dump-detections.py
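#!/usr/local/python/bin/python3
"""Dump ATT&CK detection coverage for the ESXi platform, grouped by log source.

Loads a MITRE ATT&CK Enterprise STIX 2.0 bundle, collects every non-revoked,
non-deprecated technique that lists the ESXi platform, walks the detection
strategies that ``detects`` one of those techniques, and for every log source
named by the strategies' analytics records which strategy names, technique
names and ATT&CK tactics that log source supports.  Only log sources whose
name starts with "esx" (case-insensitive) are printed.

Output format (unchanged from the original one-off script): one
``* <log source>`` header per log source, followed by ``<log source>,<value>``
rows listing its strategy names, then technique names, then tactic names.
Rows are written through the ``csv`` module so a value containing a comma or
quote is quoted instead of silently corrupting the row.

Usage: dump-detections.py [BUNDLE_PATH]   (default: enterprise-attack.json)

NOTE(review): the bundle is trusted input that drives the coverage picture
this produces.  Obtain it from the official MITRE CTI repository over HTTPS
and check its integrity (hash / release tag) before running against it.
"""
from mitreattack.stix20 import MitreAttackData
import csv
import re
import sys

# Path of the Enterprise ATT&CK STIX bundle; overridable via argv[1].
DEFAULT_BUNDLE = "enterprise-attack.json"
# ATT&CK platform whose techniques are collected.
PLATFORM = "ESXi"
# Only log sources whose name begins with this are reported (case-insensitive).
LOG_SOURCE_PATTERN = re.compile(r"esx", re.IGNORECASE)
# Only phases of this kill chain are reported as tactics.
KILL_CHAIN = "mitre-attack"


def _append_unique(values: list, item) -> None:
    """Append *item* to *values* unless it is already present (keeps order)."""
    if item not in values:
        values.append(item)


def _cache_techniques(mitre_attack_data, platform: str) -> dict:
    """Return ``{stix_id: {"id": attack_id, "name": ..., "tactic": phases}}``.

    Covers every non-revoked, non-deprecated technique that lists *platform*.
    ``tactic`` holds the raw ``kill_chain_phases`` list; a technique without
    that property contributes no tactics rather than raising.
    """
    cache = {}
    techniques = mitre_attack_data.get_techniques_by_platform(
        platform, remove_revoked_deprecated=True
    )
    for technique in techniques:
        stix_id = technique["id"]
        cache[stix_id] = {
            "id": mitre_attack_data.get_attack_id(stix_id),
            "name": technique["name"],
            "tactic": technique.get("kill_chain_phases", []),
        }
    return cache


def _collect_log_sources(mitre_attack_data, techniques_cache: dict, detection_strategies) -> dict:
    """Map log-source name -> ``{"name": [...], "technique": [...], "tactic": [...]}``.

    Only detection strategies that ``detects`` a technique present in
    *techniques_cache* contribute.  Each list is de-duplicated and keeps
    first-seen order.  Strategies without ``x_mitre_analytic_refs`` and
    analytics without ``x_mitre_log_source_references`` are skipped instead
    of raising KeyError (the original guarded only the inner key).
    """
    log_sources = {}
    for strategy in detection_strategies:
        # NOTE(review): this queries the relationship set once per strategy;
        # acceptable for a one-off dump, but hoisting a single reverse lookup
        # would be cheaper if this ever runs repeatedly.
        detected = mitre_attack_data.get_related(
            strategy["id"], "detects", "attack-pattern", True
        )
        for technique_stix_id in detected:
            if technique_stix_id not in techniques_cache:
                continue
            technique = techniques_cache[technique_stix_id]
            for analytic_ref in strategy.get("x_mitre_analytic_refs", []):
                analytic = mitre_attack_data.get_object_by_stix_id(analytic_ref)
                if analytic is None:
                    continue  # dangling analytic reference in the bundle
                for log_source_ref in analytic.get("x_mitre_log_source_references", []):
                    entry = log_sources.setdefault(
                        log_source_ref["name"],
                        {"name": [], "technique": [], "tactic": []},
                    )
                    _append_unique(entry["name"], strategy["name"])
                    _append_unique(entry["technique"], technique["name"])
                    for phase in technique["tactic"]:
                        if phase["kill_chain_name"] == KILL_CHAIN:
                            _append_unique(entry["tactic"], phase["phase_name"])
    return log_sources


def _print_report(log_sources: dict, out=sys.stdout) -> None:
    """Write the per-log-source report for log sources matching LOG_SOURCE_PATTERN."""
    # lineterminator="\n" keeps the original newline style; csv's default is "\r\n".
    writer = csv.writer(out, lineterminator="\n")
    for log_source, entry in log_sources.items():
        if not LOG_SOURCE_PATTERN.match(log_source):
            continue
        out.write("* " + log_source + "\n")
        for column in ("name", "technique", "tactic"):
            for value in entry[column]:
                writer.writerow([log_source, value])


def main(argv: list[str] | None = None) -> None:
    """Entry point: load the bundle named by argv[0] (or DEFAULT_BUNDLE) and print the report."""
    args = sys.argv[1:] if argv is None else argv
    bundle = args[0] if args else DEFAULT_BUNDLE
    mitre_attack_data = MitreAttackData(bundle)
    techniques_cache = _cache_techniques(mitre_attack_data, PLATFORM)
    detection_strategies = mitre_attack_data.get_detectionstrategies(
        remove_revoked_deprecated=True
    )
    _print_report(_collect_log_sources(mitre_attack_data, techniques_cache, detection_strategies))


if __name__ == "__main__":
    main()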