building-attack-pattern-library-from-cti-reports

# Building Attack Pattern Library from CTI Reports ## Overview Cyber threat intelligence (CTI) reports from vendors like Mandiant, CrowdStrike, Talos, and Microsoft contain detailed descriptions of adversary behaviors that can be extracted, normalized, and cataloged into a structured attack pattern library. This skill covers parsing CTI reports to extract adversary techniques, mapping behaviors to MITRE ATT&CK technique IDs, creating STIX 2.1 Attack Pattern objects, building a searchable library indexed by tactic, technique, and threat actor, and generating detection rule templates from documented patterns. ## When to Use - When deploying or configuring building attack pattern library from cti reports capabilities in your environment - When establishing security controls aligned to compliance requirements - When building or improving security architecture for this domain - When conducting security assessments that require this implementation ## Prerequisites - Python 3.9+ with `stix2`, `mitreattack-python`, `spacy`, `requests` libraries - Collection of CTI reports (PDF, HTML, or text format) - MITRE ATT&CK STIX data (local or via TAXII) - Understanding of ATT&CK technique structure and naming conventions - Familiarity with detection engineering concepts (Sigma, YARA) ## Key Concepts ### Attack Pattern Extraction CTI reports describe adversary behaviors in natural language. Extraction involves identifying action verbs and technical terms that map to ATT&CK techniques...