Class: AttackKillChainPhase
An ATT&CK-constrained kill chain phase restricting kill_chain_name to the three ATT&CK domain identifiers: 'mitre-attack', 'mitre-mobile-attack', and 'mitre-ics-attack'. The phase_name must match the x_mitre_shortname of the associated x-mitre-tactic object in the same domain. Used in the kill_chain_phases property of Technique, Malware, and Tool objects to map them to their applicable tactic(s).
URI: attack:AttackKillChainPhase
classDiagram
class AttackKillChainPhase
click AttackKillChainPhase href "../AttackKillChainPhase/"
KillChainPhase <|-- AttackKillChainPhase
click KillChainPhase href "../KillChainPhase/"
AttackKillChainPhase : description
AttackKillChainPhase : id
AttackKillChainPhase : kill_chain_name
AttackKillChainPhase --> "1" KillChainNameEnum : kill_chain_name
click KillChainNameEnum href "../KillChainNameEnum/"
AttackKillChainPhase : name
AttackKillChainPhase : phase_name
AttackKillChainPhase : type
Inheritance
- StixEntity
- CommonSchemaComponent
- KillChainPhase
- AttackKillChainPhase
- KillChainPhase
- CommonSchemaComponent
Slots
| Name | Cardinality and Range | Description | Inheritance |
|---|---|---|---|
| kill_chain_name | 1 KillChainNameEnum |
The ATT&CK domain kill chain identifier | KillChainPhase |
| phase_name | 1 String |
The tactic short name corresponding to the x_mitre_shortname of the associate... | KillChainPhase |
| id | 0..1 StixIdentifier |
STIX object identifier | StixEntity |
| type | 0..1 StixTypeName |
STIX object type | StixEntity |
| name | 0..1 String |
Human-readable name | StixEntity |
| description | 0..1 String |
Human-readable description | StixEntity |
In Subsets
Identifier and Mapping Information
Schema Source
- from schema: https://w3id.org/lmodel/attack
Mappings
| Mapping Type | Mapped Value |
|---|---|
| self | attack:AttackKillChainPhase |
| native | attack:AttackKillChainPhase |
LinkML Source
Direct
name: AttackKillChainPhase
description: 'An ATT&CK-constrained kill chain phase restricting kill_chain_name to
the three ATT&CK domain identifiers: ''mitre-attack'', ''mitre-mobile-attack'',
and ''mitre-ics-attack''. The phase_name must match the x_mitre_shortname of the
associated x-mitre-tactic object in the same domain. Used in the kill_chain_phases
property of Technique, Malware, and Tool objects to map them to their applicable
tactic(s).'
in_subset:
- attack_aux
from_schema: https://w3id.org/lmodel/attack
is_a: KillChainPhase
slot_usage:
kill_chain_name:
name: kill_chain_name
description: The ATT&CK domain kill chain identifier. Must be one of 'mitre-attack',
'mitre-mobile-attack', or 'mitre-ics-attack'.
range: KillChainNameEnum
required: true
phase_name:
name: phase_name
description: The tactic short name corresponding to the x_mitre_shortname of the
associated x-mitre-tactic object (e.g., 'initial-access', 'execution').
required: true
Induced
name: AttackKillChainPhase
description: 'An ATT&CK-constrained kill chain phase restricting kill_chain_name to
the three ATT&CK domain identifiers: ''mitre-attack'', ''mitre-mobile-attack'',
and ''mitre-ics-attack''. The phase_name must match the x_mitre_shortname of the
associated x-mitre-tactic object in the same domain. Used in the kill_chain_phases
property of Technique, Malware, and Tool objects to map them to their applicable
tactic(s).'
in_subset:
- attack_aux
from_schema: https://w3id.org/lmodel/attack
is_a: KillChainPhase
slot_usage:
kill_chain_name:
name: kill_chain_name
description: The ATT&CK domain kill chain identifier. Must be one of 'mitre-attack',
'mitre-mobile-attack', or 'mitre-ics-attack'.
range: KillChainNameEnum
required: true
phase_name:
name: phase_name
description: The tactic short name corresponding to the x_mitre_shortname of the
associated x-mitre-tactic object (e.g., 'initial-access', 'execution').
required: true
attributes:
kill_chain_name:
name: kill_chain_name
description: The ATT&CK domain kill chain identifier. Must be one of 'mitre-attack',
'mitre-mobile-attack', or 'mitre-ics-attack'.
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: kill_chain_name
owner: AttackKillChainPhase
domain_of:
- KillChainPhase
range: KillChainNameEnum
required: true
phase_name:
name: phase_name
description: The tactic short name corresponding to the x_mitre_shortname of the
associated x-mitre-tactic object (e.g., 'initial-access', 'execution').
from_schema: https://w3id.org/lmodel/attack
rank: 1000
alias: phase_name
owner: AttackKillChainPhase
domain_of:
- KillChainPhase
range: string
required: true
id:
name: id
description: STIX object identifier.
from_schema: https://w3id.org/lmodel/attack
related_mappings:
- unified_cyber_ontology:externalReference
rank: 1000
alias: id
owner: AttackKillChainPhase
domain_of:
- StixEntity
- Bundle
- Core
- CyberObservableCore
- ExtensionDefinition
- LanguageContent
- MarkingDefinition
- File
range: stix_identifier
type:
name: type
description: STIX object type.
from_schema: https://w3id.org/lmodel/attack
related_mappings:
- unified_cyber_ontology:state
rank: 1000
alias: type
owner: AttackKillChainPhase
domain_of:
- StixEntity
- Bundle
- Core
- CyberObservableCore
- ExtensionDefinition
- LanguageContent
- MarkingDefinition
- File
range: stix_type_name
name:
name: name
description: Human-readable name.
from_schema: https://w3id.org/lmodel/attack
exact_mappings:
- unified_cyber_ontology:name
rank: 1000
alias: name
owner: AttackKillChainPhase
domain_of:
- RelatedAsset
- StixEntity
- ExtensionDefinition
- MarkingDefinition
- AutonomousSystem
- File
range: string
description:
name: description
description: Human-readable description.
from_schema: https://w3id.org/lmodel/attack
close_mappings:
- unified_cyber_ontology:description
rank: 1000
alias: description
owner: AttackKillChainPhase
domain_of:
- RelatedAsset
- MutableElement
- StixEntity
- ExtensionDefinition
- ExternalReference
range: string