        src (MemoryStore): MemoryStore or other stix2 DataSource object holding the domain data
181
        
182
    Returns:
183
        dict: A lookup of labels (descriptors/names) to dataframes
184
    """
185

186
def assetsToDf(src: MemoryStore) -> dict:
187
    """
188
    Parse STIX assets from the given data and return corresponding pandas dataframes.
189
    
190
    Args:
191
        src (MemoryStore): MemoryStore or other stix2 DataSource object holding the domain data
192
        
193
    Returns:
194
        dict: A lookup of labels (descriptors/names) to dataframes
195
    """
196

197
def mitigationsToDf(src: MemoryStore) -> dict:
198
    """
199
    Parse STIX mitigations from the given data and return corresponding pandas dataframes.
200
    
201
    Args:
202
        src (MemoryStore): MemoryStore or other stix2 DataSource object holding the domain data
203
        
204
    Returns:
205
        dict: A lookup of labels (descriptors/names) to dataframes
206
    """
207

208
def matricesToDf(src: MemoryStore, domain: str) -> list:
209
    """
210
    Parse STIX matrices from the given data and return parsed matrix structures.
211
    
212
    Args:
213
        src (MemoryStore): MemoryStore or other stix2 DataSource object holding the domain data
214
        domain (str): domain of ATT&CK src corresponds to, e.g "enterprise-attack"
215
        
216
    Returns:
217
        list: List of dictionaries with matrix, name, description, merge, and columns data
218
    """
219

220
def relationshipsToDf(src: MemoryStore, relatedType: Optional[str] = None) -> dict:
221
    """
222
    Parse STIX relationships from the given data and return corresponding pandas dataframes.
223
    
224
    Args:
225
        src (MemoryStore): MemoryStore or other stix2 DataSource object holding the domain data
226
        relatedType (str, optional): singular attack type to only return relationships with, e.g "mitigation"
227
        
228
    Returns:
229
        dict: A lookup of labels (descriptors/names) to dataframes
230
    """
231
```
232

233
## Usage Examples
234

235
### Basic Excel Export
236

237
```python
238
from mitreattack.attackToExcel import get_stix_data, build_dataframes, write_excel
239

240
# Load Enterprise ATT&CK data
241
stix_data = get_stix_data("enterprise-attack")
242

243
# Convert to DataFrames
244
dataframes = build_dataframes(stix_data, "enterprise-attack")
245

246
# Write to Excel file
247
write_excel(dataframes, "enterprise-attack", output_dir="./output")
248

249
# This creates: ./output/enterprise-attack-v[version].xlsx
250
```
251

252
### Working with Individual DataFrames
253

254
```python
255
from mitreattack.attackToExcel.stixToDf import techniquesToDf, groupsToDf
256
from mitreattack.attackToExcel import get_stix_data
257

258
# Load data
259
stix_data = get_stix_data("enterprise-attack")
260

261
# Convert specific object types
262
techniques_df = techniquesToDf(stix_data, "enterprise-attack")
263
groups_df = groupsToDf(stix_data)
264

265
# Analyze the data
266
print(f"Total techniques: {len(techniques_df)}")
267
print(f"Techniques by platform:")
268
print(techniques_df['platforms'].value_counts())
269

270
print(f"\\nTotal groups: {len(groups_df)}")
271
print("Sample group names:")
272
print(groups_df['name'].head())
273
```
274

275
### Custom Filtering and Export
276

277
```python
278
from mitreattack.attackToExcel.stixToDf import remove_revoked_deprecated, filter_platforms
279
from mitreattack.stix20 import MitreAttackData
280

281
# Load data with MitreAttackData for more control
282
attack_data = MitreAttackData("enterprise-attack")
283

284
# Get techniques and filter
285
all_techniques = attack_data.get_techniques(remove_revoked_deprecated=False)
286
active_techniques = remove_revoked_deprecated(all_techniques)
287
windows_techniques = filter_platforms(active_techniques, ["Windows"])
288

289
print(f"All techniques: {len(all_techniques)}")
290
print(f"Active techniques: {len(active_techniques)}")
291
print(f"Windows techniques: {len(windows_techniques)}")
292
```
293

294
### Relationship Analysis in Excel
295

296
```python
297
from mitreattack.attackToExcel.stixToDf import relationshipsToDf
298
from mitreattack.attackToExcel import get_stix_data
299

300
# Load data
301
stix_data = get_stix_data("enterprise-attack")
302

303
# Get all relationships
304
all_relationships = relationshipsToDf(stix_data)
305

306
# Filter specific relationship types
307
uses_relationships = relationshipsToDf(stix_data, relatedType="uses")
308
mitigates_relationships = relationshipsToDf(stix_data, relatedType="mitigates")
309

310
print(f"Total relationships: {len(all_relationships)}")
311
print(f"'Uses' relationships: {len(uses_relationships)}")
312
print(f"'Mitigates' relationships: {len(mitigates_relationships)}")
313

314
# Analyze relationship distribution
315
print("\\nRelationship types:")
316
print(all_relationships['relationship_type'].value_counts())
317
```
318

319
### Using CLI Tool
320

321
```bash
322
# Export latest Enterprise ATT&CK to Excel
323
attackToExcel_cli --domain enterprise-attack --output ./exports/
324

325
# Export specific version
326
attackToExcel_cli --domain enterprise-attack --version 14.1 --output ./exports/
327

328
# Export Mobile ATT&CK
329
attackToExcel_cli --domain mobile-attack --output ./mobile-exports/
330

331
# Export from local STIX file
332
attackToExcel_cli --stix-file /path/to/local-attack.json --output ./local-exports/
333
```
334

335
## Output Structure
336

337
The generated Excel file contains multiple worksheets:
338

339
- **techniques**: All techniques with tactics, platforms, detection info
340
- **tactics**: Tactic information and kill chain phases  
341
- **software**: Malware and tools with platform information
342
- **groups**: Threat actor groups with aliases and descriptions
343
- **mitigations**: Defensive measures and countermeasures
344
- **datasources**: Data collection sources and components
345
- **campaigns**: Threat campaigns with temporal information
346
- **assets**: Target assets by sector and platform
347
- **matrices**: ATT&CK framework structure information
348
- **relationships**: All STIX relationships between objects
349

350
Each worksheet is formatted for analysis with:
351
- Proper column headers and data types
352
- Filtered and cleaned data (no revoked/deprecated items by default)
353
- Comprehensive metadata for each object type
354
- Relationship mappings preserved where applicable

Version

Tile

Files

excel-export.md.css-3qkkll{font-size:var(--chakra-font-sizes-sm);font-weight:var(--chakra-font-weights-normal);color:var(--chakra-colors-gray-300);}docs/

excel-export.mddocs/