Accessing ATT&CK Data

ATT&CK in STIX

Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). The ATT&CK dataset is available in STIX 2.0 and STIX 2.1. Other presentations of this dataset, including the ATT&CK Navigator and this website, are built from the STIX data.

STIX is a machine-readable format providing access to the ATT&CK knowledge base. It is the most granular representation of the ATT&CK data, and all other representations are derived from the STIX dataset.

Consider using ATT&CK in STIX if you:

  • Have automated workflows that need to ingest ATT&CK data.
  • Are a proficient Python user seeking to save time with automation or to perform advanced queries.
  • Want your workflows to stay up to date with the evolving knowledge base.
  • Want to extend the ATT&CK dataset with custom content, and use this custom content with ATT&CK tools.

The ATT&CK STIX representation is most easily manipulated in Python using the stix2 library. However, because STIX is represented in JSON, other programming languages can easily interact with the raw content.

The ATT&CK STIX data can be retrieved from GitHub directly, or accessed via the official ATT&CK TAXII™ server. Trusted Automated Exchange of Intelligence Information (TAXII) is an application protocol for exchanging CTI over HTTPS. The ATT&CK TAXII server provides API access to the ATT&CK STIX knowledge base. Learn more about accessing the TAXII server here.
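As an added example (not code from the ATT&CK project), the following uses only Python's standard `json` module to read a STIX bundle, drop revoked and deprecated objects (which the STIX dataset retains), and resolve group-to-technique `uses` relationships. The bundle and its IDs (`G9001`, `T9001` and so on) are constructed for illustration, and the `mitre-attack` source name assumes the Enterprise domain.

```python
import json

# Constructed miniature bundle: object shapes follow ATT&CK STIX, but the
# names and IDs are placeholders, not real ATT&CK content.
SAMPLE = json.dumps({"type": "bundle", "id": "bundle--0001", "objects": [
    {"type": "attack-pattern", "id": "attack-pattern--a1", "name": "Example Technique",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9001"}]},
    {"type": "attack-pattern", "id": "attack-pattern--a2", "name": "Revoked Technique",
     "revoked": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9002"}]},
    {"type": "attack-pattern", "id": "attack-pattern--a3", "name": "Deprecated Technique",
     "x_mitre_deprecated": True,
     "external_references": [{"source_name": "mitre-attack", "external_id": "T9003"}]},
    {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "Example Group",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G9001"}]},
    {"type": "relationship", "id": "relationship--r1", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--a1"},
    {"type": "relationship", "id": "relationship--r2", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--a2"},
    {"type": "relationship", "id": "relationship--r3", "relationship_type": "uses",
     "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--a3"},
]})

def is_active(obj):
    """True unless the object is flagged as revoked or deprecated."""
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)

def attack_id(obj):
    """Return the ATT&CK ID from the mitre-attack external reference, or None."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":  # assumption: Enterprise domain
            return ref.get("external_id")
    return None

def group_techniques(bundle_json):
    """Map each group's ATT&CK ID to the sorted technique IDs it uses."""
    objects = json.loads(bundle_json)["objects"]
    active = {o["id"]: o for o in objects if o["type"] != "relationship" and is_active(o)}
    result = {}
    for rel in (o for o in objects if o["type"] == "relationship" and is_active(o)):
        src, dst = active.get(rel["source_ref"]), active.get(rel["target_ref"])
        # Skip relationships whose endpoints were filtered out or are the wrong type.
        if (rel.get("relationship_type") == "uses" and src and dst
                and src["type"] == "intrusion-set" and dst["type"] == "attack-pattern"):
            result.setdefault(attack_id(src), []).append(attack_id(dst))
    return {group: sorted(techs) for group, techs in result.items()}

if __name__ == "__main__":
    print(group_techniques(SAMPLE))
```

To run it against a bundle file downloaded from GitHub, pass the file's contents to `group_techniques` in place of `SAMPLE`.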

ATT&CK in Excel

Excel spreadsheets representing the ATT&CK dataset are also available. These spreadsheets are built from the STIX dataset and provide a more human-accessible view into the knowledge base while also supporting rudimentary querying/filtering capabilities.

Consider using ATT&CK in Excel if you:

  • Want to quickly sort, filter and query the dataset in a familiar UI.
  • Want to explore the contents of the dataset without having to navigate around the ATT&CK website.
  • Are not comfortable enough in Python or other programming languages to work with the STIX representation.

The Excel representation of the ATT&CK dataset includes both master spreadsheets, containing all object types, and individual spreadsheets for each object type. The individual type spreadsheets break out relationships (e.g., procedure examples connecting groups to techniques) into separate sheets by relationship type, while the master spreadsheet includes all relationship types in a single sheet. Otherwise, the representation is identical.

A citations sheet can be used to look up the in-text citations which appear in some fields. For domains that include multiple matrices, such as Mobile ATT&CK, each matrix gets its own named sheet. Unlike the STIX dataset, objects that have been revoked or deprecated are not included in the spreadsheets.

The source code for the STIX to Excel converter can be found in our mitreattack-python pip module.

Tools for working with ATT&CK

ATT&CK Navigator

The ATT&CK Navigator is a web-based tool for annotating and exploring ATT&CK matrices. It can be used to visualize defensive coverage, red/blue team planning, the frequency of detected techniques, and more.

Open the application

Visit the repository

ATT&CK Workbench

The ATT&CK Workbench is an application allowing users to explore, create, annotate, and share extensions of the ATT&CK knowledge base.

Visit the repository

ATT&CK Python Utilities

ATT&CK provides a variety of Python tools for accessing, querying, and processing the ATT&CK dataset. These scripts can be useful utilities or serve as examples for how to work with ATT&CK programmatically.

Install our pip module

Explore our standalone scripts