MITRE ATT&CK®
attack
The MITRE ATT&CK® object describes the tactic, technique and/or sub-technique associated with an attack, as defined in the ATT&CK® Matrix. The schema constrains the object so that at least one of `tactic`, `technique` or `sub_technique` is present; `version` is recommended so that the IDs and names can be resolved against the correct release of the matrix.
Attributes
Caption | Name | Type | Is Array | Default | Description |
---|---|---|---|---|---|
Raw Data | raw_data | JSON | | | The event data as received from the event source. The schema does not validate or normalize this payload, so consumers should treat its contents as untrusted input from the source. |
Record ID | record_id | String | | | Unique identifier for the object. Required. |
Sub Technique | sub_technique | MITRE ATT&CK® Sub Technique | | | The Sub Technique object describes the sub-technique ID and/or name associated with an attack, as defined by the ATT&CK® Matrix. Optional; see the at-least-one constraint below. |
Tactic | tactic | MITRE ATT&CK® Tactic | | | The Tactic object describes the tactic ID and/or name associated with an attack, as defined by the ATT&CK® Matrix. Optional; see the at-least-one constraint below. |
Tactics | tactics | MITRE ATT&CK® Tactic | Yes | | The Tactic object describes the tactic ID and/or tactic name associated with the attack technique, as defined by the ATT&CK® Matrix. Deprecated since 1.1.0: use the `tactic` attribute instead. |
Technique | technique | MITRE ATT&CK® Technique | | | The Technique object describes the technique ID and/or name associated with an attack, as defined by the ATT&CK® Matrix. Optional; see the at-least-one constraint below. |
Unmapped Data | unmapped | Unmapped | Yes | | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source and pass through without schema validation, so consumers should not rely on them being well-formed. |
Version | version | String | | | The ATT&CK® Matrix version. Recommended: technique and sub-technique identifiers should be interpreted relative to this matrix release. |
References
Referenced By
- Security Finding
- Detection Finding
- Data Security Finding
- Incident Finding
- Memory Activity
- Process Activity
- Kernel Activity
- File System Activity
- System Activity
- Scheduled Job Activity
- Event Log Activity
- Module Activity
- Kernel Extension Activity
- Web Resources Activity
- Datastore Activity
- Network File Activity
- Tunnel Activity
- RDP Activity
- HTTP Activity
- Email File Activity
- Network Activity
- DHCP Activity
- FTP Activity
- SSH Activity
- SMB Activity
- DNS Activity
- Email Activity
- NTP Activity
- Email URL Activity
- Network
- Windows Service Activity
- Windows Resource Activity
- Registry Key Activity
- Registry Value Activity
- Email Delivery Activity
- Finding Information
- Related Event
- OSINT
Context
JSON
{
"caption": "MITRE ATT&CK\u00ae",
"name": "attack",
"description": "The <a target='_blank' href='https://attack.mitre.org'>MITRE ATT&CK\u00ae</a> object describes the tactic, technique & sub-technique associated to an attack as defined in <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK\u00ae Matrix</a>.",
"extends": "object",
"attributes": {
"tactic": {
"requirement": "optional",
"caption": "Tactic",
"description": "The Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK\u00ae Matrix</a>.",
"type": "tactic"
},
"tactics": {
"requirement": "optional",
"caption": "Tactics",
"description": "The Tactic object describes the tactic ID and/or tactic name that are associated with the attack technique, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK\u00ae Matrix</a>.",
"type": "tactic",
"@deprecated": {
"message": "Use the <code> tactic </code> attribute instead.",
"since": "1.1.0"
},
"is_array": true
},
"technique": {
"requirement": "optional",
"caption": "Technique",
"description": "The Technique object describes the technique ID and/or name associated to an attack, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK\u00ae Matrix</a>.",
"type": "technique"
},
"sub_technique": {
"requirement": "optional",
"caption": "Sub Technique",
"description": "The Sub Technique object describes the sub technique ID and/or name associated to an attack, as defined by <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK\u00ae Matrix</a>.",
"type": "sub_technique"
},
"version": {
"description": "The <a target='_blank' href='https://attack.mitre.org/wiki/ATT&CK_Matrix'>ATT&CK\u00ae Matrix</a> version.",
"requirement": "recommended",
"caption": "Version",
"type": "string_t"
},
"raw_data": {
"group": "context",
"caption": "Raw Data",
"description": "The event data as received from the event source.",
"type": "json_t"
},
"record_id": {
"description": "Unique identifier for the object",
"group": "primary",
"requirement": "required",
"caption": "Record ID",
"type": "string_t"
},
"unmapped": {
"caption": "Unmapped Data",
"description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
"type": "unmapped",
"is_array": true
}
},
"constraints": {
"at_least_one": [
"tactic",
"technique",
"sub_technique"
]
}
}