| get_data_statsA | Return statistics about downloaded MITRE ATT&CK STIX data. This confirms which domains are present on disk, their file paths,
sizes, and ATT&CK release version. It assumes that downloads have
already been attempted at server startup. |
| get_technique_by_idA | "
Retrieve a MITRE ATT&CK technique by its external ATT&CK ID (e.g., "T1055", "T1053.005"). This tool searches the specified ATT&CK domain (enterprise, mobile, or ics)
and returns both structured machine-readable data and an optional formatted
human-readable text block. It is useful for user-facing responses as well
as downstream programmatic reasoning.
Args:
technique_id: The external ATT&CK technique ID (e.g., "T1055").
domain: ATT&CK domain to search in ("enterprise", "mobile", "ics").
include_description: If True, returns the full ATT&CK description text.
Returns:
{
"found": bool,
"technique": {
"id": "<ATT&CK ID>",
"name": "<technique name>",
"stix_id": "<STIX object ID>",
"description": "<full description or null>"
},
"formatted": "<human-readable formatted block>",
"message": "<status message>"
}
|
| get_object_by_attack_idA | Retrieve any MITRE ATT&CK object by its external ATT&CK ID and STIX type.
This tool supports techniques, intrusion sets (APT groups), malware,
tools, mitigations, campaigns, data sources, data components, and tactics.
Args:
attack_id: The external ATT&CK ID (e.g., "T1055", "G0016", "S0154", "M1013").
stix_type: The STIX object type (e.g., "attack-pattern", "intrusion-set").
domain: ATT&CK domain ("enterprise", "mobile", or "ics").
include_description: Whether to include the object's description field.
Returns:
{
"found": bool,
"object": {
"id": "<ATT&CK ID>",
"name": "<object name>",
"stix_id": "<STIX object ID>",
"type": "<stix_type>",
"description": "<description or null>"
},
"formatted": "<human-readable formatted output>",
"message": "<status>"
}
|
| get_object_by_stix_idA | Retrieve any MITRE ATT&CK object by its STIX ID (UUID).
STIX IDs are internal identifiers like:
- attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b
This tool is useful when you already have a STIX ID from another
query or relationship and want to resolve it to the full object.
Args:
stix_id: STIX object ID (e.g., "attack-pattern--...").
domain: ATT&CK domain to search in ("enterprise", "mobile", "ics").
include_description: Whether to include the object's description.
Returns:
{
"found": bool,
"object": {
"attack_id": "<ATT&CK external ID or null>",
"name": "<object name>",
"stix_id": "<STIX ID>",
"type": "<stix type>",
"description": "<description or null>"
},
"formatted": "<human-readable formatted text>",
"message": "<status message>"
}
|
| get_objects_by_nameA | Retrieve MITRE ATT&CK objects by exact name match (case-sensitive).
This tool performs an exact name match for a specific STIX type within
a given ATT&CK domain. It is more strict than generic search methods,
which typically perform partial or keyword matching.
Examples:
- Technique: get_objects_by_name("Phishing", "attack-pattern")
- Group: get_objects_by_name("APT29", "intrusion-set")
- Malware: get_objects_by_name("Cobalt Strike", "malware")
Args:
name: Exact object name to search for (case-sensitive).
stix_type: STIX object type (same values as get_object_by_attack_id),
e.g. "attack-pattern", "intrusion-set", "malware",
"tool", "course-of-action", etc.
domain: ATT&CK domain ("enterprise", "mobile", or "ics").
include_description: Whether to include descriptions in the formatted output
and structured result.
Returns:
{
"count": <number of matching objects>,
"objects": [
{
"attack_id": "<ATT&CK external ID or null>",
"name": "<object name>",
"stix_id": "<STIX ID>",
"type": "<stix_type>",
"description": "<description or null>"
},
...
],
"formatted": "<human-readable multi-object formatted text>",
"message": "<status summary>"
}
|
| get_objects_by_contentA | Search MITRE ATT&CK objects by matching text inside their description field.
This performs a full-text search over object descriptions. It is useful for:
• Finding techniques related to specific technologies (e.g., “PowerShell”)
• Finding groups mentioning a region or country (e.g., “Russia”)
• Finding mitigations referencing specific defenses (e.g., “multi-factor”)
• Searching malware or tool descriptions for keywords
Args:
content: The text to search for (case-insensitive, partial match).
object_type: STIX object type, such as:
- "attack-pattern" (techniques)
- "intrusion-set" (APT groups)
- "malware"
- "tool"
- "course-of-action" (mitigations)
- "campaign"
- "x-mitre-data-source"
- "x-mitre-data-component"
- etc.
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to return descriptions in the structured output.
Returns:
{
"count": <number of matches>,
"objects": [
{
"attack_id": "<ATT&CK ID or null>",
"name": "<object name>",
"stix_id": "<STIX ID>",
"type": "<object_type>",
"description": "<description or null>"
},
...
],
"formatted": "<human-readable formatted list>",
"message": "<status message>"
}
|
| get_techniques_by_tacticA | Get all techniques associated with a specific ATT&CK tactic.
This uses the MITRE ATT&CK Navigator-style mapping between tactics and
techniques for a given domain (e.g., "enterprise-attack").
Examples:
- get_techniques_by_tactic("Initial Access", "enterprise")
- get_techniques_by_tactic("Execution", "enterprise")
- get_techniques_by_tactic("Persistence", "enterprise")
Args:
tactic: Tactic name (e.g., "Initial Access", "Persistence").
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include technique descriptions
in the structured and formatted output.
Returns:
{
"count": <number of techniques>,
"techniques": [
{
"attack_id": "<TXXXX or TXXXX.YYY>",
"name": "<technique name>",
"stix_id": "<attack-pattern--...>",
"description": "<description or null>",
"tactic": "<tactic name>",
},
...
],
"formatted": "<human-readable technique list>",
"message": "<status summary>"
}
|
| search_techniquesA | Search MITRE ATT&CK techniques by keyword in their name or description.
This tool performs a case-insensitive search over all non-revoked,
non-deprecated techniques in the given domain. A technique is matched if
the query string appears in either:
• the technique name, or
• the technique description
Examples:
- search_techniques("PowerShell")
- search_techniques("credential dumping")
- search_techniques("initial access", domain="enterprise")
Args:
query: Text to search for in technique names and descriptions.
domain: ATT&CK domain ("enterprise", "mobile", or "ics").
include_description: Whether to include descriptions in the structured
result and formatted output.
Returns:
{
"count": <number of matches>,
"techniques": [
{
"attack_id": "<TXXXX or TXXXX.YYY>",
"name": "<technique name>",
"stix_id": "<attack-pattern--...>",
"description": "<description or null>",
},
...
],
"formatted": "<human-readable formatted list>",
"message": "<status summary>"
}
|
| get_group_by_nameA | Retrieve an intrusion set (APT group) by name or alias (case-insensitive match).
This tool searches ATT&CK intrusion sets by name or alias and returns the first
matching group. Matching is case-insensitive and supports partial matches.
Examples:
- get_group_by_name("APT29")
- get_group_by_name("Lazarus")
- get_group_by_name("Fancy Bear")
Args:
group_name: The group name or alias to search for (case-insensitive).
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include descriptions in the output.
Returns:
{
"found": bool,
"group": {
"attack_id": "<GXXXX>",
"name": "<group name>",
"aliases": [...],
"stix_id": "<intrusion-set--...>",
"description": "<description or null>"
},
"formatted": "<human-readable text>",
"message": "<status>"
}
|
| get_stix_typeA | Determine the STIX object type for a given STIX ID.
This is useful when you have a raw STIX UUID (e.g.,
"attack-pattern--xxxx") but need to know whether it corresponds to a
technique, intrusion set, malware, tool, mitigation, data source, etc.
Args:
stix_id: The STIX UUID identifier to look up.
domain: ATT&CK domain ("enterprise", "mobile", "ics").
Returns:
{
"found": bool,
"stix_type": "<type string or null>",
"message": "<status message>"
}
Examples:
get_stix_type("attack-pattern--a62a8db3-f23a-4d8f-afd6-9dbc77e7813b")
→ "attack-pattern"
|
| search_groupsA | Search MITRE ATT&CK intrusion sets (APT groups) by name, alias, or
description (case-insensitive).
If the query is empty, all groups in the domain are returned.
Args:
query: Search keyword (name, alias, or any text in the description).
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include descriptions in the output.
Returns:
{
"count": <number of matches>,
"groups": [
{
"attack_id": "GXXXX",
"name": "...",
"aliases": [...],
"stix_id": "...",
"description": "..." | null
},
...
],
"formatted": "<LLM-friendly block>",
"message": "<summary>"
}
|
| get_group_techniquesA | Get all techniques used by a specific APT group (intrusion set).
This tool:
1) Locates a group by name or alias (case-insensitive, partial match).
2) Uses MITRE's get_techniques_used_by_group() to retrieve techniques
related to that group (via 'uses' relationships).
Args:
group_name: Group name or alias (e.g., "APT29", "Lazarus Group").
domain: ATT&CK domain ("enterprise", "mobile", or "ics").
include_description: Whether to include descriptions in the output.
Returns:
{
"found": bool, # whether the group was found
"group": {
"attack_id": "GXXXX",
"name": "...",
"aliases": [...],
"stix_id": "intrusion-set--...",
"description": "..." | null
} | null,
"count": <number of techniques>,
"techniques": [
{
"attack_id": "TXXXX or TXXXX.YYY",
"name": "...",
"stix_id": "attack-pattern--...",
"description": "..." | null,
"relationships": [
{
"stix_id": "relationship--...",
"relationship_type": "uses",
"description": "..." | null,
"source_ref": "...",
"target_ref": "..."
},
...
]
},
...
],
"formatted": "<human-readable technique list>",
"message": "<status summary>"
}
|
| get_softwareA | Get all software (malware and tools) in a given ATT&CK domain.
This returns non-revoked, non-deprecated software objects, including
both malware and tools, as defined by the MITRE ATT&CK dataset.
Args:
domain: ATT&CK domain to search ("enterprise", "mobile", or "ics").
include_description: Whether to include descriptions in the output and
formatted text.
Returns:
{
"count": <number of software objects>,
"software": [
{
"attack_id": "<SXXXX or similar, if present>",
"name": "<software name>",
"stix_id": "<STIX ID>",
"type": "<malware|tool|...>",
"description": "<text or null>"
},
...
],
"formatted": "<human-readable list>",
"message": "<status summary>"
}
|
| search_softwareA | Search MITRE ATT&CK software (malware & tools) by keyword in name or
description (case-insensitive).
Args:
query: Keyword to search for in software names and descriptions.
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include descriptions in the response.
Returns:
{
"count": <number of matches>,
"software": [
{
"attack_id": "<SXXXX or similar>",
"name": "...",
"stix_id": "...",
"type": "<tool|malware|...>",
"description": "..." | null
},
...
],
"formatted": "<nicely formatted block>",
"message": "<status summary>"
}
|
| get_attack_idA | Convert a STIX UUID into its human-readable ATT&CK ID.
This tool resolves internal STIX identifiers such as:
attack-pattern--UUID
malware--UUID
intrusion-set--UUID
tool--UUID
course-of-action--UUID
into ATT&CK IDs such as:
T1566 (Technique)
T1055.002 (Sub-technique)
G0016 (Group)
S0154 (Software)
M1013 (Mitigation)
Args:
stix_id: Full STIX UUID identifier.
domain: ATT&CK domain ("enterprise", "mobile", "ics").
Returns:
{
"found": bool,
"attack_id": "<ATT&CK ID or null>",
"message": "<status message>"
}
|
| get_nameA | Resolve the human-readable object name for a given STIX ID.
This converts internal STIX UUIDs such as:
attack-pattern--UUID
intrusion-set--UUID
malware--UUID
tool--UUID
course-of-action--UUID
into ATT&CK object names such as:
"Phishing"
"APT29"
"Cobalt Strike"
"Valid Accounts"
Args:
stix_id: STIX UUID of the object.
domain: ATT&CK domain ("enterprise", "mobile", "ics").
Returns:
{
"found": bool,
"name": "<object name or null>",
"message": "<status message>"
}
|
| get_technique_tacticsA | Get the ATT&CK tactic names associated with a given technique.
This tool:
1) Looks up a technique by its external ATT&CK ID (e.g., "T1055").
2) Extracts its kill chain phases (tactics) from the STIX object.
3) Returns human-readable tactic names (e.g., "Initial Access"),
along with the raw phase names and kill chain names.
Args:
technique_id: External ATT&CK technique ID (e.g., "T1055", "T1055.002").
domain: ATT&CK domain ("enterprise", "mobile", "ics").
Returns:
{
"found": bool,
"technique": {
"id": "<ATT&CK ID>",
"name": "<technique name or null>",
"stix_id": "<attack-pattern--... or null>",
} | null,
"tactics": [
{
"tactic": "<Human readable, e.g., 'Initial Access'>",
"phase_name": "<raw phase name, e.g., 'initial-access'>",
"kill_chain_name": "<kill chain name, e.g., 'mitre-attack'>"
},
...
],
"message": "<status message>"
}
|
| get_statsA | Get basic statistics about the loaded ATT&CK data for a given domain.
This returns counts of key object types (techniques, groups, software,
tactics, mitigations), excluding revoked/deprecated entries.
Args:
domain: ATT&CK domain ("enterprise", "mobile", "ics").
Returns:
{
"domain": "<domain>",
"stats": {
"techniques": <int>,
"groups": <int>,
"software": <int>,
"tactics": <int>,
"mitigations": <int>
},
"message": "<status message>"
}
|
| get_groups_by_aliasA | Get APT groups (intrusion sets) matching a given alias.
Many groups have multiple aliases—e.g., APT29 is also known as:
"Cozy Bear", "NOBELIUM", "Midnight Blizzard", etc.
This tool returns all groups whose alias list contains the given alias
(case-insensitive exact match, per MITRE's own alias indexing).
Args:
alias: Alias to search for (e.g., "Cozy Bear", "NOBELIUM").
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include group descriptions.
Returns:
{
"count": <number>,
"groups": [
{
"attack_id": "GXXXX",
"name": "<group name>",
"aliases": [...],
"stix_id": "<intrusion-set--UUID>",
"description": "<text or null>"
},
...
],
"formatted": "<formatted list>",
"message": "<status summary>"
}
|
| get_techniques_used_by_groupA | Get all techniques used by a specific APT group, identified by its STIX ID.
This is similar to `get_group_techniques`, but instead of a group name or
alias it takes the group's STIX UUID (e.g. "intrusion-set--..."), which is
useful when you already have the STIX ID from another query or relationship.
Args:
group_stix_id: STIX ID of the group (intrusion-set--UUID).
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include technique descriptions.
Returns:
{
"group": {
"attack_id": "GXXXX" | null,
"name": "<group name or null>",
"stix_id": "<intrusion-set--UUID>",
"description": "<text or null>"
} | null,
"count": <number of techniques>,
"techniques": [
{
"attack_id": "TXXXX or TXXXX.YYY" | null,
"name": "<technique name>",
"stix_id": "<attack-pattern--UUID>",
"description": "<text or null>",
"relationships": [
{
"stix_id": "<relationship--UUID>",
"relationship_type": "uses",
"description": "<relationship description or null>",
"source_ref": "<source STIX ID>",
"target_ref": "<target STIX ID>"
},
...
]
},
...
],
"formatted": "<human-readable technique list>",
"message": "<status summary>"
}
|
| get_software_used_by_groupA | Get all software (malware and tools) used by a specific APT group,
identified by its STIX ID.
This uses MITRE's `get_software_used_by_group` to follow 'uses'
relationships from an intrusion set (group) to software objects.
Args:
group_stix_id: STIX ID of the group (e.g., "intrusion-set--UUID").
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include software descriptions.
Returns:
{
"group": {
"attack_id": "GXXXX" | null,
"name": "<group name or null>",
"stix_id": "<intrusion-set--UUID>",
"description": "<text or null>"
} | null,
"count": <number of software objects>,
"software": [
{
"attack_id": "SXXXX or similar" | null,
"name": "<software name>",
"stix_id": "<STIX ID>",
"type": "<malware|tool|...>",
"description": "<text or null>",
"relationships": [
{
"stix_id": "<relationship--UUID>",
"relationship_type": "uses",
"description": "<relationship description or null>",
"source_ref": "<source STIX ID>",
"target_ref": "<target STIX ID>",
},
...
]
},
...
],
"formatted": "<human-readable list of software>",
"message": "<status summary>"
}
|
| get_campaigns_attributed_to_groupA | Get all campaigns attributed to a specific intrusion set (APT group),
identified by its STIX ID.
Campaigns represent specific operations or intrusion events attributed
to a threat group.
Args:
group_stix_id: STIX UUID of the group (e.g., "intrusion-set--UUID").
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include campaign descriptions.
Returns:
{
"group": {
"attack_id": "GXXXX" | null,
"name": "<group name or null>",
"stix_id": "<intrusion-set--UUID>",
"description": "<text or null>"
} | null,
"count": <number of campaigns>,
"campaigns": [
{
"attack_id": "CXXXX" | null,
"name": "<campaign name>",
"stix_id": "<campaign--UUID>",
"description": "<text or null>"
},
...
],
"formatted": "<formatted human-readable block>",
"message": "<status summary>"
}
|
| get_campaigns_by_aliasA | Get campaigns by their alias.
Campaigns frequently have multiple names assigned by different vendors
or research teams. This function resolves those aliases.
Args:
alias: Campaign alias or alternate name (case-insensitive)
domain: ATT&CK domain ("enterprise", "ics", etc.)
include_description: Include campaign descriptions in output
Returns:
{
"alias": "<requested name>",
"count": int,
"campaigns": [
{
"name": "...",
"stix_id": "<campaign--UUID>",
"attack_id": "Cxxxx" | null,
"description": "..." | null
},
...
],
"formatted": "<multi-line readable text>",
"message": "<summary>"
}
|
| get_techniques_used_by_group_softwareA | Get techniques used by the software that a group uses (Group → Software → Techniques).
This provides an indirect view of a group's capabilities by following:
Group (intrusion set) → Software (malware/tools) → Techniques
Args:
group_stix_id: STIX ID of the group (e.g., "intrusion-set--UUID").
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include technique descriptions.
Returns:
{
"group": {
"attack_id": "GXXXX" | null,
"name": "<group name or null>",
"stix_id": "<intrusion-set--UUID>",
"description": "<text or null>",
} | null,
"count": <number of techniques>,
"techniques": [
{
"attack_id": "TXXXX or TXXXX.YYY" | null,
"name": "<technique name>",
"stix_id": "<attack-pattern--UUID>",
"description": "<text or null>",
"relationships": [
{
"stix_id": "<relationship--UUID>",
"relationship_type": "uses",
"description": "<relationship description or null>",
"source_ref": "<source STIX ID>",
"target_ref": "<target STIX ID>",
},
...
]
},
...
],
"formatted": "<human-readable list of techniques>",
"message": "<status summary>"
}
|
| get_groups_using_techniqueA | Get all APT groups (intrusion sets) that use a specific technique.
This is a reverse lookup: Technique → Groups.
It follows 'uses' relationships from a technique STIX ID to intrusion sets.
Args:
technique_stix_id: STIX ID of the technique
(e.g., "attack-pattern--UUID").
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include group descriptions.
Returns:
{
"technique": {
"attack_id": "TXXXX or TXXXX.YYY" | null,
"name": "<technique name or null>",
"stix_id": "<attack-pattern--UUID>",
"description": "<text or null>",
} | null,
"count": <number of groups>,
"groups": [
{
"attack_id": "GXXXX" | null,
"name": "<group name>",
"aliases": [...],
"stix_id": "<intrusion-set--UUID>",
"description": "<text or null>",
"relationships": [
{
"stix_id": "<relationship--UUID>",
"relationship_type": "uses",
"description": "<relationship description or null>",
"source_ref": "<source STIX ID>",
"target_ref": "<target STIX ID>",
},
...
]
},
...
],
"formatted": "<human-readable list of groups>",
"message": "<status summary>"
}
|
| get_groups_using_softwareA | Get all APT groups (intrusion sets) that use a specific software/malware.
This is a reverse lookup: Software → Groups.
It follows 'uses' relationships from a software STIX ID (tool/malware)
to intrusion sets.
Args:
software_stix_id: STIX ID of the software object
(e.g., "malware--UUID", "tool--UUID").
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include group descriptions.
Returns:
{
"software": {
"attack_id": "SXXXX or similar" | null,
"name": "<software name or null>",
"stix_id": "<software STIX ID>",
"type": "<tool|malware|...> or null",
"description": "<text or null>",
} | null,
"count": <number of groups>,
"groups": [
{
"attack_id": "GXXXX" | null,
"name": "<group name>",
"aliases": [...],
"stix_id": "<intrusion-set--UUID>",
"description": "<text or null>",
"relationships": [
{
"stix_id": "<relationship--UUID>",
"relationship_type": "uses",
"description": "<relationship description or null>",
"source_ref": "<source STIX ID>",
"target_ref": "<target STIX ID>",
},
...
]
},
...
],
"formatted": "<human-readable list of groups>",
"message": "<status summary>"
}
|
| get_groups_attributing_to_campaignA | Get all APT groups (intrusion sets) attributed to a specific campaign.
This is a reverse lookup: Campaign → Groups.
It follows attribution relationships from a campaign STIX ID to
intrusion sets (groups).
Args:
campaign_stix_id: STIX ID of the campaign (e.g., "campaign--UUID").
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include group descriptions.
Returns:
{
"campaign": {
"attack_id": "CXXXX" | null,
"name": "<campaign name or null>",
"stix_id": "<campaign--UUID>",
"description": "<text or null>"
} | null,
"count": <number of groups>,
"groups": [
{
"attack_id": "GXXXX" | null,
"name": "<group name>",
"aliases": [...],
"stix_id": "<intrusion-set--UUID>",
"description": "<text or null>",
"relationships": [
{
"stix_id": "<relationship--UUID>",
"relationship_type": "<type>",
"description": "<relationship description or null>",
"source_ref": "<source STIX ID>",
"target_ref": "<target STIX ID>",
},
...
]
},
...
],
"formatted": "<human-readable list of groups>",
"message": "<status summary>"
}
|
| get_software_by_aliasA | Find software/malware by alias (e.g., 'Beacon', 'Mimilib').
Many malware/tools have multiple alternative names. This tool searches
the software catalog for alias matches.
Args:
alias: Alias to search for.
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include description fields.
Returns:
{
"alias": "<alias>",
"count": <number of matches>,
"software": [
{
"attack_id": "<SXXXX or MXXXX or None>",
"name": "<software name>",
"aliases": [...],
"stix_id": "<malware--UUID or tool--UUID>",
"type": "<malware|tool|...>",
"description": "<text or null>"
},
...
],
"formatted": "<human readable output>",
"message": "<status summary>"
}
|
| get_software_using_techniqueA | Get all software (malware/tools) that use a specific technique.
This is a reverse lookup: Technique → Software.
It follows 'uses' relationships from a technique STIX ID to software
(malware and tools) that implement or leverage that technique.
Args:
technique_stix_id: STIX ID of the technique
(e.g., "attack-pattern--UUID").
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include software descriptions.
Returns:
{
"technique": {
"attack_id": "TXXXX or TXXXX.YYY" | null,
"name": "<technique name or null>",
"stix_id": "<attack-pattern--UUID>",
"description": "<text or null>",
} | null,
"count": <number of software objects>,
"software": [
{
"attack_id": "SXXXX or similar" | null,
"name": "<software name>",
"stix_id": "<software STIX ID>",
"type": "<malware|tool|...>",
"description": "<text or null>",
"relationships": [
{
"stix_id": "<relationship--UUID>",
"relationship_type": "uses",
"description": "<relationship description or null>",
"source_ref": "<source STIX ID>",
"target_ref": "<target STIX ID>",
},
...
]
},
...
],
"formatted": "<human-readable list of software>",
"message": "<status summary>"
}
|
| get_techniques_used_by_softwareA | Get all techniques used by specific software/malware.
This shows what ATT&CK techniques a given software (tool/malware) is
capable of performing.
Args:
software_stix_id: STIX ID of the software object
(e.g., "malware--UUID", "tool--UUID").
domain: ATT&CK domain ("enterprise", "mobile", "ics").
include_description: Whether to include technique descriptions.
Returns:
{
"software": {
"attack_id": "SXXXX or similar" | null,
"name": "<software name or null>",
"stix_id": "<software STIX ID>",
"type": "<malware|tool|...> or null",
"description": "<text or null>",
} | null,
"count": <number of techniques>,
"techniques": [
{
"attack_id": "TXXXX or TXXXX.YYY" | null,
"name": "<technique name>",
"stix_id": "<attack-pattern--UUID>",
"description": "<text or null>",
"relationships": [
{
"stix_id": "<relationship--UUID>",
"relationship_type": "uses",
"description": "<relationship description or null>",
"source_ref": "<source STIX ID>",
"target_ref": "<target STIX ID>",
},
...
]
},
...
],
"formatted": "<human-readable list of techniques>",
"message": "<status summary>"
}
|
| get_all_techniquesA | Get all ATT&CK techniques for a given domain.
Args:
domain: ATT&CK domain ("enterprise", "mobile", "ics").
remove_revoked_deprecated: Whether to exclude revoked/deprecated techniques.
include_description: Whether to include technique descriptions.
Returns:
{
"domain": "<domain>",
"count": <number of techniques>,
"techniques": [
{
"attack_id": "TXXXX or TXXXX.YYY",
"name": "<technique name>",
"stix_id": "<attack-pattern--UUID>",
"description": "<text or null>",
"tactics": [ "<tactic 1>", "<tactic 2>", ... ]
},
...
],
"formatted": "<optional human-readable output>",
"message": "<summary>"
}
|
| get_all_subtechniquesA | Get all subtechniques in a given ATT&CK domain.
Subtechniques are more specific versions of parent techniques,
e.g., T1566.001 and T1566.002 are subtechniques of T1566.
Args:
domain: ATT&CK domain ("enterprise", "mobile", "ics").
remove_revoked_deprecated: Whether to exclude revoked/deprecated subtechniques.
include_description: Whether to include descriptions.
Returns:
{
"domain": "<domain>",
"count": <number of subtechniques>,
"subtechniques": [
{
"attack_id": "<TXXXX.YYY>",
"name": "<subtechnique name>",
"stix_id": "<attack-pattern--UUID>",
"description": "<text or null>",
"tactics": ["<Tactic 1>", "<Tactic 2>", ...],
"parent_attack_id": "<TXXXX>",
"parent_name": "<parent technique name>",
"parent_stix_id": "<attack-pattern--UUID>"
},
...
],
"formatted": "<optional human-readable output>",
"message": "<summary>"
}
|
| get_all_parent_techniquesA | Get all parent techniques (exclude subtechniques) in a given domain.
Parent techniques are the main techniques without a dot in their ATT&CK ID,
e.g., T1566, T1055 (not T1566.001).
Args:
domain: ATT&CK domain ("enterprise", "mobile", "ics").
remove_revoked_deprecated: Whether to exclude revoked/deprecated techniques.
include_description: Whether to include descriptions.
Returns:
{
"domain": "<domain>",
"count": <number of parent techniques>,
"parent_techniques": [
{
"attack_id": "<TXXXX>",
"name": "<technique name>",
"stix_id": "<attack-pattern--UUID>",
"description": "<text or null>",
"tactics": ["<Tactic 1>", "<Tactic 2>", ...]
},
...
],
"formatted": "<optional human-readable output>",
"message": "<summary>"
}
|
| get_all_groupsA | Get all APT groups (intrusion sets) in a domain.
Args:
domain: ATT&CK domain ("enterprise", "mobile", "ics").
remove_revoked_deprecated: Whether to exclude revoked/deprecated groups.
include_description: Whether to include descriptions.
Returns:
{
"domain": "<domain>",
"count": <number of groups>,
"groups": [
{
"attack_id": "GXXXX",
"name": "<group name>",
"aliases": [...],
"stix_id": "<intrusion-set--UUID>",
"description": "<text or null>"
},
...
],
"formatted": "<optional human-readable listing>",
"message": "<summary>"
}
|
| get_all_softwareA | Get all software (malware and tools) in a domain.
This is effectively an alias for the MITRE helper get_software(), but it
returns structured results suitable for LLMs and clients.
Args:
domain: ATT&CK domain ("enterprise", "mobile", "ics").
remove_revoked_deprecated: Whether to exclude revoked/deprecated software.
include_description: Whether to include descriptions.
Returns:
{
"domain": "<domain>",
"count": <number of software objects>,
"software": [
{
"attack_id": "<SXXXX or similar> | null",
"name": "<software name>",
"aliases": [...],
"stix_id": "<malware--UUID or tool--UUID>",
"type": "<malware|tool|...>",
"description": "<text or null>"
},
...
],
"formatted": "<optional human-readable listing>",
"message": "<summary>"
}
|
| get_all_mitigationsA | Get all mitigations (defensive countermeasures) in a domain.
Mitigations are security controls or practices that can reduce the
effectiveness of adversary techniques (e.g., M1013, M1017).
Args:
domain: ATT&CK domain ("enterprise", "mobile", "ics").
remove_revoked_deprecated: Whether to exclude revoked/deprecated mitigations.
include_description: Whether to include descriptions.
Returns:
{
"domain": "<domain>",
"count": <number of mitigations>,
"mitigations": [
{
"attack_id": "MXXXX" | null,
"name": "<mitigation name>",
"stix_id": "<course-of-action--UUID>",
"description": "<text or null>"
},
...
],
"formatted": "<optional human-readable output>",
"message": "<summary>"
}
|
| get_all_tacticsA | Get all ATT&CK tactics for a domain.
Tactics represent the adversary's tactical goals (e.g., Initial Access,
Defense Evasion, Persistence).
Args:
domain: ATT&CK domain ('enterprise', 'mobile', 'ics')
include_description: Whether to include tactic descriptions.
Returns:
{
"domain": "<domain>",
"count": <number>,
"tactics": [
{
"attack_id": "<TAxxxx>" | null,
"name": "...",
"stix_id": "x-mitre-tactic--UUID",
"description": "...",
}
],
"formatted": "<optional human-readable text>",
"message": "<summary>"
}
|
| get_all_matricesA | Get all ATT&CK matrices in a domain.
Matrices are the top-level organizational structures in ATT&CK.
Each domain typically has one or more matrices
(e.g., Enterprise ATT&CK matrix).
Args:
domain: ATT&CK domain ("enterprise", "mobile", "ics").
remove_revoked_deprecated: Whether to exclude revoked/deprecated matrices.
include_description: Whether to include descriptions.
Returns:
{
"domain": "<domain>",
"count": <number of matrices>,
"matrices": [
{
"attack_id": "<matrix ID or None>",
"name": "<matrix name>",
"stix_id": "<x-mitre-matrix--UUID>",
"description": "<text or null>"
},
...
],
"formatted": "<optional human-readable output>",
"message": "<summary>"
}
|
| get_all_campaignsA | Get all ATT&CK campaigns in a domain.
Campaigns represent specific intrusion events or long-running operations
attributed to threat actors (e.g., SolarWinds, Operation Ghost).
Args:
domain: ATT&CK domain ("enterprise", "mobile", "ics")
remove_revoked_deprecated: Whether to exclude revoked/deprecated entries
include_description: Include campaign descriptions in the output
Returns:
{
"domain": "<domain>",
"count": <int>,
"campaigns": [
{
"attack_id": "<Cxxxx or None>",
"name": "<campaign name>",
"stix_id": "campaign--UUID",
"description": "<text or null>"
},
...
],
"formatted": "<nicely formatted output>",
"message": "<summary>"
}
|
| get_all_datasourcesA | Get all ATT&CK data sources in a domain.
Data sources represent *what* kind of telemetry you collect
(e.g., Process Monitoring, Network Traffic, File Monitoring).
Args:
domain: ATT&CK domain ("enterprise", "mobile", "ics").
remove_revoked_deprecated: Whether to exclude revoked/deprecated data sources.
include_description: Whether to include descriptions.
Returns:
{
"domain": "<domain>",
"count": <number of data sources>,
"datasources": [
{
"name": "<data source name>",
"stix_id": "<x-mitre-data-source--UUID>",
"description": "<text or null>",
"platforms": ["<Windows>", "<Linux>", ...] # if available
},
...
],
"formatted": "<optional human-readable output>",
"message": "<summary>"
}
|
| get_all_datacomponentsA | Get all ATT&CK data components in a domain.
Data components are specific aspects of a data source that can be monitored.
For example, the "Process" data source has components like
"Process Creation", "Process Termination", etc.
Args:
domain: ATT&CK domain ("enterprise", "mobile", "ics").
remove_revoked_deprecated: Whether to exclude revoked/deprecated entries.
include_description: Whether to include descriptions.
Returns:
{
"domain": "<domain>",
"count": <number of data components>,
"datacomponents": [
{
"name": "<data component name>",
"stix_id": "<x-mitre-data-component--UUID>",
"description": "<text or null>",
"data_source_stix_id": "<x-mitre-data-source--UUID or null>",
"data_source_name": "<parent data source name or null>",
"data_source_attack_id": "<data source ATT&CK ID or null>"
},
...
],
"formatted": "<optional human-readable output>",
"message": "<summary>"
}
|
| get_all_assetsA | Get all ATT&CK assets in a domain (primarily ICS).
Assets represent industrial control system components
(PLC, HMI, Engineering Workstation, Control Server, etc.)
Args:
domain: ATT&CK domain ("ics" recommended)
remove_revoked_deprecated: Exclude revoked/deprecated entries
include_description: Include asset descriptions
Returns:
{
"domain": "<domain>",
"count": <number>,
"assets": [
{
"name": "...",
"stix_id": "x-mitre-asset--UUID",
"description": "...",
"attack_id": "<Axxxx or None>"
}
],
"formatted": "<human-readable output>",
"message": "<summary>"
}
|
| get_assets_targeted_by_techniqueA | Get all ICS assets targeted by a specific technique.
Assets represent industrial control system components such as
PLCs, RTUs, Engineering Workstations, HMIs, Control Servers, etc.
Args:
technique_stix_id: Technique STIX UUID identifier
domain: ATT&CK domain ('ics' strongly recommended)
include_description: Include asset descriptions, if available
Returns:
{
"technique": {
"attack_id": "Txxxx",
"name": "...",
"stix_id": "<attack-pattern--UUID>"
},
"count": int,
"assets": [
{
"name": "...",
"stix_id": "<x-mitre-asset--UUID>",
"description": "<optional text>",
"asset_type": "<ICS component type>",
},
...
],
"formatted": "<multi-line readable text>",
"message": "<summary>"
}
|
| get_techniques_targeting_assetA | Get all techniques that target a specific ICS asset.
Shows which adversary techniques can affect a given industrial
control system component.
Args:
asset_stix_id: STIX ID of the ICS asset
domain: Domain (default: 'ics')
include_description: Whether to include descriptions in formatted output
Returns:
{
"found": bool,
"count": int,
"techniques": [
{
"id": "<ATT&CK ID>",
"name": "...",
"stix_id": "...",
"description": "..." | None
},
...
],
"formatted": "<optional pretty text>",
"message": "..."
}
|
| get_campaigns_using_techniqueA | Get all campaigns that use a specific technique.
This is a reverse lookup: Technique → Campaigns.
Args:
technique_stix_id: Technique STIX UUID identifier
(e.g., 'attack-pattern--UUID').
domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
include_description: Whether to include campaign descriptions.
Returns:
{
"technique": {
"attack_id": "TXXXX or TXXXX.YYY" | null,
"name": "<technique name or null>",
"stix_id": "<attack-pattern--UUID>",
"description": "<text or null>",
} | null,
"count": <number of campaigns>,
"campaigns": [
{
"attack_id": "CXXXX" | null,
"name": "<campaign name>",
"stix_id": "<campaign--UUID>",
"description": "<text or null>",
"relationships": [
{
"stix_id": "<relationship--UUID>",
"relationship_type": "<type>",
"description": "<relationship description or null>",
"source_ref": "<source STIX ID>",
"target_ref": "<target STIX ID>",
},
...
]
},
...
],
"formatted": "<human-readable list of campaigns>",
"message": "<status summary>"
}
|
| get_techniques_used_by_campaignA | Get all techniques used in a specific campaign.
Args:
campaign_stix_id: Campaign STIX UUID identifier
(e.g., 'campaign--UUID').
domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
include_description: Whether to include technique descriptions.
Returns:
{
"campaign": {
"attack_id": "CXXXX" | null,
"name": "<campaign name or null>",
"stix_id": "<campaign--UUID>",
"description": "<text or null>",
} | null,
"count": <number of techniques>,
"techniques": [
{
"attack_id": "TXXXX or TXXXX.YYY" | null,
"name": "<technique name>",
"stix_id": "<attack-pattern--UUID>",
"description": "<text or null>",
"tactics": ["<Tactic 1>", "<Tactic 2>", ...],
"relationships": [
{
"stix_id": "<relationship--UUID>",
"relationship_type": "<type>",
"description": "<relationship description or null>",
"source_ref": "<source STIX ID>",
"target_ref": "<target STIX ID>",
},
...
]
},
...
],
"formatted": "<human-readable list of techniques>",
"message": "<status summary>"
}
|
| get_campaigns_using_softwareA | Get all campaigns that use specific software/malware.
This is a reverse lookup: Software → Campaigns.
Args:
software_stix_id: Software STIX UUID identifier (e.g., 'malware--UUID', 'tool--UUID').
domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
include_description: Whether to include campaign descriptions.
Returns:
{
"software": {
"attack_id": "SXXXX or similar" | null,
"name": "<software name or null>",
"stix_id": "<software STIX ID>",
"type": "<malware|tool|...> or null",
"description": "<text or null>",
} | null,
"count": <number of campaigns>,
"campaigns": [
{
"attack_id": "CXXXX" | null,
"name": "<campaign name>",
"stix_id": "<campaign--UUID>",
"description": "<text or null>",
"relationships": [
{
"stix_id": "<relationship--UUID>",
"relationship_type": "<type>",
"description": "<relationship description or null>",
"source_ref": "<source STIX ID>",
"target_ref": "<target STIX ID>",
},
...
]
},
...
],
"formatted": "<human-readable list of campaigns>",
"message": "<status summary>"
}
|
| get_software_used_by_campaignA | Get all software/malware used in a specific campaign.
Args:
campaign_stix_id: Campaign STIX UUID identifier (e.g., 'campaign--UUID').
domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
include_description: Whether to include software descriptions.
Returns:
{
"campaign": {
"attack_id": "CXXXX" | null,
"name": "<campaign name or null>",
"stix_id": "<campaign--UUID>",
"description": "<text or null>",
} | null,
"count": <number of software objects>,
"software": [
{
"attack_id": "SXXXX or similar" | null,
"name": "<software name>",
"stix_id": "<malware--UUID or tool--UUID>",
"type": "<malware|tool|...> or null",
"aliases": ["...", "..."],
"description": "<text or null>",
"relationships": [
{
"stix_id": "<relationship--UUID>",
"relationship_type": "<type>",
"description": "<relationship description or null>",
"source_ref": "<source STIX ID>",
"target_ref": "<target STIX ID>",
},
...
]
},
...
],
"formatted": "<human-readable list of software>",
"message": "<status summary>"
}
|
| get_techniques_by_platformA | Get all ATT&CK techniques that apply to a specific platform.
Args:
platform: Platform name (e.g., 'Windows', 'Linux', 'macOS',
'Cloud', 'Azure AD', 'Network', etc.)
domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
include_description: Whether to include technique descriptions.
Returns:
{
"platform": "<platform>",
"count": <number>,
"techniques": [
{
"attack_id": "Txxxx" or "Txxxx.xxx" or null,
"name": "<technique name>",
"stix_id": "<attack-pattern--UUID>",
"description": "<text or null>"
},
...
],
"formatted": "<optional formatted string>",
"message": "<summary>"
}
|
| get_parent_technique_of_subtechniqueA | Get the parent technique of a subtechnique.
Args:
technique_stix_id: STIX UUID of the subtechnique.
domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
include_description: Whether to include the parent's description.
Returns:
{
"subtechnique_stix_id": "...",
"subtechnique_attack_id": "Txxxx.xxx" or null,
"parent": {
"attack_id": "Txxxx",
"name": "...",
"stix_id": "attack-pattern--UUID",
"description": "..." | null
} or null,
"formatted": "<human readable description>",
"message": "<summary>"
}
|
| get_subtechniques_of_techniqueA | Get all subtechniques of a parent technique.
Args:
technique_stix_id: STIX UUID of the parent technique.
domain: ATT&CK domain.
include_description: Whether to include subtechnique descriptions.
Returns:
{
"parent": {
"stix_id": "...",
"attack_id": "...",
"name": "..."
},
"count": int,
"subtechniques": [
{
"attack_id": "...",
"name": "...",
"stix_id": "...",
"description": "..." | null
},
...
],
"formatted": "<multi-line string>",
"message": "<summary>"
}
|
| get_techniques_mitigated_by_mitigationA | Get all techniques mitigated by a specific mitigation (by STIX ID).
Args:
mitigation_stix_id: STIX UUID of the mitigation (e.g., course-of-action--UUID).
domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
include_description: Include technique descriptions in the output.
Returns:
{
"found": bool,
"mitigation": {
"attack_id": "...",
"name": "...",
"stix_id": "course-of-action--..."
} | null,
"count": int,
"techniques": [
{
"attack_id": "Txxxx",
"name": "...",
"stix_id": "...",
"description": "...",
},
...
],
"formatted": "<multi-line text>",
"message": "<summary>"
}
|
| get_mitigations_mitigating_techniqueA | Get all mitigations that address a specific technique.
Helper returns: list[RelationshipEntry[Mitigation]]
So each item is a wrapper that contains a Mitigation object (usually in `.object`).
We must unwrap before extracting fields.
Returns (same schema as before):
{
"found": bool,
"technique": {...} | null,
"count": int,
"mitigations": [...],
"formatted": str,
"message": str
}
|
| get_datacomponents_detecting_techniqueB | Get all data components that can detect a specific technique.
Primary mode:
- Use mitreattack-python relationship traversal (if present)
Fallback mode (when relationship traversal yields 0):
- Read technique.x_mitre_data_sources (strings)
- Resolve data source objects by name
- Return data components whose x_mitre_data_source_ref points to those data sources
- If the string includes a component name (e.g., "Process: Process Creation"),
filter to that component when possible.
Returns the same structure as before, plus a debug block.
|
| get_techniques_detected_by_datacomponentA | Get all techniques that can be detected by a specific data component.
Shows which adversary techniques can be identified by monitoring
this specific aspect of telemetry.
Args:
datacomponent_stix_id: Data component STIX UUID identifier
(e.g., 'x-mitre-data-component--UUID').
domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
include_description: Whether to include technique descriptions.
Returns:
{
"datacomponent": {
"name": "<data component name or null>",
"stix_id": "<x-mitre-data-component--UUID>",
"description": "<text or null>",
"data_source_stix_id": "<x-mitre-data-source--UUID or null>",
"data_source_name": "<data source name or null>",
"data_source_attack_id": "<data source ATT&CK ID or null>",
} | null,
"count": <number of techniques>,
"techniques": [
{
"attack_id": "Txxxx or Txxxx.xxx" | null,
"name": "<technique name>",
"stix_id": "<attack-pattern--UUID>",
"description": "<text or null>",
},
...
],
"formatted": "<human-readable list of techniques>",
"message": "<status summary>"
}
|
| get_procedure_examples_by_techniqueB | Get procedure examples showing how threat groups used a specific technique.
Procedure examples describe real incident behavior tied to this technique.
Args:
technique_stix_id: STIX UUID of the technique
domain: ATT&CK domain
include_description: Include descriptions of the examples if available
Returns:
{
"technique": {
"attack_id": "Txxxx",
"name": "...",
"stix_id": "attack-pattern--UUID"
},
"count": N,
"examples": [
{
"relationship_id": "relationship--UUID",
"source_group_attack_id": "Gxxxx",
"source_group_name": "...",
"description": "...",
"stix_id": "relationship--UUID"
},
...
],
"formatted": "<multi-line readable text>",
"message": "<summary>"
}
|
| get_procedure_examples_by_tacticA | Get all procedure examples for techniques in a specific tactic.
Shows real-world examples of how threat groups use techniques that fall
under a given tactic (e.g., Initial Access, Persistence).
Args:
tactic: Tactic name (e.g., "Initial Access", "Persistence").
Case-insensitive; should match ATT&CK tactic names.
domain: ATT&CK domain ('enterprise', 'mobile', 'ics').
include_description: Include example descriptions when available.
Returns:
{
"tactic": {
"name": "<tactic name>",
"attack_id": "TAxxxx" | null,
"stix_id": "x-mitre-tactic--UUID" | null,
},
"count": int,
"examples": [
{
"relationship_id": "relationship--UUID",
"description": "<procedure text or null>",
"group": {
"attack_id": "Gxxxx" | null,
"name": "<group name or null>",
"stix_id": "intrusion-set--UUID" | null,
},
"technique": {
"attack_id": "Txxxx or Txxxx.xxx" | null,
"name": "<technique name or null>",
"stix_id": "attack-pattern--UUID" | null,
},
},
...
],
"formatted": "<multi-line human-readable text>",
"message": "<summary>"
}
|
| get_objects_by_typeA | Get all objects of a specific STIX type.
This is a generic method to retrieve ATT&CK/CTI objects by STIX type.
It complements more specific tools such as get_all_techniques(),
get_all_groups(), etc.
Common STIX types include:
- 'attack-pattern' (techniques)
- 'malware' (malware)
- 'tool' (tools)
- 'intrusion-set' (APT groups)
- 'campaign' (campaigns)
- 'course-of-action' (mitigations)
- 'x-mitre-matrix' (matrices)
- 'x-mitre-tactic' (tactics)
- 'x-mitre-data-source' (data sources)
- 'x-mitre-data-component' (data components)
- 'x-mitre-asset' (ICS assets)
Args:
stix_type: STIX object type to fetch.
domain: ATT&CK domain ('enterprise', 'mobile', 'ics', ...).
remove_revoked_deprecated: Exclude revoked/deprecated objects.
include_description: Include object descriptions in output.
Returns:
{
"stix_type": "<type>",
"domain": "<domain>",
"count": int,
"objects": [
{
"name": "...",
"stix_id": "<stix-id>",
"attack_id": "<T/G/S/M/C/... or null>",
"description": "<text or null>",
},
...
],
"formatted": "<multi-line readable text>",
"message": "<summary>"
}
|
| get_tactics_by_matrixA | Get all ATT&CK tactics belonging to a specific matrix.
Args:
matrix_stix_id: STIX ID of the matrix (e.g., x-mitre-matrix--UUID)
domain: ATT&CK domain ('enterprise', 'mobile', 'ics')
include_description: Whether to include tactic descriptions
Returns:
{
"found": bool,
"count": int,
"tactics": [
{
"name": "...",
"stix_id": "...",
"description": "...",
"attack_id": "TAxxxx" or null
}
],
"formatted": "<multiline string>",
"message": "..."
}
|
| get_tactics_by_techniqueA | Get all tactics associated with a specific ATT&CK technique.
Techniques can belong to one or more tactics (kill chain phases).
Args:
technique_stix_id: Technique STIX UUID identifier (attack-pattern--UUID)
domain: ATT&CK domain ('enterprise', 'mobile', 'ics')
include_description: Whether to include tactic descriptions
Returns:
{
"found": bool,
"count": int,
"tactics": [
{
"name": "...",
"stix_id": "...",
"attack_id": "TAxxxx" or null,
"description": "...",
}
],
"formatted": "<multiline formatted output>",
"message": "..."
}
|
| get_objects_created_afterA | Get all ATT&CK objects created after a specific timestamp.
Useful for detecting new additions to the framework.
Timestamp must be ISO8601 format, e.g., '2024-01-01T00:00:00Z'.
Returns:
{
"found": bool,
"count": int,
"objects": [
{
"id": "<ATT&CK ID or None>",
"name": "...",
"stix_id": "...",
"type": "<stix-type>",
"description": "..." | None
},
...
],
"formatted": "<pretty text>",
"message": "..."
}
|
| get_objects_modified_afterA | Get all ATT&CK objects modified after a specific timestamp.
Useful for tracking updates and changes to the ATT&CK framework.
Timestamp must be ISO8601 format, e.g., '2024-01-01T00:00:00Z'.
Returns:
{
"found": bool,
"count": int,
"objects": [
{
"id": "<ATT&CK ID or None>",
"name": "...",
"stix_id": "...",
"type": "<stix-type>",
"description": "..." | None
},
...
],
"formatted": "<pretty text>",
"message": "..."
}
|
| get_revoked_techniquesC | Get all revoked techniques for a domain.
Revoked techniques are no longer valid in the framework, often because
they were merged or replaced.
Returns:
{
"found": bool,
"count": int,
"techniques": [...],
"formatted": "<pretty output>",
"message": "..."
}
|
| generate_layerA | Generate an ATT&CK Navigator layer for visualization.
This wraps mitreattack.navlayers.UsageLayerGenerator and produces a
JSON layer highlighting techniques associated with a given ATT&CK ID.
Only the following ATT&CK ID prefixes are supported:
- Gxxxx : groups (intrusion sets)
- Mxxxx : mitigations (course-of-action)
- Sxxxx : software (tool/malware)
- Dxxxx : data components
Technique IDs (Txxxx / Txxxx.xxx) are NOT supported here.
Args:
attack_id: ATT&CK ID (Gxxxx, Mxxxx, Sxxxx, or Dxxxx)
score: Score to assign to all matched techniques in the layer
domain: ATT&CK domain (e.g., "enterprise", "mobile", "ics")
Returns:
{
"success": bool,
"attack_id": "<G/M/S/D ID>",
"domain": "<domain>",
"count": int, # number of techniques in layer
"layer": { ... } | null, # ATT&CK Navigator layer JSON
"message": "<summary or error>"
}
|
| get_layer_metadataA | Return a standard ATT&CK Navigator layer metadata template.
This provides default layer properties (version info, gradient settings,
layout, filters, etc.) adapted to a specific ATT&CK domain.
Useful for clients that want to build custom layers programmatically
without starting from scratch.
Args:
domain: One of "enterprise", "mobile", "ics". Defaults to "enterprise".
Returns:
{
"success": bool,
"domain": "<domain>",
"metadata": { ... }, # Navigator layer metadata
"message": "<summary>"
}
|