ATT&CK Data & Tools

Tools to Use with ATT&CK

The following tools allow users to explore, access, visualize, and query ATT&CK in different ways.

ATT&CK Navigator

The ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices. It can be used to visualize defensive coverage, red/blue team planning, the frequency of detected techniques, and more.

ATT&CK Workbench

The ATT&CK Workbench is an application allowing users to explore, create, annotate, and share extensions of the ATT&CK knowledge base.

Python Utilities

ATT&CK provides a variety of Python tools for accessing, querying, and processing the ATT&CK dataset. These scripts can be useful utilities or serve as examples for how to work with ATT&CK programmatically.

Accessing ATT&CK Data

ATT&CK in STIX

Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). The ATT&CK dataset is available in STIX 2.0 and STIX 2.1. Other presentations of this dataset, including the ATT&CK Navigator and this website, are built from the STIX data.

STIX is a machine-readable format providing access to the ATT&CK knowledge base. It is the most granular representation of the ATT&CK data, and all other representations are derived from the STIX dataset.

The ATT&CK STIX representation is most easily manipulated in Python using the stix2 library. However, because STIX is represented in JSON, other programming languages can easily interact with the raw content.

Consider using ATT&CK in STIX if you:

  • Have automated workflows that need to ingest ATT&CK data.
  • Are a proficient Python user seeking to save time with automation or want to perform advanced queries.
  • Want your workflows to keep up-to-date with the evolving knowledge base.
  • Want to extend the ATT&CK dataset with custom content, and use this custom content with ATT&CK tools.

TAXII

The ATT&CK STIX data can also be accessed via the official ATT&CK TAXII™ server. Trusted Automated Exchange of Intelligence Information (TAXII) is an application protocol for exchanging CTI over HTTPS. The ATT&CK TAXII server provides API access to the ATT&CK STIX knowledge base.

ATT&CK in Excel

These spreadsheets are built from the STIX dataset and provide a more human-accessible view into the knowledge base while also supporting rudimentary querying/filtering capabilities.

The Excel representation of the ATT&CK dataset below includes both master spreadsheets, containing all object types, and individual spreadsheets for each object type. The individual type spreadsheets break out relationships (e.g., procedure examples connecting groups to techniques) into separate sheets by relationship type, while the master spreadsheet includes all relationship types in a single sheet.

A citations sheet can be used to look up the in-text citations which appear in some fields. For domains that include multiple matrices, such as Mobile ATT&CK, each matrix gets its own named sheet. Unlike the STIX dataset, objects that have been revoked or deprecated are not included in the spreadsheets.

Consider using ATT&CK in Excel if you:

  • Want to quickly sort, filter and query the dataset in a familiar UI.
  • Want to explore the contents of the dataset without having to navigate around the ATT&CK website.
  • Are not comfortable enough in Python or other programming languages to work with the STIX representation.

Excel Spreadsheets representing the ATT&CK dataset:

STIX to Excel Converter

This folder within the pip module contains an additional module for converting ATT&CK STIX data to Excel spreadsheets. It also provides a means to access ATT&CK data as Pandas DataFrames for data analysis.