Accessing ATT&CK Data
ATT&CK in STIX
Structured Threat Information Expression (STIX™) is a language and serialization format used to exchange cyber threat intelligence (CTI). The ATT&CK dataset is available in STIX 2.0 and STIX 2.1. Other presentations of this dataset, including the ATT&CK Navigator and this website, are built from the STIX data.
STIX is a machine-readable format providing access to the ATT&CK knowledge base. It is the most granular representation of the ATT&CK data, and all other representations are derived from the STIX dataset.
Consider using ATT&CK in STIX if you:
- Have automated workflows that need to ingest ATT&CK data.
- Are a proficient Python user who wants to save time with automation or perform advanced queries.
- Want your workflows to stay up to date with the evolving knowledge base.
- Want to extend the ATT&CK dataset with custom content, and use this custom content with ATT&CK tools.
The ATT&CK STIX representation is most easily manipulated in Python using the stix2 library. However, because STIX is represented in JSON, other programming languages can easily interact with the raw content.
The ATT&CK STIX data can be retrieved from GitHub directly, or accessed via the official ATT&CK TAXII™ server. Trusted Automated Exchange of Intelligence Information (TAXII) is an application protocol for exchanging CTI over HTTPS. The ATT&CK TAXII server provides API access to the ATT&CK STIX knowledge base. Learn more about accessing the TAXII server here.
ATT&CK in Excel
The ATT&CK dataset is also available as Excel spreadsheets. These spreadsheets are built from the STIX dataset and provide a more human-accessible view into the knowledge base while also supporting rudimentary querying/filtering capabilities.
Consider using ATT&CK in Excel if you:
- Want to quickly sort, filter and query the dataset in a familiar UI.
- Want to explore the contents of the dataset without having to navigate around the ATT&CK website.
- Are not comfortable enough in Python or other programming languages to work with the STIX representation.
The Excel representation of the ATT&CK dataset includes both master spreadsheets, containing all object types, and individual spreadsheets for each object type. The individual type spreadsheets break out relationships (e.g., procedure examples connecting groups to techniques) into separate sheets by relationship type, while the master spreadsheet includes all relationship types in a single sheet. Otherwise, the representations are identical.
A citations sheet can be used to look up the in-text citations which appear in some fields. For domains that include multiple matrices, such as Mobile ATT&CK, each matrix gets its own named sheet. Unlike the STIX dataset, objects that have been revoked or deprecated are not included in the spreadsheets.
The source code for the STIX to Excel converter can be found in our mitreattack-python pip module.
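The spreadsheet view described above can be derived from the raw STIX JSON. The following added example (not MITRE's code and not the mitreattack-python converter) uses only Python's json module to drop revoked and deprecated objects and list group-to-technique "uses" relationships. The bundle, IDs and names are constructed placeholders, and the "mitre-attack" source name is assumed to be the Enterprise domain's.

```python
import json

def _sid(kind, n):
    # Constructed STIX id "<type>--<UUID>"; these UUIDs are placeholders.
    return f"{kind}--00000000-0000-4000-8000-{n:012d}"

def _sdo(kind, n, name, ext_id, **flags):
    ref = {"source_name": "mitre-attack", "external_id": ext_id}
    return {"type": kind, "id": _sid(kind, n), "name": name,
            "external_references": [ref], **flags}

def _uses(n, src, dst):
    return {"type": "relationship", "id": _sid("relationship", n),
            "relationship_type": "uses",
            "source_ref": src["id"], "target_ref": dst["id"]}

# Constructed sample data, not real ATT&CK content.
GROUP = _sdo("intrusion-set", 1, "Example Group", "G9001")
TECH_A = _sdo("attack-pattern", 2, "Example Technique A", "T9001")
TECH_B = _sdo("attack-pattern", 3, "Example Technique B", "T9002", revoked=True)
TECH_C = _sdo("attack-pattern", 4, "Example Technique C", "T9003",
              x_mitre_deprecated=True)
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": _sid("bundle", 0), "objects": [
    GROUP, TECH_A, TECH_B, TECH_C,
    _uses(5, GROUP, TECH_A), _uses(6, GROUP, TECH_B), _uses(7, GROUP, TECH_C)]})

def is_active(obj):
    # Retired objects carry "revoked" or "x_mitre_deprecated"; absent means active.
    return not (obj.get("revoked") or obj.get("x_mitre_deprecated"))

def attack_id(obj):
    # The ATT&CK ID is the external_id of the "mitre-attack" external reference.
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def group_technique_rows(bundle_json):
    objects = json.loads(bundle_json)["objects"]
    active = {o["id"]: o for o in objects
              if o["type"] != "relationship" and is_active(o)}
    rows = []
    for rel in objects:
        if rel["type"] != "relationship" or rel.get("relationship_type") != "uses":
            continue
        src, dst = active.get(rel["source_ref"]), active.get(rel["target_ref"])
        # Skip edges that are retired or whose endpoint is retired or missing.
        if (is_active(rel) and src and dst and src["type"] == "intrusion-set"
                and dst["type"] == "attack-pattern"):
            rows.append((attack_id(src), src["name"], attack_id(dst), dst["name"]))
    return sorted(rows)
```

Without the `is_active` filter, the relationships pointing at the revoked and deprecated techniques would appear in the output, which is the difference from the spreadsheets that the text calls out.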
Tools for working with ATT&CK
The ATT&CK Workbench is an application allowing users to explore, create, annotate, and share extensions of the ATT&CK knowledge base.