MITRE ATT&CK TTP Data Set

The dataset contains sentences from MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) along with their corresponding procedure descriptions. Here’s an overview:

• Columns:
  • Key: Contains TTP techniques and subtechniques.
  • Value: Contains the corresponding procedure descriptions.
• Data Details:
  • The dataset has 19,747 rows, each representing a procedure linked to a TTP ID.
  • It includes 780 unique TTP IDs covering both MITRE ATT&CK techniques and subtechniques.
  • The TTPs and procedure descriptions were extracted from the enterprise-attack-15.1.json file available on GitHub.
• Preprocessing and Data Cleansing:
  The following regex rules were applied to the Value column:
  • Replace URLs related to software with the term "Software":
    re.sub(r'[.?](https://attack\.mitre\.org/software/.?)', 'Software', text)
  • Replace URLs related to groups with the term "Attacker":
    re.sub(r'[.?](https://attack\.mitre\.org/groups/.?)', 'Attacker', text)
  • Remove any text within parentheses:
    str.replace(r'\([^)]*\)', '', regex=True)
  • Remove any text within square brackets:
    str.replace(r'\[.*?\]', '', regex=True)
  • Remove any leading or trailing whitespace:
    str.strip()

Acknowledgments: Funded by the European Union under the European Defence Fund (GA no. 101121403 - NEWSROOM and GA no. 101121418 - EUCINF). Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Commission. Neither the European Union nor the granting authority can be held responsible for them. This work is co-funded by the Austrian FFG Kiras project ASOC (GA no. FO999905301).