GET https://www.virustotal.com/api/v3/collections//mitre_tree
Special privileges required
Reports & Analysis are only available to users with the Google Threat Intelligence (Google TI) Enterprise or Enterprise Plus licenses.
Returns a list of MITRE tactics, each with the corresponding techniques that are associated with the Report, as follows:
{
  "data":
  {
    "tactics": \<_list of dictionaries_> the list of associated tactics.
    [
      {
        "id": \<_string_> the MITRE tactic identifier.
        "name": \<_string_> the name of the tactic.
        "link": \<_string_> the link to the tactic's MITRE webpage.
        "description": \<_string_> the description of the tactic.
        "techniques": \<_list of dictionaries_> the list of associated techniques that belong to the tactic and are associated with the report.
        [
          {
            "id": \<_string_> the MITRE technique identifier.
            "name": \<_string_> the name of the technique.
            "link": \<_string_> the link to the technique's MITRE webpage.
            "description": \<_string_> the description of the technique.
            "source": \<_list of strings_> whether the technique association comes from the IoCs related to the report object (seen_in_iocs) or is intrinsic to it (operational).
            "context_attribute": \<_dictionary_> the date when the technique was associated with the report.
            {
              "timestamp": \<_integer_> (UTC timestamp).
            }
          }
        ]
      }
    ]
  }
}
Example response
{
  "data":
  {
    "tactics":
    [
      {
        "id": "TA0005",
        "name": "Defense Evasion",
        "link": "https://attack.mitre.org/tactics/TA0005/",
        "description": "The adversary is trying to avoid being detected.\n\nDefense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses. ",
        "techniques":
        [
          {
            "id": "T1564",
            "name": "Hide Artifacts",
            "link": "https://attack.mitre.org/techniques/T1564/",
            "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.\nAdversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.",
            "source":
            [
              "operational"
            ],
            "context_attribute":
            {
              "timestamp": 1732728093
            }
          }
        ]
      }
    ]
  }
}
Filters
Available filters for MITRE tree of a Report:
mitre_namespace: returns only the tactics and techniques of the selected MITRE matrix: enterprise (default), mobile or ics. E.g.: mitre_namespace:mobile.
ttp_source: selects the origin of the TTPs shown in the results: operational (manually linked to the object by analysts), seen_in_iocs (automatically matched during the sandbox detonation of the report's related files) or all (default, both sources). E.g.: ttp_source:seen_in_iocs.
Examples
Get the operational MITRE TTPs from files associated with the report--24-10074013 report.
import requests

object_id = "report--24-10074013"
# Filter expression passed in the `filter` query parameter.
filters = "ttp_source:operational ttp_source:seen_in_iocs"
url = f"https://www.virustotal.com/api/v3/collections/{object_id}/mitre_tree?filter={filters}"
# Replace the "<api-key>" placeholder with your own API key.
headers = {"accept": "application/json", "x-apikey": "<api-key>"}
response = requests.get(url, headers=headers)