feat: add attack spec version 3.3.0 objects to stix20/ code

elucchesileon · elucchesileon · commit 440283b77a1a · 2025-10-10T08:43:25.000-04:00
diff --git a/mitreattack/stix20/MitreAttackData.py b/mitreattack/stix20/MitreAttackData.py
@@ -26,10 +26,12 @@
 from stix2.utils import get_type_from_id
 
 from mitreattack.stix20.custom_attack_objects import (
+    Analytic,
     Asset,
     CustomStixObject,
     DataComponent,
     DataSource,
+    DetectionStrategy,
     Matrix,
     StixObjectFactory,
     Tactic,
@@ -106,6 +108,8 @@ class MitreAttackData:
         "x-mitre-data-source",
         "x-mitre-data-component",
         "x-mitre-asset",
+        "x-mitre-analytic",
+        "x-mitre-detection-strategy",
     ]
 
     # --- Software/Group Relationships ---
@@ -148,6 +152,10 @@ class MitreAttackData:
     all_techniques_targeting_all_assets: Optional[RelationshipMapT[Technique]] = None
     all_assets_targeted_by_all_techniques: Optional[RelationshipMapT[Asset]] = None
 
+    # --- Detection Strategy/Technique Relationships ---
+    all_detection_strategies_detecting_all_techniques: Optional[RelationshipMapT[DetectionStrategy]] = None
+    all_techniques_detected_by_all_detection_strategies: Optional[RelationshipMapT[Technique]] = None
+
     def __init__(self, stix_filepath: str | None = None, src: stix2.MemoryStore | None = None):
         """Initialize a MitreAttackData object.
 
@@ -431,6 +439,36 @@ def get_datacomponents(self, remove_revoked_deprecated: bool = False) -> list[Da
         """
         return self.get_objects_by_type("x-mitre-data-component", remove_revoked_deprecated)
 
+    def get_analytics(self, remove_revoked_deprecated: bool = False) -> list[Analytic]:
+        """Retrieve all analytic objects.
+
+        Parameters
+        ----------
+        remove_revoked_deprecated : bool, optional
+            Remove revoked or deprecated objects from the query, by default False.
+
+        Returns
+        -------
+        list[Analytic]
+            A list of Analytic objects.
+        """
+        return self.get_objects_by_type("x-mitre-analytic", remove_revoked_deprecated)
+
+    def get_detectionstrategies(self, remove_revoked_deprecated: bool = False) -> list[DetectionStrategy]:
+        """Retrieve all detection strategy objects.
+
+        Parameters
+        ----------
+        remove_revoked_deprecated : bool, optional
+            Remove revoked or deprecated objects from the query, by default False.
+
+        Returns
+        -------
+        list[DetectionStrategy]
+            A list of DetectionStrategy objects.
+        """
+        return self.get_objects_by_type("x-mitre-detection-strategy", remove_revoked_deprecated)
+
     ###################################
     # Get STIX Objects by Value
     ###################################
@@ -733,6 +771,37 @@ def get_techniques_used_by_group_software(self, group_stix_id: str) -> list[Tech
         technique_ids = [r.target_ref for r in software_uses]
         return self.src.query([Filter("type", "=", "attack-pattern"), Filter("id", "in", technique_ids)])
 
+    def get_analytics_by_detection_strategy(
+        self, detection_strategy_stix_id: str, remove_revoked_deprecated: bool = False
+    ) -> list[Analytic]:
+        """Retrieve analytics for a detection strategy.
+
+        Parameters
+        ----------
+        detection_strategy_stix_id: str
+            Detection Strategy to search.
+        remove_revoked_deprecated : bool, optional
+            Remove revoked or deprecated objects from the query, by default False.
+
+        Returns
+        -------
+        list[Analytic]
+            A list of Analytic objects referenced by the given detection strategy.
+
+        Raises
+        ------
+        ValueError
+            If no detection strategy with the given STIX ID is found.
+        """
+        detection_strategy = self.get_object_by_stix_id(detection_strategy_stix_id)
+        analytic_refs = self.get_field(detection_strategy, "x_mitre_analytic_refs", [])
+
+        filters = [Filter("type", "=", "x-mitre-analytic"), Filter("id", "in", analytic_refs)]
+        analytics = self.src.query(filters)
+        if remove_revoked_deprecated:
+            analytics = self.remove_revoked_deprecated(analytics)
+        return analytics
+
     ###################################
     # Get STIX Object by Value
     ###################################
@@ -1960,3 +2029,87 @@ def get_assets_targeted_by_technique(self, technique_stix_id: str) -> list[Relat
             if technique_stix_id in assets_targeted_by_techniques
             else []
         )
+
+    ############################################
+    # Detection Strategy/Technique Relationships
+    ############################################
+
+    def get_all_detection_strategies_detecting_all_techniques(self) -> RelationshipMapT[DetectionStrategy]:
+        """Get all detection strategies detecting all techniques.
+
+        Returns
+        -------
+        RelationshipMapT[DetectionStrategy]
+            Mapping of asset_stix_id to RelationshipEntry[DetectionStrategy] for each detection strategy detecting the technique.
+        """
+        # return data if it has already been fetched
+        if self.all_detection_strategies_detecting_all_techniques:
+            return self.all_detection_strategies_detecting_all_techniques
+
+        self.all_detection_strategies_detecting_all_techniques = self.get_related(
+            "x-mitre-detection-strategy", "detects", "attack-pattern", reverse=True
+        )
+
+        return self.all_detection_strategies_detecting_all_techniques
+
+    def get_detection_strategies_detecting_technique(
+        self, technique_stix_id: str
+    ) -> list[RelationshipEntry[DetectionStrategy]]:
+        """Get all detection strategies detecting a technique.
+
+        Parameters
+        ----------
+        technique_stix_id : str
+            The STIX ID of the technique.
+
+        Returns
+        -------
+        list[RelationshipEntry[DetectionStrategy]]
+            List of RelationshipEntry[DetectionStrategy] for each detection strategy detecting the technique.
+        """
+        detection_strategies_detecting_techniques = self.get_all_detection_strategies_detecting_all_techniques()
+        return (
+            detection_strategies_detecting_techniques[technique_stix_id]
+            if technique_stix_id in detection_strategies_detecting_techniques
+            else []
+        )
+
+    def get_all_techniques_detected_by_all_detection_strategies(self) -> RelationshipMapT[Technique]:
+        """Get all techniques detected by all detection strategies.
+
+        Returns
+        -------
+        RelationshipMapT[Technique]
+            Mapping of detection_strategy_stix_id to RelationshipEntry[Technique] for each technique detected by the detection strategy.
+        """
+        # return data if it has already been fetched
+        if self.all_techniques_detected_by_all_detection_strategies:
+            return self.all_techniques_detected_by_all_detection_strategies
+
+        self.all_techniques_detected_by_all_detection_strategies = self.get_related(
+            "x-mitre-detection-strategy", "detects", "attack-pattern"
+        )
+
+        return self.all_techniques_detected_by_all_detection_strategies
+
+    def get_techniques_detected_by_detection_strategy(
+        self, detection_strategy_stix_id: str
+    ) -> list[RelationshipEntry[Technique]]:
+        """Get all techniques detected by a detection strategy.
+
+        Parameters
+        ----------
+        detection_strategy_stix_id : str
+            The STIX ID of the detection strategy.
+
+        Returns
+        -------
+        list[RelationshipEntry[Technique]]
+            List of RelationshipEntry[Technique] for each technique detected by the detection strategy.
+        """
+        techniques_detected_by_detection_strategies = self.get_all_techniques_detected_by_all_detection_strategies()
+        return (
+            techniques_detected_by_detection_strategies[detection_strategy_stix_id]
+            if detection_strategy_stix_id in techniques_detected_by_detection_strategies
+            else []
+        )
diff --git a/mitreattack/stix20/custom_attack_objects.py b/mitreattack/stix20/custom_attack_objects.py
@@ -80,6 +80,8 @@ def StixObjectFactory(data: dict) -> Union[CustomStixObject, stix2.v20.sdo._Doma
         "x-mitre-data-source": DataSource,
         "x-mitre-data-component": DataComponent,
         "x-mitre-asset": Asset,
+        "x-mitre-analytic": Analytic,
+        "x-mitre-detection-strategy": DetectionStrategy,
     }
 
     stix_type = data.get("type")
@@ -220,6 +222,7 @@ class DataSource(CustomStixObject, object):
         ("x_mitre_attack_spec_version", StringProperty()),
         # Data Component Properties
         ("x_mitre_data_source_ref", ReferenceProperty(valid_types="x-mitre-data-source", spec_version="2.0")),
+        ("x_mitre_log_sources", ListProperty(DictionaryProperty())),
     ],
 )
 class DataComponent(CustomStixObject, object):
@@ -228,6 +231,7 @@ class DataComponent(CustomStixObject, object):
     Custom Properties
     -----------------
     x_mitre_data_source_ref: str
+    x_mitre_log_sources: list[object]
     """
 
     pass
@@ -268,3 +272,77 @@ class Asset(CustomStixObject, object):
     """
 
     pass
+
+
+@CustomObject(
+    "x-mitre-analytic",
+    [
+        # SDO Common Properties
+        ("id", IDProperty("x-mitre-analytic", spec_version="2.0")),
+        ("type", TypeProperty("x-mitre-analytic", spec_version="2.0")),
+        ("created_by_ref", ReferenceProperty(valid_types="identity", spec_version="2.0")),
+        ("created", TimestampProperty(precision="millisecond")),
+        ("modified", TimestampProperty(precision="millisecond")),
+        ("revoked", BooleanProperty(default=lambda: False)),
+        ("external_references", ListProperty(ExternalReference)),
+        ("object_marking_refs", ListProperty(ReferenceProperty(valid_types="marking-definition", spec_version="2.0"))),
+        ("name", StringProperty(required=True)),
+        ("description", StringProperty()),
+        ("x_mitre_modified_by_ref", ReferenceProperty(valid_types="identity", spec_version="2.0")),
+        ("x_mitre_version", StringProperty()),
+        ("x_mitre_attack_spec_version", StringProperty()),
+        ("x_mitre_domains", ListProperty(StringProperty())),
+        ("x_mitre_contributors", ListProperty(StringProperty())),
+        ("x-mitre-deprecated", BooleanProperty(default=lambda: False)),
+        # Analytic Properties
+        ("x_mitre_platforms", ListProperty(StringProperty())),
+        ("x_mitre_log_source_references", ListProperty(DictionaryProperty())),
+        ("x_mitre_mutable_elements", ListProperty(DictionaryProperty())),
+    ],
+)
+class Analytic(CustomStixObject, object):
+    """Custom Analytic object of type stix2.CustomObject.
+
+    Custom Properties
+    -----------------
+    x_mitre_platforms: list[str]
+    x_mitre_log_source_references: list[object]
+    x_mitre_mutable_elements: list[object]
+    """
+
+    pass
+
+
+@CustomObject(
+    "x-mitre-detection-strategy",
+    [
+        # SDO Common Properties
+        ("id", IDProperty("x-mitre-detection-strategy", spec_version="2.0")),
+        ("type", TypeProperty("x-mitre-detection-strategy", spec_version="2.0")),
+        ("created_by_ref", ReferenceProperty(valid_types="identity", spec_version="2.0")),
+        ("created", TimestampProperty(precision="millisecond")),
+        ("modified", TimestampProperty(precision="millisecond")),
+        ("revoked", BooleanProperty(default=lambda: False)),
+        ("external_references", ListProperty(ExternalReference)),
+        ("object_marking_refs", ListProperty(ReferenceProperty(valid_types="marking-definition", spec_version="2.0"))),
+        ("name", StringProperty(required=True)),
+        ("description", StringProperty()),
+        ("x_mitre_modified_by_ref", ReferenceProperty(valid_types="identity", spec_version="2.0")),
+        ("x_mitre_version", StringProperty()),
+        ("x_mitre_attack_spec_version", StringProperty()),
+        ("x_mitre_domains", ListProperty(StringProperty())),
+        ("x_mitre_contributors", ListProperty(StringProperty())),
+        ("x-mitre-deprecated", BooleanProperty(default=lambda: False)),
+        # Detection Strategy Properties
+        ("x_mitre_analytic_refs", ListProperty(StringProperty())),
+    ],
+)
+class DetectionStrategy(CustomStixObject, object):
+    """Custom Detection Strategy object of type stix2.CustomObject.
+
+    Custom Properties
+    -----------------
+    x_mitre_analytic_refs: list[str]
+    """
+
+    pass
