msticpy.data.drivers.mordor_driver module

Mordor/OTRF Security datasets driver.

class msticpy.data.drivers.mordor_driver.MitreAttack(attack=None, technique=None, sub_technique=None, tactics=None)

Bases: object

MitreAttack container for techniques and tactics.

Create instance of MitreAttack.

Parameters:
  • attack (Dict[str, Any], optional) – attack data as dictionary, by default None

  • technique (str, optional) – technique ID, by default None

  • sub_technique (str, optional) – sub-technique ID, by default None

  • tactics (List[str], optional) – List of associated tactics, by default None

MTR_TAC_URI = 'https://attack.mitre.org/tactics/{tactic_id}/'
MTR_TECH_URI = 'https://attack.mitre.org/techniques/{technique_id}/'
property tactics_full: list[tuple[str, str, str, str]]

Return full listing of Mitre tactics.

Returns:

List of tuples of: (ID, Name, Description, URI)

Return type:

List[Tuple[str, str, str, str]]

property technique_desc: str | None

Return Mitre technique description.

Returns:

Technique description

Return type:

Optional[str]

property technique_name: str | None

Return Mitre Technique full name.

Returns:

Name of the Mitre technique

Return type:

Optional[str]

property technique_uri: str

Return Mitre Technique URI.

Returns:

URI of the Mitre technique

Return type:

str

class msticpy.data.drivers.mordor_driver.MordorDriver(**kwargs)

Bases: DriverBase

Mordor data driver.

Initialize the Mordor driver.

add_query_filter(name, query_filter)

Add an expression to the query attach filter.

Parameters:
  • name (str)

  • query_filter (str | Iterable)

connect(connection_str=None, **kwargs)

Connect to data source.

Parameters:

connection_str (Optional[str]) – Connect to a data source

property connected: bool

Return true if at least one connection has been made.

Returns:

True if a successful connection has been made.

Return type:

bool

Notes

This does not guarantee that the last data source connection was successful. It is a best effort to track whether the provider has made at least one successful authentication.

property driver_queries: Iterable[dict[str, Any]]

Return generator of Mordor query definitions.

Yields:

Iterable[Dict[str, Any]] – Iterable of Dictionaries containing query definitions.

get_driver_property(name)

Return value or KeyError from driver properties.

Parameters:

name (str)

Return type:

Any

static get_http_timeout(**kwargs)

Get http timeout from settings or kwargs.

property instance: str | None

Return instance name, if one is set.

Returns:

The name of driver instance or None if the driver does not support multiple instances

Return type:

Optional[str]

property loaded: bool

Return true if the provider is loaded.

Returns:

True if the provider is loaded.

Return type:

bool

Notes

This is not relevant for some providers.

mdr_idx_tact: dict[str, set[str]]
mdr_idx_tech: dict[str, set[str]]
mitre_tactics: DataFrame
mitre_techniques: DataFrame
mordor_data: dict[str, MordorEntry]
query(query, query_source=None, **kwargs)

Execute query string and return DataFrame of results.

Parameters:
  • query (str) – The query to execute

  • query_source (QuerySource) – The query definition object

  • kwargs – Are passed to the underlying provider query method, if supported.

Returns:

A DataFrame (if successful) or the underlying provider result on error.

Return type:

Union[pd.DataFrame, Any]

property query_attach_spec: dict[str, set[str]]

Parameters that determine whether a query is relevant for the driver.

query_usable(query_source)

Return True if query should be exposed for this driver.

Parameters:

query_source (QuerySource)

Return type:

bool

query_with_results(query, **kwargs)

Execute query string and return DataFrame plus native results.

Parameters:

query (str) – The query to execute

Returns:

A DataFrame and native results.

Return type:

Tuple[pd.DataFrame,Any]

property schema: dict[str, dict]

Return current data schema of connection.

Returns:

Data schema of current connection.

Return type:

Dict[str, Dict]

search_queries(search)

Search queries for matching attributes.

Parameters:

search (str) – Search string. Substrings separated by commas will be treated as OR terms - e.g. “a, b” == “a” or “b”. Substrings separated by “+” will be treated as AND terms - e.g. “a + b” == “a” and “b”

Returns:

Iterable of matching query names.

Return type:

Iterable[str]

property service_queries: tuple[dict[str, str], str]

Return queries retrieved from the service after connecting.

Returns:

A dictionary mapping query_name to query_text, and the name of the container to add the queries to.

Return type:

Tuple[Dict[str, str], str]

set_driver_property(name, value)

Set an item in driver properties.

Parameters:
  • name (str)

  • value (Any)

class msticpy.data.drivers.mordor_driver.MordorEntry(title, id, entry_type, creation_date, modification_date, contributors=NOTHING, author=None, platform=None, description=None, tags=NOTHING, files=NOTHING, datasets=NOTHING, attack_mappings=NOTHING, notebooks=NOTHING, simulation=NOTHING, references=NOTHING, rel_file_paths=NOTHING)

Bases: object

Mordor data set metadata.

Method generated by attrs for class MordorEntry.

Parameters:
  • title (str)

  • id (str)

  • entry_type (str)

  • creation_date (datetime)

  • modification_date (datetime)

  • contributors (list[str])

  • author (str | None)

  • platform (str | None)

  • description (str | None)

  • tags (list[str])

  • files (list[dict[str, Any]])

  • datasets (list[dict[str, Any]])

  • attack_mappings (list[dict[str, Any]])

  • notebooks (list[dict[str, str]])

  • simulation (dict[str, Any])

  • references (list[Any])

  • rel_file_paths (list[dict[str, Any]])

attack_mappings: list[dict[str, Any]]
author: str | None
contributors: list[str]
creation_date: datetime
datasets: list[dict[str, Any]]
description: str | None
entry_type: str
files: list[dict[str, Any]]
get_attacks()

Return list of Mitre attack classifications.

Returns:

List of MitreAttack definitions.

Return type:

List[MitreAttack]

get_file_paths()

Return list of data file links.

Returns:

List of dictionaries describing files. Each entry has key/values for:
  • file_type

  • file_path

  • relative_path

  • qry_path

Return type:

List[Dict[str, str]]

get_notebooks()

Return the list of notebooks for the dataset.

Returns:

Tuples of (name, project, link)

Return type:

List[Tuple[str, str, str]]

id: str
modification_date: datetime
notebooks: list[dict[str, str]]
platform: str | None
references: list[Any]
simulation: dict[str, Any]
tags: list[str]
title: str
msticpy.data.drivers.mordor_driver.download_mdr_file(file_uri, use_cached=True, save_folder='.', silent=False)

Download data file from Mordor.

Parameters:
  • file_uri (str) – The URI of the file to download.

  • use_cached (bool, optional) – Try to use locally saved file first, by default True

  • save_folder (str, optional) – Path to output folder, by default “.”

  • silent (bool) – If True, suppress feedback. By default, False.

Returns:

DataFrame of Dataset

Return type:

pd.DataFrame
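The cache-first behaviour that `use_cached` and `save_folder` describe, as an added example written for this page (not msticpy's own `download_mdr_file` code). The network fetch is replaced by an injected `fetch` callable so the block runs offline; the local-name derivation, the traversal check on the derived name and the `demo` helper with its fake fetcher and placeholder URI are all assumptions of this example. The real function additionally parses the downloaded file into a DataFrame, which is omitted here.

```python
"""Cache-first download logic (added example, not msticpy code)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, Tuple
from urllib.parse import urlparse


def local_name_for(file_uri: str) -> str:
    """Derive a safe local file name from the last segment of the URI path.

    Only the final path component is used, and empty, '.' or '..' names are
    rejected, so a crafted URI cannot steer the write outside save_folder.
    (Defensive check chosen for this example.)
    """
    name = Path(urlparse(file_uri).path).name
    if name in ("", ".", "..") or "/" in name or "\\" in name:
        raise ValueError(f"cannot derive a safe local file name from {file_uri!r}")
    return name


def fetch_with_cache(
    file_uri: str,
    fetch: Callable[[str], bytes],
    use_cached: bool = True,
    save_folder: str = ".",
) -> Tuple[bytes, bool]:
    """Return (content, served_from_cache).

    With use_cached=True an existing file in save_folder is returned without
    calling fetch; otherwise the file is fetched and (re)written to disk.
    """
    folder = Path(save_folder)
    folder.mkdir(parents=True, exist_ok=True)
    target = folder / local_name_for(file_uri)
    if use_cached and target.is_file():
        return target.read_bytes(), True
    content = fetch(file_uri)
    target.write_bytes(content)
    return content, False


def sha256_hex(content: bytes) -> str:
    """Digest of what was actually written, useful for recording provenance."""
    return hashlib.sha256(content).hexdigest()


def demo() -> Dict[str, object]:
    """Exercise the cache three times with a counting fake fetcher (no network)."""
    calls = {"n": 0}
    # Constructed placeholder content standing in for a downloaded dataset file.
    payload = b'{"@timestamp":"2020-01-01T00:00:00Z","EventID":4624}\n'

    def fake_fetch(uri: str) -> bytes:  # stand-in for an HTTP GET
        calls["n"] += 1
        return payload

    uri = "https://example.invalid/datasets/sample.zip"  # placeholder URI
    with tempfile.TemporaryDirectory() as folder:
        first, cached1 = fetch_with_cache(uri, fake_fetch, save_folder=folder)
        second, cached2 = fetch_with_cache(uri, fake_fetch, save_folder=folder)
        third, cached3 = fetch_with_cache(uri, fake_fetch, use_cached=False, save_folder=folder)
    return {
        "fetches": calls["n"],
        "cached": (cached1, cached2, cached3),
        "digest": sha256_hex(first),
        "identical": first == second == third,
    }


if __name__ == "__main__":
    print(demo())
```

Note that a cached copy is trusted blindly: `use_cached=True` never re-validates the file against the remote, so a stale or tampered local file is served as-is. Recording the digest at download time, as `sha256_hex` does here, is the minimum needed to notice that later.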

msticpy.data.drivers.mordor_driver.get_mdr_data_paths(item_type='metadata')

Generate paths to Mordor data set items from the GitHub repo.

Parameters:

item_type (str, optional) – The type of item required, by default "metadata". Other values are "large" and "small".

Yields:

str – Iterable of paths

Return type:

Generator[str, None, None]

msticpy.data.drivers.mordor_driver.search_mdr_data(mdr_data, terms=None, subset=None)

Return IDs for items matching terms.

Parameters:
  • mdr_data (Dict[str, MordorEntry]) – Mordor dataset

  • terms (str, optional) – Search terms, by default None. Comma-separated values are treated as OR terms; plus-separated values are treated as AND terms.

  • subset (Iterable[str], optional) – A subset of IDs over which to search, by default None

Returns:

The set of matching IDs.

Return type:

Set[str]
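The comma/plus search syntax shared by `MordorDriver.search_queries` and `search_mdr_data` above, as an added example written for this page rather than msticpy's own implementation. The `MdrEntry` dataclass is a minimal stand-in for `MordorEntry`, the sample records are constructed (not real OTRF dataset metadata), and the decision to reject a string that mixes both separators is a design choice of this example.

```python
"""Comma = OR, plus = AND search over dataset metadata (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class MdrEntry:
    """Minimal stand-in for msticpy's MordorEntry (constructed for this example)."""
    id: str
    title: str
    platform: str
    tags: List[str] = field(default_factory=list)
    attack_mappings: List[Dict[str, object]] = field(default_factory=list)

    def searchable_text(self) -> str:
        """Flatten the fields a search should look at into one case-folded string."""
        techniques = [str(m.get("technique", "")) for m in self.attack_mappings]
        subs = [str(m.get("sub-technique", "")) for m in self.attack_mappings]
        parts = [self.id, self.title, self.platform, *self.tags, *techniques, *subs]
        return " ".join(parts).casefold()


def parse_search_terms(search: str) -> Tuple[str, List[str]]:
    """Split 'a, b' into OR terms and 'a + b' into AND terms.

    A string that contains both separators is rejected rather than guessed at.
    """
    if "," in search and "+" in search:
        raise ValueError("use either ',' (OR) or '+' (AND), not both")
    if "," in search:
        return "OR", [t.strip().casefold() for t in search.split(",") if t.strip()]
    if "+" in search:
        return "AND", [t.strip().casefold() for t in search.split("+") if t.strip()]
    return "AND", [search.strip().casefold()]


def search_entries(
    mdr_data: Dict[str, MdrEntry],
    terms: Optional[str] = None,
    subset: Optional[Iterable[str]] = None,
) -> Set[str]:
    """Return the IDs of entries matching terms (all candidate IDs when terms is None)."""
    candidates = set(mdr_data) if subset is None else set(subset) & set(mdr_data)
    if not terms:
        return candidates
    mode, words = parse_search_terms(terms)
    combine = all if mode == "AND" else any
    return {
        entry_id
        for entry_id in candidates
        if combine(word in mdr_data[entry_id].searchable_text() for word in words)
    }


# Constructed sample metadata; IDs, titles and mappings are illustrative only.
SAMPLE_DATA: Dict[str, MdrEntry] = {
    "SDWIN-001": MdrEntry(
        "SDWIN-001", "Empire DCSync", "Windows", tags=["credential access"],
        attack_mappings=[{"technique": "T1003", "sub-technique": "006", "tactics": ["TA0006"]}],
    ),
    "SDWIN-002": MdrEntry(
        "SDWIN-002", "Remote service creation", "Windows", tags=["lateral movement"],
        attack_mappings=[{"technique": "T1021", "tactics": ["TA0008"]}],
    ),
    "SDLIN-001": MdrEntry(
        "SDLIN-001", "Linux cron persistence", "Linux", tags=["persistence"],
        attack_mappings=[{"technique": "T1053", "sub-technique": "003", "tactics": ["TA0003"]}],
    ),
}


if __name__ == "__main__":
    print(sorted(search_entries(SAMPLE_DATA, "T1003, T1021")))      # OR
    print(sorted(search_entries(SAMPLE_DATA, "windows + T1021")))     # AND
    print(sorted(search_entries(SAMPLE_DATA, "persistence", subset=["SDWIN-001"])))
```

Matching is a case-insensitive substring test, so a term such as `T100` also matches `T1003`; when narrowing to one technique, include the full ID or combine it with a platform term using `+`.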