williamzujkowski · November 1, 2025 15:49
diff --git a/cisa-alert-mapper.py b/cisa-alert-mapper.py
 """
 CISA Known Exploited Vulnerabilities Mapper

 Source: https://williamzujkowski.github.io/posts/threat-intelligence-mitre-attack-dashboard/
 Purpose: Maps CISA KEV alerts to MITRE ATT&CK techniques based on vulnerability characteristics
 Prerequisites: aiohttp
 Usage:
    mapper = CISAAlertMapper()
    alerts = await mapper.get_cisa_alerts()

 License: MIT
 """

 import aiohttp

 class CISAAlertMapper:
    def __init__(self):
        self.cisa_url = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
        self.attack_mappings = self.load_mappings()

    async def get_cisa_alerts(self):
        """Fetch and map CISA alerts to ATT&CK"""
        async with aiohttp.ClientSession() as session:
            async with session.get(self.cisa_url) as response:
                data = await response.json()

        mapped_alerts = []
        for vuln in data['vulnerabilities']:
            # Map vulnerability types to likely ATT&CK techniques
            techniques = self.map_vuln_to_attack(vuln)

            if techniques:
                mapped_alerts.append({
                    'cve': vuln['cveID'],
                    'techniques': techniques,
                    'date_added': vuln['dateAdded'],
                    'ransomware_use': vuln.get('knownRansomwareCampaignUse', False)
                })

        return mapped_alerts

    def map_vuln_to_attack(self, vuln):
        """Map vulnerability characteristics to ATT&CK techniques"""
        techniques = []
        vuln_type = vuln.get('vulnerabilityName', '').lower()

        # Based on research patterns from CVE->ATT&CK mappings
        if 'remote code' in vuln_type:
            techniques.append('T1210')  # Exploitation of Remote Services
        if 'privilege' in vuln_type:
            techniques.append('T1068')  # Exploitation for Privilege Escalation
        if 'sql injection' in vuln_type:
            techniques.append('T1190')  # Exploit Public-Facing Application

        return techniques

    def load_mappings(self):
        """Load predefined CVE to ATT&CK mappings"""
        return {}
	"""
	CISA Known Exploited Vulnerabilities Mapper

	Source: https://williamzujkowski.github.io/posts/threat-intelligence-mitre-attack-dashboard/
	Purpose: Maps CISA KEV alerts to MITRE ATT&CK techniques based on vulnerability characteristics
	Prerequisites: aiohttp
	Usage:
	mapper = CISAAlertMapper()
	alerts = await mapper.get_cisa_alerts()

	License: MIT
	"""

	import aiohttp

	class CISAAlertMapper:
	def __init__(self):
	self.cisa_url = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
	self.attack_mappings = self.load_mappings()

	async def get_cisa_alerts(self):
	"""Fetch and map CISA alerts to ATT&CK"""
	async with aiohttp.ClientSession() as session:
	async with session.get(self.cisa_url) as response:
	data = await response.json()

	mapped_alerts = []
	for vuln in data['vulnerabilities']:
	# Map vulnerability types to likely ATT&CK techniques
	techniques = self.map_vuln_to_attack(vuln)

	if techniques:
	mapped_alerts.append({
	'cve': vuln['cveID'],
	'techniques': techniques,
	'date_added': vuln['dateAdded'],
	'ransomware_use': vuln.get('knownRansomwareCampaignUse', False)
	})

	return mapped_alerts

	def map_vuln_to_attack(self, vuln):
	"""Map vulnerability characteristics to ATT&CK techniques"""
	techniques = []
	vuln_type = vuln.get('vulnerabilityName', '').lower()

	# Based on research patterns from CVE->ATT&CK mappings
	if 'remote code' in vuln_type:
	techniques.append('T1210') # Exploitation of Remote Services
	if 'privilege' in vuln_type:
	techniques.append('T1068') # Exploitation for Privilege Escalation
	if 'sql injection' in vuln_type:
	techniques.append('T1190') # Exploit Public-Facing Application

	return techniques

	def load_mappings(self):
	"""Load predefined CVE to ATT&CK mappings"""
	return {}
No results found